The Health Insurance Portability & Accountability Act of 1996:
The Health Insurance Portability and Accountability Act of 1996 has the strongest federal confidentiality protections ever enacted. The Act, which will be discussed in much more detail below, provides penalties for violations of patient confidentiality by those subject to the statute consisting of fines of up to $250,000 and/or ten years' imprisonment. It required Congress to enact a comprehensive patient confidentiality law by August 1999. If Congress failed to do so, as it did, the Secretary of Health and Human Services had to enact such regulations.

HIPAA Provisions Affecting Medical Records:
The Health Insurance Portability and Accountability Act of 1996, provides a framework for the establishment of nationwide security standards and the protection of the confidentiality of health information.

Title II of this Act requires the simplification of health claims. Subtitle F focuses on administrative simplification by creating standards for communications, including standards and requirement for the electronic transmission of health information. Section 262 addresses the need to protect the security, integrity, and authenticity of health information.

HIPAA - Requirement to Maintain Reasonable Safeguards:
Under the Act, health information is defined as:

Any information, whether oral or recorded in any form or medium, that
     (A)  is created or received by a health care provider*, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse**
     (B)  relates to the past, present, or future physical or mental health or condition of an individual, the provision or health care to and individual, or the past, present, or future payment for the provision of health care to an individual.

*   Healthcare providers include a provider of services, a provider of medical or other health services, and any other person furnishing health care services or supplies. [1320 (d) (3).]
** A health care clearinghouse is public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. [1320 (d) (1) (a).]

Under the Act, health plans, health care clearinghouses, and health care providers that maintain or transmit health information in connections with a transaction covered by HIPAA are required to maintain reasonable and appropriate administrative, technical, and physical safeguards to:

  1. Ensure the integrity and confidentiality of the information. Those transactions comprise the transmission of data between two parties to carry out financial or administrative activities related to health care, including the following types of information transmissions:
    • Health Care claims or equivalent encounter information.
    • Health care payment and remittance advice.
    • Coordination of benefits.
    • Health care claims status.
    • Enrollment and disenrollment in a health plan.
    • Eligibility for a health plan.
    • Health plan premium payments.
    • Referral certification and authorization.
    • First report of injury.
    • Health claims attachments.
    • Other transactions that the Secretary may prescribe by regulations.
  2. Protect against reasonably anticipated:
    • Threats or hazards to the security of the information.
    • Unauthorized uses or disclosures of the information.
    • Ensure compliance by their officers and employees.

In addition, health care clearinghouses must have policies and security procedures that isolate the activities of the health care clearinghouse with respect to processing information in a (way) that prevents unauthorized access to such information by (a larger organization of which it is part).

The Sensitive Nature of Medical Information:
Medical Records contain a vast amount of personal information, such as the following:

  • Demographic information, such as age, sex, race, and occupation.
  • Financial information, such as employment status, income, disabilities, and participation in federal or state programs.
  • Social information, such as family, sexual relationships, and lifestyle choices.

In short, health information is probably the most intimate, personal, and sensitive of any information collected and maintained on an individual.
The sensitive nature of such information raises three concerns for patients:

  1. That known parties, such as employers and insurers, will learn information that patients do not want them to have and use it in specific, foreseeable, adverse, ways, such as to deny employment or to deny insurance coverage.
  2. That known parties, such as a government agency, may use the information in an unforeseeable, adverse way.
  3. That inaccurate information may become part of the patient's record and cause an unwarranted adverse action, such as denial of employment or insurability.

Confidentiality of Electronic Medical Records:
First, we should define electronic medical records. In one sense, they are nothing more than an alternate medium for medical records in general. In another sense, they are much more than an electronic substitute for a piece of paper. According to the Institute of Medicine, a computer-based patient record is an electronic patient record that resides in a system specifically designed to support users by providing accessibility to complete and accurate data, alerts, reminders, clinical decision support systems, links to medical knowledge, and other aids.

In one sense, no difference exists between the confidentiality of electronic medical records and confidentiality of paper or other forms of medical records. In another sense, the nature of automated patient records causes a greater challenge to providers to keep them confidential.

Are the Legal Requirements Different for Electronic Records?
With regard to the legal requirements to keep medical records confidential, at present, little or no difference exits between electronic and paper records. The law generally does not differentiate between them. Rather, it merely requires providers to keep them confidential without regard to what medium contains the confidential information. However, with the new federal proposed regulations, we will see different legal requirements of records maintained or transmitted in an electronic format when those regulations become effective. On the other hand, the nature of automated records may make a breach of confidentiality more likely, and patient concern about such breaches is one of the barriers to the automation of patient records. That led to the question why patients fear confidentiality breaches so much more with regard to automated medical records than paper ones.

Confidentiality Concerns with Automated Records:
Among factors inherent in automated patient records that raise confidentiality concerns are:

  • Providers may collect more personal health care information from patients.
  • Providers may collect more sophisticated health information, such as genetic information.
  • The industry will see increasing commercial use of personal health care information, such as for marketing.
  • More financial and insurance data will be collected and stored.
  • Computers increase the ability to access, transmit, and copy large volumes of data quickly.
  • Computers increase the ability to combine data from different sources quickly.
  • Computers increase the difficulty of policing disclosure and redisclosure.
  • The risk of a harmful transmission of information rise exponentially as the number of people who have access to that information rises.
  • Computers decrease the ability of patients and providers to control the disclosure of confidential medical information.

One of the problems with the confidentiality of computer-based patient records is the lack of uniformity among the states concerning confidential medical information. In fact, the confidentiality requirements may vary even within a state, such as where hospital confidentiality requirements differ from those of health maintenance organizations. In addition, if providers transmit confidential patient date across state lines, the law is unclear as to which state’s confidentiality laws apply in the event of a dispute over the disclosure of data. This problem has led the federal government to start the process of developing national standards in the Health Insurance Portability and Accountability Act of 1996.

HIPAA - Criminal Penalties for Violating Confidentiality:
HIPAA contains a broad range of penalties, ranging from civil fines to criminal penalties. The statute punishes noncompliance with the security standards with a civil penalty of $100 per violation up to a maximum of $25,000 per person for all identical violations in a calendar year.

As to criminal penalties, if a person knowingly obtains or discloses individual identifiable health information, the statute establishes a fine up to $50,000 and/or imprisonment up to one year as potential penalties. If the offender commits such offenses under false pretenses, the fine goes up to $100,000 and the imprisonment may be for as much as five years. HIPAA reserves the most draconian penalties for those offenses when the offender has the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. In such cases the maximum fine is $250,000 and the maximum period of imprisonment is ten years.