In 1996, HIPAA, the Health Insurance Portability Accountability Act was passed by the US Congress. It is administered by the US Department of Health and Human Services and is intended to protect patients' medical records.
HIPAA calls those records "protected health information." It sets forth policies and standards for how patient information, including doctors' notes, medical test results, lab reports, and billing information may be shared. Included are policies about security, and the use of electronic equipment to store and transfer records.
Despite the fact that these rules have been in effect for going on two decades, there is still confusion over their application. Providers fear the fines they will be forced to pay if they share the information with someone or some entity outside the rules, so they often over-protect patient information.
Patients get frustrated trying to gain information for themselves and loved ones, some of whom are excluded from obtaining access without written permission from the patient.
Patients are often surprised to learn just who is allowed by law to access their records. Payers, the government, sometimes employers and many others have access to medical records.
Empowered patients or their advocates make themselves familiar with HIPAA basics. Understanding those basics will give them the confidence they need to discuss any hurdles they encounter when requesting records from their providers.
Should you feel your rights under HIPAA have been violated, there is a procedure available from the Department of Health and Human Services to make a complaint.
A series of easy to understand brochures describing HIPAA basics have been developed by the Department of Health and Human Services. The brochures are available for download from the HHS website.