
HIPAA Privacy Rule protects private health information


by Mike Wheeler
University Privacy Officer
As mentioned in a previous article (The Catalyst, Jan. 10 or online at http://www.musc.edu/catalyst/archive/2002/co1-10hipaa.htm), the Health Insurance Portability and Accountability Act (HIPAA) regulations set forth in 45 Code of Federal Regulations Parts 160 and 164 are entitled “Standards for Privacy of Individually Identifiable Health Information,” commonly called “the Privacy Rule.”

The Privacy Rule provides a federal law to protect privacy and confidentiality by preventing a release of an individual’s private health information. The Privacy Rule defines an individual’s private health information as “Protected Health Information (PHI).” Under the Privacy Rule, individuals (our patients) have six rights. 

The MUSC organization must comply with the HIPAA Privacy Rule and uphold these six individual rights. An overview of these rights will help provide an understanding of how the Privacy Rule protects an individual’s privacy and confidentiality.

1) The right to request restriction on certain uses and disclosures of Protected Health Information (PHI). 

For example, an individual with health insurance coverage may request they pay for a service “out-of-pocket” and not file with their health insurance company. This is a reasonable request we would grant. Other requests can be complex, so consideration must be given to:

  • Ensuring that the restriction would be in the best interest of the individual; and
  • How the restricted PHI is used or disclosed in an emergency.

The MUSC organization reserves the right to terminate any accepted request after providing advance notice to the individual.

2) The right to receive confidential communications of PHI (billing information, appointment reminders, etc.). For example, an individual may request that billing information or appointment reminders be sent to a post office box in lieu of their home address. This is also a reasonable request we would consider granting. The MUSC organization reserves the right to terminate any accepted confidential communication request after providing advance notice to the individual.

3) The right to inspect and copy PHI (medical records). The MUSC organization must provide action within 30 days of the receipt of a request, or 60 days if the information to be accessed is stored at an offsite location.

However, circumstances exist where the MUSC organization may deny an individual access to their medical records. 

For example, individuals can be denied access in the following circumstances:

  • A licensed health care professional has determined, in the exercise of professional judgment, that the access requested, by an individual or an individual’s personal representative, is reasonably likely to endanger the life or physical safety of, or cause substantial harm to, the individual or another person;
  • If the request is for access to psychotherapy notes; or
  • If the request is for access to information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

4) The right to amend PHI. The MUSC organization must provide action on an individual’s request for amendment within 60 days of receiving the request. A request to amend a record can be denied if:

  • The information was not created by the MUSC organization;
  • The information is not available for inspection (psychotherapy notes, information compiled for civil or criminal actions/proceedings); or
  • The information is accurate and complete.


If the request to amend is accepted, the information in question may be appended or flagged to the location of the amendment. However, information in medical records will not be deleted as a result of an accepted request for amendment.

5) The right to receive an accounting of disclosures of PHI (an accounting of non-MUSC entities reviewing the PHI). 

The following are not included in this accounting of disclosures:

  • For treatment, payment, or health care operations;
  • Disclosures of PHI to or authorized by the individual;
  • Incidental to a permitted use or disclosure (someone overhearing a conversation at a nursing station);
  • Facility directories;
  • For national security;
  • To law enforcement officials; or
  • Disclosures that occurred prior to the HIPAA Privacy Rule implementation date of April 14.

6) The right to obtain a paper copy of the MUSC organization’s Notice of Privacy Practices. A Notice of Privacy Practices is a summary of how the MUSC organization uses PHI to perform payment, treatment, and health care operations. The notice also informs the individual about the six Privacy Rule rights.

The MUSC organization has continually emphasized the ethical importance of protecting privacy and confidentiality and is in the process of generating a set of policies and procedures to specify the actions necessary to uphold these six individual rights. 
 

Catalyst Online is published weekly, updated as needed and improved from time to time by the MUSC Office of Public Relations for the faculty, employees and students of the Medical University of South Carolina. Catalyst Online editor, Kim Draughn, can be reached at 792-4107 or by email, catalyst@musc.edu. Editorial copy can be submitted to Catalyst Online and to The Catalyst in print by fax, 792-6723, or by email to petersnd@musc.edu or catalyst@musc.edu. To place an ad in The Catalyst hardcopy, call Community Press at 849-1778.