Back to FirstHealth Magazine Home
In This Issue
Message from the CEO
Your Letters
New Providers
Past Issues
Request A Hardcopy
FirstHealth of the Carolinas
Your right to privacy

Whether you have gallstones or kidney stones, cancer or diabetes, a heart murmur or pneumonia, it’s nobody’s business but your own. And no one should share information about your condition or treatment with anyone without your permission.

That is the policy of every reputable doctor and hospital in the country.

It is also the law.

States have long had laws protecting the privacy of patient information, but they were inconsistent, and some laws were more restrictive than others. Under a federal law that went into effect in April 2003, the same rules apply to all health care providers across the land.

The privacy section of the Health Information Portability and Accountability Act (HIPAA) spelled out the rights that patients have regarding their health care information.

“The law not only protects the security and confidentiality of information, it also gives patients more control over their information,” says Cassina Hunt, FirstHealth’s privacy officer and director of Health Information Management (formerly Medical Records.) “It allows patients to access their health information within guidelines, to obtain copies of their records and to request amendments if they feel that any of the information is inaccurate.”

One provision of the federal privacy law has made it easier for health care providers to share patient information when necessary for the continuation of care. If a doctor needs the hospital records of a patient who has come to his or her office for treatment, the hospital can release that information without the patient’s written permission after a treatment relationship has been confirmed.

“Changes in how care providers share information were prompted by past concerns that the manner in which some organizations controlled access to information could be an impediment to prompt treatment,” Hunt says. “These changes were based on the assumption that care may have been delayed in some cases while organizations were waiting to obtain written authorizations.

“Even with the Privacy Act, if there is any question whatsoever about the validity of a request, FirstHealth will not release patient information without the specific approval of the patient or without further follow-up to confirm the appropriateness.”

Health care organizations are required to establish procedures for protecting the confidentiality of patient information and to train their staffs to strictly follow those procedures. Organizations also are obligated to investigate any complaints about the improper disclosure of information and to correct any weaknesses they find in their security system.

Patients can file complaints with a health care organization’s privacy officer. If they aren’t satisfied with the organization’s response, they can appeal to the federal Office of Civil Rights.

Patients’ medical information used to be kept on paper charts in manila folders that followed them around the hospital. Once the patient was discharged, the chart was filed along with everyone else’s in a locked room.

Now, in many hospitals, including the three FirstHealth hospitals, patient information is entered into computers. Electronic charts have largely replaced paper charts. That is far more efficient. It also makes a patient’s medical information much more secure, Hunt says.

“The ability to monitor, control and audit access to patient information is enhanced in an electronic world,” Hunt says. “Access can be restricted to the patient’s entire file or select documents or to select individuals.”

Security was generally good with paper records, but if there was a breach of confidentiality, it was much more difficult to determine exactly who might have looked at a patient’s chart.

“With electronic records, most systems not only track who accesses information, they also tell us the date, time and the length of time spent looking at the documents,” Hunt says.

According to Hunt, FirstHealth continuously monitors its patient information system to look for weaknesses and even hires outside consultants to test the system’s security.

“We have so many safeguards and levels of security that it would be extremely difficult for anyone who isn’t authorized to get into the system,” she says. “Since going live with electronic records in July 2004, we have been able to manage and control access better than was ever possible with paper records.”