Whether they are medical billers, coders, electronic medical technicians, or patients, people should be familiar with medical records laws. These regulations pertain to the records themselves as well as access and patient rights. As primary documentation of the medical history and treatment of a patient, medical records are extremely important, so they must be handled with care.
Medical records are created and housed by healthcare providers, whereas personal health records are created and maintained by patients. Medical record security and privacy has received much attention due to the personal details it contains. Issues surround accuracy, access, storage, and disposal. With the conversion from paper to electronic medical records, additional concerns have arisen regarding security and viewing permissions.
The federal Health Insurance Portability and Accountability Act (HIPAA) pertains to the privacy, security, and ownership of medical records. It establishes that the patient, not the provider, owns the information contained in the medical record. The entity maintaining the record owns the media on which this information is stored. As owners of their records, patients have rights to access the information, ensure that details are correct, and grant consent to another entity to view the record.
Most states also have laws regarding medical records and these afford certain rights to patients. Issues addressed by these regulations include access, record retention, and how much a provider may charge to provide patients with copies of their medical records. Some state laws also govern patient rights regarding record amendment, complaint filing, and how to handle being denied access. Gaps left by HIPAA statutes are often filled by state laws and in most cases, state regulations complement federal guidelines.
In addition to medical record ownership and access, HIPAA features a privacy standard. This establishes guidelines for disclosing protected health information, which includes details regarding patient demographics, health, payments, and treatment. Patients must grant authorization to anyone needing access to this information for purposes other than processing insurance claims. Information that is disclosed must be treated as confidential. Monetary penalties for violating the HIPAA privacy standard range from $100 per person, per violation to $250,000 and up to ten years in prison, depending on the infraction.
Security provisions under HIPAA complement the privacy requirements. While the privacy guidelines pertain to protected health information, security laws cover electronic information. They offer guidance for creating and implementing policies that protect against and deal with security compromises. Three compliance categories, physical, technical, and administrative, are defined by HIPAA security standards. Safeguards, use, and controls are offered for each of these.
Due to the ever-evolving nature of the healthcare industry and the conversion to electronic medical records, changes to HIPAA privacy rules have been proposed by the federal government. These new medical records laws would grant a patient the right to view a report indicating who has accessed their electronic medical and billing records and other information used to make treatment or payment decisions. They add requirements to existing HIPAA regulations and are authorized under the HITECH Act included in the 2009 stimulus package.