Aug 14, 2013

New HIPAA regulations give patients easier access to their health records, more protections

Patients will have significantly more privacy protections and greater access to their medical records under new regulations issued by the U.S. Department of Health and Human Services. The rules, the HIPAA Omnibus rules issued January 2013, create sweeping changes to the 1996 Health Care Portability and Accountability Act. Medical providers have until Sept. 26, 2013, to come into compliance. The intent of the rules is to modernize HIPAA for today's environment in which medical information is stored electronically, and to bolster the public's confidence that their personal health records can be safely and securely maintained in electronic format.

The rules provide more severe penalties for providers who breach privacy, require the encryption of data, tighten controls on the personal health data that may be shared or sold for marketing or fundraising purposes, compel notification of patients if a breach of their data has occurred, and extend the regulations to any vendors or other business associates who may have access to patient health records.

From a patient perspective, the following changes are the most notable:
  • A patient has the right to request his/her personal health records in electronic format. Physicians must furnish the records within 30 days, with one 30-day extension permitted. Copies must be furnished in the format requested by the patient if the record can be reproduced in the requested format; if not, other electronic readable formats may be offered.
  • If the patient wants an electronic record sent to a third party such as a caregiver, physician or mobile app, the request must be made in writing.
  • A patient who pays out-of-pocket for a treatment may request that his/her insurance company not be notified, and the request must be honored.
  • If a patient's privacy has been breached, the patient must be notified within 60 days. Prior to the omnibus rules, a breach required disclosure only if it was determined to cause significant "harm" to the patient.
  • Family members and caregivers of deceased patients will have greater access to the deceased patient's medical records, although the physician is required to release them only to the extent to which the requesting party was involved with the decedent's medical care. Records may not be released if, prior to death, the patient requested that they not be shared.
The new rules do not change our attorneys' recommendation that clients include HIPAA waivers in their estate planning documents. A HIPAA waiver should be included in your Health Care Power of Attorney. That way, the person you have empowered to make your medical decisions will have access to your health providers and be able to discuss your situation with them. Even if you have signed a HIPAA waiver in your doctor’s office, it may be unavailable or inadequate to meet your needs with other doctors, hospitals, pharmacies, or health insurance companies. If you have an existing Health Care Power of Attorney that does not include the HIPAA waiver, you should either have it modified, or execute a separate HIPAA waiver.

A HIPAA waiver should also be included in your Revocable Living Trust. If you become disabled and your trustee must manage the assets in the trust, he/she will need to provide documentation of your disability to your financial institutions. A HIPAA waiver for your trustee relieves your medical providers of liability and enables your trustee to secure the needed information from them. 

More information about the new HIPAA rules is available at the U.S. Department of Health and Human Services website.
