Instead, we offer a rule of thumb that works just fine most of the time.
RULE OF THUMB
Any information that a covered entity (e.g., health care provider or insurer) has about you is PHI. It doesn’t matter if the information is medical, financial, or otherwise.
We tend to use the more traditional term — health record here, but we mean PHI.
HIPAA Myth
A common myth about the HIPAA privacy rule is that it only covers electronic information. That is false.
The health privacy rule applies to PHI in any form or medium. If a covered entity records your information on paper, computer disk, or tree bark, it is subject to HIPAA. However, the HIPAA security rule only applies to electronic Protected Health Information.
For more on covered entities, see FAQ 9. A 2009 change in the statute made it clear that genetic information is PHI. That really didn’t change anything because genetic information is no different than any other information in a health record.
Genetic information was already PHI.
9 Which Health Care Entities Must Comply With HIPAA
HIPAA doesn’t apply to every health record keeper or to every health record. Only covered entities must comply with HIPAA.
Get used to the term covered entity because it comes up a lot. HIPAA recognizes and regulates three types of covered entities.
This is a complicated area, and this is one of the longest FAQs in this guide. There are lots of types of entities, some covered by HIPAA, some partly covered, and some not at all. HIPAA generally covers health information maintained by or for a covered entity.
HIPAA generally does NOT cover health information held by those who are not covered entities. This is an especially important point that many people in the health care world do not understand clearly. Health information that is protected when held by a covered entity (like a health record held by a hospital) may have no privacy protections when the information is held by someone who is not a covered entity.
In other words, health privacy protections depend on who has the information and not on the nature of the information. The covered entity concept is complicated.
We explain related terms — business associates and hybrid entities — later in this FAQ. Covered entities under HIPAA are:
1 Health care clearinghouses
Health care clearinghouses transmit information (typically claims and billing information) between other players in the health care system.
For example, a hospital may send the bill for your treatment to a health care clearinghouse that reformats and submits the information to your insurance company. Clearinghouses are of no interest to the average patient because their function is usually invisible. Patients rarely, if ever, come into contact with them.
But clearinghouses have the same obligations as other covered entities, and that is important if you ever have an issue with a clearinghouse. Otherwise, don’t worry about clearinghouses. We won’t mention them again in this guide.
2 Health plans
Health plans are covered entities. Health insurers, health maintenance organizations (HMOs), and Medicare are examples of health plans subject to HIPAA. So are plans covering uniformed service members.
Nearly all health plans are covered entities, but some small group health plans (fewer than 50 participants) may not be covered entities. We use health plan and insurer interchangeably here.
3 Health care providers
Health care providers are covered entities, at least most are. Generally, a health care provider is a doctor, hospital, dentist, podiatrist, pharmacist, laboratory, optometrist, and just about anyone else licensed to provide health care.
The formal legal definition of health care provider is so complex that it makes lawyers wince. It is important to understand that HIPAA does not automatically cover all health care providers.
It generally depends on whether a provider bills (directly or indirectly) for services electronically. The reason for this odd, even silly, standard has to do with the structure of the health care system and the Department of Health and Human Services’ authority to regulate. Unless you are a policy wonk, you probably don’t want to know more.
RULE OF THUMB
What organizations are covered under HIPAA
A simple rule of thumb is that any health care provider who bills an insurance company or health plan is a covered entity under HIPAA. If your doctor accepts Medicare, for example, the doctor is a covered entity. A free health clinic may not be subject to HIPAA because it doesn’t bill anyone.
A doctor who charges every patient $25 cash and does not submit a bill to any insurance company may not be covered by HIPAA. A first aid room at your workplace may or may not be covered by HIPAA.
If you want to know if the organization you are dealing with is a HIPAA-covered entity, ask. If you don’t get a straight answer, ask for a copy of its privacy policy. If it has a privacy policy, the policy will explain about HIPAA’s application.
If it doesn’t have a written privacy policy, then it is either not covered by HIPAA or it is violating the rule.
Hybrid Entities (Supermarket pharmacies, etc.)
Do you use a pharmacy at a supermarket?
If so, the pharmacy’s records are subject to HIPAA because the pharmacy is a health care provider that submits electronic bills. What about the records that the supermarket maintains as part of a frequent shopper program?
The answer is the supermarket’s other customer records are almost certainly not protected by HIPAA. An organization with both health care functions and other functions can define itself as something called a hybrid entity. HIPAA will then apply only to the part of the organization that does health care and not to the rest.
This should all be explained in the covered entity’s notice of privacy practices.
School health records
Most school health records are not subject to HIPAA.
Instead, school records (private schools are a major exception) are usually covered by another federal privacy law, the Family Educational Rights and Privacy Act (FERPA). The federal Department of Education oversees FERPA.
A school nurse is likely to be subject only to FERPA. A university hospital that runs a student clinic on behalf of the university is also subject to FERPA.
However, other university hospital records about students could also be subject to HIPAA, depending on the circumstances. The relationship between HIPAA and FERPA is very complicated. For more, see (http://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdf).
Which law is better for privacy? The short answer is that privacy rights under FERPA can be better in some ways than under HIPAA and worse in other ways. Many states maintain immunization data systems (“Immunization Information Systems”) for school children and other individuals.
The privacy of records in these registries is subject to standards set by the Centers for Disease Control (http://www.cdc.gov/vaccines/programs/iis/func-stds.html). The immunization records in these systems may or may not be subject to HIPAA.
Business associates and subcontractors
If a covered entity hires another organization to perform a function that requires access to health information, that other company may be a business associate of the covered entity. This happens routinely, for example, when a hospital hires an accounting firm to audit its records.
Many covered entities have dozens of business associates. Business associates of a covered entity are now directly covered by HIPAA.
That means that a business associate of a covered entity can be penalized for violations in the same way as a covered entity. This is a good thing, as the possibility of penalties may result in better compliance with the law. A covered entity must have a contract with each business associate.
The contract must require the business associate to comply with all relevant HIPAA provisions. The basic idea is that a covered entity cannot avoid the privacy rule by hiring someone else to process health records.
If a business associate hires another entity to help process PHI, then that entity (called a “subcontractor”) is also subject to HIPAA. If a subcontractor hires another subcontractor, all are covered by HIPAA. Covered entities, business associates, and subcontractors must all process your health records according to HIPAA rules.
There’s a lot of complexity here, but it is not the patient’s problem.
Other health record holders
Who else has health records but isn’t subject to HIPAA?
Many organizations have health information about you, but neither the organizations nor the records are subject to HIPAA. The list of unregulated health record keepers is shockingly long. These include gyms, medical and fitness apps and devices not offered by covered entities, health websites not offered by covered entities, Internet search engines, life and casualty insurers, Medical Information Bureau, employers (but this one is complicated), worker’s compensation insurers, banks, credit bureaus, credit card companies, many health researchers, National Institutes of Health, cosmetic medicine services, transit companies, hunting and fishing license agencies, occupational health clinics, fitness clubs, home testing laboratories, massage therapists, nutritional counselors, alternative medicine practitioners, disease advocacy groups, marketers of non-prescription health products and foods, some workplace wellness programs, and some urgent care facilities.
Commercial providers of Personal Health Records have health records but are not covered entities. However, PHRs maintained by or on behalf of your health care provider or insurer are covered by HIPAA. Employers may offer wellness programs.
Some wellness programs do collect health information. For more about HIPAA and workplace wellness programs, see HHS guidance at (https://www.hhs.gov/hipaa/for-professionals/privacy/workplace-wellness/index.html?language=es).
Wait … who outside of my health care provider has my health information
Did you wonder why a hunting and fishing license agency made this list of organizations with health records? Some states give discounted licenses to those who are disabled. How do you prove entitlement to a discount?
You must provide adequate health information to the agency. This is just one example of how your health information can end up in the hands of many different types of organizations that have no direct health care or payment responsibilities.
This is also why protecting the privacy of health information is so difficult. The information turns up in places that you might not expect.
Have you ever filled out a survey asking if you or a household member has a particular medical condition? Unless you gave the survey directly to your doctor, odds are that a marketing company asked for the information. Marketers are not subject to HIPAA, and they can use and sell your information without any restriction as often as they want.
For example, if you tell a marketer when you are 21 that you have allergies, that marketer can use or share the information to sell you products for the rest of your life.
Is your Personal Health Record protected
If an organization or a business maintains a Personal Health Record (PHR) for you, that PHR may not always fall under HIPAA’s protections.
Be cautious with PHRs because they are the subject of much attention and promotion. Many companies are trying to get in the business of storing your health records for you, especially online. But you need to know that unless a health care provider or insurer (or someone doing it on behalf of a provider or insurer) maintains the PHR, HIPAA does not apply.
It’s always worth checking to be sure. Read the privacy policy to know. Here’s the most important point: if you give a commercial, advertising-supported PHR service consent to store your records, the records are probably not protected by HIPAA.
The PHR service may be able to exploit the records as it pleases, subject only to its own privacy policy and terms of service. If you read the PHR company’s policy carefully, we bet that it says that the company can change the policy at any time. We would not give our health records to a PHR service not covered under HIPAA.
We’re skeptical because some companies and websites are not forthright in describing how they use or disclose health information, even when they have a privacy policy. Even if they promise not to disclose your information for marketing, they may still use it for marketing. If the PHR service is ad-supported and if you click on an ad, a considerable amount of your PHI may be disclosed to the advertiser by your click alone.
The advertiser may have a privacy policy that differs from the PHR service provider, or the advertiser may have no privacy policy at all. Further, it is easy for companies to change their privacy policies at a moment’s notice.
This means that you can lose control of your sensitive health information if the company changes its business model, merges with another company, or goes bankrupt. For more on PHRs, see the World Privacy Forum report Personal Health Records: Why Many PHRs Threaten Privacy at (https://www.worldprivacyforum.org/2008/02/blog-legal-and-policy-analysis-personal-health-records-why-many-phrs-threaten-privacy/). A health record covered by HIPAA can lose its privacy protection if transferred to a third person who is not a HIPAA-covered entity.
This is a very important aspect of HIPAA. Some would call it a loophole.
The original record in the hands of the covered entity remains subject to HIPAA, but the copy sent to a non-HIPAA-covered entity falls outside the scope of the HIPAA privacy rule. We offer five examples of health information transfers that you may see in daily life.
However, each of our examples has a weasel word (“probably”) because the rule is complicated. If we stopped to explain this kind of thing further, this document would quadruple in size.
You tell your doctor to give part of your health records to your employer to explain your absence from work. The record will probably not be subject to HIPAA in the hands of your employer. But your health information may have some protections under other laws covering your employer.
You download your health record from your health care provider to your mobile phone. When your record is at the provider, it is covered under HIPAA.
But on your phone, the record is not covered.
A health researcher obtains your health records for use in a properly authorized research project.
The records probably have no HIPAA protection in the hands of the researcher. However, if the researcher is treating you as part of the research (as in a clinical trial), then HIPAA is more likely to apply.
You apply for life insurance, and the insurance company obtains your health records with your consent.
The records are not subject to HIPAA in the hands of the insurance company. The records may be subject to a state insurance privacy law. Some of the information you authorize the insurer to have may also end up at the Medical Information Bureau (MIB), another organization not subject to HIPAA.
If you read the fine print in your application/authorization, you will learn that signing the form authorizes disclosure to MIB as well. MIB is subject to the Fair Credit Reporting Act, a different privacy law that provides you with some rights and some protections. (To assert your Fair Credit Reporting Act rights, you would, for example, request a copy of your consumer file from MIB.
See (http://www.mib.com).)
Your doctor tells you that you have a communicable disease (e.g., tuberculosis).
The doctor must report your illness to the state public health department. The part of the health department that receives your record is probably not subject to HIPAA.
We could list additional examples, but we offer a rule of thumb instead.
RULE OF THUMB
If a covered entity discloses a health record to anyone who isn’t a covered entity, the record is generally outside the scope of HIPAA in the hands of the recipient. This is a major way that health records escape from privacy protections.
This is true online and offline. If you share health information with your family, a neighbor, or co-worker, the information that you share is not protected under HIPAA in the hands of the recipient. If you share your health information with a website that isn’t a covered entity under HIPAA, then the information you disclose is not protected under HIPAA in the hands of the website.
This is a complex area that has created a lot of confusion among some consumers. Medical web sites may very well not be covered under HIPAA, even if they say they are “HIPAA compliant.” See the Rule of Thumb, HIPAA Compliant or HIPAA Covered.
RULE OF THUMB
HIPAA Compliant or HIPAA Covered
If a company is not covered by HIPAA, it may still say that it is “HIPAA compliant.” HIPAA compliant does not mean the same thing as being a HIPAA-covered entity.
If you see the words HIPAA compliant, find out if the company is a HIPAA-covered entity. This is a yes or no question; there is no “maybe” answer here.
If a company is HIPAA compliant but not a HIPAA-covered entity, we urge caution. The use of the term HIPAA compliant can be deceptive in that circumstance. HHS has a bit of guidance on misleading marketing claims at: (https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/be-aware-misleading-marketing-claims/index.html?language=es).
10 What are Fair Information Practices and How Do They Relate to HIPAA
If you read the HIPAA privacy rule — and stayed awake while doing it — the rule would appear to be a welter of detailed and uncoordinated provisions. It actually has a structure, but that structure is difficult to appreciate unless you know about Fair Information Practices or unless you read the original preamble to the rule from 2000. The rule implements Fair Information Practices (FIPs), an established set of principles for addressing concerns about information privacy.
FIPs are especially significant because they form the basis of many privacy laws in the United States and, to a much greater extent, around the world. Understanding FIPs makes it easier to make sense of the HIPAA privacy rules. The eight FIPs generally recognized are:
Openness
Use Limitation
Purpose Specification
Collection Limitation
Data Quality
Security
Access and Correction
Accountability.
We could discuss FIPs here in more detail, but it would be a distraction. Different versions of FIPs exist, and the actual application of FIPs to any set of personal records can be complex, variable, and controversial.
We just want you to know that there are basic principles of information privacy that HIPAA mostly implements. You can read a short introduction to FIPs here: (https://www.worldprivacyforum.org/2008/01/report-a-brief-introduction-to-fair-information-practices). Understanding FIPs is not essential to understanding HIPAA, but it may help some people.
But if you are interested, you can find a longer history of FIPs at (http://bobgellman.com/rg-docs/rg-FIPshistory.pdf). Fair Information Practices are important for privacy of records other than health. Whenever you consider whether any record keeper properly protects the privacy of your personal information, you can use FIPs as a checklist for assessing privacy practices.
If you see a privacy policy for an Internet site, a bank, or a government agency, try to determine if the policy addresses all eight FIPs. If it doesn’t, then you already know that the policy isn’t as good as it could be or should be. When a policy addresses FIPs, see how good a job the policy does in protecting your privacy.
For example, a good policy may say that personal information is only disclosed when required by law or for necessary business purposes. A mediocre policy may allow for disclosure to affiliates for marketing or when disclosure is allowed by law.
“Allowed” can be a major weasel word in a privacy policy. A weak policy may not address disclosure at all.
11 Does HIPAA Protect Privacy
This is a tough question to answer. Health care providers generally care about patient privacy, but health care providers have only some control over the records of their patients.
Our complicated health care treatment and payment system places patient health information in the hands of many different providers, insurers, agencies, and others. Before HIPAA, we believe that the health care system mostly paid lip service to privacy.
How many hospitals offered you a notice of privacy practices before HIPAA? How many trained their staff in privacy? How many told you that you had a right to see and copy your own records?
Before HIPAA, active privacy policies were a rarity in health care. By this measure, HIPAA made some definite improvements. Our health care system — with third-party payors and lots of government involvement (e.g., Medicare and public health) — places many demands on health records.
Everyone wants low-cost, high-quality health care for all. Achieving these objectives often affects privacy in negative ways.
The trade-offs can be sharp. HIPAA is decidedly a mixed bag for privacy. It does some good things and some not-so-good things.
It protects privacy rights in some ways and undermines those rights in other ways at the same time. HIPAA gives each patient some rights.
There are seven formal rights, not all of which are new everywhere. (See the heading Basic Patient Rights to learn more about the seven rights HIPAA gives patients).
However, some of the new rights are not especially meaningful. HIPAA also permits many uses and disclosures of health records without the patient’s consent. Many will find some of these uses and disclosures objectionable.
A patient doesn’t have the opportunity to control most uses or disclosures of his or her records. If you just look at the disclosure provisions, then you might conclude that HIPAA allows many disclosures that you may not think are appropriate.
For good or bad, many of those disclosures were routine before HIPAA. However, if you consider the overall state of privacy protections before HIPAA, you might see a marked improvement in many aspects of privacy today. So does HIPAA protect privacy?
Everyone is entitled to his or her own answer to this question. We prefer to say that HIPAA offers patients Fair Information Practices. (See FAQ 10.) Whether the implementation of Fair Information Practices in HIPAA meets your own privacy standards is for you to say.
Everyone has different privacy needs, preferences, and desires.
12 How to Solve Problems Presented by HIPAA
In this guide, we point out some shortcomings with the HIPAA rule. The rule doesn’t require covered entities to do everything that you might want.
It may not protect privacy sufficiently or define your rights as expansively as you think it should. In many instances, deficiencies in the rule can be addressed when covered entities (See FAQ 9) and patients work together in good faith to address problems that arise.
The rule generally doesn’t prevent covered entities from treating patients better than the rule requires. We suggest that when the rule doesn’t give you a formal right that you think is reasonable, ask the covered entity to consider doing what you need anyway. The rule gives a covered entity discretion to take actions that can benefit patients and their privacy.
If you ask politely and persistently for help, you may get it. If one person won’t bend the rules or procedures, then ask another person, a supervisor, or the Privacy Officer at the covered entity. Try to work cooperatively with the covered entity.
This is a real story. A patient parks his car in a parking lot adjacent to a doctor’s office. Another individual leaves the doctor’s office, gets in her car, and backs into the car of the patient who just arrived.
The damage is minor. The driver is not aware of the accident and drives away. The arriving patient goes into the doctor’s office to ask for the name and address of the patient who just left.
Under the HIPAA rule, the office could not disclose the name of the patient driving the other car. None of the disclosure exceptions applies. However, this doctor’s office does the right thing, something not required by HIPAA.
The office calls the driver and asks her to speak to the owner of the car that she hit. The driver agrees, and the problem is solved. The office facilitated the exchange of information between the two patients, but it disclosed no information in violation of HIPAA.
The two individuals disclosed information to each other. The creative and cooperative action by everyone avoided much more complicated and expensive responses to the problem (e.g., calling the police to report a hit-and-run accident).
Not everything needs to be a federal case.
Part II Basic Patient Rights
This section covers the rights that HIPAA grants to patients.
The rule defines seven patient rights, but not all of those rights are meaningful. We discuss the rights in the order of importance as we view the rights.
Your mileage may vary.
A Right to a Notice of Privacy Practices
13 What is a HIPAA Notice of Privacy Practices
The rule requires each covered entity, like a hospital, to publish a notice of privacy practices.
You may see this abbreviated as NPP in some cases. The notice describes how each entity implements the rule.
Notices from different health care institutions may look similar because the rule is the same for everyone. However, each notice should have some details (procedures, addresses, etc.) that are specific to the institution.
If you want to learn more about health privacy, a notice of privacy practices is a good place to start. So is this FAQ!
14 Why Are the Notices Long and Boring
One answer is that the rule is long and complicated.
Another answer is that lawyers write many of the notices. Often, lawyers write like…lawyers, and the results are sometimes complete, precise, and incomprehensible.
Some privacy notices — and not just notices for health — are deliberately written to be obscure. Even other lawyers can’t understand them.
Not every organization really wants you to understand or exercise your privacy rights. In the end, health privacy is a complex subject. Health records have quite a few uses and disclosures that you probably never thought about.
All of these factors contribute to the length and complexity of the notices. Still, the notice is your friend and your guide if you want to pursue your rights.
15 Should I Read the Notice
Only if you want to. Every expert says that people should know their rights and understand privacy.
We agree, but we recognize that people often don’t have the time or interest needed for privacy management. Don’t feel guilty if you just don’t want to read the notice from your doctor, hospital, laboratory, or pharmacy today. What’s important is that the notice exists and that the record keeper who produced the notice has a privacy policy and — we hope — actually implements the policy appropriately.
The HIPAA requirement that each covered entity prepare a notice was a big advance in privacy protection. That remains true even if most patients never read the notice.
The notice also tells a covered entity’s employees what the privacy rules are. That is just as important as telling patients what the rules are.
In the past, employees often didn’t know whether there were privacy rules or what those rules stated. To put it another way, you have privacy rights whether or not you know the details. Your rights do not depend on your level of understanding.
You can do a better job of protecting your rights if you know more, of course. Here’s what’s really important: Read the notice when it matters to you. If you decide that you want a copy of your health records, that’s a time to read the notice and find out how to obtain the records.
If you think that there is an error in your record, read the notice and learn how to ask for a correction. If you think that your records were improperly used or disclosed, read the notice to see if you are right. If you have a privacy complaint, you can read about the complaint procedure that the rule provides.
When it makes a difference to you, get a copy of the notice and read it. That could be today or two years from now. You can always ask for a copy, even if you are no longer someone’s patient.
If a provider or insurer maintains a website, it should post a copy of its privacy policy on the website. That may make it easier for you to find the notices that you need.
16 What Are the Forms that My Doctor’s Office Asks Me to Sign
The rule generally requires a health care provider to make a good faith effort to obtain an acknowledgement that each patient received the notice. Some people think that it is a dumb requirement and a paperwork burden, but that’s what the rule says.
Signing a standard acknowledgement does not waive your rights. You do not have to sign the acknowledgement. Your rights do not change if you sign or don’t sign.
However, the requirement for a signature is poorly understood. Some receptionists think that a signature is mandatory, and they will hassle you if you don’t sign. Some will tell you that you must sign or you can’t see the doctor.
That is wrong. You can fight about signing the acknowledgement if you want. We suggest, however, that this isn’t a fight worth having.
Save your energy for another battle. The acknowledgement — if that’s all that the form contains — is meaningless. If you see something on the form that you don’t like, you can just cross it out.
Odds are that no one will even notice what you did. We hear that some doctors are asking patients to sign broader forms that limit the ability of patients to file malpractice suits, that prevent patients from talking about the doctor to other people or on the Internet, or that accomplish other things that benefit the doctor and not the patient. We suggest being careful if offered these types of documents.
We wouldn’t sign one. In the pre-HIPAA days, most patients were given actual consent forms to sign when they came to see the doctor. The forms often gave your health care provider permission to disclose your records to just about anyone.
It was the privacy equivalent of a blank check. Most people signed the forms without reading or understanding them.
HIPAA eliminated consent forms, something that some people find objectionable. However, the old consent forms mostly waived any rights that you had and did more to protect your provider than to protect you.
HIPAA eliminated the need for routine consent forms, but at a price. The discussion later about uses and disclosures will make that price clearer. (See FAQs 55-67.)
What you really need to know
When you visit your doctor’s office for the first time, someone should offer you a copy of the doctor’s notice.
You may be offered the same notice on each visit because many offices find it easier to give every patient a notice on every visit rather than keeping track of first visits. Sometimes, the notice will be sitting on a counter or table.
You have the right to take a copy home. Remember that you can always ask for a copy later or find it on the website of your doctor or insurer.
If you don’t care about it today, it should be available to you later, even if you are no longer a patient of that doctor or covered by that insurer. Your health plan also will provide you a notice, but the rules for getting you the notice are somewhat different for health plans. Patients really don’t need to know those rules.
You probably received a health plan notice in the mail, but you may have ignored it. If you want a notice from your health plan, ask for it or look on the health plan’s website.
17 What Are the Most Important Parts of the Notice
Almost any health privacy notice will tell you something that you probably didn’t know. For example, a notice is supposed to include examples of the uses and disclosures that a covered entity can make.
These examples will likely be both enlightening and disturbing. Notices from most HIPAA-covered entities are quite similar because you have the same rights everywhere the rule applies.
If you read one notice, you’ve generally read them all. However, there may be some variations here and there between notices from health care providers and notices from insurers. Differences in state law may result in different notices from covered entities in different states.
When you want to exercise your rights at a particular covered entity, the local procedures described in the notice are likely to be different in each notice. That’s the time when reading the notice may matter a lot. Each notice should describe the covered entity’s procedures for exercising patient rights.
Make sure you follow any specified procedures. Otherwise, here are some notable features to look for.
What institutions are covered by the notice
If the notice is for a hospital or other large institution, read the description of which institutions and providers are covered.
We have a notice for a hospital that says that more than a dozen different institutions in three states are part of the same institution. That means that patient information can be readily shared among all the affiliated organizations without your consent. That ability to share records widely may not be unusual, and it should not always be troubling.
Further, being able to obtain care at related institutions may be a good thing. Consider, however, if your cousin works in a health care facility in a nearby state. You may not realize that facility is connected to the health care provider that you see regularly.
You might not be happy knowing that your cousin may have access to your record. It may or may not be lawful for your cousin to do so, but the possibility may be unnerving.
What are the directions for requesting amendments, copies of your health records, accounting of disclosures, and restrictions of disclosures
HIPAA contains seven rights for patients, and the notice of privacy practices is a good place to find out how you can utilize these rights.
A notice should have clear instructions for you, as well as contact information, about how you can make requests and follow up on them. (For details about the basic rights of HIPAA, see FAQs 13-54.)
What does the notice say about fundraising
A hospital can use your records in a limited way for fundraising. You have the right to tell the hospital not to use your records for fundraising.
If you say nothing, then use of your records for fundraising is permissible. Each fundraising communication must include a clear and conspicuous opportunity to opt-out of future fundraising communications. Exercising this opt-out right may not be of critical importance, but it helps everyone if some people exercise opt-out rights when they exist.
What does the notice say about disclosures for national security
Look for the national security disclosure provision. A covered entity can disclose your records for just about any national security purpose.
The rule does not require a warrant, court order, subpoena, or any procedure prior to the disclosure. We point this out because it is perhaps the most privacy-invasive of the HIPAA disclosure provisions.
You are also invited to look for other broad and objectionable disclosure provisions in the notice. Don’t blame the hospital or doctor.
The rule allows these disclosures to be made, and privacy notices usually reserve the right for a covered entity to make allowable disclosures. However, the disclosures are not necessarily mandatory. In other words, a doctor can disclose your record to the CIA, but the doctor can usually say no.
Provision allowing covered entity to change the notice
There will be a provision that says a covered entity can change the notice at any time and with retroactive effect. This isn’t quite as bad as it looks. HIPAA limits the ability of a covered entity to change the policy.
The covered entity must comply with HIPAA, and it cannot change the notice and take away your rights. However, if HHS changes HIPAA or if Congress passes new laws, then your rights can expand, diminish, or disappear. Most privacy policies elsewhere (such as on commercial websites like search engines or clothing retailers) are not based on formal legal requirements and are changeable at the discretion of the record keeper.
Changes are not always bad, but it is okay to be a bit suspicious.
Find the right to request alternate methods of communication
Find the right to request alternate methods of communications.
This right may be important to you, and the notice tells you how to exercise this right. We explain this right in full later.
(See FAQs 25-28.)
Contact information
At the end of the notice is where you will probably find contact information for the covered entity’s privacy officer. If you have any questions or want to exercise your rights, the privacy officer for the covered entity is probably the first person to contact.
Wait – the notice says my records can be disclosed without my consent What’s up with that
If you read the notice, you will likely come away with the feeling that your health records aren’t really private.
It’s not an unreasonable conclusion. The notice describes many uses and disclosures that do not need your consent and that are permissible even over your express objection.
We don’t like it either. Still, we recognize that we have a complicated health care system, and there are many demands on health records for socially beneficial purposes.
There is a legitimate policy justification for most of the disclosures permitted under HIPAA. Nevertheless, we think that some of the HIPAA standards for use and disclosure should be higher and that some of the procedures should create more barriers. Sadly, we don’t know any way to return to a health care system where only you and your doctor knew about your health and where no disclosures of your records were ever made without your approval.
That system disappeared decades ago. We repeat again that we don’t like it either.
We do like it, however, when an insurance company pays for our treatment or Medicare pays our doctor bills. We like it when researchers find new treatments for diseases.
We also like it that public health authorities can alert people about contagious diseases. Patients do benefit at times when their records are shared for appropriate purposes and with appropriate protections.
We wish some of those protections were better. In 1999, Maine implemented a health privacy law that required patient consent for many routine disclosures (e.g., to doctors, family members, hospital visitors). People hated the law so much that the legislature suspended the law within weeks after it took effect, and the consent requirements that upset people later disappeared.
Some discretion is needed to make the world operate smoothly and in accordance with patient expectations. If you want to know more about the Maine experience, go to (http://www.worldprivacyforum.org/wp-content/uploads/2007/04/MaineHealthPrivacy1998_Gellman.pdf).
B Right to Inspect and Copy Your Record
18 Why Both Inspect and Copy
HIPAA provides each patient with the right to inspect his or her record and to have a copy of the record.
These are two different things. You cannot be charged a fee if you want to inspect your records. This means that you can always see your record, even if you don’t want to pay.
If you want a copy of the record to take with you, then you can be charged a fee. You can also be charged an additional fee if you ask for a summary or explanation of your record.
You do not have to ask for a summary or explanation. HHS has guidance for covered entities about patient access. While the guidance is for health professionals, individuals may find it useful at times because of the level of specificity.
If you have a dispute about access with a covered entity, the official HHS guidance may help convince someone about the scope of your rights (https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html?language=es).
19 Do I Want to See or Copy My Record
There are many reasons you might want to review your health record at your health care provider or insurer.
Decide if any of these appeal to you:
You plan to move to another city and want to bring your records to a new doctor so that the doctor has your current information on your first visit. You may not know who the new doctor is in advance so you cannot arrange a doctor-to-doctor transfer.
You want a second opinion from another doctor and want to avoid having duplicate tests. If you have the records, you don’t have to let your first doctor know about the second opinion.
You want to make sure that your new consulting doctor knows about earlier treatments and previous tests.
You want to keep a permanent copy of all your health records in one place and in your possession.
You are curious.
You want to make sure that your children have your records because you think that something in your record (e.g., genetic information or family history that they may not know) may eventually be relevant to their treatment.
You have given your medical power of attorney to your grandson, and you want him to have all of your records (not just those for your current treatment) so that he can make informed decisions or so he can obtain assistance in making choices. By the way, the records that you give to your grandson are not covered by HIPAA in his hands (except, perhaps, if he is a physician or other health care provider).
You want to talk to a lawyer about medical malpractice and don’t want your health care provider to know about it.
You think that there might be incorrect or irrelevant information in your record.
You think that you are a victim of medical identity theft.
You think that your insurance company improperly denied your claim, and you want to see the record about you that the company maintains.
You think that your doctor or insurance company is lying to you.
Any other reason or no reason.
It is your right to see or have a copy of your record. You don’t need to have a reason.
You do not have to tell anyone what your reason is.
20 Which Records Can I Get and in What Formats
You can generally ask for all of your records maintained by any covered entity, but the covered entity can withhold some records.
We will cover that subject in FAQ 24. The copying of paper records is familiar to everyone. For electronic records that a covered entity maintains (whether or not the information is formally maintained in an electronic health record), you have the right to obtain the information from a covered entity in an electronic format.
Generally, you can choose the electronic format you want as long as the information is readily reproducible in that format. In other words, a covered entity has to give you the format you want if it can without a great deal of trouble. Be sure to state your preference and ask for alternative formats if you can.
You can also ask the covered entity what formats it is capable of providing and then make an appropriate choice. Remember that some electronic records (e.g., 3-D images created by an MRI) may be maintained in a format that requires special software to read.
If your goal is to be able to share an electronic record with a physician, then the native format may be okay because your physician will likely be able to read it in that format even if you can’t. Depending on your purpose, you may be interested in records of your hospitalization, records from your family physician, records from your insurance company, records from your pharmacy or pharmacy benefit manager, or your records from any other covered entity.
You can ask every covered entity for all of your records, but the next few questions suggest reasons for narrowing your request. You can tell a covered entity to transmit your record directly to someone you designate.
Your request must be in writing, signed, and clearly identify the designated person and where to send the copy of protected health information. This is not the same as an authorization, which has many more elements to it. Authorizations are discussed in later FAQs.
We think this rule was needed because some hospitals made it hard for a patient’s lawyer to obtain the patient’s record. It’s fine to use this capability, but be careful that you don’t casually or accidentally sign a form that allows someone to get your health records.
Whoever gets your records in this fashion may not be subject to HIPAA, and your records could conceivably be made public or used for marketing or profiling. If you allow a data broker or marketer to have a copy of your health records, you are not likely to be happy about the result.
This particular change in the rule has potential for mischief, but you can protect yourself by being careful what you sign. That’s good advice all the time.
21 How Much Will It Cost For a Copy of My Health Record
A covered entity can charge a reasonable, cost-based fee for providing a copy. The fee may include only the cost of labor for copying, the cost of supplies for creating the paper copy or electronic media, and the cost of postage. Any other copying charges — including but not limited to administrative fees, overhead, retrieval costs for locating data — are improper.
Don’t let anyone charge you more than is allowed by the HIPAA rule. If you don’t think that the fees are proper, complain about it.
You have a right to complain to the Secretary of HHS (via the Office of Civil Rights), and that right will be covered later. (See FAQs 46-50, 51.) Remember that state law may establish lower fees than HIPAA allows or may not allow any fees at all.
If you need records and can’t afford to pay, ask for a waiver of fees. Some covered entities may provide some or all records without charge or at a discount, but they are not required by HIPAA to do so. Standard copying costs can be as much as $1.00 a page or perhaps more.
If you want a hard copy of an x-ray, the fee could be considerably more (but an electronic copy may be cost-free if transmitted to you electronically). Many health care institutions hire outside firms to handle copies.
Copying hospital records is a business. Insurance companies and lawyers tend to be frequent requesters of records, and copying charges can be expensive because these requesters don’t much care about the cost and because there is no competition.
The result is that the standard charge per page can be high. Your best strategy may be to narrow your request (see the discussion in FAQ 23 about what records to request) or just obtain an electronic copy of records that are already electronic.
Copies of electronic records may be less expensive.
22 How Do I Make a Request for Access
Start by reviewing the covered entity’s copy of the notice of privacy practices.
Remember that every covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website).
The notice of privacy practices describes your right to inspect and to obtain a copy of your record. It should also tell you the local procedure for making a request.
You will likely be asked to write a letter or fill out a form in order to make your request for access. A covered entity can insist on a written request and may ask you for identification. Asking for an ID is reasonable because you don’t want someone else to get your records without your consent.
However, avoid letting a covered entity make a copy of your driver’s license. Someone with access to your health records may use that copy to make you a victim of identity theft.
When you make a request, the covered entity must act on your request within 30 days. Don’t count on an instant response. The entity can take an additional 30 days to respond if it provides you with a written explanation of the delay.
If you need the records more urgently, say so. It might help, but the rule allows the covered entity to wait 30 days or more no matter what. Your doctor might be responsive to your need for fast access, but bigger institutions have formal procedures and may not be inclined to do anything but the minimum required of them.
This is a real-life example. A patient needed a copy of x-rays and CAT scans in order to get a second opinion on a critical injury that required immediate surgery. The hospital told the patient to make a written request and wait 30 days for a response.
The patient’s medical needs were urgent, but the hospital didn’t care to help. The patient found another way. He explained the problem to a nurse who was sympathetic.
The nurse quietly made an electronic copy of the needed records on a thumb drive and gave it to the patient. The nurse may not have followed the hospital’s internal procedures, but the disclosure to the patient did not violate the law.
The lesson is that if the official methods don’t meet your needs, see if you can find another way. Just don’t break the law doing it. Remember to thank (and protect!) your sources.
23 What Records Should I Ask For? The Strategy of Asking for Records
A covered entity must allow you to inspect or obtain a copy of your record. Some records can be withheld.
(See the next FAQ.) Just figuring out who to ask and what to ask for can be complex. Don’t assume that you need a copy of all records from all health care providers and insurers.
Obtaining your health records can be surprisingly complicated, may present some hard choices, may be expensive, will require some planning, and can take time. Managing many records from many different providers may be a challenge too.
This FAQ tells you about the strategy for requesting health records. First, copying costs for paper records may be considerable.
You may want to think about the costs involved before you ask. A hospital record can have hundreds or even thousands of pages. Think about whether inspecting your records will meet your needs.
If you can inspect first, you might be able to narrow your request and cut the cost. Copies of electronic records may be much less expensive than copies of paper records. You might be able to inspect your records and make a copy with your digital camera, cell phone, or a portable scanner.
If you try using your own equipment, don’t be surprised if the covered entity doesn’t like it and tries to stop you. However, if you can see the record, you should be able to make your own copy. Nothing in the HIPAA rule says that you can’t.
However, if you want to wheel in a 500-pound copying machine, you’d better ask permission first.
Second, if you have been using the same hospital or doctor for 20 years and the reason for your request relates only to your treatment from your last visit, you might limit your request to recent records, or records dating back one visit, one month, or one year.
The same idea may work if you want records from your insurer. You may not know which records you need at first.
The point is that you want to obtain records that you think are relevant, but you may not want every record from every HIPAA-covered entity. Most people have had dozens of health care providers and insurers in the course of their lives. Many records will not be important or worth the time and effort to find for most people.
Old records from individual practitioners may be hard to locate and obtain. However, hospitals and other long-standing institutions are more likely to have older records, although they may be in storage offsite. If you want your records because you think you might have been a victim of an identity thief, you will find some more specific advice at the World Privacy Forum’s FAQ for Medical Identity Theft Victims, available at: (https://www.worldprivacyforum.org/2012/04/faq-victims-of-medical-id-theft/).
It is possible that a thief used your name to obtain services from a health care provider, clinic, pharmacy, or laboratory that you never used yourself. Don’t be surprised if the trail leads you to unexpected places.
One part of the health care world that few people recognize is the Pharmacy Benefit Manager or PBM. A PBM is a company that contracts with managed care organizations, self-insured companies, government programs, and other insurers to handle pharmacy network management, drug utilization review, and other activities.
A PBM is likely to be the organization that fills your drug prescriptions by mail. A PBM may have relevant records.
Your health plan hires the PBM, and you may have to seek access to PBM records through the plan. The notice of privacy practices should tell you what you need to know on this front, or it should tell you how to find out. PBM records may duplicate records that exist elsewhere, but they can be important sources of information at times.
If you are seeing more than one doctor, clinic, or hospital, PBM records are likely to include information from different providers. It can be especially important to correct errors in Pharmacy Benefit Manager (PBM) records.
If you apply for individually underwritten life insurance or certain other types of insurance, the insurance company will insist that you sign a consent for disclosure of your health records. The insurance company wants to know if you have a health condition that affects your insurability.
The easiest place for the insurer to obtain your records may be from a PBM rather than from your doctor. PBM records are electronic and can be shared quickly.
Your doctor may not respond to the insurer’s request as promptly.
Third, asking for a copy of your complete paper health record may provide more information than you need. It may also be especially expensive.
Your health records may include results of x-rays and other diagnostic tests that may be costly to duplicate. On the other hand, if records are electronic, it may be easy and inexpensive to obtain an electronic copy of everything or almost everything. If the covered entity has electronic records, it must give them to you in electronic form if you want them in that form.
You can ask for a hard copy of electronic records, but the cost might be higher. Not all electronic records can be printed on paper.
You can obtain electronic records in the format you want if the covered entity can reasonably provide them in that format. Consider how you might limit your request for access so that you limit your costs. See if you can talk to someone in the record keeper’s office when you make a request so that you can negotiate what you really need.
One idea is to not ask for a hard copy of an x-ray unless you know that x-rays are essential. Even then, an electronic copy may be sufficient. If other records are especially expensive to duplicate, you may want to defer asking for those records too.
Ask for a price list before requesting all records. Another idea is to ask to inspect your records first so you can decide which parts you want to have copied.
Fourth, once you receive some records, you may be able to focus your later requests. You may find that the provider used a lab or other independent provider that has some of your records that you may want to have or that you may want to inspect.
Fifth, there are health records and there are billing (and other administrative) records. These records may be controlled by different offices at a health care provider. You are entitled to both health and billing records, but you may not want both.
It depends on your purpose. If you narrow your request, the response may be faster and less expensive.
Finally, copying of electronic records can be very inexpensive.
If you want a copy of all of your electronic records, you can ask for them. It’s a reasonable request.
Understand that the records may not arrive in a single, chronological file, however. You may receive many different files in different formats.
If you are planning to maintain your own health record archive for your lifetime, remember that computer record formats may change over time. Some formats go out of date.
For example, it can be difficult or impossible today to read a file saved by a 1992 word processing program. Consider asking for records in formats likely to remain in use in the long run.
Experts think that PDF may be one of those formats, but there may be others. This can be a complex issue to assess.
More on requests for electronic health records
There are many reasons why you might want to have an electronic copy of your health records, whether in whole or in part. We do not take issue with that in any way. We do, however, want to offer a thought from a different perspective.
How are you going to secure that electronic record? Do you want to keep it on your phone?
On your notebook computer or tablet? On your work computer?
In the cloud? There are many options here, and each presents its own security issue. Security is neither simple nor automatic.
Securing electronic information is hard to do, even if you are good at it. When you take possession of your own electronic health information, you take responsibility for the security of that information. If you lose your phone, if your computer gets hacked, if you accidentally attach the wrong file to an email message, the health record that you had may lose some of the legal and security protections it once had.
If your child uses your desktop computer, there’s a chance that the child will find the health record stored there, whether it is his, yours, or your spouse’s record. You can’t withdraw the knowledge once the child obtains it, and that knowledge may affect family relations forever.
If you accidentally share a document showing your diagnosis with your brother-in-law, there’s a chance that he will share it with other relatives. Failure to control health information in your possession may have major consequences for you and your family. The same thing can happen with paper records, of course, but it may be true that the dangers are greater with electronic records.
Institutions that have your records, including health care providers and insurers, do not necessarily have perfect security all of the time. (There are regularly reported breaches of health care institutions.) However, we suggest that most health care institutions probably have better security for the health records they maintain than you do. The HIPAA security rule imposes many requirements on HIPAA-covered entities.
Even if a covered entity does security poorly, it’s still probably better than the security on your phone or your local network at home. File this under “you have been warned”.
24 Can a Covered Entity Withhold Any of My Health Records
Yes. In some situations, a covered entity can withhold records. First, the right of access under HIPAA does not extend to psychotherapy notes and materials compiled for litigation.
Second, a covered entity can deny you access to some records, including records maintained by a prison, some records about research participants, and records obtained from someone other than a health care provider under a promise of confidentiality. The HIPAA privacy rule does not require a health care institution to allow you to appeal the denial of these records, but some institutions might accept an appeal if you file one.
Read the notice of privacy practices to learn if there is an appeal option. We recommend that you appeal to the head of the institution (or to the privacy officer) even if you don’t have the right to do so. An appeal may result in a review of the initial decision.
If it doesn’t, then you only invested the energy of writing a letter. Third, a covered entity can deny you access to some records if a licensed health professional determines that access is reasonably likely to endanger the life or physical safety of you or another individual.
Records about other people can be withheld if a licensed health professional has determined that access is reasonably likely to cause substantial harm to that individual or another person. Requests made by an individual’s personal representative can also be denied if disclosure would cause substantial harm.
If an institution withholds records for any of these reasons, it must provide a written denial explaining the reason for the denial. It must also explain any appeal rights that you have.
Remember that state law may grant you greater access rights than HIPAA. If state law has an access provision for health records — and many states do — then you may be able to obtain records exempt under HIPAA. If a federal agency has your records, rights of access under the Privacy Act of 1974 may be greater than the rights under HIPAA.
To be complete, we will tell you that HIPAA has a complex definition for something called a designated record set. You can get access to records that meet this definition and that aren’t otherwise exempt.
There may be some records about you that are not part of the designated record set, but they are likely to duplicate the records that you can see. This limitation in the rule solves some administrative problems, and it isn’t a sinister plot to deny you access. We suggest that you not worry about it.
For example, if you had surgery, some of the records about your operation may be kept in the operating room records in addition to being in your main hospital health record. A patient normally doesn’t need to see the same information twice. However, if you request your records and the covered entity tells you that none of your records are part of a designated record set, something may be wrong.
There must be some records that are part of a designated record set.
C Right to Request Confidential Communications
25 What is the Right to Receive a Confidential Communication
You have the right to ask a health care provider to communicate with you by alternative means or at alternative locations.
This means, for example, that you can ask your fertility clinic not to call you at work or to send you an email notification of an appointment. You could ask your psychiatrist not to leave a message about an appointment at your home telephone voice mail. You might also ask a specialized clinic not to send you a post card reminder of your appointment but to use a closed envelope.
A provider must accommodate reasonable requests. We think that all of the examples in this paragraph are generally reasonable. We also think that asking for written communications — including bills — to be in plain envelopes with no identification of the provider in the return address is reasonable.
Did you ever get an unwanted robocall from your doctor, pharmacy, optometrist, dentist, or other health care provider? If you hate robocalls, you can use the right to request a confidential communication to ask that you not receive automated calls. In our opinion, a request for no robocalls is reasonable.
You may be aware that the Telephone Consumer Protection Act (TCPA) limits robocalling with some exceptions. The TCPA rules are complex, and we won’t pause to explain them here.
But the TCPA has a big exception for robocalls that comply with HIPAA. HIPAA allows a health care provider to communicate with you for treatment, case management, and under other circumstances, including prescription refill reminders.
A provider can’t robocall you for marketing, but the distinction between a marketing call and a treatment call can be a fine one. An optometrist who calls saying it’s time to examine your eyes to see if you need new glasses wants to sell you goods and services, but that call (robocall or not) is probably allowed under HIPAA.
You may be happy to have reminders from your health care providers (whether automated or not). If not, the next FAQ tells you how to go about making a request that stops robocalls.
The right to receive a confidential communication is a real right that may be important to you. Not everyone will care or will care all the time. You may not object to a postcard from your dentist reminding you to make an appointment to have your teeth cleaned.
However, many people would likely object to receiving a postcard informing them about a follow-up visit to a sexually-transmitted disease clinic. The right to receive a confidential communication is important because a provider doesn’t need express permission to contact a patient at home or to leave a message on an answering machine.
For a patient who doesn’t want others in his or her family or household to know about a form of treatment, exercising the right to receive a confidential communication will be crucial. For some, this right may provide a vital privacy protection that will make the greatest difference to your life or wellbeing.
26 How Do I Exercise the Right to Receive a Confidential Communication
A provider may require you to make your request to receive a confidential communication in writing. Read the notice of privacy practices to find out the local procedure. In a small office, an oral request may be sufficient.
Still, if you orally tell the receptionist not to call you at your office, the doctor may not know about your request. A written request may be safer because it creates a formal record of the request.
You should keep a copy of your written request. The rule says that a provider must permit a patient to make a request, but it does not expressly say that the provider must respond at all, or in writing.
However, a provider must agree to a reasonable request. It’s a good idea to ask for a written acknowledgement and to save the acknowledgement.
If you only receive an oral response, you might want to send a written confirmation to the provider, and keep a copy of your confirmation. The written confirmation should summarize the request and identify the person who agreed to comply. Ask the provider to respond if the summary is incorrect.
You do not have to tell the provider why you made the request. Indeed, the rule expressly prohibits a provider from requiring an explanation as a condition of fulfilling the request. However, the rule does not prohibit the provider from asking for your reason.
You don’t have to disclose your reason if you don’t want to. Here’s a draft letter that you can use as a model to make a request for confidential communications. We offer two different examples, one about robocalls and the other about emails to a work address.
You can easily modify these examples to redirect unwanted calls to a different phone number or to stop some other type of unwanted communication. Remember that a covered entity’s notice of privacy practices is likely to include details about how to make the request and where to send it.
Check that notice before you send your letter. Note that a HIPAA-covered entity can ask you to specify an alternative method of contact, so we include several options in the draft letter.
You can choose one or both options or another option of your choice.
Sample Letter Version 1 No Robocalls
[Name and address of health care provider or health plan] This is a request for confidential communication pursuant to the HIPAA health privacy rule at 45 C.F.R. §164.522(b)(1).
I request that [name of covered entity] stop calling me at [phone numbers] using an autodialer that delivers a pre-recorded message of any type. These calls are sometimes referred to as robocalls. As an alternative to robocalls, you may send me snail mail at [address].
I would appreciate a written response acknowledging and accepting this request. Thank you.
Sample Letter Version 2 No Emails to my Work Address
[Name and address of health care provider or health plan] This is a request for confidential communication pursuant to the HIPAA health privacy rule at 45 C.F.R. §164.522(b)(1). I request that [name of HIPAA-covered entity] stop sending me electronic mail at my work address.
My work address is [[email protected]]. As an alternative to electronic mail to my work address, you may send messages to me by: electronic mail to my personal address at [[email protected]] or postal mail to my home address, which is [Me, 1234 Main Street, City, State, Zip]. [Choose one, both, or another option] I would appreciate a written response acknowledging and accepting this request.
Thank you.
Confidential Communications
We think that the right to receive a confidential communication is a real right that will be meaningful for some patients. If you don’t want your psychiatrist leaving an appointment reminder with your secretary, make a request for a confidential communication.
Remember that a covered entity must agree to a reasonable request, so don’t take a denial of your request from a lazy staff member without a fight. If you make a reasonable request and your provider doesn’t accept it, you can complain to HHS.
Remember that having a written document about your request in your health record is a better protection than reliance on an oral agreement. The current receptionist may know of your request, but a new or temporary receptionist may not.
Facebook and Health Confidentiality
If you share your health information with a non-covered entity, and social media companies are generally not HIPAA-covered entities, you may lose some of your privacy.
You can read more about this in our report on Personal Health Records where we discuss the risks to confidentiality when health files are stored at third party commercial web sites that are not covered entities under HIPAA. (https://www.worldprivacyforum.org/2008/03/resource-page-personal_health_records/) How does this apply to you? If you “like” your health care provider’s page on Facebook, don’t be surprised that others know you are a patient of that provider.
You may care much less about the disclosure if the provider is a dentist than if the provider is a psychiatrist. If you reveal details about your health condition on commercial (or even non-commercial) health or social media websites using your real identity, privacy issues may arise. For example, if you join a disease advocacy group, others may assume that you or a member of your family suffers from that disease.
Not all of this sharing may be troublesome for you. Concern about privacy varies widely.
The point is that you should be aware of what can happen when you disclose your protected health information to those outside the umbrella of HIPAA. Once you disclose health information to the world, it may be captured by an advertiser, marketer, or database company, put in a profile about you or your household, and used to affect you (or your children) for the rest of your life.
27 Does the Right to Receive a Confidential Communication Apply to Health Plans
Yes, but the rule is a bit different. To make a request to a health plan, the individual must clearly state that the disclosure of all or part of the information could endanger the patient. The plan may require that a request contain a statement that disclosure could endanger the patient.
The plan can demand a written request. It is not apparent, however, that the patient must identify what the harm is. The statement that disclosure could endanger the patient seems to be enough.
Perhaps the most likely example of endangerment is a threat of domestic violence. A battered spouse may not want information about her location or activities to be accessible by her batterer. We can’t be sure about everything that might constitute endangerment.
We take the position that it is up to the patient to decide what it means. If you say that disclosure could be potentially endangering or merely embarrassing, that’s enough to convince us.
If a disclosure to the wrong person might persuade you to stop seeking treatment, we would argue that also constitutes endangerment. We can’t predict how plans will respond, but we emphasize that plans must accommodate reasonable requests. Asking to send mail to an alternate address (physical or email) strikes us as reasonable.
Asking for phone calls only to your cell phone and not to your home phone also strikes us as reasonable. Asking for messages to be sent by carrier pigeon will not be viewed as reasonable by anyone.
28 Are There Any Other Requirements for the Right to Receive a Confidential Communication
A plan or provider can condition the accommodation on the patient providing an alternative address or means of contact for information about how payment will be handled. This means that you can’t ask someone to send all bills to the White House unless you are the President.
There’s an exception for emergencies. No matter what restriction a covered entity agreed to, it can ignore the restriction in case the information is needed to provide emergency treatment.
Fair enough.
D Right to Request Amendment
On our list, the right to request an amendment of your health record is only the fourth right out of seven. Normally, access and amendment go hand in hand.
We list amendment lower because the limits on the amendment right seriously undermine its utility. Nevertheless, if you can use it, the right to request an amendment may be important to you.
We want to underscore that the law does not give you a right to amend your record. You only have a right to request an amendment.
We see this as a reasonable implementation of a patient’s interest in amending a record. The record keeper has rights and interests as well as the patient, and these rights and interests deserve respect too.
You cannot, for example, reasonably expect your doctor to change the record so that it no longer shows that you were treated. A doctor has a legal and professional obligation to maintain treatment records.
This part of HIPAA comes as a surprise to many who believe they have a right of outright deletion. This is not the case.
Is there a right to deletion of information
This is a question we are asked frequently. Health care providers in the US that are covered under HIPAA do not have requirements to respond to requests to fully delete data from health records.
There is a process under HIPAA to request an amendment. (See FAQ 29.)
Patients are often surprised when a health care provider refuses to delete information, and the refusal can cause a lot of dismay.
This is especially true if a patient is trying to get inaccurate information removed from a file. See FAQ 30 for more on how to approach this issue.
29 How Do I Make a Request for Amendment
Start by obtaining a copy of the notice of privacy practices. You may already have a copy.
If not, each HIPAA-covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website). The notice of privacy practices describes your rights, including your right to ask for an amendment.
The covered entity’s notice will tell you where to submit your request for amendment. You might be asked to write a letter or fill out a form to make your request for amendment.
You might be asked to tell the record keeper what information is wrong or is not about you. You may have to explain why you want the amendment. When you make a request, the covered entity must act on your request within 60 days.
The entity can take an additional 30 days to act if it provides you with a written explanation of the delay. It is hard to object to the formality of the amendment process allowed by the rule. We hope, however, that covered entities don’t use it inappropriately.
If you want to report a change of address or corrected telephone number to your family doctor, you should be able to tell the provider or the provider’s receptionist without any formality. A covered entity can ask for a written request, but it doesn’t have to do so.
If someone in a doctor’s office who knew us said that we had to write a letter to change an incorrect telephone number, we would complain to a supervisor or physician. But if you are not known to the provider, it might not be unreasonable if the provider first asked you to show identification. Changing an address is one way that medical identity thieves try to hide the trail of their activities.
30 Can I Ask that Incorrect Information be Removed From My File
Yes, but it may not be that easy. A HIPAA-covered entity does not necessarily have to remove incorrect information. It can mark the information as incorrect and add additional notes that show the correct information.
There is a reason for this policy. Suppose that your doctor suspects that you have an infection. Before the test results come back, the doctor prescribes an antibiotic.
When the test later shows that you didn’t have the infection, the doctor tells you to stop taking the antibiotic. Now suppose that you ask the doctor to remove the initial diagnosis of an infection. If the information is totally removed, it will be impossible for the doctor to explain or justify the prescription for an antibiotic.
It may not be appropriate to remove the entire incident from the record because the doctor will be unable to explain the treatment provided or the bill for the services. The doctor also needs to keep the record in the event that there are complications from the drug. The doctor rightly needs a history of the treatment for his/her protection for both legal and medical reasons.
Your health record isn’t just about you. It’s about your provider too. Some requests for amendment present real conflicts between the interest in having an accurate record on the one hand, and having a record reflecting what treatment was provided to a patient and why, on the other.
These objectives will conflict at times. Information that seemed to be correct one day may be incorrect on another day. A health record may need to reflect both conclusions, even though they are different.
If you disagree with your physician’s diagnosis, but the physician insists that the diagnosis is correct, you are not likely to prevail with an amendment request. You have the right to put your views in the record, as we explain later.
(See FAQs 34 and 35.) Health care providers are typically nervous about removing information from health records. For the most part, they have a reasonable concern for the reasons explained above.
However, when the information in your health record is not about you, the provider’s concern is weaker. When the information in your record is not about you and the presence of the information did not affect your subsequent care, the argument for removal is stronger. For example, if your record includes a lab slip belonging to another patient, it may be appropriate for the record keeper to remove the slip entirely and put it in the right record.
However, if the incorrect information affected your treatment — even if that treatment was inappropriate — then retaining some or all of the incorrect information (suitably marked as incorrect and including a full explanation) may be legally and medically justifiable. You may be able to negotiate with the provider about how the information should be marked or otherwise segregated from your health record.
The problems faced by medical identity theft victims seeking amendment of their record can be particularly difficult. See the World Privacy Forum’s FAQ for identity theft victims at (https://www.worldprivacyforum.org/2012/04/resource-page-medical-identity-theft/).
If there is information in your file that is not about you at all — whether because of a filing error, medical identity theft, or other reason — you should ask for its total removal. The covered entity may still be unwilling to comply.
Another possible remedy is to ask the entity to put the information about another individual in a wholly separate record that is not directly associated with your health record or in a sealed part of your record. The two records might contain references to each other, but the substantive health information about the other person will not be in the normal file that a doctor would review when treating you.
A covered entity may not agree to do this, but it is worth a try.
31 What Other Limits Are There on the Right to Seek Amendment
A covered entity does not have to amend a record that it considers accurate and complete. It does not have to amend a record that is not available for inspection by you under the access provision.
More importantly, a covered entity is not required to amend a record not created by the covered entity. That means if the information in your record came from any third party — including another provider, an insurer, a relative, or anyone else — the covered entity has no obligation to amend your record or even to consider your request. We find this limitation on the right to seek an amendment to be unfair, inappropriate, and dangerous.
Be aware that state law may not have the same limitation on amendment rights. A provider can treat you using information in the file that you contend is incorrect, but that provider has no obligation under HIPAA to determine whether the information is wrong when you contend that it is wrong.
This is why we think that this exception is unfair, inappropriate, and dangerous. The covered entity must consider your request for amendment of third-party information if you provide a reasonable basis to believe that the originator of the information is no longer available to act on the requested amendment.
Thus, if the record contains information from a previous physician who is no longer in practice, you may be able to force your current provider to consider amending information supplied by that physician. We note that it can be difficult to prove that the originator of information is unavailable, and an uncooperative covered entity can string a requester along if it doesn’t want to deal with a request for amendment honestly.
If the covered entity that is the originator of the incorrect information is available but does not act on a request for amendment, the information in the subsequent covered entity’s record may be just as wrong and could have a continuing detrimental effect on the patient. This can present a real Catch-22 for patients.
In most circumstances, a health care provider will act reasonably to verify information that may affect patient care. For example, if you tell your surgeon that you think that your blood type is A, the surgeon is not likely to cavalierly accept contrary information just because it came from a third party.
Any health care provider is likely to be suitably concerned about the possibility of a medical error based on wrong information. However, there may be real problems with third-party information in some circumstances.
Health insurers may not be as worried about an error, especially if the error provides an excuse to deny a claim. Consider an identity thief who has an appendectomy while masquerading as John Doe.
The real John Doe has an appendectomy a year later and submits the bill to his insurance company. The insurance company rejects the bill because no one has two appendectomies. If John Doe asks the insurer to amend or delete the record of the first payment, the insurer can refuse the request under the HIPAA rule because the information came from a third party, namely the surgeon who operated on the identity thief.
If John Doe then asks the surgeon to correct the record, the surgeon will likely reject the request saying that the request came from a John Doe who used the same health identification number, and the surgeon may decline to figure out who is who. The HIPAA health privacy rule provides no real assistance or remedy under these circumstances. Unless someone goes beyond the minimum requirements of the HIPAA rule and addresses the real problem, it is possible that a patient will have no remedy at all under HIPAA.
It may be necessary to find another way to force attention to your problem, such as filing a complaint, hiring a lawyer, writing your congressman, or some other activity. We think that HIPAA should provide you a real remedy here, but it does not.
If the rule doesn’t provide a remedy when one should be available, the patient may only be able to ask for the good will, understanding, and cooperation of all concerned. Providers and insurers who proceed in good faith may solve a patient’s legitimate concerns notwithstanding the deficiencies of formal legal remedies. If you are not getting the cooperation you need, try talking politely to the privacy officer of the covered entity.
Filing a complaint with HHS is another option. The last step may be litigation (or the threat of litigation), and that is often an expensive and unattractive alternative for everyone concerned, even when litigation is possible.
32 Do I Have Greater Amendment Rights under State Laws, other Federal Laws, or Hospital Policies
Maybe.
Some states have health privacy laws that provide greater rights of amendment. If your records are held by the federal government (e.g., Medicare, VA, or Indian Health Service), your rights to ask for amendment of records under the Privacy Act of 1974 may be greater than under HIPAA. These two sets of privacy rules overlap, and you are entitled to the best parts of both laws.
Not only may other laws provide patients with better amendment rights than HIPAA, but they may offer better remedies and clear causes of action in case you have to sue to correct records.
33 What Happens When a Covered Entity Agrees to Make an Amendment
The covered entity that agrees to make an amendment must:
Make the amendment;
Tell the requester what it did; and
Make reasonable efforts to inform others about the amendment within a reasonable time.
The third requirement is most noteworthy.
If you convince a covered entity to amend your record, the covered entity must tell any persons that you identify who received the original incorrect information and who need the amendment. In addition, the covered entity must notify any persons who have the information that was the subject of the amendment and who may have relied or could foreseeably rely on the information. To make sure that amendments have been appropriately distributed, you may want to ask for an accounting of disclosures.
The right to receive an accounting is explained elsewhere in this guide. (See FAQs 37-44.) What is important is that amendments be provided to those who may rely on the original incorrect information. Each patient has the right to tell a covered entity to send the amendment to anyone who received the original information and needs the information.
Be sure to ask that any amended information that bears on your future medical treatment be shared with other providers. Similarly, be sure to ask that amended information that bears on insurance and payment matters is shared with insurers and, possibly, with employers.
The goal is to find and eliminate any incorrect information that others have and that may affect you adversely. It may take considerable effort to make sure that every appropriate person has the information and that those with the information correct their own records.
Every covered entity must act when it receives a notice of amendment, but that doesn’t mean that it will be done quickly or properly. It may be appropriate to ask each covered entity that received an amendment to confirm that it actually made the amendment.
You may have to request a copy of your record from that covered entity to be certain. Should you do all of this?
It may depend on how important the information is to your future treatment. Be aware of any Health Information Exchanges that may impact where your records are located.
For example, covered entities in some states exchange electronic health records through a third party called a Health Information Exchange. Ask about the presence of an exchange or network so you can locate all of the copies of your records.
As health records and health networks expand, some aspects of seeing and amending records may become easier. But some things may be harder, especially if no entity has clear responsibility for a health record. This is an evolving area, and there may be a lot of learning for everyone to do.
There may be some strategy involved in asking a covered entity to send notices of correction to recipients. When you look at the accounting of disclosures, you may be surprised at the number of people and institutions that received the original, incorrect information.
You may not want all of them to receive the correct information. Suppose that (with your consent) your doctor reported to your employer that you were justifiably absent from work because you had the stomach flu.
A later test reveals that you had a more serious illness or were pregnant. You might not want this additional information shared with your employer, but you might want another physician to know. If the correct information would affect how a health care provider might treat you, then sending the correction is the right thing to do.
But you might not care about sending a correction to a physician who treated you in an emergency room if you have no expectation of ever being treated there again. Whether you want your health plan to know about a correction may call for some evaluation.
34 Can I Appeal if a Covered Entity Refuses to Make an Amendment
Maybe.
An institution must accept complaints about its health privacy policies and practices. Filing a complaint with an institution may not be the equivalent of filing an appeal of a denial of a request for amendment, but it may help if it forces someone new at the covered entity to review your request. However, some institutions may accept formal appeals.
Consult the institution’s notice of privacy practices to see if there is an appeal method for a denial of a request for amendment. Talk to the privacy officer at the covered entity to see if you can obtain help.
You can also complain to the Secretary of the federal Department of Health and Human Services about how your request was handled. The Department’s Office of Civil Rights processes complaints.
You can find information about the process at (http://www.hhs.gov/hipaa/filing-a-complaint/what-to-expect/index.html). You have another alternative.
When a covered entity denies your request for amendment, it must tell you that you can request the covered entity to provide a copy of your request for amendment with any subsequent disclosure of the disputed information. In some instances, it may be important to make the request. Remember that the covered entity is not required to tell others about the dispute unless you ask.
Read FAQ 35 for more information about other remedies if your request is denied.
35 Are There Other Remedies if My Request for Amendment Is Denied
Yes.
You have the right to file a written statement of disagreement, and that is an important right. When a covered entity denies your request for amendment, it must tell you about this right.
The statement of disagreement gives you the opportunity to explain your side of the story. The covered entity can reasonably limit the length of the statement of disagreement, so don’t plan on writing a novel-length document.
We also suggest that your statement should be factual and should refrain from making personal attacks on anyone involved in the process. The covered entity can prepare and circulate a rebuttal to your statement of disagreement. If it does so, it must provide you with a copy of its rebuttal.
HIPAA offers another protection even if you don’t file a statement of disagreement. The rule requires a covered entity that received and denied an amendment request to append or link the record in question to your request for amendment if you ask it to do so.
The purpose here is to make sure that whoever sees the disputed record will also see the request for amendment. If you ask for a change and it is denied for a good reason, you may not want to ask that your request be shared. However, if you still disagree and you want others to know your views, then you should ask.
One reason to ask to inspect or have a copy of your record is to see if the covered entity properly handled this requirement.
36 Can a Covered Entity Still Disclose The Information that I Disputed
Yes, but HIPAA offers additional rights.
First, if you submitted a statement of disagreement, the covered entity must disclose it when it discloses the disputed information. Second, if you choose not to submit a statement of disagreement, the covered entity must include your request for amendment (and its denial) along with any subsequent disclosure only if you requested that the covered entity do so.
If you ask for a change and it is denied for a good reason, you may not want to ask that your request be shared. If you still disagree and you want others to know your views, then you should ask.
E Right to Receive an Accounting of Disclosures
37 What's an Accounting of Disclosures
For a disclosure of health information about an individual, an accounting is a record of:
The date of the disclosure
The name of the person or entity who received the information
A brief description of the information disclosed
A brief statement of the purpose of the disclosure (or, as an alternative, a copy of the request for a disclosure).
The non-intuitive term accounting comes from an older privacy law.
It’s clearer to think of an accounting as a disclosure history. We will stick with the rule’s accounting terminology here because that’s the term commonly used in HIPAA circles.
38 Why Should I Care about Accounting of Disclosures
Many patients won’t care, and that is okay. However, the accounting of disclosures can be crucial in some instances.
You may want to ask for an accounting if you think that your records were improperly disclosed, if you think that you may be a victim of medical identity theft, or even if you are just curious about the circulation of your health records. Be warned, however, that if you ask for an accounting, the response is likely to undermine whatever faith you had that your health information is confidential.
Records may be lawfully disclosed to other institutions that have nothing to do with your treatment or the payment for your treatment. The accounting of disclosures will be invaluable if you need to follow the trail of your information and learn who has information about you.
If you corrected your record through the amendment process, the accounting should allow you to find out who received the original information and who received the corrected information. It provides a way for you to tell whether the covered entity properly distributed the amendment. The accounting may reveal some disclosures that are normal (e.g., to your health plan).
You may also learn that the covered entity disclosed your records to a researcher, public health agency, or government auditor. These disclosures may not have any immediate consequences for you, but you may be either interested to know about the disclosures or unhappy that they occurred. However, if you learn that your records were disclosed to law enforcement or health oversight agencies, you might have reason to worry that the information disclosed will be used against you in some manner.
By learning the purpose of each disclosure, you will be better able to make judgments.
39 How Do I Make a Request for an Accounting of Disclosures
Start by obtaining a copy of the notice of privacy practices that your provider or insurer publishes. You may already have a copy.
If not, each HIPAA-covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website).
Follow the directions for a request in the notice. You might be asked to write a letter or fill out a form in order to make your request for amendment. The covered entity must act on a request for accounting within 60 days, but it can extend the time limit for another 30 days if it provides a written explanation of the delay.
40 Who Has to Provide Me with an Accounting of Disclosures
Any HIPAA-covered entity must provide a copy of an accounting of disclosures. For most individuals, your health care providers (doctors, hospitals, laboratories, pharmacies, etc.) and health insurers (HMOs, health plans, Medicare, etc.) will have accounting records that you may want. You may also want to ask your Pharmacy Benefit Manager or PBM.
A PBM is a company that contracts with managed care organizations, self-insured companies, and government programs to handle pharmacy network management, drug utilization review, and other activities.
41 What does it Cost to Obtain an Accounting of Disclosures
You are entitled to receive at no charge one copy of the accounting of your health record in any 12-month period.
If you make more than one request, the institution may impose a reasonable, cost-based fee. The institution must tell you the cost in advance so you have a chance to modify or withdraw your request.
If you have a good reason why you need to request an accounting more than once a year, ask the covered entity to waive any fees. For example, if you are a victim of medical identity theft and need repeated accountings to check on current activities of the identity thief and responses to corrective actions, ask for a fee waiver. Argue that both you and the covered entity are victims of the identity thief.
You need to work cooperatively with the covered entity to correct the problem. Ask the institution’s fraud investigator or compliance officer to help you if the usual HIPAA channels aren’t responsive.
42 What are the Limitations of an Accounting of Disclosures
Limitations in the HIPAA rule make the accounting of disclosures much less valuable than it should be. First, covered entities do not have to account for all disclosures. They don’t have to keep an accounting of disclosures for treatment, payment, or health care operations.
Most disclosures are likely to be for one of these purposes so this loophole is large. Second, covered entities also don’t have to keep an accounting of disclosures if you authorized the disclosure. That means that you may not be able to track if the covered entity actually disclosed records as you directed.
If you casually signed an authorization that allowed the disclosure of any or all information about you (e.g., for a background check), a covered entity can disclose your health record and not even keep a record that it did so. This is another loophole. Third, health care institutions do not have to account for uses.
A use of information occurs when a record is made available to someone within the institution that maintains the record. A disclosure occurs when a covered entity shares a record with someone outside the covered entity. The accounting requirement only covers some disclosures and no uses.
If you are hospitalized, hundreds of different individuals in the hospital may see your record. The use exemption to accounting can seriously undermine your ability to hold an institution accountable for leaks or other inappropriate activities. Still, in hospitals with modern computers, there is a greater likelihood that a complete audit trail, including uses, will be maintained routinely.
Unfortunately, HIPAA does not expressly require that a covered entity share that audit trail for uses, although there may be an argument that disclosure of an entire audit trail is required otherwise by HIPAA or by state law. Ask for a copy of the entire accounting because a reasonable institution will share it with you. Institutions with computerized systems that track all activity might find it easier to provide a requester with the entire history rather than part of it.
However, they are not required to do so. It doesn’t hurt to ask.
Fourth, sometimes a covered entity must withhold a particular accounting record from an individual who requests a copy of the accounting. A covered entity may make some disclosures to law enforcement, for example, without telling the record subject for a limited time. Fifth, the HIPAA requirement for an accounting started on April 14, 2003.
A health care institution covered by HIPAA did not have to maintain accounting records before that date. Finally, perhaps the biggest limitation is that the federal health privacy rule does not require an accounting of disclosures for treatment and payment.
This means that a lot of information that you would want to find in an accounting will not be available. Covered entities also don’t have to tell you about disclosures for health care operations, an expansive category that covers many management and other functions.
For example, if a hospital gave care to someone in your name and billed your insurance company, you would want to know the details. You may not be able to obtain that information from the accounting of disclosures.
Even worse, if a hospital told a credit bureau or collection agency that you did not pay your bill (i.e., a bill run up by an identity thief), the accounting may not reveal the disclosures. These disclosures may be exempt from the accounting requirement because they fall within the exception for disclosures for payment and health care operations. In 2011, HHS proposed changes to the accounting for disclosures rule.
As of 2019, the changes have not yet been made final. Once final, it may be a while before covered entities must implement the changes.
As proposed, some of the accounting changes were better for patients and some were not. We must wait and see when and what happens.
43 Why Bother Asking for an Accounting if It Has so Many Loopholes
Why seek an accounting of disclosures?
You may not need an accounting, but here are reasons why you might want one. First, obtaining a copy of the accounting is free. All you have to do is fill out a form or write a simple letter.
Second, an accounting may help even if it isn’t complete. You should be able to learn something about how the covered entity disclosed your records from the accounting.
It may point you to some record keepers you didn’t realize had records about you. Finally, even though there are many exceptions to accounting, some institutions will nevertheless have a record about disclosures (and even uses) even though the records are not required by HIPAA.
If you ask for more, you might just get what you want. Nothing in HIPAA prevents a covered entity from providing a more complete accounting than the minimum required by the rule.
44 Do I have Greater Rights under State Laws, Other Federal Laws, or Hospital Policies
Maybe. A few states may have health privacy laws that require health care institutions to maintain better accounting records or to disclose more accounting records to you. If the federal government has your records (e.g., Medicare or VA), your rights to have a copy of an accounting under the Privacy Act of 1974 are greater than under HIPAA.
These two sets of privacy rules overlap to your benefit. See FAQ 2 to find other online resources that may help you understand state laws.
45 What's the Best Strategy for Making a Request
You only are entitled to one free request in any 12-month period. Think about the best timing to make that request.
If you learn that you were a medical identity theft victim two years ago, you probably should make the request right now. However, if your reason for asking relates to a current activity (perhaps a hospitalization that just ended), it can take time for your records to be updated. Actions that follow a hospitalization, such as submitting a bill to an insurer or to the government, may not occur immediately.
You might want to wait a week or two before asking for the accounting. If the institution’s privacy officer is helpful, the officer may be able to offer useful advice about timing. Many institutions with computerized record systems have accounting records that exceed the HIPAA requirement.
Modern computer systems routinely track every use and disclosure of a health record. HIPAA does not require a covered entity to give you all the accounting records that the entity has.
That’s unfortunate. It doesn’t mean that you can’t ask for non-HIPAA required accounting records if they exist. We suggest that you make a broad request.
If you are dealing with a federal or state institution, you might be able to use other privacy or freedom of information laws to seek records about you that may not be available under HIPAA. If the records are important to you, ask first for all the records.
Even if there is no right, an institution may still be willing to share the accounting records, if only because it is cheaper and easier to do so than to separate the required from the non-required parts of the accounting. If you ask for more, you might just get what you want.
If asking doesn’t get you what you need, use other laws and procedures if they are available.
F Right to Complain to the Secretary of HHS
46 Can I File a Federal Complaint about a HIPAA Problem
Yes.
Any person who believes that a covered entity is not complying with the HIPAA privacy rule may file a complaint with the Office of Civil Rights (OCR) at the Department of Health and Human Services. You do not have to be a patient of a health care provider or a beneficiary of a health insurance plan to file a complaint.
For example, if you visit a relative in the hospital and see a violation, you can file a complaint. You generally must file a complaint with OCR within 180 days of when the incident occurred or when you learned about it.
You can find information about the complaint process at (https://www.hhs.gov/hipaa/filing-a-complaint/index.html). There is a list of regional offices at (https://www.hhs.gov/ocr/about-us/contact-us/index.html) including phone numbers.
OCR wants you to file a complaint at the regional office for your state, and the website provides addresses and fax numbers. However, OCR doesn’t necessarily make it easy. There is no email address for each regional office.
If you look hard enough through the OCR website, you will find that you can submit a complaint by email to [email protected]. An emailed complaint does not require a signature.
OCR has a complaint form that you can fill out at (https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/complaints/hipcomplaintform.pdf). The complaint website has information in other languages about how to file a complaint. You can use email to ask questions or if you need help.
You can e-mail OCR at [email protected]. In recent years, OCR opened a large number of investigations in response to complaints from individuals and otherwise. The total number of investigations that found a violation of HIPAA privacy and security rules averaged 2000 a year in recent years.
That is a lot of violations and a lot of activity by OCR. There’s a reasonable chance that a well-founded complaint will result in a review and change. Filing a complaint with OCR should be worthwhile.
You can file a complaint about the Security rule and find instructions on filing a complaint in other languages at (http://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html).
47 What Information Belongs in a Complaint
The Office of Civil Rights at HHS wants a complaint to be signed and to include: Your name, full address, home and work telephone numbers, email address. If you are filing a complaint on someone’s behalf, provide the name of the person on whose behalf you are filing.
Name, full address and phone of the person, agency or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy Rule. Briefly describe what happened.
How, why, and when do you believe your (or someone else’s) health information privacy rights were violated, or the Privacy Rule otherwise was violated? Any other relevant information.
Your name and the date of the complaint. Optional information that OCR requests includes: Do you need special accommodations for us to communicate with you about this complaint? If HHS cannot reach you directly, is there someone else to contact?
Have you filed your complaint somewhere else?
48 Will Filing a Complaint Really Help
There’s now a reasonable chance that filing a complaint will produce a response and may lead to action. In the early years of HIPAA, enforcement of the Rule by the Office of Civil Rights was rare.
In the last few years, OCR has become much more aggressive in enforcing the HIPAA privacy and security rules. Some of the penalties imposed on covered entities run into the millions of dollars. If you file a complaint, it should receive appropriate attention.
Remember, however, that the Privacy Rule complaint process is for HIPAA complaints. OCR receives and rejects many complaints because they are not about HIPAA matters. We wouldn’t hesitate to file a complaint if we thought that a covered entity violated HIPAA.
But we remind you that filing a complaint may have the effect of spreading your health information around more widely. Not all complaint investigations will involve disclosure of the intimate details of your medical history, but some may.
It is for you to judge whether a complaint will invade your privacy more than you can tolerate. Nevertheless, if you are just trying to get a hospital to respond to your request for a copy of your record, the additional threat to privacy may be small and your complaint to OCR may help you get what you want.
49 What Should I do if I See a Privacy Violation
Now that the complaint process is working, filing a complaint with OCR has real potential to help. There is a real reason for the public to show interest in privacy laws and to use the process to protect individual rights guaranteed by law.
However, we think that the first step should be to complain directly to the covered entity that did something you think was wrong. Each covered entity has a privacy officer, and the name, address, and telephone number of the privacy officer should be included in the notice of privacy practices.
Everyone makes mistakes, and everyone deserves the chance to make things right. It is also important for covered entities to know that people pay attention to privacy and that people care when privacy violations occur.
If the covered entity does not satisfy you, then you can look elsewhere. We don’t think that every minor violation should become a federal case. Our first choice is to complain locally about any violation.
If you do not get satisfaction locally, then consider a complaint to OCR. Remember that filing a formal complaint may bring more attention to you and to your health record.
You may want to be guarded about how much of your personal health information you include in the complaint. In other words, the complaint process may further invade your privacy. But complaints keep the whole system honest and they can be important to patients and to covered entities trying to manage HIPAA compliance.
It’s your choice about how far to pursue a complaint. Here are some ideas if you want to pursue a federal complaint.
Complain to OCR as described above. If you do complain to OCR, consider sending a copy of your complaint to your congressman or Senators. Ask them to write to the Secretary of HHS and report back about what happens to the complaint.
When an elected official writes to an agency on behalf of a constituent, the constituent’s file gets a pink slip and that may get your complaint faster attention. The downside may be sharing your personal information more widely.
You might be able to complain to a state official. Every state has a health department and an insurance department. If your complaint is about a health care provider, complain to the health department.
If the complaint is about an insurer, complain to the insurance department. Health care providers hold licenses from state boards. If the violation is serious, see if the state licensing board accepts public complaints.
If your problem is newsworthy and you are willing to make it public, you might look for a local reporter who covers health issues and who may be interested in your story. Remember that going public may make the privacy violation worse, but it may get better results.
A hospital may be very unhappy to see a news story that said it violated someone’s privacy or denied a patient rights guaranteed by law. A call from a reporter may produce a response that you couldn’t get on your own.
Use the Web. You may find websites where you can post your story and the basics of your complaint. Posting a complaint about a health care provider may help others and may be satisfying all by itself.
If you post information publicly, be sure that you are not revealing too much of your personal health information. Tell your friends and neighbors.
A national insurance company may not care what you say. However, local providers and local hospitals care a lot.
A bad reputation can result in the loss of clients and revenues. Write something in a local listserv or blog.
You may be able to file a lawsuit. HIPAA does not provide patients with the right to sue covered entities. However, other laws may allow you to sue.
If the courts recognize that HIPAA establishes a standard of care, then it may be possible to sue for breach of contract, malpractice, violation of standards of professional conduct, or on other grounds to enforce HIPAA requirements. However, remember that lawsuits are not fun, take a long time, and can be expensive.
Finding a lawyer willing to take a privacy case can be hard. Obtaining monetary damages can be highly uncertain.
Lawsuits are remedies you should consider pursuing only after you tried other potential remedies and then only for major problems.
50 Should I Worry that a Covered Entity will Retaliate if I File a Complaint
Each covered entity’s notice of privacy practices must say that there will be no retaliation against a person who files a complaint. We would like to believe that.
But in the real world, there are no guarantees. We have seen, for example, a notice from a hospital that says — as required by the rule — that there will be no retaliation.
The next sentence in the notice says more ominously that the hospital reserves the right “to take necessary and appropriate action to maintain an environment that serves the best interests of our patients and staff.” We have no idea what that means or why the hospital chose to add that statement directly after the required language about not taking retaliation. But it sure sounds like a threat to us. We would be happier to see a privacy notice that included a statement to the effect that the hospital reserves the right to take additional actions to protect the privacy of its patients.
However, hospital lawyers don’t like statements like that, lest they be interpreted to oblige the hospital to do more than the bare minimum.
G Right to Request Restrictions on Uses and Disclosures
51 What is the Right to Request Restrictions on Uses and Disclosures
The right to request restrictions is the least meaningful of the seven HIPAA patient rights.
A covered entity must allow a patient to request a restriction on the uses or disclosures of the patient’s information to carry out treatment, payment, or health care operations. A patient can also ask for a restriction on disclosures to a family member, relative, or close personal friend.
Requests made at a human level are more likely to be fulfilled than those made at an institutional level. If you ask your doctor not to reveal something to your grandson, the doctor is likely to do what you ask. If you ask a hospital not to share your information with its administrative staff, the hospital is not likely to agree.
You can read later in this document about the scope of permissible uses and disclosures for treatment, payment, and health care operations. (See FAQs 55 – 67.) No covered entity needs your consent to make disclosures for those purposes. Health care operations is a particularly broad term that includes many activities that are in the interest of the covered entity and not necessarily in the interest of the patient.
However, there’s a new element that came in 2013. You have the firm right to demand (not just request) that a provider not disclose PHI to a health plan if the disclosure is for treatment or payment, the disclosure isn’t required by law, and if the PHI pertains solely to health care for which the patient (or someone on behalf of the patient) paid in full.
We’ll explain that new option in FAQ 53. It’s well-intentioned but very messy to use.
52 Why is the Right to Request Restrictions Almost Meaningless
The rule does not require a covered entity to agree to a restriction requested by a patient.
The covered entity does not have to agree even if the patient’s request is reasonable. Contrast this provision with the right to request confidential communication.
A covered entity must agree to a reasonable request for confidential communication. However, if you ask for a restriction on use or disclosure, the covered entity does not have to agree, does not have to state a reason for denying a request, and does not have to even respond to your request.
Because it is a patient right without a corresponding obligation on the part of a covered entity, we conclude that the right is almost meaningless. It gets worse.
The rule expressly provides that some restrictions that an institution might agree to are not effective. These are uses or disclosures that are permitted for facility directories (separate rules govern facility directories), to the Department for oversight of the rule, or for any of the scores of other permissible disclosures allowed under the law.
Thus, if an institution agrees to your request not to make a discretionary disclosure to the CIA, that agreement is not effective under the rule. In the unlikely event that a covered entity agreed to a patient request and violated the agreement, OCR might respond to a complaint from a patient.
But if OCR took aggressive action, covered entities would see that as a reason not to agree to any restrictions. It’s not clear that any covered entities need more incentive not to agree than they already have.
A patient who had an agreement from a covered entity might be able to enforce the agreement through a complaint about professional misconduct or through a legal action for breach of contract. This is all rather hypothetical because it will be hard to convince any covered entity to agree to your request in the first place. It would be much easier to enforce an agreement if it were in writing.
It is highly unlikely that any large institution will agree to any restriction on use or disclosure. It is conceivable that you might get a small provider — e.g., a psychiatrist in a solo practice — to agree with your request.
A bigger institution — especially one with a staff of lawyers — will probably never agree. Frankly, trying to get a voluntary agreement from a large covered entity is not likely to be worth the time and trouble.
53 The Right to Pay Out of Pocket
A 2013 change offers a new and mandatory restriction.
You have the firm right to demand (not just request) that a provider not disclose PHI to a health plan if the disclosure is for treatment or payment, the disclosure isn’t required by law, and if the PHI pertains solely to health care for which the patient (or someone on behalf of the patient) paid in full. This looks like it is more meaningful than the right to request a restriction.
If you meet the terms and make the request properly and in a timely fashion, a covered entity must agree. However, it will be hard for most patients to meet the requirements. As you read the following discussion of the problems with the new mandatory restriction, you will see what we mean.
The PHI must relate to fully paid health care: If a treatment included a service that was partly paid by insurance and partly by the patient, it does not qualify. So if you have surgery for a deviated septum paid for by your health insurance with a little added cosmetic surgery at the same time that you pay for, you cannot make a request to keep the cosmetic surgery restricted. The surgery was not solely paid for by the patient.
If you pay for a treatment, but let your insurer pay for a related blood test, it will probably not qualify as a treatment solely paid by you. Paying in full may be difficult for many patients. At some HMOs, payments by patients for some services are not allowed.
Medicare may prohibit providers taking any payment from some patients. Costs may be too much for many patients, and patients paying on their own may not qualify for the negotiated lower prices that health plans pay.
The health care system is complicated and interconnected. You may pay for a service out-of-pocket and tell your doctor not to tell the health plan.
Yet if the doctor sends a prescription electronically to a drug store, the drug store may not be aware of the restriction and is likely to automatically query the health plan. The same problem can arise with a laboratory or x-ray facility.
A patient seeking to keep treatment information from a health plan will have to think ahead and be adept at finding non-standard ways of managing referrals or ordering tests. Requests to restrict may need to be made in advance of treatment or billing. Covered entities are sure to insist (as the rule allows) that requests be made in writing.
From the perspective of a covered entity, managing a mandatory request not to tell a health plan can be challenging. A health care provider will have to think how to tag or separate restricted information so that it remains available to those treating patients but does not casually slip off to insurers.
Even a provider trying to act in good faith will face challenges. All providers will have to think long and hard how to handle mandatory requests. For most patients, paying in full out-of-pocket is not realistic.
Some patients have the ability to pay and will want to use the mandatory restriction provision. It is generally well known that some individuals receiving mental health treatment are zealously protective of their privacy and will pay for their own treatment. Others will also want treatment to be as confidential as possible.
For patients who want to make use of the mandatory restriction in the Rule, we tentatively offer this advice. Recognize up front that getting a mandatory restriction to work will require a lot of advance planning.
Find out the covered entity’s requirements for a mandatory restriction. Be prepared to make your written request before you make the actual appointment. Come to that appointment with a written request in hand.
Have multiple copies of your letter with you. For a large provider, consider talking in advance with the privacy officer to make sure that you can meet the provider’s requirements. A larger provider is more likely to have a formal procedure, and you will want to make sure that you do the things necessary to follow that procedure.
If the treatment you need normally requires pre-certification from your health plan, you may need to take action well before your appointment. A provider may routinely seek pre-certification on your behalf if you don’t make it clear that you do not want the information shared with the insurer. Telling your doctor may not be enough if the clerk who handles the pre-certifications does not know.
Work this out well in advance with the provider’s administrative staff. Try to talk to the office manager rather than to a receptionist. If you get a referral to a second provider, your request for restriction will not automatically follow with the referral.
You have to ask the second provider for a restriction, which may mean doing the same advance work that you did with the first provider. In emergencies, this could prove to be especially difficult or impossible. If you are having an outpatient surgical procedure, it’s possible that the same procedure will involve a surgeon, anesthetist, and a hospital, each of which is a separate provider.
Your request may have to be made to each provider separately. There may well be other circumstances in which a single type of treatment involves more than one covered entity.
You will have to ask a lot of questions to be sure. If your provider orders lab tests or x-rays, your request for restriction will not automatically be transferred with the sample or order. You will have to make the same request for restriction with each subsequent provider (a lab is a provider).
You may want to decline to let your provider take a blood sample to send to the lab. Consider getting an order for a test from the doctor.
Take the order to a lab, pay in cash, and don’t let the lab bill your insurance company. Remember, however, that the cash price may be much higher than the insurance price.
If you use a lab that your doctor uses for other tests, your records may end up intermingled and could be disclosed even though you told the lab not to disclose some of the results. Make sure that you can pay for your care.
If you don’t pay or if your check bounces, a provider may bill your insurance company anyway. If possible, pay for your care at the time of receipt so there is no question about the need to bill your insurer.
See if you can arrange for care from a small provider rather than a large provider. A psychiatrist in solo private practice may be much more adept at billing you than a university hospital with many formal procedures, separate billing offices, automated claims submissions, and the like.
There’s no guarantee that a small provider will do better, but we guess that you have a better chance. Consider having the treatment you want to keep confidential from your health plan at a health care provider that you don’t see for other types of treatment.
If you establish a relationship with a new provider and make it clear that you will pay for the care yourself, then you may be able to avoid telling the provider about your insurance at all. Try to avoid even sharing your insurance information if you can. Here’s an example.
Suppose that you usually fill your prescriptions at the “ABC Pharmacy” that has your health plan information on file. It could be easy for a pharmacy to accidentally bill your health plan despite your request. It’s also possible that when you fill your next unrestricted prescription, the record of your restricted prescription will go along to the insurer anyway.
Avoid the risk, if possible, by filling a restricted prescription at a different pharmacy where you do not do business otherwise. Don’t give the second pharmacy your health plan information. There’s a real downside here, however. There’s a risk here that if the new drug conflicts with another drug you already are taking, you could have a serious or fatal reaction.
It is important to discuss the issue with the prescribing physician. You could encounter the same type of problem if you receive care from one provider that your regular provider does not know about. You could endanger your health or even your life.
It’s definitely something to think about. Second example: if you need treatment for a sexually transmitted disease and you don’t want the information to circulate in the health care payment system, go to a walk-in clinic that takes cash.
We can’t advise you to use a pseudonym. We don’t know that it is legal to do so. However, some people do.
If the provider is part of a local Health Information Exchange, keeping your information out of a shared record is something to ask about. You don’t have a right to keep PHI from being shared with other providers, but once information is shared, it is more vulnerable to inadvertent disclosure to your insurer.
However, as we just pointed out, it is possible that treatments or drugs from different providers could conflict in some way and endanger your life or your health. There’s an advantage when your provider has a more complete medical history. Still, you may want to look for a provider who is not part of a Health Information Exchange.
Remember that the mandatory restriction is hard for everyone in the health care system. As should be clear from the above discussion, it raises many complications for patients and for providers. If you happen to be the first person who asks for a mandatory restriction, you may have to work carefully with the provider to work out the proper arrangements.
Put another way, you may have to be highly motivated and persistent to have your restriction properly honored. Document everything.
Keep copies of your restriction request letters. Try to get receipts for the restriction letters. Keep a log of everyone you talked to in every provider’s office and what they said.
Don’t assume that your doctor will remember that you have a restriction demand on file when you show up for a second, third, or tenth visit. Repeat your demand before every appointment, during each visit, and when you check out of the provider’s office. You can’t be too careful.
In many offices, providers automatically bill insurers after a visit, and they may do so if you don’t remind everyone about your restriction demand. The right to restrict the flow of information to an insurer is a firm right, not just a request that a provider can decline to honor. You may have to fight to have your rights honored.
Unfortunately, we have not yet exhausted the problems presented by the new disclosure restriction mandate. Here’s another possibility. You go to a provider and successfully impose a restriction on disclosure to your health plan.
The treatment results in a complication that requires additional treatment, possibly including hospitalization, additional tests, and new prescriptions. If you cannot afford to pay out of pocket for the additional treatment, your health plan will begin to receive claims and may ask why the additional treatment is needed.
It is also possible that the additional treatment itself will identify to the plan something about the treatment that you kept secret. Here’s another example. You pay out of pocket for a genetic test to see if you have a gene that predisposes you to colon cancer. The test is positive, and you schedule a colonoscopy that you cannot afford to pay for yourself.
Your health plan may ask why it should pay for a colonoscopy for someone of your age when the test is only recommended for someone much older. You may be forced to reveal the test and the result that you wanted to keep secret. All the effort and expense that went into keeping the test from your health plan may be wasted in that case.
One lesson is to think through what you are requesting and what the possible consequences are. Will a restriction demand really make your health record private? Sadly, the answer is no.
Don’t get your expectations raised too much. The restriction only applies to disclosures to health plans.
Other disclosures allowed by the Privacy Rule — to public health agencies, researchers, law enforcement, private litigants, the CIA, and others — are not affected in any way by a patient’s restriction. Also unaffected are disclosures to a covered entity’s business associates, disclosures for health care operations, and disclosures to other health care providers for treatment. Think about that if you want to undertake the efforts to ask for a restriction and make it work.
It provides a narrow degree of confidentiality. That may be what you need, but don’t expect any more. Only you can decide if the expense and the effort are worth the limited result.
So why did OCR adopt this messy, complicated, nearly-impossible-to-implement change in the Privacy Rule? Because Congress directed the change in the HITECH Act.
It’s a well-intentioned provision, but we have many doubts that it will work well in the real world. If a health care provider does not protect your confidentiality as required by law, you can complain to OCR. However, any complaint is only likely to exacerbate the sharing of the information that you wanted kept secret in the first place.
54 Is the Right to Limit Disclosures to Relatives and Friends Meaningless Too
Not entirely. There is a bit of hope if you want a provider to agree to limit disclosures to relatives and friends.
If you tell your doctor or nurse not to talk to a relative, that provider is likely to comply regardless of the rule. The rule doesn’t make those disclosures mandatory.
It does, however, make it harder for a patient to obtain or enforce an agreement. If, for example, you ask your provider not to disclose your diagnosis to your children, the rule requires the provider to document the request.
Since formal documentation is less likely to be done for casual requests, any agreement may be unenforceable under the rule. Further, the required formality of the rule allows providers to insist that patients make requests in writing, and most will demand a letter. If you are a patient in a hospital about to receive a visit from a relative, how can you possibly make a written request and get a timely agreement from the hospital?
Even if you do make a written request, the rule doesn’t require any response to your request or any response in a reasonable period. If you are prepared enough to present a formal request at the start of your hospitalization, the hospital could take 30 days or more before it agreed. Your hospitalization will likely have ended well before any response, if you even get a response.
Luckily, while the rule makes these requests to limit disclosure mostly meaningless, the human element that still exists in the health care system may supply what the rule does not. If you make a personal request to your provider, that provider will likely abide by your wishes regardless of the rule and its required formality.
Your request may not be legally enforceable under the HIPAA rule, but enforcement may not be important. Generally, we don’t see much of a reason to bother with formal requests for use and disclosure restrictions, but the decision is yours.
If you read many notices of privacy practices, you will find that covered entities say that they won’t agree to most requests. That is a polite way of saying that they won’t agree to any requests.
If you want to control disclosures to family members or friends, the formal process under the rule isn’t likely to help you at all. Make your requests orally and informally to your providers, just the same way that patients have always done.
Be clear. Be repetitive. Hope for the best.
The HIPAA rule does almost nothing for you. If you are a movie star, politician, other celebrity, or hospital executive, most hospitals usually fall all over themselves to protect your privacy.
They may admit you under a fake name, take other special actions to limit access to and disclosure of your data, and may even agree to your special requests for confidentiality that far exceed legal requirements. Ordinary people are likely to get only basic HIPAA rights, and you may have to fight to get those.
If you seek to exercise the right to request restrictions on uses and disclosures, you will almost certainly get little to no help in most cases. Still, if it is important to you, make the effort to ask for what you want.
Part III What You Should Know about Uses and Disclosures
The HIPAA health privacy rule is long and complex.
Implementation guides for use by the covered entities that must comply with the rule can be hundreds of pages. For example, the rule sets out ten administrative requirements for covered entities.
They are designation of a privacy officer, privacy training for staff, establishment of safeguards, sanctions for violations, and the like. We are happy that the rule includes these requirements, but we don’t think that you need to know the details.
The parts of the rule directly relevant to patients are long enough. The most important part of the rule — after the provisions that define the rights of a patient — restricts use and disclosure of health information by covered entities. We’ve already discussed the seven patient rights.
(See FAQs 13-54.) The rest of this guide focuses on the use and disclosure provisions.
55 Does HIPAA Really Restrict Use and Disclosure of My Health Records?
This is a tough question to answer in a simple way. The answer depends in part on your perspective.
If you thought that your health records would never be disclosed without your consent, then you won’t think much of the HIPAA use and disclosure provisions. Another answer is that HIPAA regulates all uses and disclosures.
If the rule does not allow a use or disclosure, then the only way that a covered entity can use or disclose the record is with your written authorization. If you think that sounds good, you should keep reading because the rule allows a large number of uses and disclosures without your consent.
By the way, a use of information occurs when a covered entity makes a record available to someone within the organization that maintains the record. A disclosure occurs when a record is shared with someone outside the organization.
Mapping Health has a map that shows data flow within the health care system. Have a look for yourself at (http://www.mappinghealth.com). There is another map, maintained by Harvard Professor Latanya Sweeney, about health sector data flows at (https://thedatamap.org).
Both of these maps are works in progress. A third answer is that HIPAA allows many uses and disclosures to occur without any need for your approval.
Typically, these are uses and disclosures made so a covered entity can be paid for services, manage its operations, provide treatment, or comply with government reporting requirements. In most cases, these disclosures are reasonable and expected. It is genuinely difficult to count the number of categories of permissible uses and disclosures.
Much depends on how you do the counting. The number of government and private institutions that can ask for and receive health records without your permission numbers in the tens of thousands.
A covered entity can make nearly all permissible uses and disclosures without your consent or authorization. Indeed, with only a few exceptions, a covered entity can make most allowable uses and disclosures even over your express written objection. A fourth answer is that HIPAA did not really change the practice for most covered entities regarding use and disclosure in any major way.
Instead, HIPAA established universal standards and procedures for covered entities. These standards and procedures were new. However, the uses and disclosures that HIPAA allows are largely those that became routine in the last half of the twentieth century.
Most health care providers were not aware of how widespread the use and disclosure of health records had become. Before HIPAA, many providers thought that they only disclosed patient records with the consent of the patient, but it just wasn’t true.
HIPAA made everyone pay attention to and learn about privacy, often for the first time. The biggest drivers for the sharing of health records are:
Growth of third party insurance (including Medicare)
Pressures for increased controls on the cost of health care
Development of quality controls for medical practice
Growth of health care fraud and fraud investigations
Increase in public health activities
Expansion of records-based health research
Electronic health records and electronic health networks such as Health Information Exchanges (HIE)
For more about HIEs, see WPF’s HIE resources at (http://www.worldprivacyforum.org/hie.html).
All of these activities and others contributed to the demand for access to individually identifiable health records. Most of these activities serve important public or personal purposes, and it is not always easy to dismiss the HIPAA rule’s policies as anti-privacy. Disclosure often serves another significant but competing goal.
Protecting privacy is only one objective in the health care system. Some health activities can be and are conducted with records that do not include any identifying data about individual patients.
However, use of anonymous or non-identifiable records doesn’t meet all the needs for health information for several reasons. First, some activities really do require records with identifiers. For research that tracks the course of disease over years, the only way to link records may be with the use of identifiers.
Second, too many activities that could have used non-identifiable records started at a time when few paid attention to privacy or to alternatives to the use of identifiable records. Methods that might have increased use of non-identifiable records do not always exist because nothing forced their development. Third, it is increasingly difficult to talk about non-identifiable records.
As the amount of data recorded and available throughout society increased, the domain of truly non-identifiable records diminished. It is easier and easier to identify records even though overt identifiers have been removed. To make the point, more than 85% of the population of the United States can be uniquely identified just by date of birth, gender, and five-digit zip code.
All records, no matter how they may have been edited or masked, may be potentially identifiable with enough time, effort, and other data. Powerful modern computers make it easier to link records and to re-identify records that have been “de-identified.” Even snippets of DNA can sometimes be linked to identifiable individuals, and the ability to link DNA with real people will only expand over time. Another interesting and important part of the rule tries to limit use and disclosure to the minimum amount of information necessary to accomplish the purpose of the use or disclosure.
This is a fine principle, but its implementation is complex and controversial. All uses and disclosures to a health care provider for treatment purposes are exempt from the minimum necessary rule. It’s a big exception to the principle, but it is one that makes some sense to us.
Providers need broad access to records for treatment. However, as health records become lifetime records, there may be justification for allowing a patient to control some records some of the time.
For example, there may be no need for a physician treating an adult patient for allergies to have access to the patient’s record of sexual abuse that occurred decades earlier. The health care system may need to develop tools that allow patients reasonable controls over disclosures for treatment some of the time (and that allow providers to override restrictions if there is a good reason).
Disclosures pursuant to a patient’s authorization are also exempt, which is a reason that a patient should be careful when signing any authorization for disclosure of his or her records. If you sign an authorization for the disclosure of “any or all” of your records, your entire medical history can be disclosed.
56 Is My Consent Needed to Disclose Records for Treatment or Payment?
No.
Medical records can be used and disclosed without your approval for treatment, payment, and health care operations. Treatment is the providing, management, or coordination of health care by a health care provider.
The formal definition is slightly more complicated, but the basic concept is relatively simple. The definition of payment is more complex.
It includes activities by a health plan to determine coverage and provision of benefits and activities by a provider to obtain reimbursement. Payment also includes determining eligibility or coverage, including benefit coordination, cost sharing, adjudication and subrogation (making a third party pay) of benefits.
It includes risk adjustment based on enrollee status and characteristics. Patient data may also be used for billing, claims management, collection activities for bad debts, and reinsurance activities.
We are not done with payment. It also includes review for medical necessity and appropriateness of care as well as utilization review, such as pre-certification and preauthorization services.
Disclosure to credit bureaus of information relating to collection of premiums or reimbursement is another payment disclosure. All of those activities, and perhaps a bit more, fall under payment. The breadth of payment activities reflects the complexity of the health care system, the multiple inter-relationships between providers and payors, and the range of insurance activities.
The definition of payment is just a warm up for understanding disclosures for health care operations, another category of disclosure that does not require patient consent. The formal definition goes on for about 400 words.
It includes quality assessment, quality improvement, development of clinical guidelines, management and care coordination, review of provider competence, student training, underwriting, premium rating, medical review, legal services, auditing, fraud detection, business planning, business management, customer service, transfer or sale of a business, and fundraising. We didn’t include every type of health care operation here, but you should already get the idea.
Further, many of the functions mentioned here are complex tasks that encompass other layers of activities and involve the sharing of health records with people far removed from any activity that the average person would readily identify as part of routine health care management. One limit on use and disclosure of genetic information is the result of the Genetic Information Nondiscrimination Act of 2008 (GINA). GINA made it illegal to use genetic information for most underwriting purposes.
That’s good, but it’s not much in the way of health information disclosure restrictions. GINA also generally prohibits most use of genetic information in health insurance and employment. Those are good restrictions too, mostly in furtherance of preventing discrimination against individuals with genetic predispositions.
There’s much to debate about GINA, but not here. From a narrow privacy perspective, GINA only helps a little.
57 Are Disclosures for Treatment, Payment, and Health Care Operations Okay?
At one level, yes.
Health care is a complex enterprise that represents a large chunk of America’s economy. There are hundreds of thousands of health care providers and probably as many support organizations. Daily transactions measure in the millions.
If you think about it, you may realize that major health care treatment and payment institutions are big businesses that engage in a wide variety of activities just like other businesses. Management and internal controls require access to some records.
If we spent the time to list the comparable data-intensive activities engaged in by banks or governments, we would also find a long list of uses and disclosures of personal information that are, for better or worse, a routine part of those functions. At one level, then, treatment, payment and health care operations (TPO) disclosures are routine.
Just about all of the functions supported by TPO uses and disclosures went on before HIPAA, although few health professionals paid attention to them. Before HIPAA, if your consent was sought for the sharing of your records for these purposes — and it frequently was not sought — you weren’t told any of the specifics. Doctors, hospitals, and insurers typically asked patients to consent to “any and all disclosures” without telling patients what that meant.
Physicians and other providers didn’t know themselves how widely patient information was shared. HIPAA eliminated the need for consent for TPO disclosures.
A covered entity may still seek your consent, but this seems to happen rarely. It is easier to rely on the authority provided by the rule to justify use and disclosure.
Some privacy advocates see the lack of consent as a great gap in privacy protection because it removes any pretense of patient control over records. We doubt that asking everyone for consent all the time would achieve a better result, and the extra expense and bother would be considerable. Before HIPAA, many health professionals thought that a patient’s health record would be disclosed only with the patient’s informed consent.
However, what was called informed consent was typically neither informed nor consensual. You had no idea what the authorization form you were signing meant, and you really didn’t have much of a choice.
Signing a consent form was a prerequisite to seeing the doctor or having the insurance company pay the bill. Patients — especially those who were ill — are not really able to focus on privacy.
Almost everybody signed whatever form they were given without question. If a patient limited or modified an informed consent form, the changes were often not noticed or ignored.
Some experts recognize that it is difficult to expect patients — often people who are sick, impaired, or worried about their children — to be able to understand and control the complex uses and disclosures of their records that have become part of health care activities. Would you prefer to be asked for your permission to disclose your records for dozens of different purposes?
Could you really make a meaningful choice while suffering from the flu, undergoing chemotherapy, or worried about your nauseous child? Further, there is a limit to how much the health care system can cater to individual preferences. There is a cost involved.
Discussions about the proper role of consent for information use and disclosure in the health care process are ongoing. You are welcome to your side of this debate.
58 Do I Have a Say in Any Disclosures? Facility Directories and Caregivers
Yes, but only in a few circumstances. First, if you are in a facility (e.g., an inpatient in a hospital), the facility can disclose basic information about your presence, location, and general condition through a facility directory.
One limitation is that the facility can’t reveal information that discloses specific health information about you (e.g., you are an inpatient on the psychiatric floor or are in a kidney dialysis unit). The idea behind facility directory disclosures is that if someone comes to visit you or sends flowers, the hospital can say that you are there and, perhaps, where you are.
The hospital may disclose your religious affiliation, but only to a member of the clergy. You have a right to object to facility directory disclosures. The covered entity must offer you an opportunity to object to the inclusion of your information in a facility directory.
If, because of incapacity or emergency treatment, you weren’t offered the chance to object, the hospital can still make limited disclosures in emergency circumstances. For example, if you are unconscious, the emergency room can tell your spouse where you are.
That seems perfectly reasonable. Second, HIPAA has a complex but flexible set of rules governing disclosures to caregivers. A caregiver can be your next of kin, other family member, or another person involved in your care (e.g., a roommate).
The HIPAA rule allows disclosure of information relevant to the caregiver’s involvement in your care. A covered entity can make a disclosure to locate a family member or other caregiver.
If you (the patient) are present at the time of a disclosure to a caregiver, the covered entity can seek your agreement, offer you an opportunity to object, or reasonably infer from the circumstances that you do not object. Essentially, the rule specifically allows the exercise of professional judgment for the types of disclosures that have long been made to caregivers.
If a patient is not present or is incapacitated at the time of disclosure, the covered entity may exercise professional judgment and make disclosures directly relevant to a caregiver’s responsibility, including payment related activities. Thus, the rule allows your spouse to pick up your prescription at the pharmacy without written consent from you or to negotiate with your health plan on your behalf.
A covered entity may also disclose a decedent’s information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. This gives health care providers and health plans the discretion to do what they consider to be the right thing for families of patients recently deceased. Another provision addresses disclosures for disaster relief purposes.
An example is disclosure to the Red Cross following a hurricane. The disaster relief provision, for example, allowed appropriate health disclosures during and after Hurricane Katrina.
Disclosures by health care providers to family members are a routine part of health treatment. Those are some of the disclosures that the rule contemplates.
Importantly, the caregiver exception also covers disclosures by insurance plans to family members. That allows a family member to negotiate approval of your treatment or payment of the bill with the insurance company while you are incapacitated.
In general, the caregiver provision seems to have worked well after some initial confusion. The trick is to strike a reasonable balance between privacy and the normal expectations of patients and families. It is a delicate balance, and we think that HIPAA did well here.
Giving considerable discretion to health professionals had a lot to do with the success of this provision. Third, a covered entity can use or disclose information for its own fundraising purposes.
A covered entity can use or disclose to a business associate or related foundation your name, address, other contact information, age, gender, and date of birth. In addition, it may use or disclose information about dates of care, department of service, treating physician, outcome information, and health insurance status. No other PHI may be used for fund-raising.
This means that a hospital can now tell a fundraiser that you were treated by the oncology or psychiatry department. That is a bit much, if you ask us.
You can opt-out of fundraising requests. If a covered entity intends to use PHI for fundraising, it must include a statement about its intentions in its notice of privacy practices.
In addition, each fundraising communication must include a clear and conspicuous opportunity to opt-out of future fundraising communications, and the opt-out method cannot impose an undue burden or more than a nominal cost. Making you write a letter to opt-out is not allowed, however.
Further, a covered entity may not condition treatment or payment on the individual’s choice about fundraising communications. Fourth, you have the right to authorize the disclosure of your health records to anyone you like.
The HIPAA rule sets standards for authorization forms, and if a form does not meet HIPAA standards, then the form does not constitute patient authorization. We are not going to bore you with the technical requirements for authorization forms. We discuss the strategy for authorizations later.
(See FAQs 64-66.) Anyone who wants you to authorize a disclosure or is a covered entity will know the technical requirements. This isn’t typically a problem that patients have to solve.
The rule uses both consent and authorization as terms that apply when a patient gives approval for the disclosure of a health record. Consent is the term that applies when a patient gives an organization permission to disclose for treatment, payment, and health care operations.
Authorization is the term that applies to all other disclosures approved by a patient. The reason for the difference in terminology is buried in the history of the rule, and it is too boring to explain.
Normally, patients will encounter the term authorization. When might a patient authorize disclosure? You might authorize disclosure if you are applying for life or disability insurance.
You might authorize your doctor to send information to your employer or to a school to explain an absence. You could authorize your doctor to disclose your records to your lawyer, a family member, or a health researcher.
You might want records disclosed to support a disability claim made with the Social Security Administration. It is also possible that you might even want to share your records with the police under some circumstances (perhaps to clear you of suspicion). You might want to authorize a provider to give records to the organization maintaining your personal health record (but we think you should think twice before casually establishing a personal health record.
For more on PHRs, see the World Privacy Forum report Personal Health Records: Why Many PHRs Threaten Privacy at https://www.worldprivacyforum.org/2008/02/blog-legal-and-policy-analysis-personal-health-records-why-many-phrs-threaten-privacy/). For the most part, however, HIPAA defines the range of non-consensual uses and disclosures to include nearly every possible disclosure that is either necessary or convenient for the health care system to operate or for the government to carry out its many functions.
After all, the HIPAA rule was written by the Department of Health and Human Services, one of the biggest users of health records in the country. The first thing that HHS did in writing the rule was to take care of its own interests in obtaining access to records.
59 Does HIPAA Allow Uses and Disclosures Without My Approval
Yes, does it ever. The HIPAA rule allows dozens of different uses and disclosures without any need for patient consent or authorization. The rule permits so many uses and disclosures that it is hard to count them.
The rule has about five pages of dense type describing allowable uses and disclosures of health records. Many of HIPAA’s allowable uses and disclosures come with terms, conditions, and procedures that the covered entity or the person seeking the information must meet.
A simple list of authorized recipients or recognized purposes doesn’t necessarily tell you that much. The terms, conditions, and procedures make a big difference to the scope and ease of disclosures.
We won’t cover all of the details here because of the complexity. The details are crucially important if you are a covered entity concerned about when it is permissible to make a disclosure. A patient may need to know the details when trying to decide after the fact if a covered entity made a disclosure properly.
However, a patient with that requirement will have to look elsewhere for the specifics. We can’t cover every detail here.
One important feature of the rule’s allowable uses and disclosures is that they are mostly permissive. Just because a use or disclosure can be made without violating the rule does not mean that a covered entity must make the disclosure.
A covered entity can just say no to almost any person who asks for a disclosure permitted by the rule. This means that the rule itself is not the most important factor in determining how your record may be used or disclosed. In most cases, it is up to your health care provider or insurer to decide whether to make your record available for a particular activity.
If anyone tells you that HIPAA requires a disclosure, you should be suspicious. The only two types of disclosure that the rule actually requires are:
When a patient asks for access to his or her own record, and
When the Secretary of HHS needs access to records to oversee or enforce the HIPAA rule itself.
For all other uses and disclosures, it is up to the covered entity to decide whether the use or disclosure is appropriate, legal, and ethical.
Of course, other laws may affect that decision, and many laws require disclosure of health records. We also want to remind you that the HIPAA rule establishes a floor of privacy protection. If state law or other federal law has higher standards and better privacy protections, then that law controls.
If HIPAA allows a disclosure that is prohibited by law in your state, a covered entity in your state may not make the disclosure. We will go over one type of allowable use and disclosure in detail to give you better insight into the complexity of use and disclosure. We will then provide general information on the other permissible uses and disclosures.
60 What Are Uses and Disclosures Required by Law
We want to discuss the category of uses and disclosures required by law. If you read privacy policies, you may see this term a lot. For purposes of this discussion, we will focus on disclosures rather than uses.
HIPAA recognizes that other laws sometimes require the disclosure of health records. In one of the shortest sections dealing with disclosure, HIPAA says that a covered entity can make a disclosure that is required by law.
What does this mean? It means that any federal, state, or local law requiring disclosure of health records remains in force.
(A law means a statute or a regulation.) For example, when a state law requires a physician to report a suspected case of child abuse to a state agency, the HIPAA rule does not interfere with that disclosure (although it establishes some conditions on that particular disclosure). If a city passes an ordinance that says that the entire health record of any individual hospitalized in a local hospital must be published in full in the local newspaper, HIPAA would permit that disclosure too.
We do not expect to see laws requiring the publishing of patient records any time soon. We just want to point out the breadth of the HIPAA deference to other laws.
Any law, no matter what its purpose or scope, that requires disclosure is sufficient for HIPAA’s purposes. If another law says disclose, then HIPAA says disclosure is permissible but only to the extent of the requirements of the other law.
Any compulsion about disclosure comes from that other law and not from HIPAA, however. For some disclosures allowed by HIPAA, the rule provides that the procedures established by HIPAA continue to apply to covered entities even when disclosures are made under the authority of other laws. This is a complicated area, and you may want to skip the rest of this paragraph.
For example, HIPAA allows disclosures to report suspected cases of abuse, neglect, or domestic violence to the proper authorities. Most or all states have comparable laws. HIPAA includes a set of procedures that a covered entity must comply with before or after making a disclosure of abuse, neglect, or domestic violence.
Under some specified circumstances, the covered entity making the disclosure must inform the subject of the disclosure (i.e., the victim) about the disclosure. However, the rule specifies that in some circumstances, notifying the victim will place the victim in greater peril so telling the victim is not always required.
The HIPAA rule says that if state law mandates disclosure about abuse, the covered entity making the disclosure must still comply with the HIPAA procedures. HIPAA also imposes additional duties for disclosures for judicial and administrative proceedings and for disclosures for law enforcement purposes. However, for other allowable disclosures, none of the conditions in HIPAA applies if another law requires disclosure.
For example, the HIPAA rule allows disclosures for health research under a lengthy set of conditions. If a covered entity wants to make a disclosure for research, it must comply with all of the HIPAA conditions. However, if a state law requires disclosure for health research with fewer or no conditions, then HIPAA says that the disclosure can be made without complying with all of HIPAA’s conditions.
This is complicated stuff, and we haven’t covered all the nuances. The covered entities that make disclosures need to pay close attention to the details.
The message for patients is that many laws affect the confidentiality of health records. If you thought that no one disclosed your health records without your approval, keep reading to see how wrong you were.
61 What Are the Allowable Uses and Disclosures
We list each HIPAA category of allowable use and disclosure, together with some discussion as appropriate. (If we included every detail of every disclosure, it would double the size of this guide.) A covered entity that must comply with the HIPAA rule needs to know all the specifics, but an informed patient generally only needs to be aware of the categories of uses and disclosures. Every covered entity’s notice of privacy practices should include some information about each type of allowable disclosure.
Those who want to know more can read the rule itself.
Treatment, Payment, and Health Care Operations. We covered this category of uses and disclosures in detail in an earlier question.
(See FAQ 57.) The category includes uses and disclosures for a very large number of purposes.
Required by law. We’ve already covered this category in detail in the previous question.
We used this category to illustrate the complexity of allowable disclosures.
Public Health Activities. Public health disclosures are one of the more expansive disclosure categories under the rule.
There are at least five general types of public health disclosures. Some public health disclosures are to traditional federal, state, and local public health agencies. The reporting of communicable diseases is an example.
It is the type of disclosure that draws few, if any, objections. Additional confidentiality protections may apply to some of the information disclosed to public health agencies.
Disclosures to manufacturers of pharmaceutical medicines and devices for the reporting of adverse events may qualify as public health disclosures. Some public health disclosures can be to employers for medical surveillance of the workplace.
These disclosures to private entities explain why the public health category is so expansive. Many different organizations play a role in public health, including employers.
Immunizations. A covered entity can disclose proof of immunization to a school where an individual is a student or prospective student, if the school is required by law to have proof of immunization before admitting a student and the covered entity obtains and documents agreement to disclose from a parent or guardian or from an adult student.
The agreement does not have to be in writing.
Victims of Abuse, Neglect, or Domestic Violence. Reporting of victims can be done to a social service agency or other government authority (including the police) that is authorized to receive the reports.
Health Oversight Activities. Many federal and state government agencies regulate and oversee parts of the health care system.
Disclosures are permissible for activities authorized (not just required!) by law, including audits, investigations, inspections, licensing, and similar functions. One patient protection included in the rule prevents the use of information disclosed for oversight purposes against the patient who is the subject of the record disclosed.
So if an agency investigates a health care provider, it cannot use information about that provider’s patients against the patients themselves. However, if the information reveals health care fraud by the patient or involving public benefits for health care or benefits based on health condition, the information can be used against the patient. The protection for patients with oversight disclosures is limited, but it has some substance.
Judicial and Administrative Proceedings. A covered entity can respond to a court order or the order of an administrative agency for health records.
The authority to disclose also covers subpoenas and discovery requests. The conditions that attach to these disclosures are lengthy and include some obligation to give notice to the patient who is the subject of the record. The complexity here is enough to choke a lawyer because the HIPAA rule interacts with already elaborate state laws and court procedures.
Law Enforcement Purposes. The rule has six flavors of law enforcement disclosure. The loosest allows disclosures for “administrative” requests.
An administrative request does not require judicial approval or even have to be in writing. Any law enforcement official can ask for information by stating that the information sought is relevant to a legitimate law enforcement inquiry, by limiting the request to information reasonably practicable to the purpose, and by saying that de-identified information cannot be used. It is hard to imagine a more unrestricted type of police disclosure.
A covered entity need not comply with an administrative request, but it may do so. The other types of law enforcement disclosures are not so open-ended.
One, for example, allows a provider to report a crime that occurred in the provider’s office. That seems more reasonable.
Decedents. A covered entity can share information about people who died with coroners and funeral directors. They may need to know if a decedent had AIDS, for example.
Organ and Tissue Donation. A covered entity can disclose patient information to organizations engaged in tissue banking and transplantation to facilitate donations.
Research.
Researchers engaged in health research and other types of research often want access to health records. The rule allows disclosures for research but generally requires that a research project be approved by an Institutional Review Board (IRB). An IRB is an existing institution — often part of the organization conducting the research — that oversees research activities to protect human subjects.
The research section of HIPAA is particularly convoluted in order to address different needs of researchers. We observe that HHS itself conducts and funds research using health records. The rule reflects the needs of HHS and researchers, while offering some procedural protections for privacy.
There are many policy conflicts involving research disclosures, and the rule strikes balances that some like and some don’t.
Serious Threats to Health or Safety.
A covered entity may use or disclose a patient record if it believes in good faith that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. There are a few other conditions.
Specialized Government Functions. This category of uses and disclosures has six subcategories.
Some relate to military, veterans, and prison functions. Another category allows disclosure to the Secret Service to protect the President and some other officials. Another broad subcategory allows disclosure to government programs providing public benefits.
The broadest provisions in the government functions subcategory authorize disclosure to any national security or intelligence agency. HIPAA imposes no conditions or procedures for national security disclosures.
The disclosures are not mandatory (at least not under HIPAA), but any national security or intelligence agency can request a health record on any individual without prerequisite and without violating HIPAA, even if the disclosure would violate medical ethics. We think this is the single worst provision in the HIPAA Privacy Rule.
Worker’s Compensation. HIPAA allows any disclosure authorized and necessary to comply with laws relating to worker’s compensation. The worker’s compensation system typically requires the routine disclosure of health information about injured workers.
HIPAA stays out of the way and allows the normal processes to continue without any procedural or substantive interference. We remind you once again that nearly all HIPAA disclosures are permissive and not mandatory.
While many records are heavily used and disclosed for treatment, payment, and health care operations, many of the other permissible disclosures are likely to be relatively unusual. Just because records can be disclosed to the Central Intelligence Agency under the national security category doesn’t mean that the CIA really looks at everyone’s health records routinely.
62 Can a Mental Health Care Provider Disclose Health Information to Parents of College Students
Recent violent events on college campuses and elsewhere resulted in concerns that privacy rules may affect how mental health care providers can share information. The specific concern is that privacy rules create confusion about the ability of mental health care providers for adults (including college students) to communicate with parents or other potential caregivers of a patient.
In the 21st Century Cures Act, Congress made a specific finding about the existence of confusion and the consequences of the confusion. Act of December 13, 2016, Public Law 114-255, Section 11001(a)(9).
The text of the Act appears at (https://www.congress.gov/114/bills/hr34/BILLS-114hr34enr.pdf). In the 21st Century Cures Act, Congress also directed the Secretary of HHS to issue guidance clarifying uses and disclosures permissible under HIPAA. The law does not suggest that there is a need for a change in the privacy rule.
HIPAA provides several methods for disclosure by covered entities to caregivers of information about individuals with mental health problems. The direction to the Secretary identifies the types of uses and disclosures that Congress thinks would clarify the situation.
Permissible disclosures about an individual patient receiving or needing mental health care can be made: 1) with the consent of the patient; 2) if the patient had an opportunity to object; 3) based on the exercise of professional judgment whether the patient would object if an opportunity to object is not possible because of incapacity or emergency treatment; or 4) based on the exercise of professional judgment to be in the best interest of the patient when the patient is not present or is otherwise incapacitated. Elsewhere, this guide explains all of these types of disclosures.
However, it is not possible in this FAQ to address these disclosures in great detail. Much depends on individual circumstances, specific facts, and professional judgment.
Presumably, the forthcoming guidance from HHS will provide greater clarity. This issue is difficult because of the need to balance interventions and privacy in an effective way.
Congress considered different approaches, including a substantive change in the rules. In the end, Congress settled on asking for better guidance rather than a new rule.
Existing HHS guidance on mental health data sharing is at (https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html?language=es).
63 What Happens to Privacy When Adult Children Are Covered by their Parent’s Health Insurance? Will information of an adult child be disclosed to the parent?
Under some circumstances, adult children may have health coverage under an insurance policy of their parents.
For example, some policies may cover adult children who are college students. Can the policy holder (parent) obtain health information about an adult child?
This is a messy area, with different types of answers. If the parent is a recognized caregiver of the adult child, then standard HIPAA rules allow a health care provider to share information. This is the rule whether or not the adult child is covered by the parent’s insurance.
Any patient can prevent these disclosures, however, by telling the provider. A standard HIPAA rule also allows disclosure to avert a serious and imminent threat to health or safety. This provision isn’t likely to apply very often, but it allows disclosure to anyone who can prevent or lessen the threat, parent or otherwise.
In other circumstances where the adult child may not want to let a parent know about the adult child’s health condition, things are more complicated. Rules and rights are slightly different for health plans (insurers) than for health care providers.
Insurers usually send bills and EOBs (Explanation of Benefits) to the individual who has the policy. When a parent’s policy covers an adult child, those notices may go to the parent unless the adult child takes action to stop it. HIPAA says that any individual can ask that a health plan communicate with them at a different location or using a different method than normal.
Any covered entity must comply with a request if the individual says that the routine communication method would endanger the individual. Part II C of this guide explains how to make this type of request.
Remember that we think that it is up to each individual to decide what is a danger to them, but whether you can convince the insurer of this is uncertain. If it is important to you, it’s worth trying. Even if you make the request and the insurer agrees, it may not work since some communications may end up with the parent who is the policy holder normally.
Still, insurers may be more sensitive to this problem today than in the past. In the end, the existing HIPAA rule does not meaningfully address this problem, and using any of these methods can be chancy and incomplete. Some state laws may offer some better protections, but these may vary by state and type of treatment.
What to do? An adult child should make the problem known to their providers and, especially, to their health insurer. Make a request even when HIPAA doesn’t give a formal right.
Talk to the insurer’s privacy officer, if possible. Some covered entities may respond positively to a request even if not required by HIPAA.
Another possibility is to pay cash for some services, an option not available to everyone for every type of treatment.
64 What Should I Do if Asked to Sign an Authorization to Disclose my Record
Although not everyone who asks you to sign an authorization will have a sinister motive, you should be cautious in signing an authorization for more disclosure of your information. Here are some things to look out for:
Disclosures: Does the authorization say that all of your information can be disclosed?
If you authorize disclosure to a physician who is treating you, a broad authorization may be appropriate. If you authorize disclosure to a life insurance company, the company will likely insist on a broad authorization as part of the application process. However, if the authorization is for disclosure to your employer to explain your absence from work, you may want to be sure that the authorization only covers your recent illness and not records from the past.
You may not want your employer to know, for example, about being treated for a psychiatric ailment ten years ago.
Expiration date: Is there an expiration date or event for the authorization?
There should be in nearly all cases. You should try to understand why the date or event was chosen and be suspicious of any open-ended authorizations. Some long-term research activities may be able to justify not having an expiration date.
Otherwise, you should try to insist on a short expiration date or near-term expiration event.
Proper description of recipient: Is the person authorized to receive the information properly described?
It is okay if the form says ABC Life Insurance Company rather than the name of a specific individual at the company. However, if the form is too vague (e.g., “bearer”), then you should definitely think twice.
Purpose of disclosure description: Is the purpose for the disclosure properly described?
If you tell the covered entity why you are authorizing the disclosure, you may reveal information that you don’t want to reveal and don’t have to share. It is okay to sign a form that merely describes the purpose as “at the request of the individual.” However, we wouldn’t normally sign an authorization written that way without a good reason and then only if we trusted the recipient. By stating a purpose, you may limit what the recipient can do with the information.
Anyone seeking an authorization in good faith should be willing to include an appropriate purpose and, if someone does not suggest a narrow purpose, you should be wary. This can be a bit tricky when you authorize disclosure to a lawyer for a malpractice suit against a provider.
Marketing: Is the authorization for a marketing activity?
We would never sign a disclosure for a marketing purpose, no matter what the inducement. Once a marketer obtains your information, the marketer can use it, keep it, and sell it without any restriction for the rest of your life. Don’t give away your health privacy for a chance to win a t-shirt.
The Rule allows prescription refill reminders even though they are marketing, but it imposes a limit on how much a provider can be paid for sending a reminder.
Financial remuneration: Generally, a covered entity needs your authorization if someone pays (“financial remuneration”) the entity for the use of your information for a marketing purpose.
That’s good, but limiting the sale of PHI made for a complicated rule because there are some times when it’s okay if a provider receives payment for disclosing PHI. For example, a health researcher may pay a hospital for the cost of providing records for the research project. The Rule explains this, but we won’t because it’s not relevant to most patients.
Research: Is the authorization for a research project? Read it carefully because a 2013 rule change allows research authorizations to be more expansive. The same authorization can cover the project itself and the storage of a blood, data, or tissue sample about you forever.
You may or may not be comfortable with that. We encourage you to ask lots of questions about research and researchers. Not all researchers are truly trustworthy.
We emphasize that while we think that you should be cautious in signing authorizations, in some circumstances it is the right thing to do. Signing an authorization should happen infrequently enough that you can spend a little time asking questions. Be cautious if asked to sign an authorization as part of the process for admission to a hospital.
The HIPAA rule allows the hospital to make all the disclosures necessary for your care and for the hospital’s operations. Ask questions first if you are presented with an authorization to sign. Some hospitals routinely collect authorizations that allow disclosures to employers.
Some standard authorizations allow the hospital to film your operation or use your blood or tissue samples for purposes unrelated to treatment. These are examples of disclosure that you may not want to permit without a specific reason.
The hospital may seek a broad authorization for its own convenience so that it can make a disclosure without getting your signature later. We suggest that any extra paperwork may be worth it, because it may protect you.
You can decline to sign the authorization or you can limit its effectiveness to the period while you are in the hospital or perhaps for an additional week. If asked to sign an authorization that has language we didn’t like, we would just cross it out. The HIPAA rule expressly provides that no one can condition treatment, payment, or enrollment in a health plan on signing an authorization.
This is an important protection, and if any provider says “sign or leave”, you should be extremely suspicious and ask for a written explanation that you can take with you. There is a limited exception to this policy if you are enrolling in a research activity involving treatment.
Another exception allows a health plan to require an authorization for an individually underwritten health policy. There is one other complex but minor exception to the rule.
What happens when I authorize disclosure to a non-HIPAA-covered entity
We told you earlier that HIPAA protections do not follow the records. When your records are transferred to someone who is not a covered entity, the records in the possession of the recipient are not covered by HIPAA. That is also true for most disclosures with your authorization.
If you agree to allow a covered entity to share your records with someone who is not a HIPAA-covered entity, no privacy law may apply to the recipient. If you authorize a company that engages in advertising-supported activity (such as a personal health record or PHR) to obtain your records, it is possible that the recipient could use your information for marketing and share it with almost anyone. Any privacy protections would depend on the recipient’s policy.
If you read the privacy policy at most advertising-supported personal health record companies (and many other websites as well), we bet it says expressly that the privacy policy can be changed at any time. You have been warned!
65 Do I Need a Disclosure Authorization to Care For My Elderly Parent
Maybe.
If you help a parent, other relative, or even an unrelated friend or neighbor, HIPAA allows a provider to disclose to a person involved in a patient’s care. These people are sometimes called caregivers, and the rule governing caregivers is discussed elsewhere.
(See FAQ 58.) While the HIPAA caregiver policy usually works well, it may be useful to have a written authorization from the patient. This is good advice especially if you will be caring for someone for a long time, if there are many health care providers involved, or if you expect to have to deal with an insurance company or Medicare.
Don’t give away your original authorization. Keep copies because you may need them regularly.
If you care for someone at a hospital or nursing home, bring a copy with you at all times. The nurse who knows you may not be there tomorrow. If you obtain a health care power of attorney for another person, the power should specifically mention the authority to obtain protected health information about that person.
Protected health information is the formal HIPAA term for a health record. You can obtain a power of attorney for a patient just for HIPAA disclosure purposes without having the authority to make substantive health decisions about the patient.
If you sign or receive a broad health care power of attorney that authorizes someone to make substantive health decisions, that same power of attorney should also authorize disclosures to support those decisions. We think it is a good idea to have a signed disclosure authorization for any family member (other than a dependent child) if you have some responsibility for his or her care.
The more remote the relationship, the more important an authorization may be, especially if a hospitalization occurs. The same is true if you are responsible for a neighbor or friend.
Ask the hospital for a blank form that it will accept. Plan to obtain the signed authorization in advance of the hospitalization if possible.
66 What Can I Do if I Foolishly Signed an Authorization
You can revoke the authorization, but you have to do it in writing. Your ability to revoke an authorization is restricted if a covered entity took action in reliance on the authorization or if the authorization was a condition of obtaining insurance coverage.
Remember that revoking an authorization may not be enough. The covered entity that you authorized to disclose your records must receive a copy of your revocation.
If a third party obtained the authorization, you should make sure that the third party receives a copy of the revocation. If a third party obtained the authorization for your records from a specific hospital, formally notifying the hospital in writing that you revoked the authorization is also important.
67 Can My Health Records be Used for Marketing
The short answer is no, but the correct and longer answer is more complicated.
Let’s go through it step by step. The HIPAA rule tells covered entities that they can only use or disclose health records for marketing with the authorization of the patient.
One reason for being careful when signing an authorization is to make sure that you don’t casually authorize disclosure of your records to a company that wants to use them for marketing. Other activities can reveal your medical history. If you accept a drug manufacturer’s coupon for a prescription drug, the manufacturer will learn your name and other information that it didn’t have before.
Drug manufacturers are not covered entities or generally subject to health privacy laws. Signing up for a disease-specific newsletter also reveals your name and health information. Joining a disease support group also effectively shares health information about you or a family member.
If you give your email address to sign into a disease-specific website, the website operator knows what you are interested in and how to spam you. If you chat on a health care provider’s Facebook page (or on your Facebook page) openly about your condition (or your child’s), you effectively reveal health information.
HIPAA doesn’t protect any information you post on a social network. If you provide health information in response to a “survey” that promises to provide you with coupons, that information will go straight to a marketer’s database.
If you use a Fitbit or other fitness tracker and you give your data to the company, the data is not subject to HIPAA, only to that company’s privacy policy. Most gyms are not HIPAA-covered entities, so data shared with a gym falls outside HIPAA and has no statutory privacy protections. HIPAA has two exceptions that allow marketing uses and disclosures.
The first permits face-to-face communications by a covered entity to a patient. The second allows promotional gifts of nominal value provided by the covered entity.
Under the first exception, for example, a nurse can invite you to visit the hospital’s new weight loss clinic. Under the second, the hospital can give you a refrigerator magnet with the phone number of its well-baby clinic. If the covered entity undertakes any marketing activity because someone, such as an outside company, pays it to do so, then the covered entity must tell you it is being paid.
The Rule also allows prescription refill reminders, but it imposes a limit on how much a provider can be paid for sending a reminder. If you don’t like refill reminders, you may be able to opt out of them. A pharmacy can send you a letter telling you to refill an existing prescription, but the Rule does not allow so-called switch letters.
A switch letter tries to get you to use a different drug than the one you were originally prescribed. The basic marketing rule is pretty good as far as it goes.
Most doctors believe, and will tell you, that using — and especially disclosing — health records for marketing is unethical anyway. That’s fine, but in many instances, doctors practice in group settings where the doctors don’t control all uses and disclosures of health records. So far, so good.
The rule allows uses and disclosures for treatment purposes and for health care operations. When does a treatment recommendation constitute marketing? The line can be hard to draw.
Advice from HHS says that any communication for the patient’s treatment, case management, care coordination, or recommendation of alternative therapies is permitted to the extent reasonably necessary. Further, population-based activities for health education or disease prevention (“Don’t Smoke!”) can also be okay.
The problem in line drawing here is that legitimate health activities overlap at the edges with marketing activities that many people are likely to find objectionable. Activities that fall on those edges can be characterized differently. Some activities that fall under the broad (and permissible) category of health care operations will look like marketing to some.
When the answer requires a lawyer to dissect words, the result will be controversial at best. The HIPAA rule helps a bit in limiting marketing disclosures. For example, because of HIPAA, you can expect that no covered entity will sell or rent lists of patients to drug manufacturers for the purposes of sending spam or junk mail.
However, there may be other forms of marketing-like activities that a covered entity’s lawyer may say are allowed under HIPAA. We are not done yet, but we need more context to continue. If you receive mail hawking allergy medicines or medical devices for diabetics, does that mean that your allergist or internist or insurer or pharmacist gave your name and diagnosis to the advertiser?
Anything is possible, but there are other, more likely, sources of the same information. Marketing companies and data brokers sell or rent mailing lists of people by diagnosis.
They offer lists of millions of people by dozens of different diseases and conditions. Where does the information come from? The answer is from many places, but you are the most likely source.
If you show interest in a medical product by making a purchase, calling an 800 number, registering at a website, using a coded coupon, subscribing to a magazine, filling out a quiz, or entering a sweepstakes, you may reveal your interest and your diagnosis. If you fill out a warranty card or a consumer survey, any information about your health condition (“Why did you buy the vaporizer?”) that you reveal is likely to end up in a personal or household profile and can be used and sold forever for marketing purposes. Websites that show ads and the advertisers often collect information about you, what you see online, and what you click on.
That can all reveal health information not protected by law. Those who read carefully already saw our warning about turning your health records over to a commercial, advertising-supported company offering personal health record (PHR) services. (See FAQ 9.) That’s another way your records can leak into the marketing system.
Any slip puts your personal information in the permanent possession of list brokers, marketers and profilers. We almost never fill out warranty cards.
You have the same warranty protections whether or not you fill out the card. The main purpose of warranty cards is for the manufacturer of a product to learn information about its customers that it can use or sell for marketing purposes.
We do not fill out warranty cards even if the manufacturer promises a one-in-a-zillion chance of winning a prize. If we had a good reason to fill out a warranty card, we wouldn’t give all the information requested or we might lie. We need to remind you again that HIPAA does not protect all health information.
It only applies to health information held by a covered entity (health care provider or insurer). If you give health information to a product manufacturer, it’s not likely to be protected by any privacy law.
Over-the-counter medications and HIPAA
Be careful when buying over-the-counter medications on the Internet or using frequent shopping cards from drug stores or pharmacies.
The information about your purchase is not protected under HIPAA because the rule only covers prescription drugs. If the merchant is not a covered entity, then HIPAA does not stop it from recording your name and purchase and selling that information to others for marketing purposes. Here’s the same advice that makes the point more succinctly: Never buy a tube of Preparation H using a frequent shopper card.
A chain drug store or supermarket is only a covered entity for the pharmacy in the back of the store. Anything that merchant knows about you other than prescription drug purchases will not be protected under HIPAA. The final answer about marketing is that HIPAA mostly does the right thing when it comes to marketing uses and disclosures of health information.
However, there are gaps at the edges. Beyond HIPAA, there are non-regulated sources of health information about many Americans.
For many organizations with health information, the pressure to exploit health data for marketing purposes is great. That pressure is even greater on the Internet. Many health care companies are for-profit organizations, accountable to their shareholders.
We generally trust individual doctors to do the right thing here, but we don’t necessarily trust large institutions. We worry especially that information maintained by non-HIPAA entities in Personal Health Records will leak into the marketing system. We remain cautious and observant about marketing.
Once a marketer gets your health information, that information is “in the wild” and the marketer has that information forever. The information may be used during your lifetime and the lifetime of your children.
68 What Does the Breach Notice I Received Mean
Let’s start with the basics. What’s a breach?
A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. The full definition of what is and is not a breach is too complicated for this FAQ. In general, if a covered entity has a qualifying breach, it will send you a notice to let you know.
The notice will include details about the breach and advice about what you should do to protect yourself. A breach can lead to negative consequences for you, but we don’t want you to overreact.
Yes, you could become a victim of identity theft, either financial identity theft or medical identity theft. Yes, you are at greater risk because of the breach. Do not panic.
We cannot assess the probabilities, but not every breach results in consequences for the victims of the breach. If a covered entity offers you free credit monitoring, you may want to accept it.
If the breach included disclosure of your credit card number or your health insurance number, you may want to pay even closer attention to credit card bills or explanation of benefits. Frankly, you should pay close attention to these anyway. You should always make sure that all charges to your credit card are correct, and you should follow up if any are not.
Same with explanations of benefits from a health insurer. If it doesn’t look right, call the insurer or provider and ask questions.
We do not advise paying for identity theft insurance or even buying credit monitoring unless you have a specific reason for doing so. Identity theft insurance is rarely worth the cost.
You can learn more about medical identity theft at the World Privacy Forum website at (https://www.worldprivacyforum.org/category/med-id-theft/). There are lots of resources and advice.
For more on financial identity theft, go to the Identity Theft Resource Center at (http://idtheftcenter.com/).
Posted March 5, 2019 in Featured, Patient's Guide to HIPAA, Reports