http://www.webmd.

com/healthy-aging/news/20030422/hipaa-rules-explained

HIPAA Rules Explained

New Medical Privacy Rules Meant to Protect Your Health Records
By Daniel J. DeNoon
WebMD Health News

April 22, 2003 -- HIPAA forms. You got them from your doctor. You got them from your pharmacist. You
got them from your insurance company and maybe even from your employer. What's up?

Blame a deadline for the flurry of forms. On April 14, 2003, healthcare providers had to comply with
HIPAA rules. On that date, everybody with access to your medical records had to be able to prove they
had a plan for keeping those records private.
You had to sign a form agreeing that they told you they had a plan, and that they'll show it to you if you
want to see it. And if you work for a company involved in keeping medical records, you had to show that
you understood the new HIPAA rules.
Other than the forms, what's truly new? Don't look to the name for an explanation. HIPAA stands for the
Health InsurancePortability and Accountability Act of 1996. The original idea was to force the healthcare
industry to save money by computerizing paper records. That led to concerns over privacy -- and new
privacy regulations from the Department of Health and Human Services (HHS).
Here's the bottom line: HIPAA rules give you new rights to know about -- and to control -- how your health
information gets used.

• Your healthcare provider and your insurance company have to explain how
they'll use and disclose health information.
• You can ask for copies of all this information, and make appropriate
changes to it. You can also ask for a history of any unusual disclosures.
• If someone wants to share your health information, you have to give your
formal consent.
• You have the right to complain to HHS about violations of HIPAA rules.
• Health information is to be used only for health purposes. Without your
consent, it can't be used to help banks decide whether to give you a loan,
or by potential employers to decide whether to give you a job.
• When your health information gets shared, only the minimum necessary
amount of information should be disclosed.
• Psychotherapy records get an extra level of protection.

WebMD asked Kimberly Rask, MD, PhD, director the center on health outcomes and quality at Emory
University's Rollins School of Public Health, to put HIPAA rules into perspective.
Q: What does HIPAA mean to the average person? What has changed?

Rask: The intent is to protect the privacy of your health information. What's different is that HIPAA puts
some very specific rules in place about when, how, and what kind of information can be shared. Also, it
makes sure that the person whose information is being shared is aware of that possibility.
Q: What will happen when we see our doctors?
Rask: There are two things patients will see. First, doctors' offices will ask patients to sign papers saying
they are aware the office has privacy policies in place. They can review those policies if they like. Second,
patients may be asked to sign forms that authorize sharing of medical information with other healthcare
providers involved in their care. They may be required to sign separate forms for each provider.
Q: Is this really going to make our medical records more private?
Rask: I think actually, from a privacy perspective, having these regulations in place guarantees a higher
level of privacy. I don't think there's a downside here.
Q: What's not to like?

Rask: Where there is a downside is in bigger issues that don't relate to individual patients. Example one:
In order to comply, many doctors, hospitals, etc. are spending enormous amounts [of money] to become
compliant. Dollars that go to this are not dollars that go elsewhere. It is important to think about the costs
of making this paperwork trail. At a time when we are having so much trouble providing minimal
healthcare to so much of our population, I would like to see more of an emphasis on care than on
paperwork. But that is a trade-off we are making to ensure better privacy.
The second problem I have is that we aren't just concerned with the care given to an individual patient.
We also are concerned about the quality of care we provide and about patient safety. For these larger
issues, researchers need to be able to look at patient information. We need to be able to tell when things
went wrong and when they went right. The more we restrict this research, the more we restrict our ability
to describe and improve what is going on in the healthcare system. That is a trade-off, too. Some people
would feel that the privacy of an individual outweighs any other benefit. On the other hand, it is very
difficult to change or improve healthcare if we can't look at what is being done.
Q: Are computerized records really more secure than paper records?
There are very good ways to protect data electronically. Although it sounds scary, it makes data more
protected than current paper records. For example, think about someone looking at your medical chart in
the hospital. It has a record of all that is happening -- lab results, doctor consultations, nursing notes,
orders, prescriptions, etc. Anybody who opens it for whatever reason can see all of this information. But if
the chart is an electronic record, it's easy to limit access to any of that. So a physical therapist writing
physical therapy notes can only see information related to physical therapy. There is an opportunity with
electronic records to limit information to those who really need to see it. It could in many ways allow more
privacy than current paper records.

Q: What else needs to be done?

We need discussion of why it might be useful -- for all of us-- to do some sharing of health information for
the broader purpose of monitoring and improving the quality of healthcare. There is a value to this. The
crux of the issue is how do you balance this? How do you make sure that the specific information
researchers want to know is available while preventing inappropriate access to personal information?
HIPAA is trying to protect us from inappropriate use of our medical records. In doing that, it also restricts
some appropriate uses.