Medical Privacy and Your Rights
Personal information you give to your doctor is shared with insurance companies, pharmacies, researchers, and employers based on specific regulations. The privacy of your health records is protected by federal law, the Health Insurance Portability and Accountability Act, also known as HIPAA.
HIPAA was passed in 1996, originally to make health insurance transferable between jobs. The privacy and security regulations issued under it offer baseline consumer protections and apply to health care providers, health plans and health care clearinghouses, which the law calls 'covered entities'.
The law defines the various players as follows:
- Health care providers include doctors, hospitals and other caregivers, and, when they are part of a covered entity, health care researchers.
- A health plan is defined as an individual or group plan that either provides or pays the cost of medical care.
- A health care clearinghouse standardizes health information, such as a billing service that processes data into a standardized billing format.
- A ‘business associate’ is the HIPAA term for a third party that performs services for a covered entity that involves the use or disclosure of protected health information. They can be based overseas and include practice management services, data processing and pharmacy benefits managers. They must comply with HIPAA.
- ‘Personal health information’ is often used loosely to mean protected health information (PHI), the term HIPAA actually uses, or medical information generally.
Meanwhile, ‘consent’ and ‘authorization’ are used interchangeably in everyday speech even though HIPAA treats them differently, and this often confuses consumers.
In California, covered entities that want to obtain your medical information must first have your written authorization, signed and dated by you or by someone legally authorized to sign for you.
Concerns Over Loopholes
There is concern, however, that your consent for the use of your medical information is assumed for treatment, payment, and health care operations. Consent is also not required for a long list of legal and administrative purposes, including law enforcement and public health. That situation has been criticized as a major gap in federal consumer protection.
In late January 2013, the U.S. Department of Health and Human Services moved to strengthen the privacy and security protections of HIPAA. The final omnibus rule extends many of the requirements to business associates of health care providers and health plans, to their contractors and subcontractors, and to others that process health insurance claims. This came about because some of the largest breaches of protected medical information have involved business associates.
Penalties for noncompliance have been increased and tiered by level of negligence, up to a maximum of $1.5 million per year for all violations of an identical provision. The new rules also clarify when breaches of unsecured health information must be reported to Health and Human Services.
Meanwhile, the new rules strengthen consumer rights. Patients can now ask for a copy of their electronic medical record in an electronic form. When paying in cash, they can also instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes. It also prohibits the sale of an individual’s health information without their permission.
The rule also makes it easier for parents and others to give permission to share proof of a child’s immunization with a school. Covered entities and business associates have up to one year after the 180-day compliance date to modify contracts to comply with the rule.
The final omnibus rule clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.
Your Medical Information and Privacy Rights under HIPAA
It’s important to note that HIPAA does not guarantee the privacy of your medical information. Its protections apply only to the covered entities mentioned above: health care providers, health plans and health care clearinghouses. Moreover, your medical provider does not need your consent to share your medical information for treatment, payment or what HIPAA defines as ‘health care operations.’ And if your medical information is in the hands of your employer, the courts or an insurer not covered by HIPAA, such as workers’ compensation, it is protected, if at all, by a different set of privacy standards.
You do have the right to ask for and receive your medical records. You will receive a privacy notice from your provider that includes information on how you can obtain copies of your medical records. The notice should also tell you whether a written request is necessary. If you are denied access, you can file a complaint with the Health and Human Services Office for Civil Rights. HIPAA gives providers 30 days to provide the records, with a single 30-day extension permitted if they notify you in writing of the reason for the delay.
You can be charged ‘reasonable fees’ for access, based on the cost of materials and copying. You cannot be charged for the time spent searching for your records. Exceptions to the right of access include psychotherapy notes and information compiled for litigation. Requests can also be denied if the provider finds that access to the records could result in harm to you or another person.
You can request an accounting of who has received your health records during the prior six years, but there are exceptions to the disclosure requirement. Disclosures made for treatment, payment or health care operations do not need to be listed in the accounting, and incidental disclosures permitted under HIPAA do not need to be accounted for either.
If your rights have been violated under HIPAA, your recourse is not a lawsuit but a complaint. Complaints must be filed with the Health and Human Services Office for Civil Rights within 180 days of the violation, although extensions can be granted. Violations can result in civil fines, up to the annual cap described above. If a criminal investigation is triggered, violators can face up to 10 years in prison and a fine of up to $250,000.
If your privacy rights have been violated under other federal or state laws or regulations, you may be able to sue. A lawyer can help you find out.
Information about an unpaid medical bill can be disclosed to a debt collector, since it is information involving a payment. It can also appear as a negative entry on your credit report. Information that can be disclosed to a credit bureau includes:
- Your name and address
- Date of birth
- Social Security number
- Payment history
- Account number
- Health care provider or plan that says you owe the money
Two companies, MedPoint and IntelliScript, compile information and issue reports to insurance companies when consumers apply for private health, disability or life insurance. You may want to find out whether your insurer has received a report from either one. Requests for your information can be made to both companies.
Federal law (the Genetic Information Nondiscrimination Act, GINA) also prohibits your employer or health insurer from requesting, requiring or purchasing genetic information about you.
Your Medical Privacy Rights in California
California laws are generally more protective for medical records privacy than HIPAA. California has stronger requirements for notifying individuals about health information security breaches.
For instance, California requires state agencies and private businesses that hold unencrypted personal information on computers to notify any affected California resident when that information is breached. It allows individuals to sue for harm suffered from the breach and provides statutory damages of $1,000 for negligently breached medical information without the need to prove harm. Additional breach protections for medical information apply to clinics, health facilities, home health agencies and hospices; in these cases, failure to prevent unauthorized disclosures can result in fines of up to $25,000.
California consumers also have more control over information considered sensitive: state law requires a separate signed authorization for such releases. Examples are records of the treatment of HIV and sexually transmitted diseases. Both California and federal law require authorization to release psychotherapy notes and records of substance abuse treatment.
Other medical information privacy protections offered by California law include:
- Collection of medical records for direct marketing is prohibited
- A limit on collection, maintenance and distribution of personal information by state agencies. You can find out who has accessed your records and request inaccurate or irrelevant information be changed.
- Patients have the right to see and copy their medical records, in most cases, that are maintained by health care providers. They can also request corrections to errors in the information.
- Disclosure of genetic information requires your written authorization. Insurance coverage cannot be denied on the basis of a genetic test.
California Legislative Update
SB 46 is a pending bill introduced on December 14, 2012, by Sen. Ellen Corbett (D-San Leandro). It would expand the definition of ‘personal information’ covered by the current requirement that a California agency or business notify individuals whose personal information has been breached on its computer system. Among the types of personal information the bill adds are ‘medical information,’ defined as any information on an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, and ‘health insurance information,’ defined as an individual’s health insurance policy number or subscriber ID number, or ‘any unique identifier’ used by a health insurer to identify the individual, as well as any information in the individual’s application and claims history, including appeals records.
SB 138 is another pending bill, introduced January 28, 2013, by Sen. Ed Hernandez (D-West Covina). It seeks to incorporate HIPAA standards into state law in order to clarify the standards protecting the confidentiality of medical information in insurance transactions. It would allow insured individuals to submit and authorize the release of medical information. It would specify confidentiality requirements for insurers regarding the treatment of individuals 26 or younger who are insured as dependents on a policy, where sensitive or potentially harmful information is involved. It would also authorize a health care provider to share information about benefit cost-sharing arrangements with a health care service plan. And it would prohibit health insurers from requiring communications authorizations from individuals as a condition of enrollment in their plans.