HIPAA and the Important Question of Medical Records Privacy

by | Last updated on Sep 9, 2023 | Published on Apr 17, 2019 | Medical Record Review

Medical records exist in paper and electronic formats, and in both cases compliance regulations as regards protected health information (PHI) exist. The medical chart is a legal record as well and it is required in a personal injury, workers’ compensation, or medical malpractice lawsuit for the purpose of medical records review and extraction of evidence.

The medical records custodian has to decide whether to release the record and whether it is admissible as legal evidence. Passed by the US Congress in the year 1996, HIPAA was initially intended to protect a patient’s access to insurance. However, security policies were added later on to cover the sharing of medical records. It also has clear-cut standards and policies regarding how patient data including doctors’ notes, tests and lab results, and medical billing information can be shared. Healthcare providers tend to be fiercely protective of the medical record, probably fearing that record sharing may eventually lead to data breach and hefty fines. It is important that more clarity is provided regarding who can access the medical records legally.

Here are some questions in this regard and their answers.

  • Can family members access the patient’s medical records? Yes, they can if the patient gives specific permission to do so. With the patient’s authorization, medical records can be shared with anyone the patient designates.
  • Are providers legally bound to provide all medical records to patients? Not necessarily. Some medical records such as mental health records could be withheld, especially if the provider or healthcare facility believes those could be harmful for the patient. Typically, such records are withheld if the provider believes the patient would inflict self harm because of their outcome. If the provider cannot release the medical records, patients are informed in writing that they won’t be receiving the records.
  • Can patients who are denied access to their medical records sue the provider or custodian to get the copies? No, they cannot. The HHS (Department of Health and Human Services) has a procedure patients can follow if they feel their rights have been violated under the HIPAA regulation. This process includes filing a formal complaint via an online process. If the violation is very serious, the HHS or the Department of Justice may penalize the violating entity. Fines could range from $25,000 to 10 years in jail and a $250,000 fine.
  • Does HIPAA cover privacy and security for all medical records? Yes, but only under certain circumstances. Apart from providers, facilities, and insurers, there are other entities who may have patient information and may not be regulated by HIPAA. For example, there are many web apps, mostly free ones, which encourage patients to upload their health and medical information for storage purposes. They persuade patients to avail of their service so that these personal health records would be convenient and available in an emergency. These organizations are not under any restriction from doing what they want to with that medical information though they claim the records are secure and confidential.
  • Can providers correct errors found in patient records? Yes, they may. Patients can request for changes to be made in their records, but it doesn’t follow that those corrections will be made. If the provider refuses to make the required changes, the patient may write a dispute letter about the mistakes he/she has identified. The healthcare facility/provider is required to include this letter in the patient’s file.
  • Can medical information be legally sold or used for marketing? Yes, it could be based on how that data will be shared and to whom. For instance, a hospital can use its patient list to inform patients of a new service they provide, of a new doctor who has joined the staff, or of a fundraising program. However, patient information or medical records cannot be shared without an additional authorization from the patient when an insurer who has obtained the details from one of the patient’s healthcare providers uses or sells that information to sell an additional insurance or another product to the patient.
  • Can parties involved in a lawsuit obtain or “discover” medical records relevant to the lawsuit? They can. Processes used in the legal discovery process include subpoenas, depositions, interrogatories, request for admissions, and production of documents. Now, paper is not the sole source of documentation to be disclosed. Computer files, erased files, and email can all be subpoenaed. The most common discovery method to discover EHRs or medical records is to serve the healthcare organization with a subpoena duces tecum.

It is important to understand the basics of HIPAA so that medical record custodians can release the records when required without having to face legal consequences. A medical review company is among the many entities that may require patient records for the purpose of medical record analysis in various cases. In most cases, the need for medical records is genuine and custodians must quickly determine whether they can release the records. Only if the records are made available as quickly as possible, can any legal process be initiated and followed through smoothly.

Disclaimer: The content in this blog is sourced from reliable internet resources and does not constitute the inference or opinion of MOS or any of its stakeholders. Please contact an attorney or other authorized personnel to obtain a professional opinion.

Discover our medical record review solutions and partner with us for your next case.

Related Posts