April 22, 2003 -- HIPAA forms. You got them from your doctor. You got them from your pharmacist. You got them from your insurance company and maybe even from your employer. What's up?
Blame a deadline for the flurry of forms. On April 14, 2003, healthcare providers had to comply with HIPAA rules. On that date, everybody with access to your medical records had to be able to prove they had a plan for keeping those records private.
You had to sign a form agreeing that they told you they had a plan, and that they'll show it to you if you want to see it. And if you work for a company involved in keeping medical records, you had to show that you understood the new HIPAA rules.
Other than the forms, what's truly new? Don't look to the name for an explanation. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. The original idea was to force the healthcare industry to save money by computerizing paper records. That led to concerns over privacy -- and new privacy regulations from the Department of Health and Human Services (HHS).
Here's the bottom line: HIPAA rules give you new rights to know about -- and to control -- how your health information gets used.
- Your healthcare provider and your insurance company have to explain how they'll use and disclose health information.
- You can ask for copies of all this information, and make appropriate changes to it. You can also ask for a history of any unusual disclosures.
- If someone wants to share your health information, you have to give your formal consent.
- You have the right to complain to HHS about violations of HIPAA rules.
- Health information is to be used only for health purposes. Without your consent, it can't be used to help banks decide whether to give you a loan, or by potential employers to decide whether to give you a job.
- When your health information gets shared, only the minimum necessary amount of information should be disclosed.
- Psychotherapy records get an extra level of protection.
WebMD asked Kimberly Rask, MD, PhD, director of the center on health outcomes and quality at Emory University's Rollins School of Public Health, to put HIPAA rules into perspective.
Q: What does HIPAA mean to the average person? What has changed?
Rask: The intent is to protect the privacy of your health information. What's different is that HIPAA puts some very specific rules in place about when, how, and what kind of information can be shared. Also, it makes sure that the person whose information is being shared is aware of that possibility.
Q: What will happen when we see our doctors?
Rask: There are two things patients will see. First, doctors' offices will ask patients to sign papers saying they are aware the office has privacy policies in place. They can review those policies if they like. Second, patients may be asked to sign forms that authorize sharing of medical information with other healthcare providers involved in their care. They may be required to sign separate forms for each provider.
Q: Is this really going to make our medical records more private?
Rask: I think actually, from a privacy perspective, having these regulations in place guarantees a higher level of privacy. I don't think there's a downside here.
Q: What's not to like?
Rask: Where there is a downside is in bigger issues that don't relate to individual patients. Example one: In order to comply, many doctors, hospitals, etc. are spending enormous amounts [of money] to become compliant. Dollars that go to this are not dollars that go elsewhere. It is important to think about the costs of making this paperwork trail. At a time when we are having so much trouble providing minimal healthcare to so much of our population, I would like to see more of an emphasis on care than on paperwork. But that is a trade-off we are making to ensure better privacy.
The second problem I have is that we aren't just concerned with the care given to an individual patient. We also are concerned about the quality of care we provide and about patient safety. For these larger issues, researchers need to be able to look at patient information. We need to be able to tell when things went wrong and when they went right. The more we restrict this research, the more we restrict our ability to describe and improve what is going on in the healthcare system. That is a trade-off, too. Some people would feel that the privacy of an individual outweighs any other benefit. On the other hand, it is very difficult to change or improve healthcare if we can't look at what is being done.
Q: Are computerized records really more secure than paper records?
Rask: There are very good ways to protect data electronically. Although it sounds scary, it makes data more protected than current paper records. For example, think about someone looking at your medical chart in the hospital. It has a record of all that is happening -- lab results, doctor consultations, nursing notes, orders, prescriptions, etc. Anybody who opens it for whatever reason can see all of this information. But if the chart is an electronic record, it's easy to limit access to any of that. So a physical therapist writing physical therapy notes can only see information related to physical therapy. There is an opportunity with electronic records to limit information to those who really need to see it. It could in many ways allow more privacy than current paper records.
Q: What else needs to be done?
Rask: We need discussion of why it might be useful -- for all of us -- to do some sharing of health information for the broader purpose of monitoring and improving the quality of healthcare. There is a value to this. The crux of the issue is how do you balance this? How do you make sure that the specific information researchers want to know is available while preventing inappropriate access to personal information? HIPAA is trying to protect us from inappropriate use of our medical records. In doing that, it also restricts some appropriate uses.