More Testing of Your Knowledge
By Matt Fisher
Twitter: @matt_r_fisher
Last week I posted five common HIPAA myths, with the promise of more to follow. That promise is now being kept with more common myths to test your knowledge. Hopefully everyone is on top of their HIPAA game and will not be tricked by these issues. Now onto the myths, with numbering continuing from last week.
Myth #6 – When an individual requests their medical record, a provider is obligated to provide the entire medical record.
This is FALSE. An individual has the right to access their protected health information that is maintained in a designated record set. As may be expected, designated record set is a defined term under HIPAA. A designated record set is a group of records maintained for a defined purpose, which generally relates to medical and billing records or records maintained for a health plan. Further, certain records are specifically exempted from access, including psychotherapy notes, information compiled in reasonable anticipation of or for a court or administrative action or proceeding, or certain information pertaining to labs (though the new rule governing access to lab information should be reviewed). It is also possible for a request to be denied, though the requesting individual may appeal the denial. Accordingly, an individual does not have a right to access their medical record.
Myth #7 – HIPAA protects all protected health information no matter who possesses the information.
This is FALSE. HIPAA only applies to protected health information held by a covered entity or a business associate. Covered entities, generally, are health plans, health care providers or health care clearinghouses. A business associate is an entity or individual that acquires, uses, handles or otherwise interacts with protected health information on behalf of a covered entity. The context in which information that may constitute protected health information is held or created is very important. For example, information provided to a life insurance company is not covered by HIPAA. Information provided to an employer in the context of work functions, but not a health plan administered by an employer is not information protected by HIPAA. Therefore, pay close attention to when health information is being created or used to determine whether HIPAA applies.
Myth #8 – HIPAA prevents protected health information from being used for marketing purposes.
This is PARTIALLY TRUE. If an entity acquires authorization from an individual, then protected health information may be used for marketing purposes. Obtaining an authorization generally allows most uses to occur that may otherwise not be permissible. For marketing though, the Privacy Rule excludes refill reminders and certain communications about treatment or health care operations. If the entity making the communication receives any remuneration though, then the communication is likely no longer permissible. The refill reminder exception has generated a significant amount of debate since the Omnibus Rule was promulgated in January 2013, with additional guidance even being offered by the Department of Health and Human Services. Marketing is definitely one area that requires extra attention to ensure compliance.
Myth #9 – Patients can sue providers for HIPAA violations.
This is FALSE. HIPAA does not contain a private right of action. Only the federal government or a state attorney general can bring an action for a purported HIPAA violation. However, that does not mean individuals are left without recourse. Even though HIPAA may not allow an individual to sue, an allegedly improper disclosure may run afoul of state law or there may be a state law that ties into HIPAA. As with many things, looking at just HIPAA (or one law) does not necessarily tell the whole story.
Myth #10 – HIPAA can be used as a general excuse by health care providers or others to deny access or for other reasons.
This is FALSE. A lack of understanding HIPAA’s requirements should not be used to deny access to medical records or prevent parents from accompanying their children for an appointment. While HIPAA does impose many complicated and counterintuitive requirements, it does not always impose burdens or restrict access. While HIPAA is designed to protect an individual’s privacy that does not mean access is always denied. There are many instances where protected health information can be freely shared without needing to offer an opportunity for approval. It is the obligation of covered entities and business associates to know these requirements.
As these myths demonstrate, covered entities, business associates, individuals and others should educate themselves about HIPAA to fully understand what it does. Knowledge can help defuse a lot of complicated situations and avoid hassles that do not need to be created.
About the author:  Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA.  Mat advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute.  This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.