Think your healthcare information is always confidential? Unfortunately, it ain’t necessarily so.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) introduced some important privacy protections for your personal and healthcare information, which, in HIPAA language, is called Protected Health Information, or PHI.
Among the HIPAA provisions is a set of rules that permit your healthcare providers to share your PHI without your authorization. The circumstances include the following:
— Uses and disclosures required by law
— Uses and disclosures for public health activities
— Disclosures about victims of abuse, neglect, or domestic violence
— Uses and disclosures for health oversight activities
— Disclosures for law enforcement purposes
— Uses and disclosures for coroners and medical examiners
— Uses and disclosures for cadaveric organ, eye, or tissue donation purposes
— Uses and disclosures for research involving minimal risk
— Uses and disclosures to avert a serious threat to health or safety
— Disclosures for workers' compensation
Should your healthcare provider disclose your PHI for one of the above reasons, he or she is required to document, or "account" for, the disclosure. You have the right to receive that accounting so that you will know to whom, if anyone, your healthcare provider has disclosed your PHI. You can exercise that right at any time by simply asking your provider for an accounting of the disclosures of your PHI; the accounting covers the six years before your request, and you are entitled to one free accounting in any 12-month period.
However, compliance with disclosure accounting is spotty at best. Many healthcare staff and providers do not really know or understand how or why they can, or should, disclose your PHI, so some of them do not account for such disclosures.
You may not know whether your PHI has been disclosed at all: your authorization is not required for these types of disclosures, and providers' offices may not be compliant with the disclosure accounting rules.
More important, though, is the fact that once your provider does disclose your PHI, whether they account for the disclosure or not, whoever receives your PHI may or may not be required to comply with the HIPAA privacy rules. HIPAA binds only covered entities (providers, health plans, and clearinghouses) and their business associates; a recipient that is neither, such as a law enforcement agency, an employer, or the press, is under no HIPAA obligation to protect what it receives.
For example, Sue Smith (name changed to protect the individual's privacy) suffered a death in her family. Because of the circumstances, her family member's PHI was provided to law enforcement. Fortunately, the healthcare provider followed the HIPAA privacy rules and accounted for the disclosures. But her family member's PHI was subsequently released to the press, including Social Security Number, date of birth, and diagnoses.
How the press got the information is a subject for the courts. The point is that the information was not protected once disclosed by the healthcare provider.
Your healthcare information may not be safe once disclosed by your provider, either.
What can you do to help ensure that you and your family’s protected healthcare information really is protected and remains confidential?
First: should you or your family member ever be involved in any circumstance mentioned above in which your healthcare provider discloses your PHI, exercise your right to an accounting of the disclosure by your healthcare provider. Put the request in writing and keep a dated copy.
Next, if no accounting is provided to you in writing within 60 days (the Privacy Rule allows the provider one 30-day extension if it tells you in writing why it needs more time), file a complaint with your healthcare provider's HIPAA Privacy Officer (every HIPAA covered entity is required to designate one), and if necessary, file a complaint directly with the Department of Health and Human Services' Office for Civil Rights. Note that OCR generally requires complaints to be filed within 180 days of when you knew, or should have known, of the violation.
Then, make certain that you follow the chain of custody: who got the information, and what they did with it. Make sure that all of your requests for this information are in writing, and follow-up with phone calls.
Finally, always keep a log of your requests; you may need it.
The HIPAA privacy rules were designed to keep your protected health information confidential while it is in the custody of your healthcare provider or another covered entity. Once it is disclosed to an organization that is neither a covered entity nor a business associate, it is no longer protected by HIPAA. It is up to you to keep track of your PHI and make sure it is kept as protected and confidential as possible.