HIPAA-Related FAQs
- What is HIPAA?
- How did the Amended HIPAA Rule eliminate my right to medical privacy?
- Will drug companies be able to find out what medications I take for marketing purposes?
- Will drug companies be able to find out about my health problems and market new medications or disease management programs to me?
- Will the rule prevent me from picking up a spouse’s or neighbor’s prescriptions?
- If a friend of mine loses consciousness and I take him to the emergency room, will the physician be able to tell me what’s going on?
- If I lose consciousness and am taken to an emergency room in Alaska, will the physician be able to access my electronic medical records?
- Do the rules allow teenagers to keep their medical information secret from their parents?
- Will I be able to find out whether a friend or relative is in the hospital?
- Can hospital employees see my medical records?
A: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a complex, 1500-page set of rules enacted by Congress which began as a “portability act” to help individuals keep their health insurance coverage as they moved from one job to another.
HIPAA evolved to include much more than portability, to cover medical privacy and the use of information technology to transfer your medical records.
A: It eliminated the traditional rights and expectations of individuals not to have their personal health information used or disclosed without their consent.
See our webpage: HIPAA, the Intent v. the Reality.
In place of upholding our privacy rights, HIPAA only gives us the right to “request” restrictions on the use and disclosure of our personal identifiable health information.
It does NOT guarantee that we can restrict who can see and use our medical records. Section 164.522(a) (1). The new Rule is quite specific that “a covered entity is not required to agree to a restriction” requested by an individual. Section 164.522(a) (1) (ii). Accordingly, the “right to restrict” is really a “right to beg” for restrictions.
Covered entities will have a disincentive to grant requests for restrictions on use and disclosure because, if they agree, they must abide by those agreements and then could be sued for violating the agreements. Section 164.522(a)(iii).
Further, covered entities, such as physicians and other direct treatment providers, are unlikely to be able to enter into such agreements even if they wanted to, because such agreements will conflict with policies and procedures imposed by health insurers who require the full disclosure of all health information regardless of the individual’s wishes.
The demands of health insurers will be very difficult for physicians to oppose since insurers were granted “regulatory permission” by the federal government to use and disclose our personal health information for all “routine” purposes.
Example: It is unlikely that a depressed person would have the presence of mind, after having attempted suicide, to ask the hospital and physicians to restrict the use and disclosure of his/her health information. It is likely that a depressed person, like most other Americans, would assume that their medical records would never be used or disclosed without his/her consent. (This is a “common belief” among citizens today, according to the original Rule. 65 Fed. Reg. at 82,472.)
Even if a depressed person had requested that the use and disclosure of his/her sensitive medical treatment records be restricted, the hospital and physicians would have been under no obligation to agree to any such restriction.
A: Yes. Marketing that is health related and done on behalf of a covered entity is permitted under the Amended Privacy Rule. Section 164.501.
Example: The Amended Rule permits drug companies to conduct unlimited marketing of drugs and other health related items to patients for an unlimited period of time without their permission (and even over their objections) as long as the marketing is conducted on behalf of a covered entity like a pharmacy or health plan. If you take Prozac, you could get samples of Wellbutrin in the mail without your doctor’s knowledge or permission.
A: Yes. The Amended Rule provides regulatory permission for pharmacies to obtain virtually any information about an individual without his knowledge or consent if they can assert that they need the information for treatment, payment or health care operations.
The pharmacy may then disclose the health information to any drug company (or any other entity) that “performs or assists in the performance of a function or activity involving the use or disclosure of identifiable health information” on behalf of the pharmacy. Section 160.103
Example: A depressed patient’s pharmacy can obtain the information about his/her depression and attempted suicide and disclose it to a drug company if it is in the context of some “function or activity” performed by the drug company for the pharmacy.
A: No. Pharmacies are supposed to make sure the person picking up the prescription was actually sent by the patient.
The Original Privacy Rule allows others to pick up patient prescriptions with written consent. In cases where written consent could not be obtained, such as where the pharmacy did not have a prior relationship with the individual, others could pick up prescriptions if the individual’s consent was “clearly inferred from the circumstances”. 65 Fed. Reg. at 82,810.
A: Yes. This information is available under either the Original Rule or the Amended Rule. The difference, however, is that it would appear to be disclosable under the Amended Rule regardless of the patient’s wishes.
For example, if two people got into a fist fight and one was knocked unconscious, he would be unable to prevent the person he was fighting with from finding out about his condition under the Amended Rule.
A: Yes. Your electronic medical records will be used and disclosed in emergency situations to save your life.
This falls under “routine purposes”. However, your electronic medical records will also be used and disclosed to an unlimited number of covered entities for all “routine” purposes without your knowledge or consent, purposes that have nothing to do with your medical care or with emergencies.
How would you like:
- a pharmacist to read your mental health records?
- your dentist to read about your breast cancer?
- an accounting clerk to read about your sexual orientation or that you have a sexually transmitted disease?
- a medical records clerk in Pakistan to transcribe your identifiable information, such as social security number and address?
Those are all “routine” and legally permitted uses of your personal health information under the Amended HIPAA Privacy Rule.
A: No. Not unless stronger state laws exist. The Amended Rule eliminates any right that teenagers have to keep their health information private from their parents unless state law prohibits such disclosures. Section 164.502(g) (3).
This is a change from the Original Rule which would have permitted teenagers to exercise their right to privacy with respect to their parents if state law permitted them to consent to medical treatment without a parent’s approval. 65 Fed. Reg. at 82,806
As with uses and disclosures of health information for routine purposes, this change in the Amended Rule reverses the presumption that teenagers have a right to medical privacy where the state recognizes a right of consent to treatment, and replaces it with a presumption that teenagers have no right to medical privacy unless it is expressly granted by state law. Here again, the individuals’ rights to medical privacy are curtailed by the Amended Rule.
Example: A 17-year-old girl would not be able to obtain a clinical test to determine whether she had contracted a venereal disease without having the results of the test disclosable to her parents under the Amended Rule. The likely result is that the test will not be requested, the diagnosis will not be made, and the parents may never be grandparents, if the infection causes sterility.
A: Yes. Hospitals can give out basic information — generally a one-word description of the person’s condition, sometimes a room number — to callers asking about a patient by name. However, the hospital must give the individual an opportunity to object to certain “directory” information being given out. Section 164.510(a).
A: Yes. The Amended Rule permits an unlimited number of hospital employees to have access to an unlimited amount of health information about you without your knowledge or consent as long as they can say they reviewed the information for purposes of treatment, payment or health care operations.
Example 1: “A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 of the hospital’s employees. (The Boston Globe, August 1, 2000)”. 65 Fed. Reg. at 82,467
Example 2: A hospitalized depressed patient can rely on the fact that, under the Amended Rule, countless individuals employed by the hospital, the hospital’s “business associates” (including lawyers, accountants and consultants), employees of the physician practices from whom he received treatment, and employees of the pharmacies where he had prescriptions filled (and their business associates) will all have access to the health information concerning his/her attempted suicide and hospitalization for an indeterminate period into the future. This individual would have to live in a very large city in order for his attempted suicide and hospitalization to not become common knowledge in the community.
Under the Amended Rule, he/she has the opportunity to feel “violated” each day for the rest of his/her life simply because he/she sought desperately needed health care. One can only imagine the effect this will have on his/her depression.