Medical Records

In the past, physicians could physically secure and shield personal medical records from disclosure, absent consent from their patients. Electronic databanks changed all that (as foretold by the Supreme Court in Whalen, above). Patchy and varied state laws involving doctor-patient confidentiality left much to be desired. With the passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (which encouraged electronic transmission of patient data), Congress passed concurrent legislation for uniform protection of medical records and personal information. In December 2000, the Department of Health and Human Services (HHS) published its Privacy Rule (65 Fed. Reg. 82462), which became effective on April 14, 2001. The regulation covers health plans, health-care clearinghouses, and health-care providers that bill and transfer funds electronically. The regulation mandates a final compliance date of April 14, 2003 (small health plans have until April 14, 2004, to comply). The Privacy Rule includes provisions for the following:

  • Ensuring patient access to medical records, ability to get copies and/or request amendments
  • Obtaining patient consent before releasing information. Health care providers are required to obtain consent before sharing information regarding treatment, payment, and health care operations. Separate patient authorizations must be obtained for all non-routine disclosures and non-health-related purposes. A history of all non-routine disclosures must be accessible to patients
  • Providing recourse for violations through an administrative complaint procedure
