One basic privacy right is the right to seek correction of personal information that is incorrect or incomplete. This is a difficult area for health records because health care providers do not like to change records, and they strongly resist removing information from a record. Often, the resistance is reasonable. For example, a preliminary diagnosis may turn out to be wrong, but the record of the diagnosis must remain in the record to explain a particular test or treatment.
Under HIPAA, if a consumer wants to authorize a covered entity to disclose her records, she will usually be obliged to sign an authorization form. The HIPAA rule prescribes the content of the authorization form and its scope. That rule provides some protections because it makes it harder for a consumer to unknowingly sign a form authorizing the disclosure of health records. For example, if a consumer signs a one-sentence form authorizing anyone with records about the consumer to disclose the records to the bearer of the form, it is unlikely that any doctor or hospital would or should honor that form.
Version 1: October 16, 2007 The World Privacy Forum, as part of its ongoing in-depth research into medical identity theft issues and responses, has outlined 8 best-practice responses to the crime by the health care sector. These best practices are based on interviews with victims, providers, and other stakeholders. These 8 best practices are