FRIDAY, May 5, 2006 (HealthDay News) -- As a patient, you've probably scribbled your name on countless forms over the years. One of them is an acknowledgement that you have received a copy of your medical provider's privacy policy.

But do you have any inkling what that so-called "Notice of Privacy Practices" actually says?

"I think generally with a lot of notices people simply don't read them because they may be several pages long and sometimes they're rather complex," said Tena Friery, research director of the Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy group based in San Diego.

Still, people's lack of familiarity with the details of that policy doesn't diminish its importance, advocates insist.

In general, the notice patients receive describes their rights under the federal Health Insurance Portability and Accountability Act (HIPAA), the law that established the nation's first-ever standards for protecting the privacy of Americans' medical records.

Before HIPAA, people relied on a patchwork of state laws that may or may not have afforded them sufficient rights and protections. But since April 14, 2003, doctors, hospitals, health plans and pharmacies have had to abide by a single national standard. While HIPAA establishes a basic level of protection, state laws that provide additional or more stringent protections continue to apply.

The federal law establishes certain patient privileges, including the right to obtain a copy of their medical records. "That is one of the fundamental and most important rights conveyed by HIPAA," Friery said.

Patients may be required, though, to pay for copying and postage. Providers are allowed to charge a "reasonable" fee for preparing and delivering that document, she noted.

People also have the right to request corrections to information that is wrong or incomplete in their medical record.

While HIPAA seeks to guard against inappropriate disclosures, the law does allow a patient's information to be used and shared for purposes of treatment, payment or health-care operations.

There are other exceptions, as well. A hospital may use a patient's information to report incidents of flu to public officials, for instance, or to report a gunshot wound to the police. Patients, on the other hand, may request a report listing who has received this personal information in the past year and for what reason.

The law, however, prohibits providers from using or sharing patients' medical information with people or organizations not related to their health care, such as marketing and advertising companies, without explicit patient consent.

"So no longer should patients be getting marketing letters from pharmaceutical companies saying things like, 'Now, we know you have diabetes, so we think you should consider this diabetes medicine,'" said D'Arcy Gue, executive vice president of Phoenix Health Systems, an information technology and consulting firm that co-sponsors an annual survey on HIPAA compliance within the health-care industry. That prohibition has been quite effective, she noted.

And in the event of some problems, such as a breach of privacy, patients have the right to file a complaint with their health provider or insurer. The privacy notice that patients receive describes how to file a complaint.

From a patient perspective, HIPAA is mostly positive, Gue said.

"The only negative is that many patients don't understand HIPAA -- it's a very, very complex set of regulations," Gue explained. "So they don't understand why they're being asked to sign these forms at the beginning of a health encounter."

But signing on the dotted line simply acknowledges that you've received a copy of the provider's privacy policy, not that you consent to it, Gue said.

More information

To learn more about HIPAA, visit the U.S. Department of Health and Human Services.
