Medical Records: Protecting Patient Confidentiality
Maintaining the privacy and confidentiality of health information has been an expectation for decades and a regulatory requirement since the mid-1990s. Since the inception of the original privacy regulations, there have been significant advances in technology, particularly in the area of information management. It is imperative that health care organizations have strong practices in place to maintain confidentiality and protect their patients’ privacy.
Protecting patient privacy is vital to the physician-patient relationship. Patients need to feel confident that information they share with healthcare providers will not be disclosed without their consent. The fear of inappropriate disclosure of health information may result in patients withholding information critical to their care.
The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) codified requirements for covered entities and their business associates to protect patients' health information.
Health information is considered protected when it is identifiable. A diagnosis alone is not protected, but if it is coupled with information that can identify a patient, it becomes protected health information (PHI). Examples of personal identifiers include things such as name, address, phone number, social security number, or medical record number. In addition, other information can make it easy to link a patient with a diagnosis or condition, such as a media report about an accident or even referring to "a gallbladder patient on the second floor" when this might identify a patient in a community hospital.
Minimum Necessary Requirement
Healthcare workers have always had access to patients' protected health information in paper records; however, access to this information has increased exponentially with the introduction of electronic health records. The Health Insurance Portability and Accountability Act (HIPAA) states that healthcare providers and their employees should access the minimum amount of protected health information necessary in order to accomplish the intended purpose.
Protecting Health Information in Your Practice
Healthcare organizations must institute practices to protect their patients' health information from unauthorized disclosure. According to HIPAA/HITECH, covered entities (CE) should conduct a risk analysis to identify the potential risks and vulnerabilities in their organization. After identifying risks, an organization should take steps to address any vulnerabilities.
To protect patients’ privacy organizations should:
- Evaluate office space and work areas. Do they provide privacy for patients? Can conversations be overhead by others? Are computer screens visible to others?
- Develop policies and procedures to guide staff in handling of PHI
- Provide staff with education on maintaining privacy of PHI
Notice of Privacy Practices
According to HIPAA, healthcare providers and health plans are required to provide their patients with a notice of privacy practices (NPP), which explains how they will use the patient’s protected health information, as well as the patient’s health privacy rights. Included in the notice should be:
- A statement that the organization may use the patient’s health information for treatment, payment, and operations.
- When required by state or federal law, the organization will disclose information without authorization:
- To report abuse or neglect.
- To persons authorized by law to act on the patient’s behalf, such as a guardian, health care power of attorney, or surrogate.
- For disaster relief purposes, such as to notify family about the patient’s whereabouts and condition.
- For public health activities such as reporting on or preventing certain diseases.
- To comply with Food and Drug Administration requirements.
- For health oversight purposes such as reporting to Medicare, Medicaid or licensing audits, investigations or inspections.
- Where required by U.S. Department of Health and Human Services to determine the entity’s compliance.
- In connection with Workers’ Compensation claims for benefits.
- To assist coroners or funeral directors in carrying out their duties.
- To comply with a valid court order, subpoena, or other appropriate administrative or legal request if the patient is involved in a lawsuit, or to assist law enforcement where there was a possible crime on the premises. The entity may also share the patient’s information where necessary to prevent or lessen a serious or imminent threat to the patient or others.
- If the patient is an inmate, the entity may release the patient’s information for their health or safety in the correctional facility.
- The entity may share the patient’s information with appropriate military entities if the patient is a member or veteran of the armed forces.
- The entity may be required to disclose information for national security or intelligence purposes.
- A statement that any other disclosure of PHI will only be made with patient authorization.
- The patient’s rights regarding their health information.
- The patient’s right to request restrictions on release of their PHI.
- This includes the right to restrict disclosure to their health plan if they pay out of pocket.
- How the patient can file a complaint with the organization and with the Department of Health and Human Services (DHHS).
If an organization choses to communicate with their patients electronically, they must take steps to ensure that these communications are conducted over secure networks. See our practice tip on e-Communication: Using email, texting, recordings, and portals to promote patient communication
Under certain circumstances, minors can consent to their own healthcare (see our practice tip Minors and the Right to Consent to Health Care Treatment). Assure that this protected health information is not released without the minor’s authorization and plan ahead for when the minor reaches 18 years of age and are able to control access to all of their health information. If a minor requests treatment and presents their parent’s insurance card, the minor should be informed that their parents will receive a notice of the visit. The practice can offer the option to pay out of pocket for the visit, thus avoiding the notification to their parents.
The individual's right to health information privacy survives after death.
Although the Final Rule permits (not requires) covered entities to disclose a decedent's PHI to family members and others who were involved in the care or payment for care of the decedent (unless doing so is inconsistent with any prior express preference of the individual), MMIC advises that an authorization to release protected health information be obtained from the individual who has legal authority to act on behalf of the deceased or the estate. Note: some state statutes may allow the surviving spouse access to the deceased spouse's medical record unless prior to death the deceased spouse indicated otherwise, e.g., NH.
The Final Rule requires compliance with the HIPAA Privacy Rule with regard to protected health information of a deceased individual for a period of 50 years following the date of death. Individually identifiable health information of a person who has been deceased for more than 50 years is not protected health information under the HIPAA Privacy Rule.
Subpoenas, Court Orders, and Search Warrants
Subpoena. A subpoena alone is not sufficient to compel the release of protected health information without authorization from the patient. However, a subpoena cannot be ignored. If the practice receives a subpoena requesting protected health information:
- Notify legal counsel and your malpractice carrier as soon as possible to seek guidance. Contact must be made with the Clerk of the Court or the attorney who acted as an officer of the court if the practice does not intend to comply.
- Determine the patient's position on releasing the protected health information requested in the subpoena. If the patient agrees to the release, obtain a signed authorization.
Court Order or Search Warrant. A court order carries more weight than a subpoena and may compel the release of protected health information (45 C.F.R. 164.512(e)). When presented with a court order or search warrant that demands protected health information:
- Inform the process server of your intent to comply.
- Determine the time frame of the request: is this an immediate demand or has time been given to produce the records.
- Request the opportunity to seek legal advice and contact your attorney/legal counsel as soon as possible.
- Notify your malpractice carrier when appropriate.
Requests for Records
Other uses and disclosures of protected health information, not permitted by law, require the patient’s written authorization. Organizations should use an Authorization to Release Protected Health Information.
Information regarding mental health, substance abuse and HIV is subject to more stringent privacy protections. The patient has the option to restrict the release of this information. The Authorization to Release Protected Health Information must specify whether or not release of such information is permitted.
Authorization for release of protected health information is not required for releases related to official requests for information for workers' compensation purposes to the extent such release is necessary to comply with the workers' compensation laws (45 CFR 164.512(l)).
Educate staff upon hire and at least annually regarding patient privacy and protected health information. Maintain documentation of staff education. Include:
- Office policies and procedures.
- Identification of the patient privacy officer (name and contact information).
- Patients' rights under HIPAA (review your notice of privacy practices).
- How to respond to requests for records.
- Minors’ rights.
- Password and computer security.
- What is meant by "need to know" and "protected health information" in terms of each job position.
- Who to ask if they have questions (identification of the privacy officer).
- How to report a breach or potential breach of confidentiality.
- How to respond to subpoenas, court orders, and search warrants.
Organizations should develop policies and procedures outlining the steps they will take in the event of a breach of protected health data.
Covered entities (CE) are required to notify an individual within a reasonable time not to exceed 60 days following the discovery that there has been a breach of their “unsecured” protected health information. According to the HHS.Gov website, the notification must include (to the extent possible) the following:
“A brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).”
If the breach involves more than 500 individuals, the entity must also place a notice in a prominent media outlet.
In addition, organizations must provide a notice to the Secretary of HHS. This is completed electronically on the HHS website (Submitting Notice of a Breach to the Secretary: https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html).
HHS Guidance on Risk Analysis: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
HHS Breach Notification: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
Minimum Necessary Requirement: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html
Medical Mutual Insurance Company of Maine's "Practice Tips" are offered as reference information only and are not intended to establish practice standards or serve as legal advice. MMIC recommends you obtain a legal opinion from a qualified attorney for any specific application to your practice.