HIPAA and Patient Medical Record Confidentiality
Federal civil rights laws and the Health Insurance Portability and Accountability Act (HIPAA)
Privacy Rule together protect your fundamental rights of nondiscrimination and health
information privacy. Civil rights laws help protect you from unfair treatment or discrimination
because of your race, color, national origin, disability, age, sex (gender), or religion. Federal
laws also provide conscience protections for health care providers.

The Privacy Rule protects the privacy of your health information: it says who can look at and
receive your health information, and it also gives you specific rights over that information. In
addition, the Patient Safety Act and Rule establish a voluntary reporting system to enhance the
data available to assess and resolve patient safety and health care quality issues, and they provide
confidentiality protections for patient safety concerns.
Civil Rights

    OCR helps to protect you from discrimination in certain health care and social service
    programs. Some of these programs may include:

        Hospitals, health clinics, nursing homes
        Medicaid and Medicare agencies
        Welfare programs
        Day care centers
        Doctors' offices and pharmacies
        Children's health programs
        Alcohol and drug treatment centers
        Adoption agencies
        Mental health and developmental disabilities agencies

Health Information Privacy Rights

    By enforcing the Privacy and Security Rules, OCR helps to protect the privacy of your health
    information held by certain health care providers and health insurers. Some of these
    providers and insurers may include:

        Doctors and nurses
        Pharmacies
        Hospitals, clinics, and nursing homes
        Health insurance companies
        Health maintenance organizations (HMOs)
        Employer group health plans
        Certain government programs that pay for health care, such as Medicare and Medicaid

    OCR also enforces the confidentiality provisions of the Patient Safety Act and Rule.

                             Health Information Privacy
The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of
individually identifiable health information; the HIPAA Security Rule, which sets national
standards for the security of electronic protected health information; and the confidentiality
provisions of the Patient Safety Rule, which protect identifiable information being used to
analyze patient safety events and improve patient safety.

The Standards for Privacy of Individually Identifiable Health Information (the "Privacy Rule")
establish, for the first time, a set of national standards for the protection of certain health
information. The U.S. Department of Health and Human Services ("HHS") issued the Privacy
Rule to implement the requirements of the Health Insurance Portability and Accountability Act of
1996 ("HIPAA").

The Privacy Rule
The Privacy Rule standards address the use and disclosure of individuals' health information
(called "protected health information") by organizations subject to the Privacy Rule (called
"covered entities"), as well as standards for individuals' privacy rights to understand and control
how their health information is used. Within HHS, the Office for Civil Rights ("OCR") has
responsibility for implementing and enforcing the Privacy Rule with respect to voluntary
compliance activities and civil money penalties.

                    Organizational Policies and Regulations
       All staff members should have training at least annually on confidentiality, especially
       when the staff has access to personal information; the training should include HIPAA
       rules and regulations. Staff should know that there can be serious ramifications for
       violating a patient's privacy.

       All employees who have access to personal information should be required to attend the
       annual training. During the meeting they should be given an employee handbook that
       addresses confidentiality, and the employees should sign a copy for their personnel file.

       Training should include a review of applicable case studies of various types of violations
       of medical record confidentiality and HIPAA regulations.

       Role-playing exercises should be conducted to teach personnel what to do in the event
       they witness violations and misuse of patient records.

       Training should incorporate real-life examples of potential confidentiality violations and
       how to avoid mistakes.

       A Privacy Officer should be appointed to monitor and make sure that security measures are
       maintained, that all applicable state and federal laws are enforced, and that all
       organizational policies and procedures are followed.


                                   Security Measures

       Background checks for all employees
       Limited access to records
       Login authentication
       Monitor login frequency
       Maintain chain of custody
       List of all personnel associated with patient care
       Maintain attendance records
       Record login dates and times
       Record all data transfer dates and times


