New Medical Privacy: You Pay For Care, You Control Who Sees The Record

As of Sept. 23, a new provision of the federal law on patient rights and medical privacy — affectionately known as HIPAA — takes effect, and it’s sure to please the paranoiac in all of us. It allows patients who pay for a treatment out of pocket to limit access to the medical record of it — and that includes barring your health insurer from seeing it, if you choose.

Now, this may not excite you if you don’t expect to need treatment for a sexually transmitted disease any time soon. But some people feel deeply protective of their medical records — and may not have warm and trusting feelings toward their insurers or employers. For an explanation of the new privacy provision, I spoke with Matt Fisher, chair of the Health Law Group at Mirick O’Connell, a law firm with offices in Worcester, Boston and Westborough. Our conversation, lightly edited:

So this new HIPAA rule that takes effect on Sept. 23 basically says that if the patient pays for their care, they can keep it from the knowledge of their health plan?

The patient can request that services or items provided, that they paid for out of pocket in full, that access to that information be restricted to specific individuals or providers. So that means that they can say, ‘Don’t share it with this insurance company,’ which request previously could be ignored by a provider. This change modifies the existing rule that a patient can ask for information to be restricted, but doing so is at the provider’s discretion. It is now not optional with regard to health plans.

So how does this differ from what we already had?

Attorney Matt Fisher (Courtesy)

You already had protection from just general disclosure of the information, but there were permitted disclosures that can be made between what are called covered entities: a physician, a hospital or an insurance company. So absent the request that the information not be shared if the services are paid for out of pocket, that information can be shared with insurers without the patient’s authorization, if it’s for payment or health care operations. Those three broad categories allow providers and insurers to interact and each perform their functions. So it makes sense you wouldn’t require authorization for that type of sharing.

But the new provision says that if the patient has paid for it out of pocket, now you can say, ‘Don’t share it with my insurer — they don’t need to know about it because they’re not paying for it.’ Or there could be some other reason you don’t want it shared.

Can you paint a couple of scenarios of how you expect this to be used once people know about it?

One example I’ve heard about a lot is if an individual goes in for a treatment of a sexually transmitted disease — so there might be a feeling of some type of social stigma or some other instance where you might have the feeling of not wanting it shared.

So anything with stigma?