HIPAA, among other things, offers protection for personal health information, including medical records. The HIPAA law gave patients more control over their health information, set limits on the use and release of their medical records, and established a series of privacy standards for health care providers, with penalties for those who do not follow these standards.
HIPAA grants patients several key privacy rights over their medical records, as outlined in this PDF, which impose obligations on health care providers. There is widespread industry expectation that HHS intends to intensify oversight of HIPAA compliance as part of the rollout of EMR systems.
Patients have the right to ask for a written notice about how their health information is used and shared, and to view their medical records. They can request a copy of their file, and also request that any mistakes be corrected. In most cases, health care providers must produce these documents within 30 days of receiving the request, but may charge a reasonable fee to cover the cost of making copies when the patient requests them.
Certain parties are exempted from HIPAA requirements, which means some medical information may be shared without a patient’s knowledge in limited circumstances. Information shared with other providers in order to treat any patient is always exempted. Full HIPAA regulations are quite complex and are detailed here.
To meet HIPAA requirements, EHR / EMR systems typically encrypt the patient medical records they store. Data encryption protects electronic records both while they are stored and while they are being transferred, so that only the intended recipients are able to view them.
In addition, while the HIPAA deadline of October 1, 2013 for the transition from ICD-9 to ICD-10 encoding applies only to inpatient hospital procedures, integrated treatment plans will increasingly require ICD-10 use by most health care providers. Since Stage 3 meaningful use standards had not even been issued in preliminary rulings as of October 2012, it is unclear whether ICD-10 compliance will be required of all providers, but it remains a possibility.