HIPAA Privacy Rule
A patient’s right of privacy and confidentiality is protected by law. No one, including spouses, friends, or attorneys, is permitted to review the patient’s medical record without prior written authorization, except as required by law (court order or subpoena) or other regulation.
- Only information that is pertinent to a patient’s treatment may be disclosed to other practitioners. Only authorized hospital personnel have access to medical records. All requests for medical information must be referred to the Health Information Management department.
- All employees are required to sign a confidentiality statement upon employment.
To decrease the risk of uninvolved persons overhearing or seeing confidential patient information:
- Confine discussion of patient care information to the patient care areas.
- Keep computer ID/passwords confidential. Unauthorized use of ID/passwords may be subject to disciplinary action.
- Exit computer programs and log off before leaving the work station.
What is HIPAA?
The HIPAA Privacy Rule is a Federal Law that went into effect on April 14, 2003. The law protects the confidentiality of our patients’ protected health information, or PHI. Protection of patient privacy and confidentiality is also required by the Center for Medicaid Services (Elevae Partners, LLC) and the Joint Commission.
Healthcare has a tradition of privacy. People have kept patient information private as far back as the fourth century BC with the Hippocratic Oath. However, with the advanced communications technologies in use today, safeguarding the privacy of patient information is more of a challenge. The HIPAA Privacy Rule reflects these new concerns.
The HIPAA law is complex. Protecting patients’ healthcare information involves two considerations: Privacy and Security. There are differences between the two that you should know.
“Privacy” is concerned with the disclosure of information about a patient to the patient directly, or to those to whom we reasonably believe the information can be disclosed if it is consistent with good health care professional practices. (See HIPAA Privacy.)
“Security” is concerned with the processes, procedures, and technologies that we use to make sure that the people viewing or changing the information are really the ones who are authorized to do so. (See HIPAA Security.)
What information is protected?
All patients (including celebrities and our own employees) have the right to privacy, and this extends to their personal health information, referred to in the HIPAA Privacy Rule as “Protected Health Information,” or PHI.
What types of information are protected?
- Paper records
- Computerized information
- Oral communication
What are examples of PHI?
- Face sheets
- Results of exam/evaluation
- Test results
- Treatment and appointment information
- Patient bills
- Photographs
- Paper records
- Computerized patient records and information
Releasing Patient Health Information (PHI)
What information can be released only with the Patient’s approval?
As a general rule, Medical Records can only be released to outside parties with the patient’s approval, or if there is a law requiring release. (See following section, below.) Again, as a general rule, this information can be released to outside parties only by the Health Information Management Department (Medical Records), or in some cases, the Records Custodian of each department.
Who are the Records Custodians?
Each department or unit that maintains PHI has a “records custodian” to approve access to PHI for purposes other than routine treatment, payment or operations purposes. Records Custodians may include department leaders and supervisors, unit secretaries, or other persons designated by department leaders.
What are the Authorization Requirements?
A written authorization, signed by the patient or legal representative, must be obtained for any release of information except when the release is required by law, or when the information is used for the routine purpose of treatment, payment, or operations. For example, we are permitted to share our patients’ PHI with other providers such as physicians to treat the patient, or we may submit PHI to insurance companies to obtain payment, all without patient authorization.
What about releasing Patient’s Protected Health Information (PHI) verbally in discussions with friends and family?
When the patient is present and has the capacity to make his or her decisions, we may disclose PHI to friends and families, if one of the following conditions is met:
- We obtain the oral agreement of the patient or legal representative;
- We provide the patient with an opportunity to object to the disclosure, and the patient does not object;
- We infer from the circumstances that the patient does not object to the disclosure, for example, when a friend has brought the patient to the emergency room for treatment.
When the patient is not present, or when the patient is incapacitated due to an emergency, it’s okay to make the disclosure if our decision is consistent with good health care professional practices. For example, when a patient is brought to the emergency room, we may inform relatives and others involved in the patient’s care that the patient has suffered a heart attack and we may provide updates on the patient’s progress and prognosis when the patient is unable to make decisions about such disclosures.
Whatever information we disclose to the patient’s friends or families should be directly relevant to that person’s involvement. For example, a neighbor picking up a patient can be told that the patient is unsteady on his feet; however, the neighbor should not be told that a tumor was removed.
How is Protected Health Information handled for Minors?
If a patient is a minor (under 18 years of age), the patient’s parents or guardian may receive or direct the use and disclosure of PHI on behalf of the patient, except for “Emancipated Minors.”
Emancipated Minors are children who have been released from the control of parents or guardians, and may control their own PHI, in the same manner as an adult:
- Anyone who is not yet 18 years old but is legally married or who is a parent.
- Anyone who is not yet 18 years old, but has been legally married and is now divorced, or a widow or widower.
- Anyone who is not yet 18 years old but is maintaining his or her own residence and is self-supporting. A reasonable effort to contact parents must be made.
- Anyone who is not yet 18 years old and is pregnant.
Minors Who Are Not Emancipated: Any minor (under 18 years of age) has the right, without parents’ consent, approval, or notification, and in the same manner as an adult, to protect their health information for the voluntary treatment of:
- Alcohol or drug abuse
- Testing and treatment for sexually transmitted disease