Understanding Health Information Privacy (HIPAA)

The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information. 

Your Health Information Is Protected By Federal Law

Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written, or oral. The Security Rule, a Federal law that protects health information in electronic form, requires entities covered by HIPAA to ensure that electronic protected health information is secure.

What Information Is Protected

• Information your doctors, nurses, and other health care providers put in your medical record
• Conversations your doctor has about your care or treatment with nurses and others
• Information about you in your health insurer’s computer system
• Billing information about you at your clinic
• Most other health information about you held by those who must follow these laws

Who Can Look at and Receive Your Health Information

The Privacy Rule sets rules and limits on who can look at and receive your health information

To make sure that your health information is protected in a way that does not interfere with your health care, your information can be used and shared:

• For your treatment and care coordination
• To pay doctors and hospitals for your health care and to help run their businesses
• With your family, relatives, friends, or others you identify who are involved with your health care or your health care bills, unless you object
• To make sure doctors give good care and nursing homes are clean and safe
• To protect the public’s health, such as by reporting when the flu is in your area
• To make required reports to the police, such as reporting gunshot wounds

Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorization, your provider generally cannot:

• Give your information to your employer
• Use or share your information for marketing or advertising purposes
• Share private notes about your health care

Who Must Follow This Law?

• Most doctors, nurses, pharmacies, hospitals, clinics, nursing homes, and many other health care providers.
• Health insurance companies, HMOs, most employer group health plans.
• Certain government programs that pay for health care, such as Medicare and Medicaid.

Providers and health insurers who are required to follow this law must comply with your right to:

1. Ask to see and get a copy of your health records.
   You can ask to see and get a copy of your medical record and other health information. You may not be able to get all of your information in a few special cases. For example, if your doctor decides something in your file might endanger you or someone else, the doctor may not have to give this information to you.
   • In most cases, your copies must be given to you within 30 days, but this can be extended for another 30 days if you are given a reason.
   • You may have to pay for the cost of copying and mailing if you request copies and mailing.
2. Have corrections added to your health information.
   You can ask to change any wrong information in your file or add information to your file if it is incomplete. For example, if you and your hospital agree that your file has the wrong result for a test, the hospital must change it. Even if the hospital believes the test result is correct, you still have the right to have your disagreement noted in your file.
   • In most cases the file should be changed within 60 days, but the hospital can take an extra 30 days if you are given a reason.
3. Receive a notice that tells you how your health information is used and shared.
   You can learn how your health information is used and shared by your provider or health insurer. They must give you a notice that tells you how they may use and share your health information and how you can exercise your rights. In most cases, you should get this notice on your first visit to a provider or in the mail from your health insurer, and you can ask for a copy at any time.
4. Decide whether to give your permission before your information can be used or shared for certain purposes.
   In general, your health information cannot be given to your employer, used or shared for things like sales calls or advertising, or used or shared for many other purposes unless you give your permission by signing an authorization form. This authorization form must tell you who will get your information and what your information will be used for.
5. Get a report on when and why your health information was shared.
   Under the law, your health information may be used and shared for particular reasons, like making sure doctors give good care, making sure nursing homes are clean and safe, reporting when the flu is in your area, or making required reports to the police, such as reporting gunshot wounds. In many cases, you can ask for and get a list of who your health information has been shared with for these reasons.
   • You can get this report for free once a year.
   • In most cases you should get the report within 60 days, but it can take an extra 30 days if you are given a reason.
6. Ask to be reached somewhere other than home.
   You can make reasonable requests to be contacted at different places or in a different way. For example, you can have the nurse call you at your office instead of your home, or send mail to you in an envelope instead of on a postcard. If sending information to you at home might put you in danger, your health insurer must talk, call, or write to you where you ask and in the way you ask, if the request is reasonable.
7. Ask that your information not be shared.
   You can ask your provider or health insurer not to share your health information with certain people, groups, or companies. For example, if you go to a clinic, you could ask the doctor not to share your medical record with other doctors or nurses in the clinic. However, they do not have to agree to do what you ask.

8. File complaints.
   If you believe your information was used or shared in a way that is not allowed under the privacy law, or if you were not able to exercise your rights, you can file a complaint with your provider or health insurer. The privacy notice you receive from them will tell you who to talk to and how to file a complaint. You can also file a complaint with the U.S. Government.

Other Privacy Rights

You may have other health information rights under your state’s laws. When these laws affect how your health information can be used or shared, that should be made clear in the notice you receive.

For More Information

This is a brief summary of your rights and protections under the federal health information privacy law. You can ask your provider or health insurer questions about how your health information is used or shared and about your rights. You also can learn more, including how to file a complaint with the U.S. Government, at the website at www.hhs.gov/ocr/hipaa or by calling 1-866-627-7748. The phone call is free.