In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), which among other things offers protection for personal health information, including electronic medical records. HIPAA requirements and security rules give patients more control over their health information, set limits on the use and release of their medical records, and establish a series of privacy standards for health care providers, with penalties for those who do not follow these standards.

HIPAA requirements grant patients several key privacy rights over their medical records, as outlined in this PDF, which impose obligations on health care providers. The most recent HIPAA requirements for certain health care administrative transactions, such as claims, remittance, eligibility, and claims status requests and responses, are specified in the American National Standards Institute (ANSI) 5010 Accredited Standards Committee (ASC) X12 version, which went into effect January 1, 2012 for all covered entities. The Centers for Medicare & Medicaid Services outlines these requirements in a PDF here. Note that the use of ANSI 5010 is also a prerequisite to meeting the ICD-10 claims formatting deadline of October 1, 2013, as the current HIPAA transaction standards cannot support the ICD-10 code formats.

Patients have the right to ask for a written notice about how their health information is used and shared, and to view their medical records. They can request a copy of their file, and also request that any mistakes be corrected. In most cases, health care providers must produce these documents within 30 days of receiving the request, but may charge reasonable fees to cover the expenses associated with making copies when the patient requests them. They may also use HIPAA-compliant outside services to produce these copies on their behalf. Health care providers who specialize in mental health are specifically exempted from the requirement to disclose patient information. In most cases, patients have to be notified if their files are leaked or stolen, but there are some exemptions to these rules. Certain parties are exempted from HIPAA requirements, which means some medical information may be shared without a patient's knowledge in limited circumstances.

With respect to HIPAA and electronic medical records (EMR), these systems typically use data encryption to protect the patient medical records stored in the EMR system. Encryption protects EMR data both at rest and in transit, ensuring that only the intended recipients are able to read it. Other HIPAA data security controls are typically installed on health care computer systems and networks, including firewalls to block unauthorized access, and audit logging systems that require users to authenticate and that record which specific patient records each user accesses. Many health care providers find it useful to have HIPAA data security audits of their systems performed on a regular basis. These examinations and reports, if their findings are addressed properly, can help ensure a high level of compliance and also mitigate penalties for inadvertent problems.

While many of these HIPAA privacy issues are outside most health care providers' area of expertise, providers need to be prepared to answer patients' questions and address concerns about the confidentiality of their medical records and the methods used to protect them.

Many providers also express concern about their ability to share information in any fashion without incurring potential legal liability, unless they receive explicit patient permission. HIPAA electronic medical records privacy rules allow health care providers to use or disclose patient health information, such as diagnostic images, laboratory tests, diagnoses, and other medical information, for treatment purposes without the patient's authorization. This includes sharing the information to consult with other providers, including providers who themselves are not covered entities (as defined by HIPAA), to aid in the treatment of a different patient, or to refer the patient to a specialist. The formal HIPAA regulations are quite complex and are detailed here.

  • William Ricks

    Is it legal for a medical facility to destroy electronic medical records from a government agency that are the property of a private party?

  • Leonardo Park

    Thoughtful post – my company this month came across to share pdf, it's relatively efficient to get the hang of and it's handy. I learned that they are offering a 30 day promotion ongoing.

  • kimmie0
  • Zac

    Is it legal for one facility to require another facility to pay a fee for the release of medical records necessary for continuation of care for a patient?

  • Marie

    How long do medical facilities keep records on file before destroying them?