| Think your healthcare information is always | | | | providers' offices may not be compliant with the |
| confidential? Unfortunately, it ain't necessarily so. | | | | disclosure accounting rules. |
| The Health Insurance Portability and Accountability | | | | More important, though, is the fact that once |
| Act of 1996 (HIPAA) introduced some important | | | | your provider does disclose your PHI, whether |
| privacy protections for your personal and | | | | they account for the disclosure or not, whoever |
| healthcare information, which, in HIPAA language, | | | | receives your PHI may or may not be required to |
| is called Protected Health Information, or PHI. | | | | comply with the HIPAA privacy rules. |
| Among the HIPAA protections is a series of | | | | For example, Sue Smith (named changed to |
| requirements that allow your healthcare providers | | | | protect the individual's privacy) suffered a death in |
| to share your PHI -- without -- your authorization. | | | | her family. Because of the circumstances, her |
| They include all of the following circumstances: | | | | family member's PHI was provided to law |
| -- Uses and disclosures required by law | | | | enforcement. Fortunately, the healthcare provider |
| -- Uses and disclosures for public health activities | | | | followed the HIPAA privacy rules and accounted |
| -- Disclosures about victims of abuse, neglect, or | | | | for the disclosures. But, her family member's PHI |
| domestic violence | | | | was subsequently released to the press, including |
| -- Uses and disclosures for health oversight | | | | Social Security Number, date of birth, and |
| activities | | | | diagnoses. |
| -- Disclosures for law enforcement purposes | | | | How the press got the information is a subject |
| -- Uses and disclosures for coroners and medical | | | | for the courts. The point is that the information |
| examiners | | | | was not protected once disclosed by the |
| -- Uses and disclosures for cadaveric organ, eye, | | | | healthcare provider. |
| or tissue donation purposes | | | | Your healthcare information may not be safe |
| -- Uses and disclosures for research involving | | | | once disclosed by your provider, either. |
| minimal risk | | | | What can you do to help ensure that you and |
| -- Uses and disclosures to avert a serious threat | | | | your family's protected healthcare information |
| to health or safety | | | | really is protected and remains confidential? |
| -- Disclosures for Workers Compensation | | | | First: should you or your family member ever be |
| Should your healthcare provider disclose your PHI | | | | involved in any circumstance, mentioned above, in |
| for one of the above reasons, he or she is | | | | which your healthcare provider discloses your PHI, |
| required to document, or "account" for the | | | | exercise your right for an accounting of the |
| disclosure. You have the right to receive that | | | | disclosure by your healthcare provider. |
| accounting so that you will know to whom, if | | | | Next, if no accounting is provided to you in writing |
| anyone, your healthcare provider has disclosed | | | | within 30 days, file a complaint with your |
| your PHI. You can exercise that right any time | | | | healthcare provider's HIPAA Privacy Officer (all |
| you want by simply asking your provider for an | | | | healthcare providers are required to have one), |
| accounting of the disclosures of your PHI. | | | | and if necessary, file a complaint directly with |
| However, compliance with disclosure accounting is | | | | Health and Human Services' Office of Civil Rights. |
| spotty, at best. Many healthcare staff and | | | | Then, make certain that you follow the chain of |
| providers do not really know or understand how | | | | custody: who got the information, and what they |
| or why they can, or should, disclose your PHI. So, | | | | did with it. Make sure that all of your requests for |
| some of them do not account for such | | | | this information are in writing, and follow-up with |
| disclosures. | | | | phone calls. |
| You may not necessarily know whether or not | | | | Finally, always keep a log of your requests; you |
| your PHI has been disclosed -- your authorization | | | | may need it. |
| is not required for these types of disclosures, and | | | | |