Your Health Information Is Protected By Federal Law Under HIPAA
Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information.
Who Is Not Required to Follow This Law
Many organizations that have health information about you do not have to follow this law.
Examples of organizations that do not have to follow the Privacy Rule include:
- Life insurers
- Workers compensation carriers
- Many schools and school districts
- Many state agencies like child protective service agencies
- Many law enforcement agencies
- Many municipal offices
What Information Is Protected
- Information your doctors, nurses, and other health care providers put in your medical record
- Conversations your doctor has about your care or treatment with nurses and others
- Information about you in your health insurer’s computer system
- Billing information about you at your clinic
- Most other health information about you held by those who must follow this law
How Is This Information Protected
- Covered entities must put in place safeguards to protect your health information.
- Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.
- Covered entities must have contracts in place with their contractors and others ensuring that they use and disclose your health information properly and safeguard it appropriately.
- Covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.
What Rights Does This Law Give Me Over My Health Information
Health Insurers and Providers who are covered entities must comply with your right to:
- Ask to see and get a copy of your health records
- Have corrections added to your health information
- Receive a notice that tells you how your health information may be used and shared
- Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing
- Get a report on when and why your health information was shared for certain purposes
- If you believe your rights are being denied or your health information isn’t being protected, you can
- File a complaint with your provider or health insurer
- File a complaint with the U.S. Government
You should get to know these important rights, which help you protect your health information.
You can ask your provider or health insurer questions about your rights.
What Other HIPPA Information is Relevant?
A covered health care provider or health plan may disclose protected health information required by a court order, including the order of an administrative tribunal. However, the provider or plan may only disclose the information specifically described in the order.
A subpoena issued by someone other than a judge, such as a court clerk or an attorney in a case, is different from a court order. A covered provider or plan may disclose information to a party issuing a subpoena only if the notification requirements of the Privacy Rule are met. Before the covered entity may respond to the subpoena, the Rule requires that it receive evidence that reasonable efforts were made to either:
- notify the person who is the subject of the information about the request, so the person has a chance to object to the disclosure, or to
- seek a qualified protective order for the information from the court.
Employers and Health Information in the Workplace
The Privacy Rule controls how a health plan or covered health care provider discloses protected health information to an employer, including your manager or supervisor.
The Privacy Rule does not protect your employment records, even if the information in those records is health-related. Generally, the Privacy Rule also does not apply to the actions of an employer, including the actions of a manager in your workplace.
If you work for a health plan or covered health care provider:
- The Privacy Rule does not apply to your employment records.
- The Rule does protect your medical or health plan records if you are a patient of the provider or a member of the health plan.
Requests from your employer
The Privacy Rule does not prevent your supervisor, human resources worker or others from asking you for a doctor’s note or other information about your health if your employer needs the information to administer sick leave, workers’ compensation, wellness programs, or health insurance.
Generally, the Privacy Rule applies to disclosures made by your health care provider, not to the questions of your employer.
Family Members and Friends
The Privacy Rule does not require a health care provider or health plan to share information with your family or friends, unless they are your personal representatives. The law does permit providers and plans to share information with them in certain circumstances.
A provider or plan may also share relevant information with these persons if, using its professional judgment, it believes that you do not object.
- For example, if you send your friend to pick up your prescription for you, the pharmacist can assume that you do not object to their being given the medication.
- When you are not there or when you are injured and cannot give your permission, a provider may share information with these persons when it decides that doing so would be in your best interest.
Notice of Privacy Practices
Why you are receiving a Notice from your doctors and health plan
Your health care provider and health plan must give you a notice that tells you how they may use and share your health information and how you can exercise your health privacy rights. In most cases, you should get this notice on your first visit to a provider or in the mail from your health insurer, and you can ask for a copy at any time. The provider or health plan cannot use or disclose information in a way that is not consistent with their notice.
Why you are asked to “sign” a form
The law requires your doctor, hospital, or other health care provider you see in person to ask you to state in writing that you received the notice. Often, that means the doctor will ask you to sign a form stating that you received the notice that day.
- The law does not require you to sign the “acknowledgement of receipt of the notice.”
- Signing does not mean that you have agreed to any special uses or disclosures of your health records.
- Refusing to sign the acknowledgement does not prevent the entity from using or disclosing health information as the Rule permits it to do.
- If you refuse to sign the acknowledgement, the provider must keep a record that they failed to obtain your acknowledgement.
What is in the Notice
When and how you can receive a Notice of Privacy Practices
- Most covered health care providers must give notice to their patients at the patient’s first service encounter (usually at your first appointment). In emergency treatment situations, the provider must give the patient the notice as soon as possible after the emergency. It must also post the notice in a clear and easy to find location where patients are able to read it.
- A health plan must give its notice to each new enrollee at enrollment, and send a reminder to every enrollee at least once every three years that the notice is available upon request. A health plan can give the notice to the “named insured,” that is, the subscriber for coverage. It does not also have to give separate notices to any covered spouses and dependents.
- A covered entity must give a copy of the notice to anyone who asks for one. If a covered entity has a web site for customers, it must post its notice in an obvious spot there.