HIPAA And The Privacy Of Your Medical Record
HIPAA sets a national standard for accessing and handling medical information. State laws can give you more rights; state laws cannot give you fewer rights.
- Medical information which identifies you cannot be disclosed without your authorization. Exceptions are made for treatment, payment or operations, as well as business associates of your health care provider or health plan.
- You must be given a notice of privacy practices about how your medical information will be used and disclosed.
HIPAA Applies To Just About All Health Care Providers. It Applies To ALL Health Plans And Health Plan Clearing Houses.
HIPAA only applies to health care providers (such as doctors, hospitals, laboratories, pharmacists and dentists) who transmit information electronically. The limitation is more theoretical than real because it is difficult these days to find a health care provider that doesn't transmit some information electronically. Even the smallest office is likely to transmit medical records in some capacity -- perhaps through a billing service.
What Information Is Protected Under HIPAA?
- Information about your physical and mental health, including past, present and future.
- Protected health information can be written, oral or stored on a computer.
- Disclosure of health information is limited to the "minimum necessary." If information is not necessary for the intended purpose, it is not supposed to be disclosed.
Your Medical Information Can Be Disclosed To Individuals Who See Your Records For Treatment, Payment Or Health Care Operations
- There is no limitation to this right built into the law. Past medical information may be disclosed along with current information.
- The information, including information which identifies you, can be given to business associates of your health care provider and/or your health care plan.
- There are other exceptions which permit the sharing of your health care information. For instance, if disclosure is required by federal, state or local regulation or when there is a threat to public safety.
You Have A Right To Know To Whom Your Medical Information Is Disclosed
In general, you are entitled to know who shares your medical information for the past six years.
The accounting does not have to list the individuals who see your records for:
- Health care operations
You Have A Right To Make Special Requests About Confidential Communications
So long as your request is reasonable, a health care provider must comply. For instance, it is reasonable to tell a doctor's office that you want all calls made to you during the daytime to be made on your mobile phone instead of your work number.
You Can Inform The Health Care Provider Of The Names Of People Who Are Authorized To Receive Your Medical Information.
- The authorization does not have to be in writing, unless psychotherapy notes are involved.
- There is no limit on the type of person you can designate. The person can be a family member or a friend.
- If you have a Health Care Power of Attorney, it is recommended that you include a provision in the proxy that authorizes all health care providers to communicate all matters concerning your health care with your Proxy. While this should not be necessary, it smooths the way to permit discussion at a time when a provider may want to be super cautious. (If you do not have a Health Care Power of Attorney, it is recommended that you execute one "just in case." The documents are easy to obtain and execute, and are free.)
If You Go Into A Hospital, You Have A Choice Whether To Be Listed In The Hospital Directory
You should be given this choice upon admission to the hospital.
Each Of Your Health Care Providers Likely Has Their Own Privacy Provisions. You Have A Right To A Notice Of Privacy Practices From Each Health Care Provider
In addition to telling you the privacy practices of each health care provider, the notice must also tell you:
- How your medical information will be used.
- How your medical information will be disclosed.
- How to exercise your rights.
- How you can file a complaint with your health care provider and with the Office of Civil Rights of the U.S. Department of Health and Human Services (HHS).
Each Health Care Provider Must Have A Privacy Officer
- HIPAA imposes administrative requirements on health care providers. Among the requirements is that each provider must have a privacy officer.
- If you have questions about a particular provider's policy or practices, ask for the Privacy Officer.
You Are Not To Be Denied Treatment If You Do Not Authorize Disclosure Of Your Health Information.
There are a few exceptions. For instance, you may be denied admission into a research-related treatment if you do not authorize disclosure.
You Must Give Your Authorization Before Your Personal Health Information Can Be Used For Marketing Purposes.
However, the definition of marketing is not always a clear one. For more information, see: www.hhs.gov/ocr/hipaa
If You Have Group Health Insurance Through Your Employer, Health Information Is Not Supposed To Be Shared With Your Employer.
To learn more, see the well-stated description by Georgetown University's Privacy Rights Organization (www.privacyrights.org):
"My employer sponsors a group health plan. Can my boss see my medical claims?
HIPAA requires that the group health plan can tell your employer whether you are enrolled in the plan or not. Your employer can also get from the group plan what is called "summary" information to use to obtain premium bids or changes in coverage. If the health information your employer receives goes beyond the basic summary, then HIPAA requires the employer to establish procedures much like that of a covered entity. HIPAA attempts to limit the use of medical information for employment purposes.
Self Insured Employers And Your Right To Privacy
Under the HIPAA Privacy Rule, an employer that is also the insurer of health benefits is in a category called a "hybrid" entity. That means the portion of the company's operations that deal with processing health claims is a covered entity. Like any other covered entity, a "hybrid" function must (1) give notice of written privacy procedures, (2) place restrictions on the use of health information, and (3) appoint a privacy officer and train staff."
As mentioned, state laws can only give you more rights than HIPAA, not fewer. To see a summary of the law in your state, see the summaries of the state laws prepared by The Health Privacy Project, a project of Georgetown University.