Privacy Issues in Health Care Related to HIPAA

Patient Rights

• Under the federal HIPAA Privacy Rule, patients have several rights regarding their medical information. The privacy regulations apply to many kinds of health information including patient medical records, electronic health records, billing information and conversations between doctors and other health care providers, according to the US Department of Health and Human Services. Patients' health care providers must provide them with notification explaining how their medical records and other health information will be utilized. According to the Department of Health and Human Services, medical information cannot be released to employers, an advertising or sales company or any family member or friend that has not been designated as a personal representative for the patient. If patients consent to having their information given to another party, they must sign an authorization form that clearly explains who the information is being released to and for what reason. HIPAA regulations also give patients the right to receive one annual report from their health care provider that documents who their information was shared with. For example, health information can be released to government agencies for public health purposes without a patient's direct permission.

  Patients, and in some cases the court system, can appoint a patient representative to receive health care information on their behalf. Parents and legal guardians automatically have this right when dealing with minor patients. In addition, individuals that have power of attorney or are executives of a deceased patient's estate can be considered patient representatives. However, according to the HHS, a health care institution is permitted to refuse to release patient information to a representative deemed as a danger to the patient.

Health Care Providers' Responsibilities

• Health care providers, health insurance companies, health maintenance organizations, health care clearinghouses and government providers such as Medicaid and Medicare are required to adhere to the HIPAA privacy rules. This includes hospitals, clinics, pharmacies, dental offices, physician offices and nursing homes, according to the Department of Health and Human Services. These institutions must have procedures in place to protect health information and to ensure that any entities with whom they are contracted do the same. Any staff that has access to medical information must receive in-service training on HIPAA regulations and the employer's patient protection policies. The federal Health Information Privacy website states that providers that fail to comply with the HIPAA privacy regulations and are found to have done so purposely are subject to financial penalties totaling up to $1.5 million per year. In addition, purposeful noncompliance may result in criminal charges that result in fines or imprisonment.

Filing a Complaint

• Patients and their representatives may file a complaint with their health care provider if they believe their health information has been misused in accordance with HIPAA privacy standards. Health care providers must give anyone making a complaint the contact information for the designated staff member in charge of investigating such incidents. Consumers also have the right to file a complaint with the federal government's Office for Civil Rights, or OCR. Complaint forms can be obtained on the Department of Health and Human Services website. Consumers may submit their documents by mail, email or fax to the OCR up to 180 days after the incident.