1. CONSUMER CONTROL OVER HEALTH INFORMATION
- Patient education on privacy protections. Providers and health plans are required to give patients a clear written explanation of how they can use, keep, and disclose their health information.
- Ensuring patient access to their medical records. Patients must be able to see and get copies of their records, and request amendments. In addition, a history of most disclosures must be made accessible to patients.
- Receiving patient consent before information is released. Patient authorization to disclose information must meet specific requirements. Health care providers who see patients are required to obtain patient consent before sharing their information for treatment, payment, and health care operations purposes. In addition, specific patient consent must be sought and granted for non-routine uses and most non-health care purposes, such as releasing information to financial institutions determining mortgages and other loans or selling mailing lists to interested parties such as life insurers. Patients have the right to request restrictions on the uses and disclosures of their information.
- Ensuring that consent is not coerced. Providers and health plans generally cannot condition treatment on a patient's agreement to disclose health information for non-routine uses.
- Providing recourse if privacy protections are violated. People have the right to complain to a covered provider or health plan, or to the Secretary, about violations of the provisions of this rule or the policies and procedures of the covered entity.
2. BOUNDARIES ON MEDICAL RECORD USE AND RELEASE
- With few exceptions, an individual's health information can be used for health purposes only.
- Ensuring that health information is not used for non-health purposes. Patient information can be used or disclosed by a health plan, provider or clearinghouse only for purposes of health care treatment, payment and operations.
- Health information cannot be used for purposes not related to health care - such as use by employers to make personnel decisions, or use by financial institutions - without explicit authorization from the individual.
- Providing the minimum amount of information necessary. Disclosures of information must be limited to the minimum necessary for the purpose of the disclosure. However, this provision does not apply to the transfer of medical records for purposes of treatment, since physicians, specialists, and other providers need access to the full record to provide best quality care.
- Ensuring informed and voluntary consent. Non-routine disclosures with patient authorization must meet standards that ensure the authorization is truly informed and voluntary.
3 . ENSURE THE SECURITY OF PERSONAL HEALTH INFORMATION
- Adopt written privacy procedures. These must include who has access to protected information, how it will be used within the entity, and when the information would or would not be disclosed to others. They must also take steps to ensure that their business associates protect the privacy of health information.
- Train employees and designate a privacy officer. Covered entities must provide sufficient training so that their employees understand the new privacy protections procedures, and designate an individual to be responsible for ensuring the procedures are followed.
- Establish grievance processes. Covered entities must provide a means for patients to make inquiries or complaints regarding the privacy of their records.