New Law Restricting Public Access to Your Medical Records
Posted on Tuesday, March 23rd, 2004
Health care providers in Love County have stepped up their efforts to protect the confidentiality of patient records, under terms of a new federal law that took effect nationally in April 2003.
The Health Insurance Portability and Accountability Act (HIPAA) imposes new restrictions on the way medical institutions share information with the public and each other. Fines or imprisonment may ensue for violations.
The law was enacted in part because of abuses of medical records, including instances in which the careless or malicious release of information by health care providers or the unauthorized access to records by outside parties cost patients their privacy, insurance coverage, or jobs.
All sectors of the health care market have been required to respond to the new law, including hospitals, clinics, nursing homes, and pharmacies.
The most practical effect of the new law in Marietta will be that clergy, media, public, and even family members could find it harder to identify individual hospital patients and learn their condition.
Until now, patient information has been considered a matter of public record, meaning a hospital could release a patient’s name, age, extent of injuries, and a one-word statement listing the patient’s condition.
Beginning April 14, patients must be given the choice about whether to release any information about themselves. If the patient opts for confidentiality, no information will be released to anyone, including media or law enforcement, even the fact that the patient is in the hospital.
If the patient chooses to allow the hospital to release information, the information will be limited to a one-word statement about the patient’s condition, such as critical, serious, fair, or good. However, the inquirer must know and be able to state the name of the patient they are calling about in order to hear the one-word statement of condition.
If the patient also chooses to provide religious affiliation on admission, this information will be disclosed to clergy upon inquiry. And, even if clergy does not ask for the patient by name, the hospital may disclose the name and the patient’s location in the facility.
The hospital must rely on the patient to name any family members, relatives, close friends, or other persons whom the patient wishes to have the hospital locate, notify, and inform. The information to be released is limited to the patient’s location and general condition.
In case a patient is incapacitated, or in an emergency when it is impractical for a patient to object to notifying family, the hospital staff may exercise professional judgment to act on its own in making notification if disclosure is in the patient’s best interest.
All hospital patients will be given a “Notice of Health Information Practices” document outlining how their medical information will be guarded and what they can do if that confidentiality is broken.
Both in the emergency wing of the hospital and in the waiting room of the clinic, architectural changes are under way to develop consultation areas where physicians or other staff members may confer with patients with less likelihood that their conversations will be overheard by others.
The Board of Control of the hospital/clinic has approved a series of policies to comply with HIPAA, and all hospital and clinic staff members have been trained and tested in their use.
The policies cover privacy and security. The privacy rules make sure that a patient’s personal information is not given to outsiders without permission. The security rules make sure a patient’s personal information is stored safely.
“Computers have made it very easy to collect and use health care data. Until HIPAA, there were no good laws to protect a person’s health information. HIPAA requires that personnel follow the privacy rules and that the hospital has a privacy program to protect patient health information,” the training manual states.
The confidential information requiring protection includes patient’s name, medical condition, and diagnosis, as well as medical and billing records. The information is to be protected whether it is on paper, in a computer, or spoken out loud.
The rules caution workers not to discuss patient information in public areas, such as the hallway, cafeteria, or front office, or to leave information lying open on desks, or leave a computer alone without logging out. Penalties apply to violations of the rules.
The new law does not preclude the hospital or clinic from supplying patient information to insurance companies for billing purposes or to companies who have sent employees to the emergency room to determine if work-related injuries have occurred. The hospital will continue to comply with search warrants or court orders for specific records.
The hospital’s visitation hours remain the same for patients who have opted for visitors.
“Our staff has worked hard to understand and implement these new privacy policies required by HIPAA. We hope the public will be understanding when we are not able to provide information about patients that may have been permitted in the past. The privacy rules are there to put the patient in charge of what he or she wants released, and we will do our best within the law to honor those requests and guard patient information from unauthorized disclosure,” said Richard Barker, hospital administrator.