Patients have six fundamental rights:
1. The right to receive a notice about your privacy policies. This notice will be similar to the form credit card companies or banks currently send to customers, indicating specifically how they use customers’ personal information. The notice must include information about patients’ rights under HIPAA, including the right to access the information you maintain about them and the right to complain if they feel their rights have been violated. Although you do not have to obtain a patient’s consent to use his or her PHI for treatment, you must at least make a good faith effort to acquire the patient’s acknowledgment that he or she received notice of your privacy policies. A copy of the acknowledgment should be kept in the patient’s file.
2. The right to access the medical information you maintain about him or her. On request, you may provide a summary of the patient records or the records themselves, but you must do so within a specified time period. If you provide a copy of records, you may charge the patient a reasonable price for reproducing them.
There are some exceptions under which you may deny patients access to their records. However, if you do this, your decision must be reviewed by another licensed professional whom you have designated in your privacy policies and procedures.
3. The right to limit the uses and disclosure of medical information. This includes limitations that can cause significant practical problems. For example, a patient may not want her diagnosis of cancer disclosed to a payer out of fear the information could reach her employer. If she is estranged from her family, she may not want any information (e.g., her phone number) disclosed to her siblings.
A patient could also refuse to allow you to report data to his health plan for quality assurance purposes (which is otherwise protected under the definition of “operations” for which you do not need consent). Although this is a patient’s right under HIPAA, reporting such data is also a requirement of most managed care contracts and something you will have to take into account during future negotiations.
You are not obligated to agree to patients’ restrictions, nor must you care for patients whose restrictions would interfere with their treatment. The real problem arises when a patient with whom you have an established relationship restricts use or disclosure. If you agree to the restrictions, you must document them and abide by them. If you don’t agree to them, the patient will either have to relinquish the request or look elsewhere for care. If the patient chooses the latter, you will have to adhere to your basic common law responsibilities of non-abandonment.
4. The right to request amendments to the medical record. The privacy notice you give to patients must specify how they should make requests to amend their records (e.g., in writing). You may refuse such a request for several reasons, including that the patient’s record is accurate and complete. However, the patient does have the right to appeal. If you agree to amend the patient’s record, you must notify the individual and others to whom you have provided the information that it has been amended.
5. The right to revoke or limit authorization. If your practice uses or discloses PHI for any reason other than TPO, you must obtain a specific “authorization” from the patient. This is a form that states what information will be disclosed and how it will be done. Special rules apply for clinical trials or research data. Psychotherapy notes may only be disclosed subject to authorization. Parental access to minors’ medical records will continue to be controlled by state law.
6. The right to an accounting of disclosures of PHI. According to the privacy rule, patients can ask to see what disclosures have been made, but only for the past six years.