The following information was discussed by Attorney Whitney Hughes on the September 11, 2007 edition of Legal Briefs on KDKA's Pittsburgh Today Live Show.
We often field questions from individuals asking whether their privacy rights have been violated in a given situation, and most often those questions involve medical records.
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to set a national standard for electronic transfers of health data. At the same time, Congress saw the need to address growing public concern about privacy and security of personal health data. Actually writing the rules on privacy as well as enforcing them eventually fell to the U.S. Department of Health and Human Services (HHS).
HIPAA does 9 things:
Your consent to the use of your medical information is not required if it is used or disclosed for treatment, payment, or health care operations. Since your consent is not required for payment, your health care provider can submit a claim to your insurance company—even for a procedure you wanted to keep private and intended to pay for yourself.
Your past medical information may become available, even if you thought the information was long buried and would remain private. An event, treatment, or procedure from your distant past can be disclosed the same as information about current conditions.
Your private health information can be used for marketing and may be disclosed without your authorization to pharmaceutical companies or businesses looking to recall, repair, or replace a product or medication.
You have no right to sue under HIPAA for violations of your privacy. In other words, you do not have a "private right of action." Only the HHS or the U.S. Department of Justice has the authority to file an action for violations of the Privacy Rule.
Law enforcement access to protected health information under HIPAA is a significant concern of privacy and civil liberties advocates. Some disclosures may be made to law enforcement without a warrant or court order.
HIPAA pertains to three categories of "covered entities": health care providers, health plans, and health care clearinghouses.
Health care providers are covered if they transmit health information electronically. Keep in mind that it is nearly impossible to provide health care today without using electronic means in some way.
As long as information is transmitted electronically, "health care provider" includes your doctors, hospitals, staff involved in your treatment, laboratories, pharmacists, dentists, and many others that provide medical, dental, and mental health care or treatment. In short, a provider is almost anyone in the business of providing health care who is licensed or regulated by the states.
Health plan means anyone that pays for the cost of medical care. This includes: health insurance companies, HMOs (health maintenance organizations), group health plans sponsored by your employer, Medicare and Medicaid, and virtually any other company or arrangement that pays for your health care.
Health care clearinghouses are organizations that work as a go-between for health care providers and health plans. An example of this would be a billing service.
HIPAA covers any information about your past, present, or future mental or physical health, including information about payment for your care. To be covered by HIPAA, the information has to be kept by a covered entity: a health care provider, health plan, or health care clearinghouse. This information, combined with some fact that identifies you (your name, address, telephone number, Social Security number), is called "protected health information" or PHI. PHI can be oral, handwritten, or entered into a computer. This means a conversation between a doctor and nurse about your condition has the same general protections as information written in your records.
Consent for use of your information is not the same as consent for treatment. HIPAA doesn’t change the general requirement that a health care provider needs your consent before treating you.
A covered entity is allowed to seek your consent, and some state laws require patient consent for treatment, payment, and other disclosures. A covered entity is required to make a good faith effort to obtain your acknowledgment that you received a notice of privacy practices, but this is not the same as obtaining consent.
Your consent is not required when your medical information is used for treatment, payment, or for health care operations or when your information is used by a business associate of your health care provider or plan.
No. HIPAA only gives you the right to get copies of your records. Or, if you choose, you can ask to see your medical records or ask for a summary of your medical file. You will have to pay for those as well.
Even if your doctor does not require a written request, it is always a good idea to put your request in writing. That way, you have a record of important details such as when you filed your request and the record you requested.
Usually, you should get your copies within 30 days of the request. Under HIPAA, if the process takes more than 30 days, you must be given a reason.
HIPAA says that the group health plan can tell your employer whether or not you are enrolled in the plan. Your employer can also get from the group plan what is called "summary" information to use in obtaining premium bids or changes in coverage. If the health information your employer receives goes beyond the basic summary, then HIPAA requires the employer to establish procedures much like those of a covered entity.
You don't have the right to sue under HIPAA. The most you can do is file a complaint. The privacy notice you receive from your health care provider or plan is required to tell you how to file a complaint within the organization. The notice should also tell you how to contact the HHS Office of Civil Rights. This is the government office charged with enforcing the Privacy Rule.
You must file your complaint within 180 days of the violation, but HHS can extend that time. HIPAA says you cannot be denied treatment because you file a complaint.
Even though the HIPAA Privacy Rule does not give you the right to sue, other federal or state laws or regulations might give you the right to bring an action in court for violations of your privacy.
As with anything else, if you feel your rights have been violated, you may want to discuss the situation with an attorney.
Call the Allegheny County Bar Association’s Lawyer Referral Service to be referred to an attorney who practices in the area of HIPAA violations or privacy issues.