Q&A with Karen Rieger
Medical facilities can face fines for patient data breaches
Q: There have been recent breaches of patient data at medical facilities. What rights do patients have to the security of their medical records?
A: Many. The federal Health Insurance Portability and Accountability Act limits the ability of health care providers and insurance companies to use and disclose patient health information without the patient's authorization, except as necessary for purposes of treatment, payment and certain health care operations. Oklahoma also has a number of laws and regulations that protect sensitive health information.
Q: What recourse do they have, should that information be leaked?
A: Patients can't bring lawsuits, but violations may be reported to the Office of Civil Rights (OCR), which can impose fines and penalties on health care providers and insurance companies that violate the law. We have seen an increase in enforcement activities by the OCR over the past several years, in light of several well-publicized cases in which health information of celebrities and other high-profile individuals was inappropriately leaked. Patients also may bring a claim based upon invasion of privacy, breach of contract or other legal grounds, depending upon the facts of a particular case.
Q: How will the security of patient information change with the introduction of electronic medical records?
A: Encryption is strongly encouraged, and many health care providers are installing encryption systems to protect electronic health information. Also, health care providers and insurance companies are required to notify both the OCR and the patients affected in situations in which unencrypted health information is erroneously disclosed. This notification requirement is expected to make health care providers and insurance companies more diligent about protecting this sensitive information.
PAULA BURKES, BUSINESS WRITER