Health & Medical Record Privacy
What is HIPAA?
The Health Insurance Portability and Accountability Act (more commonly referred to as HIPAA) was enacted by Congress in 1996, and serves two purposes: to regulate certain types of group and individual health insurance policies, and to standardize medical record formats and privacy regulations.
What rights do I have under HIPAA?
HIPAA is designed to give you more control over your health information. Under HIPAA, you may:
- Get a copy of your medical records. This must be provided to you within 30 days; however, your health provider may charge you for the cost of providing copies.
- Have wrong, missing, or incomplete information corrected in your medical records. If a medical provider does not agree that a correction needs to be made, you still have the right to add your disagreement as a permanent note in your file. Either way, all changes must be completed within 60 days.
- Request that certain information not be shared with other health providers. For example, if you pay in full for medication, you may request that the pharmacy not give that information to your health insurer.
- Receive a report on how your private health information is used, who has been given access to it, and why they were given that access.
What is a HIPAA-Covered Entity?
A HIPAA-Covered Entity is any business, organization, or individual who is required to follow HIPAA privacy and security rules. Covered Entities include:
- Health plans and health insurers
- Health care providers who use electronic transactions for payment, insurance claims, or other health insurance information
- Health care clearinghouses, which process health records and turn them into a standard format
- Contractors and subcontractors working for the Covered Entity that need or will have access to Protected Health Information (e.g. a billing company or IT support firm)
While almost all health care providers will be covered by HIPAA, providers who do not use electronic transactions to transmit information are not covered. For example, a free health clinic may not be covered, because it does not charge for services and thus does not electronically submit transactions. If you have any questions as to whether your health care provider is covered by HIPAA, you should ask them directly.
What is Protected Health Information (PHI)?
Virtually all data related to your health, including treatments, prescriptions, and medical billing, is considered Protected Health Information (PHI). This includes:
- Information your health care providers put on your medical record
- Discussions your doctor has with other health care providers about your health or treatment
- Information about you held by your health insurance provider
- Billing and payment information
While the actual text of HIPAA includes highly complex definitions and exceptions for Protected Health Information, it is almost always safe to assume that any personal information about you held by a Covered Entity is PHI.
When can substance abuse information be released?
Any records relating to the treatment of substance abuse are held in even more confidence than regular medical records. If you seek treatment for substance abuse, the facility where you receive treatment cannot even acknowledge that they have records about you. Some of the limited circumstances where portions of your record can be divulged without your consent include:
- Data that has been anonymized and cannot be tied to you
- In a medical emergency
- You commit or threaten to commit a crime at your treatment facility
- When child abuse or neglect is suspected
- Under a court order if the judge determines that there is no other way to obtain the relevant information, and both you and your treatment facility have been given an opportunity to respond
Even in these circumstances, only the minimum data necessary can be divulged.
How do states protect my health privacy?
HIPAA sets forth the minimum requirements for your health privacy rights at a federal level, but it does permit individual states to create laws that have even stricter requirements. For example, while HIPAA requires health plans to send a privacy notice reminder to members every three years, a state might require that the reminder be sent every year.
The interactions between state law and HIPAA are highly complex, and vary from state to state. Be sure to read privacy notices from your health care provider to learn what rights are available to you in your state.
When can law enforcement access my medical records?
Your health data may be made available to law enforcement without your written consent in certain limited circumstances:
- In relation to a legal process (e.g. court orders or subpoenas)
- When needed to locate a fugitive, suspect, or missing person
- When you are the victim of a crime and are unable to agree or object to the information being used to investigate the crime
- If there is a crime committed on the premises of the Covered Entity, and the information is evidence of that crime
- In emergencies, to notify law enforcement about a crime being committed
- If someone poses a serious threat to health or safety, and giving the information to law enforcement will help them reduce or prevent potential harm
When can my employer access my medical records?
In general, HIPAA prevents your employer from accessing your health data without your consent, with a few exceptions:
- Employment-related drug tests, which are not considered Protected Health Information
- Medical information related to a Workers' Compensation claim
- Information that is part of a credit report (for example, if you owe medical bills to a hospital)
- Certain health-related information that the Department of Transportation, Federal Aviation Administration, and Federal Highway Administration require your doctor to provide to your employer, depending on your job
What is the HITECH Act?
The Health Information Technology for Economic and Clinical Health Act (more commonly known as the HITECH Act) was signed into law in 2009, and was designed to increase efficiency and improve standards surrounding technology use in healthcare. It increased HIPAA privacy and security regulations by requiring the business associates of Covered Entities to meet HIPAA standards, as well as by creating new reporting requirements in the event of a data security breach.
If a Covered Entity has a data breach that affects 500 or more people, it is now required to notify the Department of Health and Human Services, as well as the individuals whose private data was affected by the breach.
How do I keep my medical records private?
While HIPAA provides tools to understand how your medical information is being used and prevents certain usage of your records, you should still take proactive steps to protect your health privacy.
- Know what data is included in your medical records. If there is information in your records that is erroneous, submit a request to the healthcare provider to have it corrected.
- Be careful when providing health information to organizations that aren’t covered by HIPAA; the list of non-covered entities that have health records about you may be surprising. For example, if you join a gym and buy a discounted membership because you have a disability, you may be required to provide medical documentation of the disability. If you upload your medical records to a service like Microsoft HealthVault, the records do not receive HIPAA protections there either.
- Talk to your doctor’s office about what steps they take to protect the privacy of your records, and how they monitor access to them.
Privacy Protection Tip
Ask your doctor if your records can be accessed by third parties. If so, ask why. Before the office sends your records to third parties like insurance companies, ask to check your record for accuracy.