About HISPC
FAQ CONSUMERS
Table of Contents
1) How much access does my insurance company have to my EMR?
2) Can I prevent unauthorized access to my EMR?
3) What does ‘need to know’ access mean?
4) Are substance abuse and HIV records handled with special security measures? Can I prevent this kind of sensitive diagnosis from following my chart forever?
5) Can I get copies of my records on a CD or a flash drive?
6) Is unauthorized access to my EMR punishable by law?
7) Do I have the right to ‘opt-out’ of having my records kept in EMR format?
8) Do viruses ever invade medical records?
9) Can I get my EMR corrected if I find a mistake in it?
10) What happens if my doctor’s electricity goes out or the computer goes down? Do they still have access to my records?
11) Who has access to my records?
12) Can I access my EMR from my home computer?
13) Does the government have access to my records?
14) Do all doctors and hospitals use the same type of EMR system?
15) Will my records eventually be used to determine my insurance rates?
How much access does my insurance company have to my EMR?
Those organizations that are required to abide by the Health Insurance Portability and Accountability Act (HIPAA) are called Covered Entities. Covered Entities, such as physicians, hospitals, and other organizations, are required to evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to protected health information.
Insurance companies need health information to pay for health care and to review the quality of the health care provided to their members. Insurance companies have no greater access to electronic information than to information stored on paper. Information that identifies you, as well as your diagnosis, procedures, medications, supplies used, and charges, are examples of information needed by insurance companies.
Can I prevent unauthorized access to my EMR?
No, the Covered Entity has the responsibility to prevent unauthorized access to your EMR.
What does “need to know” access mean?
“Need to know” access refers to the minimum necessary standard reflected in the HIPAA regulations. This standard requires covered entities to evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to protected health information.
Therefore, it is expected that covered entities will utilize the input of prudent professionals involved in health care activities when developing policies and procedures that appropriately limit access to personal health information without sacrificing the quality of health care.
Are substance abuse and HIV records handled with special security measures? Can I prevent this kind of sensitive diagnosis from following my chart forever?
Unlike paper records, systems that maintain electronic health data often give providers the ability to conceal individual data items. Since the features of each electronic system differ, your health care provider will be able to discuss the options available to them.
Federal and state laws provide some additional protection for HIV test results (R.S. 40:1300.14), genetic test results (R.S. 40:1299.6), and psychiatric and substance abuse records (42 C.F.R.). In some cases providers must obtain your authorization to release this information. However, there are circumstances that allow health care providers to release this information without your authorization. You may request that your health care provider restrict access to any of your health information. However, providers are not required to agree to a request for restriction, and in some cases they are required to release information.
For example: Health care providers may disclose your health information to public health or legal authorities charged with preventing or controlling disease, injury, or disability, or to avert a serious threat to health or safety. Health information may be disclosed to another provider for treatment, payment for services, or health care operations. Providers may release information about decedents as requested by coroners, medical examiners, or funeral directors. Information may be released to officials regarding abuse or neglect, health oversight activities, workers’ compensation, and organ donation. There are some instances where providers may release information for judicial and administrative proceedings, law enforcement activities, military and national security/intelligence activities, or as required by law.
Can I get copies of my records on a CD or a flash drive?
You can request a copy of your health information on a CD or a flash drive. The provider determines the medium in which the copy will be produced, which is normally a paper copy.
Is unauthorized access to my EMR punishable by law?
HIPAA provides for both civil and criminal penalties. The civil monetary penalty for violating transaction standards is up to $100 per person per violation and up to $25,000 per person per violation of a single standard per calendar year.
While the penalties are clear-cut, provisions were made for the Secretary of Health and Human Services to have some leeway in determining whether there were extenuating circumstances not taken into account under the letter of the law. For example, if a violation is not due to willful neglect, the Secretary may lower the amount of a fine or waive it completely, provided the entity corrects the problem within 30 days.
Federal criminal penalties can also be placed upon covered entities that improperly disclose or obtain information. Penalties would be higher for actions designed to generate monetary gain. HIPAA establishes the following criminal penalties for misuse of unique health identifiers or individually identifiable health information:
- A fine up to $50,000 and/or imprisonment of not more than one year
- If misuse is under false pretenses, a fine up to $100,000 and/or imprisonment of not more than five years
- If misuse is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine up to $250,000 and/or imprisonment of not more than 10 years.
Do I have the right to “opt-out” of having my records kept in EMR format?
No, you do not. The conversion from a paper to EMR format is considered a normal function of daily business operations. You always have the right to change from a provider that is using an EMR to one who does not.
Do viruses ever invade medical records?
The HIPAA standards require covered entities to safeguard protected health information (medical records). These safeguards reduce the risk of viruses and other threats to electronic information. However, just as paper records are vulnerable to disasters such as fires and floods, electronic records can be vulnerable to viruses and other forms of attack if the proper safeguards are not in place.
All electronic systems, not just electronic health care systems, are vulnerable to threats such as:
- Systems can be taken down or vandalized
- Information can be stolen
- Data can be misused
Can I get my EMR corrected if I find a mistake in it?
Yes, you have the right to request a change to information in your medical record. The provider does not have to change the information.
If a mistake in your medical record is found, contact the health care provider in writing and request the information be corrected. It is important to provide information to support why the information should be corrected. Your health care provider will review the information submitted and determine if the information should be corrected. Most electronic systems provide features to amend information. Amendments allow for the original incorrect information and the corrected information to be seen. Providers are not required to accept a request for correction in the following instances:
- The information was not created by the health care provider.
- The information is not part of the provider’s designated record set.
- The information is accurate and correct.
- The information is not available for inspection under section 164.524 of the HIPAA Privacy Rule.
What happens if my doctor’s electricity goes out or the computer goes down? Do they still have access to my records?
No, there is no power unless they have a backup generator. Physicians are able to print out a paper chart, though, so if that occurred before the power failure, the physician will still have access to your records.
Who has access to my records?
The HIPAA Privacy Rule recognizes that the Covered Entity is in the best position to know and determine who in its workforce needs access to personal health information to perform their jobs. Therefore, the covered entity can develop role-based access policies that allow its health care providers and other employees, as appropriate, access to patient information, including entire medical records, for treatment purposes.
As a patient you have access to your own health information. You may also give others authorization to access your health information. However, there are circumstances where your permission to access health information is not required. It is important to understand that there are many reasons access may be granted to your health information. Each person or entity may have access to different types and amounts of information. The HIPAA Privacy Rule requires that access to your health information be limited to the minimum amount a person needs to perform their job. Here are some of the most common reasons and types of entities that would have access to your health information.
TREATMENT: Providers of health care such as physicians, nurses, pharmacists, medical students, and technicians need access to your medical information to provide the best possible care. Support staff in physicians’ offices, hospitals, pharmacies, and clinics, such as receptionists, billing clerks, and medical coders, also need access to health information.
PAYMENT: Insurance companies and other third-party payers such as Medicare or Medicaid need access to information to pay for health care and to review the quality of health care provided.
HEALTH CARE OPERATIONS: Health care providers use health information in their day-to-day operations and functions. Members of the Quality Assessment team may use information to evaluate the care provided and your response to that care. A hospital may contract with a business associate to provide services. These business associates may have access to some of your health information. Some examples of business associates include record storage facilities, accreditation organizations (JCAHO), and software and hardware (computer system) vendors.
RESEARCH: Researchers may have access to your health information in the course of conducting research studies. For example, a research project may compare the response of patients receiving two different treatments for the same condition.
CORONERS, MEDICAL EXAMINERS, FUNERAL DIRECTORS: Health information is given out to these individuals to identify a deceased person, determine the cause of death, or to carry out necessary duties such as filing death certificates.
MARKETING: Your information may be used to let you know about treatments and other health-related benefits and services.
PUBLIC HEALTH OR TO AVERT A SERIOUS THREAT TO HEALTH OR SAFETY:
Preventing or controlling disease, injury, or disability all require access to certain amounts of health information. Births, deaths, abuse, neglect, and violence are also examples of reasons your information may be given to public health authorities. Examples of these agencies include the Louisiana Office of Vital Records, parish health units, the Food and Drug Administration (FDA), and the Centers for Disease Control (CDC).
CORRECTIONAL INSTITUTIONS: If you are an inmate of a correctional institution, health information necessary to protect your health or the health of other individuals may be given to that institution.
LEGAL PROCEEDINGS: Providers may be required to give health information in response to a court order or subpoena.
LAW ENFORCEMENT: Health information may be accessed for law enforcement purposes. For example: Health information may be given to help law enforcement identify the victim of a crime.
ORGAN AND TISSUE DONATION: Health providers may release information necessary to help with organ donation or organ transplant. For example, the Louisiana Organ Procurement Agency (LOPA) would receive health information necessary to carry out these functions.
MILITARY AND VETERANS: If you are a member of the armed forces, information about you as required by military command authorities may be released.
WORKERS’ COMPENSATION: These programs provide payment and benefits for work-related injuries or illnesses and require medical information to carry out their services.
FAMILY: Information may be given out to family members to assist in notifying them of your location or your condition. Callers who ask for you by name may be given your location in a health care facility. You may ask that health care providers not disclose any information to family or callers.
For more information about access and privacy rights, you can go to www.privacyrights.org/fs/fs8-med.htm#c
Can I access my EMR from my home computer?
Because the features of each EMR system are different, the amount of information available to you will differ with each health care provider. Some providers may be able to offer you individual test results or summaries of your health care data from your home or office computer, while other providers may not be able to provide any electronic access to your EMR. Speak to your health care provider about the information available to you electronically.
Does the government have access to my records?
No. The HIPAA Privacy Rule does not create a government database of medical records, nor does it require a physician or any other covered entity to send medical information to the Federal government for a government database or similar operation.
Covered entities may, however, use and disclose protected health information without individual authorization for the following national priority activities:
- Oversight of the health care system, including quality assurance activities
- Public health and in emergencies affecting life or safety
- Research
- Judicial and administrative proceedings
- Law enforcement
- To provide information to next-of-kin
- For government health data systems
- For identification of the body of a deceased person or the cause of death
- For facilities (hospitals, etc.) directories
- In other situations where the use or disclosure is mandated by other laws
Do all doctors and hospitals use the same type of EMR system?
No. Each health care provider can choose the EMR system that works best for them. Physicians in the same office or multi-hospital system are more likely to use the same EMR.
Will my records eventually be used to determine my insurance rates?
Providers generate claims for payment based on the care they give you. Those claims are among various factors that drive the cost of health insurance. Insurance companies can request additional information about your care to validate the claims they receive. Their right to access that information is no different whether your health information is kept in paper charts or in an electronic health record system.