Insurance Law

Your Right to Medical Privacy: HIPAA

 In 1996, Congress passed the Health Insurance Portability and Accountability Act, commonly known as HIPAA. The law has many different elements including the protection of health insurance when an employee loses her job and national standards for certain health care transactions. However, one of the best known sections of the law is the one that addresses a patient’s medical privacy.

What Does HIPAA Protect?
The privacy protections of HIPAA are found within the Administrative Simplification section of the law. The privacy rule has been in place since 2003. It provides specific rules about the dissemination of protected health information. Protected health information is defined as any information about the health status, provision of health care or payment of health care that can be linked to an individual. In essence, it means that there are now specific rules about sharing any part of a patient’s medical record or billing history.

How are the Privacy Protection of HIPAA implemented?
The law makes clear that covered entities (such as doctors and health insurance companies) must make reasonable efforts to ensure confidentiality of communications. A patient, for example, could request that all phone calls and written correspondence be directed to his or her home only and not his or her workplace. Further, the patient can request that no information be sent via e-mail.
Every covered entity must make sure that it has policies and procedures in place to protect patient privacy in accordance with HIPAA. Each entity must also have a point person who is responsible for the proper implementation of those policies and procedures.

What Are the Exceptions to HIPAA Protection?
If the information contained in the medical records is something that the health care provider or insurance company is required to disclose by law then HIPAA protection does not apply. For example, if a child’s medical records indicate injuries from child abuse then the health care provider is mandated to report that to the police in most states.
An individual is always entitled to the information contained in his or her own medical record or payment history within 30 days of making the request. Further, personal health information may be disclosed if the patient has given authorization for its release. For example, a doctor may share information with a person’s employer if he or she has prior authorization from the patient. The doctor does have an obligation, however, to only disclose the relevant information required to achieve the purpose of the disclosure.

What To Do if Your HIPAA Privacy Rights Have Been Violated
The law requires each covered entity to have a complaint procedure set up so that a patient who believes his or her rights have been violated can file a complaint. A patient may also file a complaint with the Department of Health and Human Services Office for Civil Rights.
The HIPAA privacy standards are meant to protect the patient and to allow the patient to control the disclosure of his or her own medical information. While some critics argue that the standards are too strict and make it difficult for concerned parties, such as relatives, to obtain important information, the law’s supporters argue that the law provides needed protection for patients. Whether you support or oppose the law, it is important to understand its provisions and how it applies to you.