The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.
Your Health Information Is Protected By Federal Law Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral. The Security Rule, a Federal law that protects health information in electronic form, requires entities covered by HIPAA to ensure that electronic protected health information is secure.
Who Must Follow These Laws? We call the entities that must follow the HIPAA regulations for covered entities. Covered entities include:
Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies and dentists.
Health Care Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content) or vice versa.
Who Is Not Required to Follow These Laws? Many organizations that have health information about you do not have to follow these laws. Examples of organizations that do not have to follow the Privacy and Security Rules include:
Life insurers
Employers
Workers compensation carriers
Many schools and school districts
Many state agencies like child protective service agencies
Many law enforcement agencies
Many municipal offices
What Information Is Protected?
Information your doctors, nurses and other health care providers put in your medical record
Conversations your doctor has about your care or treatment with nurses and others
Information about you in your health insurer’s computer system
Billing information about you at your clinic
Most other health information about you held by those who must follow these laws
How Is This Information Protected?
Covered entities must put in place safeguards to protect your health information.
Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.
Covered entities must have contracts in place with their contractors and others ensuring that they use and disclose your health information properly and safeguard it appropriately.
Covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.
What Rights Does The Privacy Rule Give Me Over My Health Information? Health Insurers and Providers who are covered entities must comply with your right to:
Ask to see and get a copy of your health records
Have corrections added to your health information
Receive a notice that tells you how your health information may be used and shared
Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing
Get a report on when and why your health information was shared for certain purposes
If you believe your rights are being denied or your health information isn’t being protected, you can
File a complaint with your provider or health insurer
File a complaint with the U.S. Government
You should get to know these important rights, which help you protect your health information. You can ask your provider or health insurer questions about your rights. Learn more about your health information privacy rights.
Who Can Look at and Receive Your Health Information? The Privacy Rule sets rules and limits on who can look at and receive your health information. To make sure that your health information is protected in a way that does not interfere with your health care, your information can be used and shared:
For your treatment and care coordination
To pay doctors and hospitals for your health care and to help run their businesses
With your family, relatives, friends or others you identify who are involved with your health care or your health care bills, unless you object
To make sure doctors give good care and nursing homes are clean and safe
To protect the public's health, such as by reporting when the flu is in your area
To make required reports to the police, such as reporting gunshot wounds
Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorization, your provider generally cannot:
Give your information to your employer
Use or share your information for marketing or advertising purposes
Share private notes about your health care
How Can I Let Others Share My HIPAA Protected Health Information? Anyone can choose to allow anyone they wish to share their HIPAA protected health information. A simple form is all that is required. Some states have their own specific forms but, to satisfy the requirements of the HIPAA Privacy Rule, all that is necessary is a simple form that identifies the patient, the health care provider, the information to be released and the individuals to whom the information is to be released. A perfectly valid example of the form can be found at Healthcare-Information-Guide.Com. A separate form must be completed and provided to each healthcare provider. Many caregivers have their loved ones complete multiple forms to use when a new health provider is encountered.