For at least the short term, expect lots of confusion and surprises stemming
from the medical privacy standards that took effect this week, say experts interviewed
by the Reuters news agency.
Under the new rules set forth in the Health Insurance Portability and Accountability
Act, or HIPAA, patients will receive notices from their providers describing
their new rights.
While those rights include the ability to examine your own medical records, they
also give consumers limited new powers to prevent sensitive data from slipping
into the wrong hands, Reuters reports. Among other things, they forbid healthcare
providers from sharing identifiable health information with employers; and unless
a patient has specifically granted his or her consent, providers may not sell
lists of patients to companies for marketing purposes.
But experts like healthcare lawyer Robert Falk cautioned that there are "still
a lot of gray areas here, and a lot of areas that are constantly popping up."
He cited a recent incident in which a patient's parole officer sent a release
form requesting medical information from the patient's doctor. Because the release
form did not meet the new privacy standards, the doctor won't be able to supply
the requested information.
"We're going to be dealing with a lot of unintended consequences or transition
issues here," Falk warned.
While many large hospitals, medical practices, insurers and pharmacy chains
are ready for the changes, "a lot of the small providers probably don't
know about it at all or are not prepared," he said.
The government has the power to wield stiff civil and criminal penalties to
enforce the rules. Violators are subject to fines of $100 "per incident"
up to a maximum of $25,000 per year for each breach of a privacy standard. Offenders
who knowingly flout the law with malicious intent or for commercial or personal
gain could face fines of up to $250,000 and up to 10 years in prison.
Despite the 24-month implementation phase, "misinformation and confusion"
abound, say officials at the Health Privacy Project, a nonprofit health privacy
information outfit based at Georgetown University.
For instance, many believe that hospitals will be barred from giving out patient
information to the public, they said. The truth is hospitals may continue to
share information about patients unless a patient specifically asks that the
information be kept private.
Project leaders are also troubled by the continued ability of pharmacies to
send health-related information about products and services to patients without
consumers' knowledge that the information may have been paid for by a drug company.