Part 3: Uses and Disclosures (FAQ 55 of 65)

55. Does HIPAA Really Restrict Use and Disclosure of My Health Records?

This is a tough question to answer in a simple way. The answer depends in part on your perspective. If you thought that your health records would never be disclosed without your consent, then you won't think much of the HIPAA use and disclosure provisions.

One answer is that HIPAA regulates all uses and disclosures. If the rule does not allow a use or disclosure, then the only way that a covered entity can use or disclose the record is with your written authorization. If you think that sounds good, you should keep reading because the rule allows a large number of uses and disclosures without your consent. By the way, a use of information occurs when a covered entity makes a record available to someone within the organization that maintains the record. A disclosure occurs when a record is shared with someone outside the organization.

A second answer is that HIPAA allows many uses and disclosures to occur without any need for your approval. Typically, these are disclosures made so a covered entity can be paid for services, manage its operations, provide treatment, or comply with government reporting requirements.

It is genuinely difficult to count the number of categories of permissible uses and disclosures. Much depends on how you do the counting. The number of government and private institutions that can ask for and receive health records without your permission numbers in the tens of thousands. A covered entity can make nearly all permissible uses and disclosures without your consent or authorization. Indeed, with only a few exceptions, a covered entity can make most allowable uses and disclosures even over your express written objection.

A third answer is that HIPAA did not really change the practice for most covered entities regarding use and disclosure. Instead, HIPAA established universal standards and procedures for covered entities. The universal standards and procedures were new. However, the uses and disclosures that HIPAA allows are largely those that became routine in the last half of the twentieth century. Even many health care providers were not aware of how widespread the use and disclosure of health records had become. Before HIPAA, many providers thought that they only disclosed patient records with the consent of the patient, but it just wasn't true. HIPAA made everyone pay attention to and learn about privacy, often for the first time.

The biggest drivers for the sharing of medical records are:

Growth of third party insurance (including Medicare)
Pressures for increased controls on the cost of health care
Development of quality controls for medical practice
Growth of health care fraud and fraud investigations
Increase in public health activities
Expansion of records-based health research.

All of these activities and others contributed to the demand for access to individually identifiable medical records. Most of these activities serve important public or personal purposes, and it is not always easy to dismiss the HIPAA rule's policies as anti-privacy. Disclosure often serves another significant but competing goal. Protecting privacy is only one objective in the health care system.

SIDEBAR:

Some health activities can be and are conducted with records that do not include any identifying data about individual patients. However, use of anonymous or non-identifiable records doesn't meet all the needs for health information for several reasons. First, some activities really do require records with identifiers. For research that tracks the course of disease over years, the only way to link records may be with the use of identifiers.

Second, too many activities that could have used non-identifiable records started at a time when few paid attention to privacy or to alternatives to the use of identifiable records. Methods that might have increased use of non-identifiable records do not always exist because nothing forced their development.

Third, it is increasingly difficult to talk about non-identifiable records. As the amount of data recorded and available throughout society increased, the domain of truly non-identifiable records diminished. It is easier and easier to identify records even though overt identifiers have been removed. To make the point, more than 85% of the population of the United States can be uniquely identified just by date of birth, gender, and five-digit zip code. All records, no matter how they may have been edited, may be potentially identifiable with enough time, effort, and other data. Powerful modern computers make it easier to link records and to re-identify records that have been "de-identified."

SIDEBAR:

Another interesting and important part of the rule tries to limit use and disclosure to the minimum amount of information necessary to accomplish the purpose of the use or disclosure. This is a fine principle, but its implementation is complex and controversial. All uses and disclosures to a health care provider for treatment purposes are exempt from the minimum necessary rule. It's a big exception to the principle, but it is one that makes sense to us. Providers need broad access to records for treatment. Disclosures pursuant to a patient's authorization are also exempt, which is a reason that a patient should be careful when signing any authorization for disclosure of his or her records. If you sign an authorization for the disclosure of "any or all" of your records, your entire medical history can be disclosed.

Part 3: Uses and Disclosures (FAQ 55 of 65)

55. Does HIPAA Really Restrict Use and Disclosure of My Health Records?

SIDEBAR:

SIDEBAR:

Jump to list of FAQs 1-65 | See all of Part 3