FAMILY MEDICINE® COLUMN

By Martha A. Simpson, D.O., M.B.A.
Assistant Professor of Family Medicine
Ohio University College of Osteopathic Medicine

HIPAA PROTECTS PATIENT’S RIGHTS WITH “HIPPO-SIZED” PAPERWORK

Question: What is all this I’m hearing about a new law, with a name something like “hippo,” that will keep my health information private? Hasn’t my information always been confidential? Hasn’t my doctor always had to protect it?

Answer: Yes, your health information has always been considered confidential, and most health-care professionals take pride in the proper handling of all medical information entrusted to them. But, a new law called the Health Insurance Portability and Accountability Act will make the “old” seem like something “new.” This law -- known by the acronym “HIPAA” -- does sound a lot like “hippo” and involves a mound of paperwork as big as this African animal.

Congress enacted this law in 1996, but its provisions are just now going into effect. The purpose of the act is to comprehensively reform the insurance market and simplify the administration of health care, and it covers many health policy issues in the areas of insurance, administration and records. The privacy regulations are in a section of the law dealing with administrative simplification.

The new administrative simplification rules set standards for the electronic exchange of your health-care information between doctors, hospitals and insurance companies as well as other persons and organizations that may have a legitimate need for your information. The privacy section of this rule was developed to further protect your medical information as electronic records replace paper records. In fact, most insurance claims are already being sent from doctors’ offices and hospitals electronically rather than as paper claims through the mail. The pace of this transition is accelerating. In October 2003, for example, Medicare will require all claims to be sent electronically.

The new privacy rules standardize the handling of your medical information, which is now called “Protected Health Information” (PHI). These rules set up specific procedures for requesting access to your records, amendments to your medical records, and confidential communications from your doctor’s office or health plan. They require health-care entities to release your medical information only after receiving your signed authorization. There are certain exceptions. For instance, if you have a reportable disease, this information must be sent to the appropriate public health authority. To safeguard your rights, however, the provider is required to keep a log of all disclosures, and you are entitled to a copy of it.

Finally, there is a specific legal mechanism to make a formal complaint if you feel your information has been improperly handled. This gives you “legal muscle” and means that a health-care provider could be fined for unlawfully disclosing your PHI.

On your first visit after April 14, 2003, your health-care provider is required to give you a written notice of his or her privacy practices, and you will need to acknowledge receipt of this information with your signature. Each organization has a privacy officer if you have questions or concerns. Please read and keep your notice, as it will answer most, if not all, of your questions about PHI and HIPAA.

Family Medicine® is a weekly column. To submit questions, write to Martha A. Simpson, D.O., M.B.A., Ohio University College of Osteopathic Medicine, P.O. Box 110, Athens, Ohio 45701. Past columns are available online at http://www.FamilyMedicineNews.org.