HHS wants individuals to have easier access to their own records
Traditionally, health care practitioners have used a standard authorization for disclosure of medical records even for individuals requesting their own medical records. In an effort to make it easier for patients to obtain their own records, HHS has issued new guidance that discourages the use of the standard medical records release for this purpose. In recent audits, HHS has reminded practitioners that patients should be able to request their own records without the formality that governs authorization for disclosure of protected health information to third parties. Healthy Patients members should use the new Healthy Patients form for individual access to records or devise their own simple request form.
HHS provides this comparison between individual access to records and authorization:
Patients have a right to be reckless with their records
After years of warning practitioners against the use of unencrypted email, HHS has put practitioners in a bind by requiring practitioners to send email in an unsafe manner if that’s what the patient wants. However, practitioners must still offer patients a secure choice and must warn patients of the risks involved. Healthy Patients has developed an “informed consent” document for members. Practitioners should protect themselves from the inevitable finger pointing when patient records fall into the wrong hands. Instructions for use of the new form can be found here.
“The Secretary will impose a civil money penalty upon a covered entity or business associate if the Secretary determines that the covered entity or business associate has violated [these rules].” [HIPAA Rule – 45 CFR §160.402]
For quite some time now, federal regulations have required the protection and management of electronic health information in accordance with guidelines that are either addressable (they must be weighed and considered, with the decision documented) or required of everyone subject to the regulations. Health care practitioners who believe they can ignore security standards by working with paper records only should remember that other laws impose obligations to secure records, including Washington’s Uniform Health Care Information Act.
Too many health care practitioners neglect health information privacy and security requirements imposed by a variety of laws. Practitioners either assume compliance is too costly or that the law does not apply to their practice. Here are some resources that should change those beliefs:
Privacy and Security Compliance Survey
Complete this general questionnaire about your information management and security practices and find out how much you meet HIPAA compliance standards. Click here to go to the survey page.
Small Health Care Practices and Small Businesses
You can get quick answers to HIPAA compliance questions asked by small health care practices and small businesses by going to the Office of Civil Rights (enforcement agency) web page. Their “Frequently Asked Questions” page for small practices and businesses can be found here.
Information Privacy and Security Standards Other Than HIPAA
HIPAA privacy and security requirements fit into a broad web of state and federal laws governing personal privacy, including laws governing particular types of information. Here is a link to a 2010 table of federal laws.
The Federal Trade Commission provides guidance on the statutes, regulations, and requirements governing practitioners, which can be found in this report: Medical Identity Theft
Does the Security Rule allow for sending electronic PHI (e-PHI) in an email or over the Internet? If so, what protections must be applied?
The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.
Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status, treatment, or payment arrangements with the patient’s family and friends?
Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object. Under these circumstances, for example:
- A doctor may give information about a patient’s mobility limitations to a friend driving the patient home from the hospital.
- A hospital may discuss a patient’s payment options with her adult daughter.
- A doctor may instruct a patient’s roommate about proper medicine dosage when she comes to pick up her friend from the hospital.
- A physician may discuss a patient’s treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.
Even when the patient is not present or it is impracticable because of emergency circumstances or the patient’s incapacity for the covered entity to ask the patient about discussing her care or payment with a family member or other person, a covered entity may share this information with the person when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR 164.510(b). Thus, for example:
- A surgeon may, if consistent with such professional judgment, inform a patient’s spouse, who accompanied her husband to the emergency room, that the patient has suffered a heart attack and provide periodic updates on the patient’s progress and prognosis.
- A doctor may, if consistent with such professional judgment, discuss an incapacitated patient’s condition with a family member over the phone.
In addition, the Privacy Rule expressly permits a covered entity to use professional judgment and experience with common practice to make reasonable inferences about the patient’s best interests in allowing another person to act on behalf of the patient to pick up a filled prescription, medical supplies, X-rays, or other similar forms of protected health information. For example, when a person comes to a pharmacy requesting to pick up a prescription on behalf of an individual he identifies by name, a pharmacist, based on professional judgment and experience with common practice, may allow the person to do so.
Does the HIPAA Privacy Rule permit a covered health care provider to e-mail or otherwise electronically exchange protected health information (PHI) with another provider for treatment purposes?
Yes. The Privacy Rule allows covered health care providers to share PHI electronically (or in any other form) for treatment purposes, as long as they apply reasonable safeguards when doing so. Thus, for example, a physician may consult with another physician by e-mail about a patient’s condition, or health care providers may electronically exchange PHI to and through a health information organization (HIO) for patient care.