What does the HIPAA Privacy Rule do?
Most health plans and health care providers that are covered by the new Rule must comply with the new requirements by April 14, 2003.
The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.
It gives patients more control over their health information.
It sets boundaries on the use and release of health records.
It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
And it strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.
For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.
It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
It empowers individuals to control certain uses and disclosures of their health information.
Does the HIPAA Privacy Rule expand the ability of providers, plans, marketers and others to use my protected health information to market goods and services to me? Does the Privacy Rule make it easier for health care businesses to engage in door-to-door sales and marketing efforts?
No. The Privacy Rule’s limitations on the use or disclosure of protected health information for marketing purposes do not exist in most States today. For example, the Rule requires patients’ authorization for the following types of uses or disclosures of protected health information for marketing:
- Selling protected health information to third parties for their use and re-use. Thus, under the Rule, a hospital or other provider may not sell names of pregnant women to baby formula manufacturers or magazines without an authorization.
- Disclosing protected health information to outsiders for the outsiders’ independent marketing use. Under the Rule, doctors may not provide patient lists to pharmaceutical companies for those companies’ drug promotions without an authorization.
Without these Privacy Rule restrictions, these activities could occur with no authorization from the individual in most jurisdictions. In addition, if a State law provided additional limitations on disclosures of information for related activities, the Privacy Rule generally would not interfere with those laws.
Moreover, under the “business associate” provisions of the Privacy Rule, a covered entity may not give protected health information to a telemarketer, door-to-door salesperson, or other third party it has hired to make permitted communications (for example, about the covered entity’s own goods and services) unless that third party has agreed by contract to use the information only for communicating on behalf of the covered entity. Without the Privacy Rule, there may be no restrictions on how third parties re-use information they obtain from health plans and providers. See the fact sheet and frequently asked questions on this web site about the business associate standard for more information.
Can telemarketers obtain my health information and use it to call me to sell goods and services?
Under the HIPAA Privacy Rule, a covered entity can share protected health information with a telemarketer only if the covered entity has either obtained the individual’s prior written authorization to do so, or has entered into a business associate relationship with the telemarketer for the purpose of making a communication that is not marketing, such as to inform individuals about the covered entity’s own goods or services.
If the telemarketer is a business associate under the Privacy Rule, it must agree by contract to use the information only for communicating on behalf of the covered entity, and not to market its own goods or services (or those of another third party).
How does the HIPAA Privacy Rule affect my rights under the Federal Privacy Act?
The Privacy Act of 1974 (U.S. Department of Justice) protects personal information about individuals held by the Federal government. Covered entities that are Federal agencies or Federal contractors that maintain records that are covered by the Privacy Act not only must obey the Privacy Rule’s requirements, but also must comply with the Privacy Act.
If I believe that my privacy rights have been violated, when can I submit a complaint?
By law, health care providers (including doctors and hospitals) who engage in certain electronic transactions, health plans, and health care clearinghouses (collectively, “covered entities”) had until April 14, 2003, to comply with the HIPAA Privacy Rule. (Small health plans had until April 14, 2004, to comply.) OCR provides further information on its web site about how to file a complaint.
- Activities occurring before April 14, 2003, are not subject to the Office for Civil Rights (OCR) enforcement actions.
- After that date, a person who believes a covered entity is not complying with a requirement of the Privacy Rule may file with OCR a written complaint, either on paper or electronically.
- This complaint must be filed within 180 days of when the complainant knew or should have known that the act had occurred.
- The Secretary may waive this 180-day time limit if good cause is shown. See 45 CFR 160.306 and 164.534.
In addition, after the compliance dates above, individuals have a right to file a complaint directly with the covered entity. Individuals should refer to the covered entity’s notice of privacy practices for more information about how to file a complaint with the covered entity.
If I do not object, can my health care provider share or discuss my health information with my family, friends, or others involved in my care or payment for my care?
Yes. As long as you do not object, your health care provider is allowed to share or discuss your health information with your family, friends, or others involved in your care or payment for your care. Your provider may ask your permission, may tell you he or she plans to discuss the information and give you an opportunity to object, or may decide, using his or her professional judgment, that you do not object. In any of these cases, your health care provider may discuss only the information that the person involved needs to know about your care or payment for your care.
Here are some examples:
- An emergency room doctor may discuss your treatment in front of your friend when you ask that your friend come into the treatment room.
- Your hospital may discuss your bill with your daughter who is with you at the hospital and has questions about the charges.
- Your doctor may talk to your sister who is driving you home from the hospital about your keeping your foot raised during the ride home.
- Your doctor may discuss the drugs you need to take with your health aide who has come with you to your appointment.
- Your nurse may tell you that he or she is going to tell your brother how you are doing, and then your nurse may discuss your health status with your brother if you did not say that he or she should not.
- Your nurse may not discuss your condition with your brother if you tell your nurse not to.
If I am unconscious or not around, can my health care provider still share or discuss my health information with my family, friends, or others involved in my care or payment for my care?
Yes. If you are not around or cannot give permission, your health care provider may share or discuss your health information with family, friends, or others involved in your care or payment for your care if he or she believes, in his or her professional judgment, that it is in your best interest. When someone other than a friend or family member is asking about you, your health care provider must be reasonably sure that you asked the person to be involved in your care or payment for your care. Your health care provider may share your information face to face, over the phone, or in writing, but may only share the information that the family member, friend, or other person needs to know about your care or payment for your care.
Here are some examples:
- A surgeon who did emergency surgery on you may tell your spouse about your condition, either in person or by phone, while you are unconscious.
- A pharmacist may give your prescription to a friend you send to pick it up.
- A doctor may discuss your drugs with your caregiver who calls your doctor with a question about the right dosage.
- A nurse may not tell your friend about a past medical problem that is unrelated to your current condition.
If my family or friends call my health care provider to ask about my condition, will they have to give my provider proof of who they are?
HIPAA does not require proof of identity in these cases. However, your health care provider may have his or her own rules for verifying who is on the phone. You may want to ask your provider about her or his rules.
Can I have another person pick up my prescription drugs, medical supplies, or X-rays?
Yes. HIPAA allows health care providers (such as pharmacists) to give prescription drugs, medical supplies, X-rays, and other health care items to a family member, friend, or other person you send to pick them up.
Can my health care provider discuss my health information with an interpreter?
Yes. HIPAA allows your health care provider to share your health information with an interpreter who works for the provider to help communicate with you or your family, friends, or others involved in your care. If the interpreter is someone who does not work for your health care provider, HIPAA also allows your provider to discuss your health information with the interpreter so long as you do not object.
Since the HIPAA Privacy Rule protects a decedent’s health information only for 50 years following the individual’s death, does my family health history recorded in my medical record lose protection when it involves family members who have been deceased for more than 50 years?
No. When a covered health care provider, in the course of treating an individual or otherwise, collects an individual’s family health history, this information becomes part of the individual’s medical or other record and is treated as protected health information about the individual and not about the family member(s). Thus, even where an individual’s family health history includes information about family members who have been deceased for more than 50 years, the information is protected under the Privacy Rule as the health information of the individual.