HIPAA and Medical Records

As a business owner, you are asked to hand over medical records that you have. What should you do? The answer turns on HIPAA.

What is HIPAA?

“HIPAA” commonly refers to the federal health data privacy and security laws enacted under the Health Insurance Portability and Accountability Act of 1996. Primarily, HIPAA created vague standards for health data protection, with Congress telling the U.S. Department of Health and Human Services (“HHS”) to create regulations or “rules” protecting the privacy and security of electronic health data. As Congress instructed, HHS issued privacy and security rules that are now called HIPAA.

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule (1) establishes Individual (capitalizing HIPAA defined terms) rights with respect to covered Health Information, (2) defines and limits the circumstances in which a Health Plan or Health Care Provider may use or disclose Protected Health Information (“PHI”), and (3) requires Health Plans and Health Care Providers to adopt safeguards to protect the confidentially of PHI. The HIPAA Privacy Rule is found at Part 160 and Part 164, Subparts A and E.

What is the HIPAA Security Rule?

The HIPAA Security Rule established standards to protect Individuals’ electronic PHI that a Health Plan or Health Care Provider creates, receives, uses, or maintains. It requires appropriate administrative, physical, and technical safeguards to protect PHI’s confidentiality, integrity, and security. The Security Rule is found at 45 C.F.R. Part 160 and Part 164, Subparts A and B.

What Does HIPAA Protect?

HIPAA protects Health Information that identifies an individual or can be used to identify an individual and is created or received by a Health Plan or a Health Care Provider. Such information is defined as Protected Health Information or “PHI.”

HIPAA protects almost all information about an Individual’s health. For example, whether Jane Doe is or is not Dr. Smith’s patient. As an exception, a Health Care Provider can have a facility directory with an Individual’s name and location within the facility. Otherwise, any Health Information is PHI protected by HIPAA.

Who Must Comply with HIPAA?

HIPAA’s privacy and security rules apply to Health Plans and Health Care Providers. While the rules apply only if a Health Plan or Health Care Provider conducts certain health care transactions electronically, as a practical matter today, all Health Plans and Health Care Providers do so.

If you are a Business Associate of a Health Plan or Health Care Provider and receive Protected Health Information in that role, HIPAA requires you, the Business Associate, to protect the PHI like a Health Plan or Health Care Provider.

Unless you are a Health Plan or a Health Care Provider, or a Business Associate of a Health Plan or a Health Care Provider, HIPAA does not apply to Health Information you have. For example, if you, as an employer, have detailed Health Information as part of a workers’ compensation claim, HIPAA does not directly apply to that Health Information.

On the other hand, HIPAA now provides the privacy standard that is expected for medical records. In addition to litigation risks of common law invasion of privacy claims, if you are an employer that does not safeguard medical records or other personal private information, you could expect turmoil among your employees. So, your best practice is generally to treat all medical records like they are protected by HIPAA.

What Does HIPAA Prohibit?

HIPAA prohibits the use or disclosure of Protected Health Information, except as an Individual authorizes or as the HIPAA Privacy Rules allow. In addition, when using or disclosing PHI, reasonable efforts are required to limit the PHI used, disclosed, or requested to the Minimum Necessary.

Generally, the HIPAA Privacy Rules permit the use or disclosure of PHI for Treatment, Payment, and Health Care Operations. For Psychotherapy Notes and for Marketing, a specific patient authorization is required.

HIPAA allows, without an individual’s Authorization or agreement, a Health Plan or Health Care Provider to disclose PHI when Required By Law. These Disclosures include Health Information gathered to prevent or control diseases, to compile public health statistics, or to report victims of abuse, neglect, or domestic violence.

HIPAA allows, as to judicial and administrative proceedings, a Health Plan or Health Care Provider to disclose PHI in response (a) to an order of a court or administrative tribunal that expressly authorizes that Disclosure or (b) to a subpoena or discovery request, if a qualified protected order has been entered or requested, or (c) as authorized by and to the extent necessary to comply with workers’ compensation laws.

What Does HIPAA Require?

HIPAA requires a Health Plan or Health Care Provider to disclose to an Individual his or her own Protected Health Information and requires a Health Plan or Health Care Provider to disclose PHI to HHS’s Secretary (i.e., the federal government) when it is investigating a complaint related to or compliance with HIPAA. HIPAA also requires many Health Plans and all Health Care Providers to give patients detailed Notices of their privacy rights.

Is That All I Need to Know About HIPAA?

If you are a Health Plan, a Health Care Provider, or a Business Associate of a Health Plan or a Health Care Provider, the above general summary is not all you need to know about HIPAA. HIPAA has many detailed requirements, especially as to the HIPAA Security Rule. If you have questions, hire a healthcare lawyer familiar with HIPAA.