Insurers, medical providers, and technology corporations must follow privacy rules when using information on a patient’s health record, known as protected health information, or PHI.
Imagine that you are receiving infertility treatment and hope for a promotion. You might not want your employer to know you plan to have a child. If anyone could ask insurance companies for medical records, without your permission, you would lose control over who learned your history. People might be reluctant to seek care, for fear that their story would fall into the wrong hands.
Under federal law, Americans have a right to privacy, but it is limited. That’s why we have more specific rules about how patient records are used.
What is Personal Health Information (PHI)?
The Health Insurance Portability and Accountability Act (HIPAA), which became law in 1996, includes rules to protect patients’ privacy. It covers all health information that could identify you — in other words, your PHI is tied to you personally by your name, birth date, Social Security number, home address, and other information specifically about you.
The rules cover electronic communication, paper records, and talking that refers to your health, both now and in the past and future. Mental healthcare is also covered. The rules set boundaries for when and how much information can be shared.
Who must follow rules protecting personal health information (PHI)?
The rules apply to health plans, any healthcare provider, and clearinghouses or other contractors who handle personal health information, including large teach corporations like Google and Amazon that are mining and using your PHI to develop technology to simplify healthcare and advance diagnostic and treatment options. There are exceptions — for example, a group health plan with fewer than 50 participants established and run by an employer. But any organization that provides, bills, or pays for healthcare services must follow these rules, even if they use a billing service or third party for electronic transactions.
Can personal health information be shared, without my permission?
The privacy rules do not give you complete control. Healthcare providers can communicate about you within an organization or outside it, with other providers, if necessary to provide care. Insurance companies can receive information from providers, for example when a hospital calls to get prior authorization for a procedure. Technology companies can purchase your PHI legally, and there is some concern it may not be truly anonymous if other data can be tracked to specific people.
The HIPAA law, however, seeks to minimize disclosure — the protected health information shared should be only what’s necessary to meet a specific need. Sometimes disclosure is required by law, for instance, under a court order, but the privacy rules set a boundary that providers must not go beyond those requirements.
Healthcare providers can communicate with government authorities to report cases of abuse, neglect, or violence. They must cooperate with the courts and can provide information to the police if your information is relevant to a possible crime. They can provide information “to prevent or lessen a serious and imminent threat to a person or the public” — such as plans for a suicide or murder.
Why do medical providers ask me to sign privacy forms?
The forms you routinely get in doctor’s offices or from insurance companies describe the privacy rules. They contain a promise to follow the rules or ask you for permission to reveal certain information. They also tell you how to file a complaint.
What is de-identified health information?
There are no restrictions on the use or disclosure of de-identified health information, when your name and other way of identifying you is removed. This is the kind of PHI technology companies are using in their efforts to improve healthcare.
May 26, 2020
Janet O’Dell, RN