OK, I know that HIPAA precludes an American’s medical records from being given out willy-nilly to non-medical people that person doesn’t know. But does every physician that person sees have complete access to their records? Does a podiatrist have complete access to their psychiatric records? Can a cardiologist find out they had an abortion from reading their records? What if a physician outright refuses to treat anyone who has had an abortion in the past? If they’ve ever been prescribed psychiatric medication?
Your questions seem to presume the existence of some centralized repository of medical records for the patient. I’ve never seen such a thing.
I just started seeing a new doctor. For them to get any of my previous medical records, I need to fill out a ‘release of information’ form, and give that form to any previous doctor that I want records released from.
This form details the records I want released, and whom I want them released to.
I’m not a HIPAA expert, but I did write a large part of the security code for an electronic medical record software application.
Here’s what I remember:
- Your primary care physician has access to your records. If he’s part of a group practice, the other physicians in his group can easily get access to your records.
- If you’re admitted to the hospital, the nurses on the floor where you are staying have access to your records.
- If you go to a specialist, you fill out a form, and the specialist can see your records.
- Psychiatric and substance abuse records do not follow the above rules - you pretty much have to always fill out a form giving the doctor access to those types of records.
- You can specify that a certain person is never allowed access to your records by filling out a form.
In theory, your records are only accessible to health care specialists who need to see them to give you adequate care. That’s what the above rules try to do. The software I wrote kept track of everyone who accessed a patient’s records, and one of the first screens everyone saw when they pulled up someone’s records was a history of who accessed them. There was a “report” button that anyone could use to alert the higher-ups if anyone thought that someone who shouldn’t be looking saw someone’s records.
This worked pretty well. But as with all secure information, there are ways around it. If I had wanted, I’m pretty sure I could have gotten into medical records that I shouldn’t have - but that was because I was the one writing the software, and it would have taken some work on my part. In general, the rank and file medical workers would have a hard time getting access to something they shouldn’t, and if they did, there would be records of it.
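The access rules and the audit trail the post above describes, as an added example written for this thread (not code from the poster's application): a toy record store that applies the minimum-necessary rules listed (PCP, group practice, ward nurses, specialist with a release form, sensitive categories always needing a form, a patient-barred list), writes every attempt to an audit log before answering, exposes the "who has looked at this chart" view, and implements the "report" button as flagging for review. The role names, record categories, clinician ids and patient data are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Categories that always need an explicit release form (constructed names).
SENSITIVE = {"psychiatric", "substance_abuse"}


@dataclass
class Clinician:
    id: str
    role: str                    # "physician" or "nurse"
    group: Optional[str] = None  # group practice, if any
    ward: Optional[str] = None   # hospital floor a nurse works on


@dataclass
class Patient:
    id: str
    pcp: str                                      # clinician id of the PCP
    ward: Optional[str] = None                    # floor if currently admitted
    releases: dict = field(default_factory=dict)  # clinician id -> categories released
    blocked: set = field(default_factory=set)     # clinicians barred by the patient
    records: dict = field(default_factory=dict)   # category -> note text


@dataclass
class AuditEntry:
    ts: str
    clinician: str
    patient: str
    category: str
    allowed: bool
    reason: str
    flagged: bool = False


class RecordStore:
    def __init__(self, clinicians, patients):
        self.clinicians = {c.id: c for c in clinicians}
        self.patients = {p.id: p for p in patients}
        self.audit: list[AuditEntry] = []

    def _decide(self, c: Clinician, p: Patient, category: str):
        """Return (allowed, reason) under the rules listed in the post."""
        if c.id in p.blocked:
            return False, "patient barred this clinician by form"
        released = p.releases.get(c.id, set())
        if category in SENSITIVE:  # psych / substance abuse: form always required
            if category in released:
                return True, "explicit release on file for sensitive category"
            return False, "sensitive category requires explicit release form"
        if c.id == p.pcp:
            return True, "primary care physician"
        pcp = self.clinicians.get(p.pcp)
        if c.role == "physician" and c.group and pcp and c.group == pcp.group:
            return True, "same group practice as PCP"
        if c.role == "nurse" and p.ward and c.ward == p.ward:
            return True, "nurse on patient's ward"
        if category in released:
            return True, "release form on file"
        return False, "no treatment relationship and no release form"

    def read(self, clinician_id: str, patient_id: str, category: str):
        """Every attempt, allowed or denied, is logged before any data is returned."""
        c, p = self.clinicians[clinician_id], self.patients[patient_id]
        allowed, reason = self._decide(c, p, category)
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                     clinician_id, patient_id, category, allowed, reason))
        if not allowed:
            raise PermissionError(f"{clinician_id} -> {patient_id}/{category}: {reason}")
        return p.records.get(category)

    def access_history(self, patient_id: str) -> list[AuditEntry]:
        """The 'who has looked at this chart' screen shown when a record is opened."""
        return [e for e in self.audit if e.patient == patient_id]

    def report(self, patient_id: str, clinician_id: str) -> int:
        """The 'report' button: flag one clinician's accesses to a chart for review."""
        hits = [e for e in self.audit if e.patient == patient_id and e.clinician == clinician_id]
        for e in hits:
            e.flagged = True
        return len(hits)


def build_demo() -> RecordStore:
    """Constructed sample data; not a real practice or patient."""
    clinicians = [
        Clinician("dr_pcp", "physician", group="eastside"),
        Clinician("dr_partner", "physician", group="eastside"),
        Clinician("dr_cardio", "physician", group="heart_clinic"),
        Clinician("dr_psych", "physician", group="mind_clinic"),
        Clinician("nurse_3w", "nurse", ward="3W"),
        Clinician("nurse_5e", "nurse", ward="5E"),
    ]
    pt = Patient("pt1", pcp="dr_pcp", ward="3W",
                 releases={"dr_cardio": {"general"}, "dr_psych": {"psychiatric"}},
                 blocked={"nurse_5e"},
                 records={"general": "hypertension, on lisinopril",
                          "psychiatric": "GAD, on sertraline"})
    return RecordStore(clinicians, [pt])
```

The design point the post makes is that denied attempts are just as useful to log as allowed ones: the history view and the report button work on the full audit list, so a clinician who keeps probing charts they have no relationship with leaves a trail even when every attempt fails.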
People really don’t understand HIPAA.
I’ve tried to educate folks about this before, but most just don’t seem to get the concept.
This is from Health & Human Services itself: http://www.hhs.gov/ocr/Healthcare-Provider-letter.pdf
My State spells it out specifically in their legislative code:
From: Wisconsin State Statutes
Bottom line? If you’re my patient, I don’t need your signature or your consent to obtain your medical records from your previous providers. (exceptions: Psychiatric, alcoholism/addiction, & HIV records.)
How strict is the ‘requires the records’ bit? Do you need to actually furnish proof that you believe condition X which you’re treating the patient for is related to condition Y that a different doctor saw them for previously? Or is it just generally assumed that you need the record?
It’s generally assumed that if I (or my staff) is requesting the record, we need it.
Frankly, what often gets put down as the reason for needing the record is “continuing care”.
I see many requests returned without records, and the reason is “patient not one of ours” or “couldn’t find record” etc.
I’ve never seen a request come back stating that our request wasn’t valid.
Yeah, sure there isn’t a federal mandate that requires consent for records to be shared with a physician who requests it, but in my experience, most hospitals will give you a hard time if you don’t send a form.
However, I’m pretty sure that a patient could sue you under HIPAA for that if they felt that the reason was insufficient. I doubt that most would bother, but they may if one of the hypotheticals in the OP happened.
The simplified US Health and Human Resources text of the regulations, including exclusions and penalties, can be found here (pdf). Note that due to the preemption clauses, this overrules all state laws that are not stricter than it. To summarize, that federal law most definitely exists. If your records are being released, they NEED to have a form, or fall into one of many very specific exclusions. (Some of which are amusing reading - your coroner has pretty much a free pass, for instance.)
I’ve not gotten a hard time from any hospitals due to lack of signed consent from the patient when requesting records.
And working at an intake facility, we have 8000 new patients come in a year, and request a hell of a lot of old records. And I end up reviewing the lion’s share of the records we receive.
All requests are made on an official state records request form. Nowhere on the form is there even room for a patient signature. A separate form, with a spot for patient signature, is used for requesting HIV/mental health/chem dep records.
Anyone can sue for anything, but legally their case would be very, very tenuous. IMHO.
The hypotheticals put together in the OP wouldn’t fall under HIPAA in my estimation, but rather under denial of care statutes.
I suspect you may fall under pages 59 - 61 of the above document (judicial and criminal exclusions).
I’m finding the general lackadaisical approach to compliance described in this thread very alarming. Rest assured my company takes HIPAA compliance very seriously, mostly because our lawyers have lobbyists talking to the people in Washington about these laws, and THEY take them very seriously.
It’s possible that they’d get hit with the denial of care suit first, but the law about improper release of information is very clear.
Then again, I’m not a lawyer. I may be gun shy, because a programming mistake we made got my client sued for COBRA violations (and they lost). The government takes those VERY SERIOUSLY. I can’t imagine that in the current political climate they’d take HIPAA less seriously.
Risha can you point me to the section of that pdf you linked where it states that hospitals, clinics etc are required to have signed consent from a patient to share their records with a physician who is requesting them?
Well, our State Dept. of Justice lawyers reviewed the requirements and our forms (which don’t have patient consent on them) and found them wholly satisfactory for obtaining medical records.
And these forms have been sent out to many health care providers around the nation, and have been successful in getting records sent to us from hospitals/clinics/physicians from across the nation.
I really don’t get why people still insist that medical records can’t be released unless the patient signs for their release.
But arguments like this are why I no longer post any extended anecdotes about clinical encounters with patients. Someone always declares I am violating HIPAA by doing so. Despite proper anonymization on my part, which frankly exceeds the anonymization required by HIPAA, someone makes a crusade of this so-called violation.
I don’t believe Risha will be able to. Such a requirement is not a part of HIPAA.
Yeah, it was more of a challenge than a true request. I still get Medical Records clerks asking me to fax over a patient consent when I call a nearby hospital to find out information about a patient. It can really make a huge difference in taking care of a patient in the ER too!
Hm. OK, I’ve just reviewed the document you linked again, and I see where you’re coming from. I think that maybe the different slant on the regulations that my company is teaching us is because we’re administrators releasing information generally to other administrators and insurance companies.
I also never meant to imply that all releases of information to other doctors required a signature, only the non-urgent ones of wholesale record exchange. I must not be the only one misreading those regs, because my doctor required my signature to get my information from my old doctor, and also when they were sent to two different specialists.
I still think that any misuse of that information would get you sued to hell and back though. The whole point of the legislation is to prevent personal information about yourself from going to anyone you don’t want it to go to. The maxim we live under today is to provide the absolute minimum required information to the person who needs it. We would no more tell your spouse who called up who your PCP is than we would tell a telemarketer.
By the way, I miss the personal-but-disguised anecdotes, which are obviously not a violation since it doesn’t identify anybody, so I apologize if I’ve added to that stress.
Reasons why not to get into arguments on the internet: now I feel just terrible about accidentally passing on misinformation.
It would also violate patient confidentiality, medical ethics, and, in some circumstances the state and federal criminal codes.
I understand my responsibilities as a physician. And I understand my rights and privileges as one too.
One of those rights is to get the information I feel I need in order to care for my patient. Regardless of signed permission (save in the 3 exception areas I noted previously.)
It is my privilege and responsibility to use that information to the patient’s benefit.
Thank you for your thoughtful reflection on my points.