| New Law Protects Privacy of Medical Records | |
|
On Dec. 20, 2000, President Clinton announced regulations creating the first-ever federal privacy protections for the personal health information of all Americans. The rules apply to virtually all health insurers and most health care providers and clearinghouses.
The regulations, will be fully implemented within two years, and were issued under the authority of the bipartisan Health Insurance Portability and Accountability Act (HIPAA).
You know what the problems are -- regulated only by various state laws, if at all, medical records are shared without the patients' consent for uses totally unrelated to health care. Insurers pass records to mortgage lenders, credit agencies and employers. Health plan providers often give, or sell, medical records for insurance underwriting, market research and other purposes without any concern for the patients' privacy. In fact, the only person often denied access to a patient's medical records -- is the patient.
Let's
see in non-legalese what the new federal regulations do to solve those problems
and protect our personal privacy. Under the new rules:
Health plans and providers must tell consumers how their information is
being used, and to whom it is and has been disclosed. Patients have the
right to a "disclosure history," listing all parties that were
given their information for purposes unrelated to their medical treatment
within 60 days. Doctors and hospitals must get patients' written consent to use their
health information -- even for routine purposes, such as treatment and
insurance payment. Non-routine uses of records require separate, specific
authorization by the patient. Patients have the right to see and copy their own records, as well as the right to request correction of potentially
harmful errors in their health files. This may be the single most important
provision of the new regulations. Without it, incorrect or inappropriate
medical information could be used to deny health insurance, leaving the
patient with no course of appeal. The quantity of information used and disclosed is limited to the "minimum
necessary." For example, if an employer requests specific information
necessary to process a worker's compensation claim, the health care provider
may release only the specific information, not the workers entire medical
history. Responsibility for privacy is placed on the people who have the records.
All entities holding patient records must establish formal internal
procedures to ensure that health records remain private. These procedures
should include employee training, designation of a "privacy officer" to assist patients with
complaints, and ensuring that appropriate safeguards are in place for the
protection of health information. For intentional disclosure of records without consent of the patient --
up to $50,000 and one year in prison. For disclosure with intent to sell the
data -- up to $250,000 and 10 years in prison. Also, civil penalties of
$100 per person for unintentional disclosures and other violations (up to
$25,000 per person per year). The rules in no way limit a person's individual
right to sue and be compensated for damages related to improper use of
medical records.
Next page > Penalties for Violation & Public
Safety Considerations > Page 1, 2
