What is the HIPAA Privacy Rule?
Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a federal law that is part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), gives you rights over your protected health information (PHI) and sets rules and limits on who can look at and receive your PHI.
The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral.
The Privacy Rule is located in the Code of Federal Regulations at 45 CFR Part 160 and Subparts A and E of Part 164.
What Does the HIPAA Privacy Rule Do?
The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.
• It gives patients more control over their health information.
• It sets boundaries on the use and release of health records.
• It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
• It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
• And it strikes a balance when public responsibility supports disclosure of some forms of data—for example, to protect public health.
For patients—it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.
• It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
• It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
• It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
• It empowers individuals to control certain uses and disclosures of their health information.
Who Must Follow These Laws
The entities that must follow the HIPAA regulations are known as “covered entities.”
Covered entities include:
• Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
• Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
• Health Care Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
In addition, business associates of covered entities must follow parts of the HIPAA regulations.
Often, contractors, subcontractors, and other outside persons and companies that are not employees of a covered entity will need to have access to your health information when providing services to the covered entity. These entities are known as “business associates.” Examples of business associates include:
• Companies that help your doctors get paid for providing health care, including billing companies and companies that process your health care claims
• Companies that help administer health plans
• People like outside lawyers, accountants, and IT specialists
• Companies that store or destroy medical records
Covered entities must have contracts in place with their business associates, ensuring that they use and disclose your health information properly and safeguard it appropriately. Business associates must also have similar contracts with subcontractors. Business associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule (see below).
Who Is Not Required to Follow These Laws
Many organizations that have health information about you do not have to follow these laws.
Organizations that Do Not Have to Follow the Privacy and Security Rules
Some organizations are not required to follow the Privacy and Security Rules. These exempt organizations include:
• Life insurers
• Employers
• Workers’ compensation carriers
• Most schools and school districts
• Many state agencies like child protective service agencies
• Most law enforcement agencies
• Many municipal offices
What Information Is Protected
• Information your doctors, nurses, and other health care providers put in your medical record
• Conversations your doctor has about your care or treatment with nurses and others
• Information about you in your health insurer’s computer system
• Billing information about you at your clinic
• Most other health information about you held by those who must follow these laws
How This Information Is Protected
• Covered entities must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.
• Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.
• Covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.
• Business associates also must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.
What Rights Does the Privacy Rule Give Me over My Health Information?
Health insurers and providers who are covered entities must comply with your right to:
• Ask to see and get a copy of your health records
• Have corrections added to your health information
• Receive a notice that tells you how your health information may be used and shared
• Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing
• Get a report on when and why your health information was shared for certain purposes
• If you believe your rights are being denied or your health information isn’t being protected, you can
o File a complaint with your provider or health insurer
o File a complaint with the U.S. Department of Health and Human Services (HHS)
You should get to know these important rights, which help you protect your health information.
You can ask your provider or health insurer questions about your rights.
Who Can Look at and Receive Your Health Information
The Privacy Rule sets rules and limits on who can look at and receive your health information.
To make sure that your health information is protected in a way that does not interfere with your health care, your information can be used and shared:
• For your treatment and care coordination
• To pay doctors and hospitals for your health care and to help run their businesses
• With your family, relatives, friends, or others you identify who are involved with your health care or your health care bills, unless you object
• To make sure doctors give good care and nursing homes are clean and safe
• To protect the public's health, such as by reporting when the flu is in your area
• To make required reports to the police, such as reporting gunshot wounds
Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorization, your provider generally cannot:
• Give your information to your employer
• Use or share your information for marketing or advertising purposes or sell your information
Employers and Health Information in the Workplace
The Privacy Rule controls how a health plan or a covered health care provider shares your protected health information with an employer.
Employment Records
The Privacy Rule does not protect your employment records, even if the information in those records is health-related. In most cases, the Privacy Rule does not apply to the actions of an employer.
If you work for a health plan or a covered health care provider:
• The Privacy Rule does not apply to your employment records.
• The Rule does protect your medical or health plan records if you are a patient of the provider or a member of the health plan.
Requests from your employer
Your employer can ask you for a doctor’s note or other health information if they need the information for sick leave, workers’ compensation, wellness programs, or health insurance.
However, if your employer asks your health care provider directly for information about you, your provider cannot give your employer the information without your authorization unless other laws require them to do so.
Generally, the Privacy Rule applies to the disclosures made by your health care provider, not the questions your employer may ask.
See 45 C.F.R. §§ 160.103 and 164.512(b)(1)(v).
For employer issues, contact:
• Department of Labor: (866) 4-USA-DOL
• Equal Employment Opportunity Commission: (800) 669-4000
If I Believe My Privacy Rights Have Been Violated When Can I File a Complaint?
By law, health care providers (including doctors and hospitals) who engage in certain electronic transactions, health plans, and health care clearinghouses, (collectively, “covered entities”) had until April 14, 2003, to comply with the HIPAA Privacy Rule. (Small health plans had until April 14, 2004, to comply).
• Activities occurring before April 14, 2003, are not subject to the Office for Civil Rights (OCR) enforcement actions.
• After that date, a person who believes a covered entity is not complying with a requirement of the Privacy Rule may file with OCR a written complaint, either on paper or electronically.
• This complaint must be filed within 180 days of when the complainant knew or should have known that the act had occurred.
• The Secretary may waive this 180-day time limit if good cause is shown. See the Code of Federal Regulations at 45 CFR 160.306 and 164.354.
In addition, after the compliance dates above, individuals have a right to file a complaint directly with the covered entity. Individuals should refer to the covered entity’s notice of privacy practices for more information about how to file a complaint with the covered entity.
If I do not object, can my health care provider share or discuss my health information with my family, friends, or others involved in my care or payment for my care?
Yes. If you do not object, your health care provider is allowed to share or discuss your health information with your family, friends, or others involved in your care or payment for your care. Your provider may ask your permission, may tell you he or she plans to discuss the information and give you an opportunity to object, or may decide, using his or her professional judgment, that you do not object. In any of these cases, your health care provider may discuss only the information that the person involved needs to know about your care or payment for your care.
Here are some examples:
• An emergency room doctor may discuss your treatment in front of your friend when you ask that your friend come into the treatment room.
• Your hospital may discuss your bill with your daughter who is with you at the hospital and has questions about the charges.
• Your doctor may talk to your sister who is driving you home from the hospital about your keeping your foot raised during the ride home.
• Your doctor may discuss the drugs you need to take with your health aide who has come with you to your appointment.
• Your nurse may tell you that he or she is going to tell your brother how you are doing, and then your nurse may discuss your health status with your brother if you did not say that he or she should not.
BUT:
• Your nurse may not discuss your condition with your brother if you tell your nurse not to.
Can I have another person pick up my prescription drugs, medical supplies, or x-rays?
Yes. HIPAA allows health care providers (such as pharmacists) to give prescription drugs, medical supplies, X-rays, and other health care items to a family member, friend, or other person you send to pick them up.
If I am unconscious or not around, can my health care provider still share or discuss my health information with my family, friends, or others involved in my care or payment for my care?
Yes. If you are not around or cannot give permission, your health care provider may share or discuss your health information with family, friends, or others involved in your care or payment for your care if he or she believes, in his or her professional judgment, that it is in your best interest. When someone other than a friend or family member is asking about you, your health care provider must be reasonably sure that you asked the person to be involved in your care or payment for your care. Your health care provider may share your information face to face, over the phone, or in writing, but may only share the information that the family member, friend, or other person needs to know about your care or payment for your care.
Here are some examples:
• A surgeon who did emergency surgery on you may tell your spouse about your condition, either in person or by phone, while you are unconscious.
• A pharmacist may give your prescription to a friend you send to pick it up.
• A doctor may discuss your drugs with your caregiver who calls your doctor with a question about the right dosage.
BUT:
• A nurse may not tell your friend about a past medical problem that is unrelated to your current condition.
Can my health care provider discuss my health information with an interpreter?
Yes. HIPAA allows your health care provider to share your health information with an interpreter who works for the provider to help communicate with you or your family, friends, or others involved in your care. If the interpreter is someone who does not work for your health care provider, HIPAA also allows your provider to discuss your health information with the interpreter so long as you do not object.
If my family or friends call my health care provider to ask about my condition, will they have to give my provider proof of who they are?
HIPAA does not require proof of identity in these cases. However, your health care provider may have his or her own rules for verifying who is on the phone. You may want to ask your provider about her or his rules.
The Security Rule
The HIPAA Security Rule is a federal law that establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
The Security Rule is located in the Code of Federal Regulations at 45 CFR Part 160 and Subparts A and C of Part 164.
In Texas, as in all states, the HIPAA Privacy Rule is a federal mandate that provides a baseline of protection for the privacy of individual health information (PHI). This rule applies to health plans, healthcare providers, and healthcare clearinghouses, as well as their business associates. It establishes national standards for the protection of medical records and personal health information, giving patients the right to access and control their PHI, setting limits on its use and release, and requiring entities to implement safeguards to ensure privacy. Violations of the HIPAA Privacy Rule can result in penalties. The Rule allows for the disclosure of PHI without patient consent for public health purposes and as required by law, but generally prohibits sharing information with employers or for marketing purposes without explicit patient authorization. The HIPAA Security Rule complements the Privacy Rule by specifically focusing on the protection of electronic PHI. Complaints regarding HIPAA violations can be filed with the U.S. Department of Health and Human Services. It's important to note that while the HIPAA Privacy Rule is a federal law, Texas may have additional privacy laws and regulations that further govern the handling of PHI within the state.
