Facility Medical Records
Medical records contain much detailed information that is required by statute, regulation or JCAHO standards. For example, federal regulations mandate the use of a Resident Assessment Instrument (RAI) and Minimum Data Set (MDS) in federally certified nursing homes. Such records are technically the property of the facility. Historically, privacy protection of such records has been a state concern.
Federal concern over privacy protection arose with the more widespread use of electronic records, which were specifically encouraged under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA included provisions for administrative simplification and standards for health care electronic data exchange. Given the wide variation across states in the scope and stringency of privacy protections, and concerns about the security and privacy of electronic data in particular, HIPAA also included a third major component addressing health information security requirements. This component established national standards that effectively set a national floor on privacy as it relates to medical records. The Duke Center for Health Policy has developed a draft working paper assessing the costs and benefits of medical records regulation in the U.S., including both HIPAA privacy rules and state privacy regulations.
- Privacy Rule. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule
- The Office for Civil Rights (OCR) enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information, and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety. This link summarizes the Privacy Rule’s protection of the privacy of individually identifiable health information, the rights granted to individuals, OCR’s enforcement activities, and how to file a complaint with OCR.