Medical confidentiality
Medical confidentiality is a set of rules that limits access to information discussed between a person and their healthcare practitioners. With only a few exceptions, anything you discuss with your doctor must, by law, be kept private between the two of you and the organisation they work for. This is also known as doctor–patient confidentiality. When you go to a new doctor, you can choose whether to share your previous medical records with them by giving written consent to your other doctors so that they can send the information in your medical file to your new doctor.
Privacy in healthcare
Privacy in a healthcare situation means that what you tell your healthcare provider, what they write down about you, any medication you take and all other personal information is kept private. You have a legal right to this privacy, and there are laws that guide health service providers in how they collect and record information about your health, how they must store it, and when and how they use and share it. You can give any of your health professionals your consent to share your health information, for example, when you change doctors and you want your new doctor to have access to your medical history. You also have a legal right to access your health information. The Victoria Health brochure ‘Your Information, It’s Private’ should be available from your healthcare professional, or you can download it. It is also available in languages other than English.
Definition of health information
Health information is any information about a person’s health or disability, and any information that relates to a health service they have received or will receive. Health information is sensitive and personal, which is why there are laws to protect your right to keep your health information private.
How health services collect, store and share information
In Victoria, a health service is any organisation that collects information about people’s health, such as:
- doctors’ surgeries or clinics
- specialist clinics
- dental surgeries
- public and private hospitals
- sexual health clinics
- disability services
- nutrition services, such as dietitians and nutritionists
- maternal and child health clinics
- allied health services, such as optometrists and physiotherapists
- naturopaths, chiropractors, massage therapists and other complementary medicine providers
- fitness providers, such as gyms, fitness trainers and weight loss services
- healthcare workers in childcare centres, schools, colleges and universities.
Exemptions to privacy laws
There are two types of situations in which a health service may use or share your health information without your consent. These are:
- when your or someone else’s health or safety is seriously threatened and the information will help, such as if you are unconscious and paramedics, doctors and nurses need to know whether you are allergic to any drugs
- when the information will reduce or prevent a serious threat to public health or safety, for example, if you have a serious contagious illness and the public needs to be warned.
HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. The law has gained greater prominence in recent years with the proliferation of health data breaches caused by cyberattacks and ransomware attacks on health insurers and providers.
HIPAA, also known as Public Law 104-191, has two main purposes: to provide continuous health insurance coverage for workers who lose or change their job, and to reduce the administrative burdens and cost of healthcare by standardizing the electronic transmission of administrative and financial transactions. Other goals include combating abuse, fraud and waste in health insurance and healthcare delivery and improving access to long-term care services and health insurance.
The US Department of Health and Human Services (HHS) expanded the act when it put the HIPAA omnibus rule in place in 2013 to implement modifications to HIPAA in accordance with guidelines set in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act. These guidelines concern the responsibilities of business associates of covered entities. The omnibus rule also increased penalties for HIPAA compliance violations to a maximum of $1.5 million per incident.
The HHS Office for Civil Rights (OCR), which enforces HIPAA, issued guidance in 2016 clarifying that cloud service providers and other business associates of healthcare organizations are covered by the HIPAA privacy, security and breach notification rules. HIPAA violations can prove quite costly for healthcare organizations.
The HIPAA Breach Notification Rule within the omnibus set of regulations requires covered entities and any affected business associates to notify patients following a data breach.
In addition to the notification costs, healthcare organizations can encounter fines after HIPAA audits mandated by the HITECH Act and conducted by the Office for Civil Rights. Providers could also face criminal penalties stemming from violations of the HIPAA privacy and security rules.
In 2010, the Federal Trade Commission extended the breach notification rule and its enforcement to healthcare organizations not covered by HIPAA, including vendors of electronic health records (EHRs) and EHR-related systems.
OCR undertook its first round of HIPAA audits of healthcare organizations in 2012 and 2013. Those pilot audits carried no fines or penalties.
A considerably wider, formal round of desk and in-person audits of about 200 healthcare-covered entities and business associates began in 2016 and continued into 2017. These audits were expected to carry fines or corrective action plans.
OCR further strengthened the HIPAA security rule in 2016 by releasing a crosswalk between the HIPAA Security Rule and the National Institute of Standards and Technology's Cybersecurity Framework, so that organizations can identify cybersecurity gaps and align their HIPAA programs with national cybersecurity standards.
Organizations can lower their risk of regulatory action through HIPAA compliance training programs. OCR has six educational programs on complying with privacy and security rules. A number of consultancies and training groups offer programs, as well. Healthcare providers may also choose to create their own training programs, which often encompass each organization's current HIPAA privacy and security policies, the HITECH Act, mobile device management processes and other applicable guidelines.
While there is no official HIPAA compliance certification program, training companies offer certification credentials to indicate an understanding of the guidelines and regulations specified by the act.
The Standards for Privacy of Individually Identifiable Health Information, commonly known as the HIPAA Privacy Rule, establishes the first national standards in the United States and globally to protect patients' personal or protected health information (PHI).