HIPAA, electronic health records, and patient privacy


The Health Insurance Portability and Accountability Act of 1996 (HIPAA)


The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996. Sections 261 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information.
Summary of the HIPAA Privacy Rule (Health & Human Services) Who is covered, what information is protected, and how protected health information can be used and disclosed. Because it is an overview of the Health Privacy Rule, it does not address every detail of each provision.
Can health care providers invite or arrange for members of the media, including film crews, to enter treatment areas of their facilities without prior written authorization? (HHS.gov) Answer: Health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ protected health information (PHI) will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media. Only in very limited circumstances, as set forth on this website page, does the HIPAA Privacy Rule permit health care providers to disclose protected health information to members of the media without a prior authorization signed by the individual.
HIPAA experts: No need to request a waiver after Orlando shooting (Joseph Burns, Covering Health: Monitoring the Pulse of Health Care Journalism, 6-15-16)
HIPAA G02: HIPAA Guidance -- Safeguarding Patients’ Photographs and Recordings
Blog HIPAA (your source for news, ideas, and all things HIPAA)
No, HIPAA was not waived in Orlando, and here's why (Jacqueline Howard, CNN, 6-14-16)
Hurricane Katrina Bulletin: HIPAA Privacy and Disclosures in Emergency Situations (HHS)
Orlando shooting: Why the mayor’s HIPAA waiver request is important for gay rights (Ariana Eunjung Cha, WaPo, 6-13-16)
HIPAA’s Use as Code of Silence Often Misinterprets the Law (Paula Span, NY Times, Health, 7-21-15). The privacy rules created under the Health Insurance Portability and Accountability Act, designed to keep personal health information private, apply "only to health care providers, health insurers, clearinghouses that manage and store health data, and their business associates." The "law does not prohibit health care providers from sharing information with family, friends or caregivers unless the patient specifically objects. Even if he or she is not present or is incapacitated, providers may use 'professional judgment' to disclose pertinent information to a relative or friend if it’s 'in the best interests of the individual.'"
HIPAA Criminal Prosecutions: Few and Far Between (PDF, Doreen Z. McQuarrie, Feb. 2007)
Nurse admits to privacy violation in HIPAA case (AP, 4-17-08)
Is HIPAA Creating More Problems Than It's Preventing? (Neil Chesanow, Medscape, 9-16-13)
Do Family, Friends' Photos Trigger HIPAA Violations? (John Commins, HealthLeaders Media, 3-8-2010). You should be able to take photos of your own child or other family member in the hospital, but you mustn't inadvertently catch another patient, or a medical health record, etc. If you are doing photographs for a story, you need a HIPAA release signed for every patient photographed. Hospital personnel may overreact about cell phone photos even of your own family members because HIPAA rules are not easy to master and personnel are duty-bound to observe them.
(St. Jude Children's Research Hospital)
HIPAA, electronic health records, medical privacy laws, and patient rights

Resolving issues with electronic health records (EHRs)
(especially privacy, safety, and security)

Patient access to health records in jeopardy amid health policy upheaval (Rebecca Vesely, Covering Health, AHCJ, 7-26-17) Amid the deep uncertainty over what changes Congress could make to the health care sector in the coming years, patients would benefit from having access to their own medical records. Insurance coverage losses, changes in insurance plans and cuts to provider networks could happen if the Affordable Care Act is repealed, repealed and replaced or is weakened because of lack of support from the Trump administration.
Lessons From More Than A Decade In Patient Portals (Terhilda Garrido, Brian Raymond, and Ben Wheatley, Health Affairs blog, 4-7-16) More than a decade of experience engaging patients online offered four key lessons.
1. Secure email supports improved outcomes and patient-centered care.
2. Patient portal use positively impacts patient loyalty to the health plan and member satisfaction.
3. Evidence of a relationship between secure email and other kinds of utilization is mixed.
4. Even with the best intentions, e-health disparities can emerge.
The medical chart is coming to an end. Here’s why. (Mike Sevilla, KevinMD, 8-29-14) Medical professionals "have lost the art of telling the story of our patients because of the digital record....Many believe that the electronic medical record is a way for “big brother” (whomever that is) to keep an eye on clinicians, and eventually find a way to compensate less." And with security breaches more common, one day patients will insist that certain things be left out of the medical record.
Medical Records: Top Secret (Elisabeth Rosenthal, NY Times 11-8-14) "In a digital age when we can transfer money to purchase a house online or view a college transcript by logging on to a secure website, why is it so often difficult for patients to gain access to their medical data? And who controls our health information? ...Although doctors and hospitals legally own their medical charts, patients have a right to have access in a timely manner — HIPAA requires a response within 30 days of a patient request — and at a reasonable processing cost."
Why Health Care Tech Is Still So Bad (Robert M. Wachter, NY Times, 3-21-15) "A 2013 RAND survey of physicians found mixed reactions to electronic health record systems, including widespread dissatisfaction. Many respondents cited poor usability, time-consuming data entry, needless alerts and poor work flows." "A recent study of more than one million medication errors reported to a national database between 2003 and 2010 found that 6 percent were related to the computerized prescribing system." "Whopping errors and maddening changes in work flow have even led some physicians to argue that we should exhume our three-ring binders and return to a world of pen and paper." But, Wachter concludes, we are still in a very early stage of digitization. We need better technology and better training on how to use it while still paying attention to the patient, instead of the keyboard.
Spread of Records Stirs Patient Fears Of Privacy Erosion (Theo Francis, WSJ, 12-26-06). Ms. Galvin's Insurer Studies Psychotherapist's Notes; A Dispute Over the Rules. "As the health-care industry embraces electronic record-keeping, millions of pages of old documents are being scanned into computers across the country. The goal is to make patient records more complete and readily available for diagnosis, treatment and claims-payment purposes. But the move has kindled patient concern about who might gain access to sensitive medical files -- data that now can be transmitted with the click of a computer mouse."
Stop the privatization of health data (John T. Wilbanks and Eric J. Topol, Nature, 7-20-16) Tech giants moving into health may widen inequalities and harm research, unless people can access and share their data, warn the authors.
How Mayo Clinic Is Using iPads to Empower Patients (David J. Cook, Jeffrey E. Thompson, Joseph A. Dearani, and Sharon K. Prinsen, Harvard Business Review, 2-24-14) Empowering patients and setting their expectations requires effectively providing them with "A plan of stay" (which includes a "plan of day"), modular educational materials ("just in time" materials relevant to the day's needs and expectations), gaining strength modules (that set daily expectations for physical activities such as walking and breathing exercises and provide patients with tools to self-assess and report things like pain and mobility), and recovering planning information (on wound care, exercise and diet, activity restrictions, follow-up appointments, and potential complications and how to recognize them).
How close are we to meeting the promise of electronic health records? (Carla K. Johnson, Covering Health, 3-6-15) "Smooth patient handoffs, data-driven performance improvement and real-time analytics are still mostly dreams, although those ambitions have been talked about for years," said specialists on health information technology, at a panel on the topic, summarized here.
Hazards tied to medical records rush (Christopher Rowland, Boston Globe, 7-20-14) Subsidies given for computerizing, but no reporting required when errors cause harm. The explosion in the use of the electronic records has created the potential for efficiencies and safety benefits but also new risks for patients, the scope of which still is not fully understood.
Electronic health records ripe for theft (David Pittman, Politico 7-13-14)
Six months after the Target security breach, report says cases of identity theft are increasing (Teresa Dixon Murray, The Plain Dealer, 7-9-14). "Medical providers are particularly vulnerable to data breaches because health records generally contain detailed desirable personal information such as Social Security numbers, but the offices of doctors and other medical providers generally don't have the same firewalls and levels of protection that banks do."
Major medical records breaches pass 1,000 milestone as enforcement ramps up (Joseph Conn, Modern Healthcare June 2014)
Breaches Affecting 500 or More Individuals (HHS, Health Information Privacy)
3 Approaches to the EHR Patient Control Debate (Power Your Practice), about the Patricia Galvin case.
The HITECH Act of 2009

UT Southwestern Medical Center (example of a secure online health management tool that the patient also has access to)
10 things to know about Epic (Erin Dietsche, Becker's Health IT & CIO Review)
Spread of Records Stirs Patient Fears Of Privacy Erosion (Theo Francis, WSJ, 12-26-06) Patricia Galvin's Insurer Studies Psychotherapist's Notes; A Dispute Over the Rules. "The U.S. Department of Health and Human Services implemented standards in 2003 for guarding patient privacy, supplementing a patchwork of state laws. The federal standards, which grew out of the 1996 Health Insurance Portability and Accountability Act, single out psychotherapy notes for extra protection. Critics claim that loopholes in the rules have left patient privacy under threat." Galvin's "experience offers a look at how increasingly complex confidentiality issues are affecting patients and their insurance coverage." "As the health-care industry embraces electronic record-keeping, millions of pages of old documents are being scanned into computers across the country. The goal is to make patient records more complete and readily available for diagnosis, treatment and claims-payment purposes. But the move has kindled patient concern about who might gain access to sensitive medical files -- data that now can be transmitted with the click of a computer mouse."

Patient privacy and related issues

HIPAA Guide for the Newsroom (Pennsylvania News Media Association) The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects health insurance coverage for workers and their families when they change or lose their jobs. The Act also requires “covered entities” to protect the privacy of individuals’ medical information, and imposes significant penalties on those entities that violate the law.
When a Patient’s Death is Broadcast Without Permission (Charles Ornstein, ProPublica, 1-2-15) The ABC television show “NY Med” filmed Mark Chanko’s final moments without the approval of his family. Even though his face was blurred, his wife recognized him. “I saw my husband die before my eyes.” An intelligent discussion of an important case.
New York Hospital to Pay $2.2 Million Over Unauthorized Filming of 2 Patients (Charles Ornstein, NY Times, 4-21-16) "NewYork-Presbyterian Hospital has agreed to pay a $2.2 million penalty to federal regulators for allowing television crews to film two patients without their consent — one who was dying, the other in significant distress. Regulators said on Thursday that the hospital allowed filming to continue even after a medical professional asked that it stop. At the same time, regulators clarified the rules regarding the filming of patients, prohibiting health providers from inviting crews into treatment areas without permission from all patients who are present. That could end popular television shows that capture emergencies and traumas in progress, getting permission from patients only afterward."
Here's Looking at You: How Personal Health Information Is Being Tracked and Used (Jane Sarasohn-Kahn, California Healthcare Foundation, July 2014)
HIPAA Helper: Who is Revealing Your Private Medical Information? (Charles Ornstein, Annie Waldman and Mike Tigas, ProPublica, 12-29-15) For the first time, you can easily search whether your hospital, clinic, pharmacy or health insurer has been named in patient privacy complaints, breaches or violations.
Journal; Capital Shrink Rap (Frank Rich, NY Times, 10-7-98) "Washington's fear and ignorance of mental illness has led to private local tragedies (the untreated Vincent Foster's suicide) and shoddy public policy, which then leads to preventable national tragedies...I wonder if today's Washington would even muster the same outrage once provoked by one of the most unsavory incidents of Watergate -- the White House 'plumbers' break-in to the Beverly Hills office of Daniel Ellsberg's therapist in a failed effort to burglarize his psychiatric files."
Secret video: Mercy guard threatened photo-taking mom (Sarah Okeson, News-Leader, 7-19-14) Woman who took photo of her son to post on Facebook was taken to an office where she was questioned by a security guard. "The idea is not to prohibit patients from capturing personal memories," said Mercy spokeswoman Sonya Kullmann. "However, we want to ensure that we protect everyone's right to privacy. That includes other patients, visitors, co-workers and providers who may not want to appear in someone else's photograph, video or recording." There is such a thing as carrying things too far.
Can medical records be released without consent? Supreme Court refuses case. (Warren Richey, Christian Science Monitor, 10-3-11) The US Supreme Court turned aside an appeal involving the scope of privacy protections for a patient’s medical records when a state agency seeks to force a doctor to disclose those records without first obtaining a patient’s consent. (Eist v. Maryland State Bd. of Physicians) Issues of case, on SCOTUSblog: (1) Whether a state may restrict a patient's federal constitutional right to privacy by compelling a physician to disclose confidential patient records without notice to and authorization by the patient and in conflict with the physician's ethical obligations; (2) whether a state agency may simultaneously serve as investigator, prosecutor and adjudicator with respect to a licensee under its jurisdiction without amending the state's constitution which explicitly separates legislative, executive and judicial powers; and (3) whether a physician may be disciplined by a state's medical licensing board if: (a) the relevant statutory language - “fails to cooperate with a lawful investigation” - is unconstitutionally vague; (b) the board never notified the patients it was seeking their confidential medical records; or (c) the board's simultaneous roles as investigator, prosecutor and adjudicator deprive petitioner of his right to due process.
Medical privacy (summary of info and links to more on breaches of privacy, damages and alternatives, electronic systems, many releases that are allowed by law, comparison of lists of data breaches)
Medical privacy
Baby Pictures at the Doctor’s? Cute, Sure, but Illegal (Anemona Hartocollis, NY Times, 8-9-14). Letters to the Editor, in response: When Baby Pictures Offend the Law
VA uses patient privacy to go after whistleblowers, critics say (Joe Davidson, Washington Post, 7-17-14) A registered nurse was threatened with suspension and stripped of managerial duties after she complained about how a veteran was treated.
Spread of Records Stirs Patient Fears Of Privacy Erosion (Theo Francis, WSJ, 12-26-06--behind a paywall, for subscribers only, but you may be able to read it at the library).
Could photographing an ED patient get you sued? (PDF, ED Legal Letter April 2009) Without consent, you are asking for a lawsuit.