New Medical Privacy Rules Take Effect

William Hubbartt
©2001 All Rights Reserved

New federal government regulations affecting medical records took effect recently. The regulations create national standards to protect individual health information and medical records privacy.

These regulations provide certain confidentiality protections for individuals and create responsibilities for organizations that handle individual medical records or health information.

Referred to as the Privacy Rule, the Standards for Privacy of Individually Identifiable Health Information were promulgated by the US Department of Health and Human Services. The Privacy Rule, which became effective April 14, 2001, implements requirements specified under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The compliance deadline is April 14, 2003.

Affected organizations include health plans, health care clearinghouses and health care providers or other organizations dealing with individually identifiable health information. This can include physicians, medical practices or clinics, hospitals, insurance companies, medical claims processing or billing companies, pharmacies, and employers who maintain employee medical records or provide services resulting in the handling of employee medical records.

The Privacy Rule requires covered organizations to provide patients with a clear written explanation of medical records privacy protections including a statement about how their information may be used and what disclosures of their information have been made. The rule also requires that the medical record holder obtain patient consent before releasing medical information to others. A provision in the rules permits a patient to request to see and obtain a copy of his/her medical record.

Organizations handling medical records are subject to certain accountabilities. Health information must not be used for non-health purposes. For example, individual health information may not be disclosed to employers for personnel decisions or to financial or marketing organizations without explicit authorization from the individual. Further, any disclosure of health information should be limited to the minimum information necessary for the purpose of the disclosure.

Entities covered by the Privacy Rule must establish certain safeguards to ensure the security of personal health information. These entities are responsible for adopting written privacy procedures specifying how the organization will protect information privacy, limit access, document authorization and control disclosures.

Covered entities are responsible for providing training for employees who handle medical records, and for designating a privacy officer to oversee organizational compliance with regulations.

An individual who believes that his or her medical records privacy protections were violated may file a formal complaint with the organization handling the medical records. In addition, a complaint may be filed with the Department of Health and Human Services.

Violations of the Privacy Rule may be subject to civil and criminal penalties. Civil penalties are $100.00 per violation up to $25,000.00 per person per year. Federal criminal penalties can go as high as $250,000.00 and ten years in prison for serious violations.

A free fact sheet on the medical privacy rules is available from Hubbartt & Associates. Contact this Newspaper or Hubbartt & Associates at www.Hubbartt.com.

### ###

William S. Hubbartt is president of Hubbartt & Associates, a St. Charles, IL consulting firm specializing in employee compensation, employee handbooks, personnel policies and supervisory training. (www.Hubbartt.com) Mr. Hubbartt is author of The New Battle Over Workplace Privacy, published by AMACOM Books.
