QUESTIONS AND ANSWERS ABOUT CONFIDENTIALITY OF PATIENT INFORMATION
1. How are patients' confidential medical records protected?
The confidentiality and security of medical information is protected by privacy and security regulations issued under the “Health Insurance Portability and Accountability Act of 1996” (HIPAA). The HIPAA privacy rule protects the quality of health care and strengthens privacy protections. While still allowing for the needed flow of medical information in order to assure quality health care, the privacy rule ensures that patients' confidential medical information is kept secure.
Covered entities -- hospitals, clinicians, health plans, clearinghouses, and business associates -- under the HIPAA privacy rule may only use and disclose certain protected health information. This means identifiable information that is necessary for treatment, payment, and health care operations activities, as well as for very limited activities in the public interest. The rule makes no restriction on information that providers need to treat their patients, but beyond treatment, covered entities may only use or share the minimum amount of information necessary for a particular purpose, such as payment or health care operations. Patients must specifically authorize any disclosure of their information that is not related to their health care.
2. When did the HIPAA privacy rule take effect?
The proposed HIPAA privacy rule was first published on November 3, 1999. After drawing more than 50,000 comments from interested parties, the final version of the privacy rule was published December 28, 2000. Modifications to the final rule were published on August 14, 2002, before the effective date of the rule on April 14, 2003. Small health plans with annual receipts of not more than $5 million were given until April 14, 2004, to comply.
3. Who is covered by the HIPAA privacy regulation?
Health care plans, clearinghouses, and providers who store or transmit health information electronically are covered by the rule. As such, they are sometimes referred to as "covered entities." These covered entities are also required contractually to bind their business associates to comply with the rule's provisions.
4. What information is protected by the HIPAA privacy rule?
The privacy rule protects all individually identifiable health information that is either held or transmitted by a covered entity or its business associate. This includes electronic, paper, or oral information that relates to the individual's past, present, or future health conditions, treatment, or payment for the provision of health care. This also includes many common identifiers, such as the individual's name, address, birthday, and Social Security Number. The HIPAA privacy rule refers to this information as protected health information (PHI).
5. How is the HIPAA privacy rule enforced?
The Department of Health and Human Services Office for Civil Rights (OCR) reviews every complaint and conducts investigations where warranted by facts and circumstances presented by the complaint. Through 2007, 32,487 complaints were received by OCR and 25,743 of those complaints were resolved. The OCR investigated 8,199 complaints with corrective action obtained in 67% and no violation being found in 33% of the investigated complaints.
6. Electronic protected health information seems like it would be particularly vulnerable to breaches in security. What other standards must covered entities meet in order to ensure the safety of this information?
As of April 2005, covered entities must also be in compliance with the HIPAA security rule. The security rule applies to electronic PHI that a covered entity creates, receives, maintains, or transmits. The rule requires covered entities to protect against reasonably anticipated threats or hazards to the security or integrity of information, as well as against uses and disclosures not allowed by the privacy rule. In addition, the security rule requires covered entities to ensure compliance by their own workforce. Under the rule, covered entities must meet administrative, physical, and technical standards as well as organizational, policy, procedural, and documentation requirements in order to ensure the safety and confidentiality of electronic PHI.
7. What would be wrong with adding more requirements to HIPAA, such as requiring health care providers to obtain a patient's consent before using his or her identifiable health information?
Requiring prior consent to use information for treatment, payment, health care operations, and research, i.e., routine and legitimate purposes, will disrupt and delay health care for patients. During the extensive comment period on the proposed rule, doctors, hospitals, pharmacists, and other health care providers gave real-life examples of problems caused by a prior consent mandate. For example:
• Millions of prescriptions could not be refilled until patients came in to sign a consent form;
• Doctors would be unable to refer patients to specialists or other providers until the patient signed consent forms with those other providers;
• Patients would find it more difficult to schedule surgery at outpatient facilities, or to begin communicating prior to outpatient surgery; and
• Doctors would be unable to phone in prescriptions for patients until the patients went to the pharmacy to sign consent forms.
8.Can't medical providers and plans comply with both federal and state laws on privacy? What's wrong with having state and federal privacy rules? Is a national standard really necessary?
Health care providers and plans want effective, workable, and well-understood rules for protecting confidentiality. The laws on the books at the state level are an unbelievably complex patchwork that is difficult to follow. Also, the delivery and financing of health care – particularly with the increasing use of the computer and Internet – now cross state lines. For example, the simple act of a patient getting a prescription ordered, filled, and paid for can easily involve entities operating in half a dozen states.
As with most segments of our economy, more and more of our health care system is integrated and operates with pieces in many states. One episode of care could easily involve entities in a dozen states or more with physicians in one or more states, a pharmacy in another, a health plan in another, a pharmacy benefit manager in another, a lab test in another, and so on. Which states’ confidentiality laws apply when getting a prescription involves a prescribing doctor in Virginia, a pharmacy in Washington, D.C., an employer health plan in Maryland, a pharmacy benefit manager in Arizona, a third party administrator in Connecticut, and a mail order firm in Pennsylvania? Furthermore, within each of those states, which privacy law applies? The law on insurance, the pharmacy board law, the medical licensing law, the Education Department law, the medical privacy law, or other statutes scattered throughout the state law? Add to that equation the fact that there are literally thousands of state laws and regulations on medical privacy, creating an incomprehensibly confusing patchwork of conflicting rules. Studies of state laws bear this out. Patient privacy rules have been tucked away in laws including: Library Code; Public Officers Code; Industrial Insurance Code; Foods, Drugs, Cosmetics and Poisons Code; Family Code; Education Code; Revenue and Taxation; General School Operations Code; Unemployment Insurance, Welfare, Public Assistance Code; State Government “Printing and Documents” Code; Mental Illness Code, Mental Retardation Code; Human Resources Code; Medical Review Code, Adoption Code, Administration of Government Code; Courts Not of Record Code; Commissions, Boards and Institutions; Health Code; Persons With Disabilities Code, Freedom of Information; Board of Pharmacy Code; State Alcohol, Drug Abuse Code, Communicable Diseases Code; Chronic Disease and Injury Code; Businesses and Professions Code; Probate, Trusts and Fiduciaries Code; Consumer Affairs; and others.
Finally, several states that have experimented with medical confidentiality have taken serious missteps. Minnesota’s law on privacy and research had to be significantly amended and Maine repealed its privacy law a mere 12 days after it took effect.
9. Shouldn't patients have control over which parts of their medical records are accessible through an interoperable health system?
Patient care will be seriously compromised if patients are allowed to supply information selectively to their medical providers. If patients are allowed to choose which information is provided for their treatment, clinicians will be unable to rely on the medical record as a tool for diagnosis and treatment as it may or may not include the facts necessary for the delivery of quality medical care.
Though it may not occur to a patient, records regarding a particular illness may contain essential information about medications and other treatments. If this information is kept from a treating provider, dangerous drug interactions and other serious consequences may result.
The privacy rule does impose greater protection on some more sensitive information. The privacy rule recognizes that, for example, private notes concerning mental health therapy contain sensitive patient information. Because of this, under the privacy rule, psychotherapy notes can only be used by the practitioner who took the notes unless the patient specifically authorizes another use. But, in general, the rule recognizes that financial information a patient may deem sensitive could be essential to a patient’s care in a subsequent illness or episode.
An electronic medical records system constrained by additional patient controls will discourage the participation of providers as they simply cannot rely on incomplete medical records without serious repercussions for patients and sweeping liability for providers.
10. Shouldn't medical providers be required to send patients a notice of a security breach that would affect their medical records?
Data security legislation under consideration by the House of Representatives and the Senate requires health care entities to provide a notice to patients if their personal information is accessed by an unauthorized person. As most medical files include personal identifiers such as a Social Security number or financial information for payment, providers will be required by the new legislation to supply patients with a notice in the event of a security breach. Establishing a competing and duplicative regime under the Department of Health and Human Services (HHS) would be confusing and unnecessary.
In addition, under HIPAA patients are entitled to an accounting of any disclosure of their information, including any unauthorized use. Should the HHS secretary determine that additional notice requirements are necessary, the secretary already has the authority to establish a notice requirement by making it a part of the HIPAA regulation.
11. How are patients informed of the ways in which their medical information is used by health care providers, plans, and clearinghouses?
Covered entities must provide patients with a Notice of Privacy Practices which outlines how they may use personal medical information. The notice must describe individuals’ rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated. The notice must also include a point of contact for further information and for making complaints to the covered entity.
12. Can a patient's information be shared for marketing purposes?
No, covered entities must first obtain an individual's specific authorization before disclosing his or her patient information for marketing.
13. What steps must covered entities take to ensure that all staff within their organizations comply with the HIPAA privacy standards?
Covered entities must have a written privacy policy that outlines how information will be used and includes a description of which staff will have access to the information. Covered entities must train their employees in their privacy procedures and must name a privacy official to ensure the rules are followed. If employees fail to follow the procedures, a covered entity must take suitable disciplinary action.
14. What entities are considered business associates under the rule? And what must a covered entity require in its business associate contracts?
Any person or organization that performs functions or activities or provides services to a covered entity that involve the use or disclosure of individually identifiable health information is considered a “business associate” under the privacy rule.
In the business associate contract, the covered entity must impose specified written safeguards that are consistent with HIPAA rules on the individually identifiable health information used or disclosed by its business associates. Business associates must be prohibited from making any use or disclosure of protected health information that would violate the privacy rule. The business associates must also be required to put in place appropriate safeguards to protect against a use or disclosure not permitted by the contract. Business associates must agree to bind any subcontractors or agents to the same restrictions. The business associate contract must authorize a covered entity to terminate the contract if the covered entity determines the business associate has violated a material term of the contract.