The Privacy Rule was one of the first examples of legislation in the United States that enhanced patient rights. This rule is the first addition to HIPAA, and it continues to shape how medical records are handled. In this post, we will cover what you need to know to be compliant with the Privacy Rule.
WHAT IS HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to improve the safety and privacy of medical information following the advent of electronic health records (EHR). Before this, there weren’t federal laws to regulate the protection and exchange of medical records.
Instead, these were fairly lawless times in this regard. While most healthcare providers would act reasonably, there were plenty of issues. For example, patients couldn’t always get copies of their medical records. Their employers, however, could acquire them via their health insurance provider.
Additionally, because EHR technology was fairly new, it was not a guarantee that these services were constantly updated for security. In many cases, there was little stopping these companies from using mediocre security measures to save money on development.
These issues and more continued until the Department of Health and Human Services (HHS) intervened by creating HIPAA. This defined important terms like protected health information (PHI) and set regulatory baselines for how medical information can be disclosed.
It’s difficult to estimate the number of people impacted by medical record breaches. Without protections to safeguard medical information, personal issues could easily become public.
For example, consider an employer asking for medical records to learn more about a new hire. These records contain information that the patient chose to be vulnerable in sharing with their healthcare provider.
The provider shares the records, and something in them leads the employer to turn down their application. Now the patient’s information is in the wrong hands. In this case, their boss can use these records to impact their employment. In future appointments, this could lead the patient to withhold information from their doctor, potentially causing major complications.
That’s one of many reasons why HHS developed the Privacy Rule.
WHAT IS THE PRIVACY RULE
The Privacy Rule was the first addition to HIPAA. This rule went through many proposals that sought to balance patient privacy and medical information sharing. While the final changes were passed in 2002, discussion about possible regulations to improve patient information protection began almost immediately.
From 1996 to 1999, Congress was tasked with creating privacy guidelines for protected health information (PHI). When this three-year deadline passed, the task was passed to the Department of Health and Human Services (HHS).
HHS provided its proposal for the Privacy Rule in 1999, and it was passed in 2000. After a comment period following this legislation, the final update was made to this rule in 2002. All rules and regulations of HIPAA apply to both covered entities and their business associates.
While some HIPAA regulations are flexible to accommodate varying healthcare organization resources, the Privacy Rule is an exception. The requirements for lawful disclosure of medical information outlined in this rule are stringent and specific.
Ensuring compliance with this rule hinges on understanding the requirements and uses of the authorization form required for the release of information (ROI).
WHAT ARE THE AUTHORIZATION FORM REQUIREMENTS?
HIPAA requires covered entities to respond to medical records requests within 30 days, and some states have even shorter deadlines. Covered entities aren’t required, however, to provide records for every request.
If an authorization form is missing any essential details, it’s the covered entity’s responsibility to return the request as incomplete. Also provide an explanation for the return, such as “missing signature.”
When creating or responding to a HIPAA-compliant authorization form, remember that specificity is key. The minimum necessary standard requires covered entities to provide the minimum records necessary to fulfill a request and leave out any that aren’t specifically requested.
A HIPAA-compliant authorization form is required for every disclosure of protected health information that isn’t otherwise permitted by HIPAA. For example, healthcare professionals don’t need signed authorization forms to exchange PHI for the care of current patients.
A valid authorization form requires the following “core elements:”
- A description of the specific information requested.
- The name/specific identifier for the individual(s) making the request.
- The name/specific identifier of the individual(s) to whom the requested information can be disclosed.
- A description of how the information will be used.
- An expiration date and/or event (for example, one could write “Until I rescind authorization”).
- The individual’s signature and the date of signing.
Additionally, the form must adequately inform the requestor of their rights to revoke the authorization, exceptions to these rights, and their protections and risks. You must present this information in plain language to ensure the requestor understands these points.
When a covered entity requests that a patient sign an authorization form, they must provide a copy of the completed form to the patient for their own record.
WHEN DOES THE PRIVACY RULE PERMIT DISCLOSURES?
Without a signed authorization form, healthcare providers can still use and disclose protected health information for select purposes. These are separated into 6 distinct categories:
- To the Individual (unless required for access or accounting of disclosures).
- Treatment, Payment, and Health Care Operations
- Opportunity to Agree or Object
- Incident to an otherwise permitted use and disclosure
- Public Interest and Benefit Activities
- Limited Data Set for the purposes of research, public health, or health care operations.
“To the Individual” is straightforward, as it essentially allows CEs to discuss a patient’s PHI with that patient. Healthcare providers may still request an authorization form before releasing records to an individual for accountability purposes.
“Treatment, Payment, and Health Care Operations” allows CEs to use PHI internally for purposes specific to the organization. For example, an organization may disclose PHI to a health plan as part of a claim for payment.
“Opportunity to Agree or Object” determines how informal permission can be utilized. For example, this rule allows pharmacists to provide medication to an individual on behalf of the patient.
“Incident to an otherwise permitted use and disclosure” allows incidental disclosures. These are unintentional disclosures that occur during an authorized disclosure. These are only acceptable when the CE has adopted “reasonable safeguards” and adheres to the “minimum necessary” rule.
“Public Interest and Benefit Activities” determines the 12 national priority purposes that allow CEs to disclose PHI without authorization:
- Required by Law
- Public Health Activities
- Victims of Abuse, Neglect, or Domestic Violence
- Health Oversight Activities
- Judicial and Administrative Proceedings
- Law Enforcement Purposes
- Cadaveric Organ, Eye, or Tissue Donation
- Serious Threat to Health or Safety
- Essential Government Functions
- Workers’ Compensation
“Limited Data Set…” allows CEs to use PHI stripped of certain identifying features if the patient has signed a data use agreement promising appropriate safeguards.
WHAT ARE THE PATIENT RIGHTS PROVIDED IN THE PRIVACY RULE?
While the Privacy Rule primarily discusses the regulation of protected health information while under the care of covered entities, it also advanced patient rights with regard to accessing and reviewing their medical information.
It’s important to note the Privacy Rule only extends to covered entities and, after the Omnibus Final Rule, business associates. This means that if a patient requests their medical records, the patient is responsible for protecting them.
The Privacy Rule also doesn’t apply to patient information that has been de-identified. This essentially means the data has been stripped of any identifying features such as name, date of birth, and more.
According to the Privacy Rule, individuals gain many rights regarding their PHI that they did not have before. They now have the right to:
- Obtain documentation for medical records disclosures made with their PHI over the previous 6 years.
- Submit a request to amend inaccurate or incomplete information within their medical records.
- Review and obtain copies of their own medical records and other such PHI.
- File a complaint about the covered entity’s compliance with privacy policies, procedures, and the Privacy Rule.
- Be protected against retaliation from a covered entity for exercising these rights, assisting in an HHS (or similar) investigation, etc.
- Receive notice of privacy practices, including anticipated uses or disclosures that covered entities can make without patient authorization.
- Request alternative means or location for receiving PHI.
While this rule allows patients to seek their own protected health information, there are limitations. These limitations include:
- Psychotherapy notes
- Information compiled for legal proceedings
- Laboratory results to which the Clinical Laboratory Improvement Act (CLIA) prohibits access
- Information held by certain laboratories
Covered entities are also responsible for declining the release of information in cases where releasing PHI to an individual could harm them or other individuals.
PRIVACY RULE AND MEDICAL RESEARCH
When HHS was working on the Privacy Rule, they took medical research into consideration. Progress can’t happen without data, and these real-life experiences and responses to treatments are a goldmine for medical advancement. Unfortunately, they can also be a goldmine for cybercriminals seeking to steal a patient’s identity.
The U.S. General Accounting Office (GAO) prepared a report in 1999 to help develop medical privacy legislation. This report noted that the Common Rule lacked effective confidentiality regulations.
In the report, GAO also cited a National Institutes of Health (NIH) and Institutional Review Board (IRB) study. This study found that privacy and confidentiality complaints were the most common among research subjects.
HHS considered requiring covered entities to acquire authorization for every research situation but determined this would severely hinder future research. By analyzing their own research and research done by other organizations, they found ways to balance medical research with privacy requirements.
HHS also considered trying to extend the Common Rule to apply to non-federal researchers. Unfortunately, the limited scope of their authority did not extend this far.
When the rule was finalized in 2002, HHS ruled that research authorization forms must specify how PHI will be used. With this ruling, “future research” was determined to be too broad a reason.
Rather, researchers must say, for example, “2022 Research Study on Heart Disease” rather than just “Research” to receive medical records. Additionally, researchers must inform the patient of any risks to their PHI that may result from its use.
Alternatively, if patients want to simplify the process, they’re within their rights to share their own PHI as they wish. We make it easy for patients to share their medical records instantaneously with “Subscribe and Share.”
CHARTREQUEST HELPS GUARANTEE COMPLIANCE
ChartRequest complies with the many rules and regulations of HIPAA and all other relevant laws. We aim to make medical records exchange quick, easy, and secure for healthcare professionals and their requestors.
To accomplish this, we provide our users with a centralized dashboard that shows all incoming and/or outgoing requests. Not only can you accomplish every aspect of the medical records exchange process online, but you can significantly decrease the number of phone calls and faxes your organization receives regarding medical records.
This is because we provide unprecedented levels of transparency throughout the process. Users can check for real-time status updates anytime and reach out digitally via our built-in provider chat function.
ChartRequest automates as much of the process as possible and streamlines the rest. Including time saved on phone calls and other manual patient communications, we save providers up to 2 hours per request.
In addition to the increased speed, our process also aims to eliminate errors with our “Double QA” process. In this process, either our team or your team performs a quality assurance check twice.
The quality assurance process ensures that retrieved records completely fulfill the bounds of the request without breaching the minimum necessary standard. This is useful for catching mistakes in the records such as:
- Records retrieved for the wrong patient
- Incorrect date(s) of treatment
- An expiration time or event that has passed
- Treatment that is not applicable to the specific request
- Much more
Don’t leave your organization’s compliance up to chance. Take the next step toward improving your patients’ privacy, and click here to learn what ChartRequest can do for you.