Resources

HIPAA (Health Insurance Portability and Accountability Act of 1996) Healthcare

Most Frequently Asked Questions about HIPAA

1. What does the HIPAA Privacy Rule do?
The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.

• It gives patients more control over their health information.
• It sets boundaries on the use and release of health records.
• It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
• It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
• And it strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.

For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.

• It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
• It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
• It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
• It empowers individuals to control certain uses and disclosures of their health information.

2. Can telemarketers obtain my health information and use it to call me to sell goods and services?
Under the HIPAA Privacy Rule, a covered entity can share protected health information with a telemarketer only if the covered entity has either obtained the individual’s prior written authorization to do so, or has entered into a business associate relationship with the telemarketer for the purpose of making a communication that is not marketing, such as to inform individuals about the covered entity’s own goods or services.

If the telemarketer is a business associate under the Privacy Rule, it must agree by contract to use the information only for communicating on behalf of the covered entity, and not to market its own goods or services (or those of another third party).

3. How does the HIPAA Privacy Rule affect my rights under the Federal Privacy Act?

The Privacy Act of 1974 (U.S. Department of Justice) protects personal information about individuals held by the Federal government. Covered entities that are Federal agencies or Federal contractors that maintain records that are covered by the Privacy Act not only must obey the Privacy Rule’s requirements, but also must comply with the Privacy Act.

4. If I believe that my privacy rights have been violated, when can I submit a complaint?
By law, health care providers (including doctors and hospitals) who engage in certain electronic transactions, health plans, and health care clearinghouses, (collectively, “covered entities”) had until April 14, 2003, to comply with the HIPAA Privacy Rule. (Small health plans had until April 14, 2004, to comply). OCR provides further information on its web site about how to file a complaint.

• Activities occurring before April 14, 2003, are not subject to the Office for Civil Rights (OCR) enforcement actions.
• After that date, a person who believes a covered entity is not complying with a requirement of the Privacy Rule may file with OCR a written complaint, either on paper or electronically.
• This complaint must be filed within 180 days of when the complainant knew or should have known that the act had occurred.
• The Secretary may waive this 180-day time limit if good cause is shown.
• In addition, after the compliance dates above, individuals have a right to file a complaint directly with the covered entity. Individuals should refer to the covered entity’s notice of privacy practices for more information about how to file a complaint with the covered entity.

6. If I am unconscious or not around, can my health care provider still share or discuss my health information with my family, friends, or others involved in my care or payment for my care?
Yes. If you are not around or cannot give permission, your health care provider may share or discuss your health information with family, friends, or others involved in your care or payment for your care if he or she believes, in his or her professional judgment that it is in your best interest. When someone other than a friend or family member is asking about you, your health care provider must be reasonably sure that you asked the person to be involved in your care or payment for your care. Your health care provider may share your information face to face, over the phone, or in writing, but may only share the information that the family member, friend, or other person needs to know about your care or payment for your care.

Here are some examples:

• A surgeon who did emergency surgery on you may tell your spouse about your condition, either in person or by phone, while you are unconscious.
• A pharmacist may give your prescription to a friend you send to pick it up.
• A doctor may discuss your drugs with your caregiver who calls your doctor with a question about the right dosage.

BUT:

• A nurse may not tell your friend about a past medical problem that is unrelated to your current condition.

Source: https://www.hhs.gov/hipaa/for-individuals/faq/index.html