Whether you have gallstones or kidney stones, cancer or diabetes, a heart murmur or pneumonia, it’s nobody’s business but your own. And no one should share information about your condition or treatment with anyone without your permission.

That is the policy of every reputable doctor and hospital in the country. It is also the law.

States have long had laws protecting the privacy of patient information, but they were inconsistent, and some laws were more restrictive than others. Under a federal law that went into effect in April 2003, the same rules apply to all health care providers across the land.

The privacy section of the Health Information Portability and Accountability Act (HIPAA) spelled out the rights that patients have regarding their health care

“The law not only protects the security and confidentiality of information, it also gives patients more control over their information,” says Cassina Hunt, FirstHealth’s privacy officer and director of Health Information Management (formerly Medical Records). “It allows patients to access their health information within guidelines, to obtain copies of their records and to request amendments if they feel that any of the information is

One provision of the federal privacy law has made it easier for health care providers to share patient information when necessary for the continuation of care. If a doctor needs the hospital records of a patient who has come to his or her office for treatment, the hospital can release that information without the patient’s written permission after a treatment relationship has been confirmed.

“Changes in how care providers share information were prompted by past concerns that the manner in which some organizations controlled access to information could be an impediment to prompt treatment,” Hunt says. “These changes were based on the assumption that care may have been delayed in some cases while organizations were waiting to obtain written authorizations.

“Even with the Privacy Act, if there is any question whatsoever about the validity of a request, FirstHealth will not release patient information without the specific approval of the patient or without further follow-up to confirm the appropriateness.”

Health care organizations are required to establish procedures for protecting the confidentiality of patient information and to train their staffs to strictly follow those procedures. Organizations also are obligated to investigate any complaints about the improper disclosure of information and to correct any weaknesses they find in their security system.

Patients can file complaints with a health care organization’s privacy officer. If they aren’t satisfied with the organization’s response, they can appeal to the federal Office of Civil Rights.

Patients’ medical information used to be kept on paper charts in manila folders that followed them around the hospital. Once the patient was discharged, the chart was filed along with everyone else’s in a locked room.

Now, in many hospitals, including the three FirstHealth hospitals, patient information is entered into computers. Electronic charts have largely replaced paper charts. That is far more efficient. It also makes a patient’s medical information much more secure, Hunt says.

“The ability to monitor, control and audit access to patient information is enhanced in an electronic world,” Hunt says. “Access can be restricted to the patient’s entire file or select documents or to select individuals.”

Security was generally good with paper records, but if there was a breach of confidentiality, it was much more difficult to determine exactly who might have looked at a patient’s chart.

“With electronic records, most systems not only track who accesses information, they also tell us the date, time and the length of time spent looking at the documents,”

According to Hunt, FirstHealth continuously monitors its patient information system to look for weaknesses and even hires outside consultants to test the system’s

“We have so many safeguards and levels of security that it would be extremely difficult for anyone who isn’t authorized to get into the system,” she says. “Since going live with electronic records in July 2004, we have been able to manage and control access better than was ever possible with paper records.”