What is a Medical Privacy Act?

A medical privacy act is a state or federal law designed to ensure the privacy and confidentiality of patient medical information. HIPAA, which applies at the national level, is the most well-known medical privacy act. A number of states also have a medical privacy act. Examples of a state medical privacy act are discussed in greater detail below.

What Does a State Medical Privacy Act Cover?

A state medical privacy act regulates how healthcare providers and insurers may use and disclose confidential patient information. Many states have a medical privacy act that provides patients with a number of privacy rights. For example, Nebraska, Pennsylvania, Virginia, and Washington each have a comprehensive state medical privacy act. The acts address different areas, including the right of access, restrictions on use and disclosure, the right to file a private right of action, and notices of information collection practices.

Medical Privacy Act

The Nebraska state medical privacy act contains, among other provisions, a right of access provision. Nebraska law grants patients the right of access to medical records maintained by providers, including physicians, psychologists, chiropractors, dentists, hospitals, clinics, and any other licensed or certified healthcare practitioner or entity. “Medical records” are defined as a provider’s record of a patient’s health history and treatment rendered. Under the Nebraska medical privacy act, upon receiving a patient’s written request to examine his or her medical records, a provider must, as promptly as required under the circumstances but no later than 10 days after receiving the request:

  • Make the medical records available for examination during regular business hours; 
  • Inform the patient if the records do not exist or cannot be found; 
  • If the provider does not maintain the records, inform the patient of the name and address of the provider who maintains such records, if known; or 
  • If unusual circumstances have delayed handling the request, inform the patient in writing of the reasons for the delay and the earliest date when the records will be available for examination. Even if there is a delay, access must be given within 21 days after receiving the request.

The Pennsylvania state medical privacy act contains, among other provisions, provisions for reporting of communicable diseases. Physicians must report people who have or who are suspected of having a communicable disease to the local department of health. To protect patient privacy, state and local health authorities may not disclose these reports or any records maintained as a result of any action taken in response to the report to anyone outside the department of health, except where necessary to control or prevent communicable disease.

Virginia’s medical privacy act gives patients the right to access their medical records held by a health plan, and the right to have the health plan amend those records if they are inaccurate or incomplete. The Virginia medical privacy act, unlike other state medical privacy acts and HIPAA, allows an individual whose rights are violated under that act by a health plan to file a lawsuit seeking equitable relief (non-monetary relief, such as a court order requiring a provider to release records, or an injunction).

The state of Washington’s medical privacy act contains a requirement that patients be notified of how healthcare providers use or disclose their health information. In Washington, a healthcare provider who maintains a record of a patient’s healthcare information must place a copy of the notice of privacy practices in a conspicuous place in the healthcare facility, on a consent form, or with a billing or other notice provided to the patient. The notice must generally advise a patient that the facility will not disclose the patient’s information unless authorized by the patient or permitted by law.

What Else Does a State Medical Privacy Act Cover?

A state medical privacy act may also contain provisions for accounting of PHI disclosures, for when PHI may be used for research, sale, or marketing purposes, and for when pharmacies may use and disclose protected health information. A state medical privacy act may also contain provisions for when a mental health provider may use or disclose confidential information about a patient, and for whether a patient is entitled to access the provider’s psychotherapy notes.
