HIPAA and the Privacy of your Medical Information

Megan Oltman Community Member
  • What are my Rights under HIPAA?


    When we go to a new doctor, and even periodically at our established doctors' offices, we have to sign forms informing us of the office's privacy practices under HIPAA. If you are like most of us, it's one more boring piece of paper to look at and sign before you can get to what you really came for: seeing the doctor.  Maybe you read all of it, but I wouldn't bet that many of us do!  Maybe you go so far as to think, "Oh good, they are doing something to protect my privacy."  Well, they are, but it's important for you to know what the policies are.


    *** This sharepost is legal education, not legal advice. No attorney-client relationship is created. ***


    What's HIPAA For?

    Most of us think of HIPAA as the law that protects the privacy of our medical records, since that's how most of us come in contact with the statute.  HIPAA does do that, but that's not what it was originally designed for.  HIPAA stands for the Health Insurance Portability and Accountability Act, and its main purpose was to increase consumer access to health care, and make it easier for us to maintain health insurance coverage despite job changes or other situations that could have resulted in lapses in coverage.  HIPAA provisions provide protections for coverage under group health plans; limit exclusions for preexisting conditions; and prohibit discrimination against employees and dependents based on their health status. HIPAA may also give you a right to purchase individual coverage if you have no group health plan coverage available, and have exhausted your COBRA or other continuation coverage.  Visit the Department of Health and Human Services web site for more information regarding these HIPAA portability of coverage provisions.


    The Privacy Rule


    As Congress dealt with creating a law that made it possible for consumers to move from employer to employer or insurer to insurer without a lapse in coverage, the need for a unified way to deal with protected medical information became clear.  Your medical records have always been private and protected information, falling under doctor-patient confidentiality rules which exist in the common law going back for centuries.  What was missing was a clear, unified standard for how to deal with them.  The HIPAA Privacy Rule, which is the part of HIPAA that generates all those forms, and which we all encounter, was authorized by the Administrative Simplification subtitle of HIPAA.  Something so important as a national standard for privacy of medical information came to us by way of an attempt to reduce bureaucracy!


    So what are your rights under the HIPAA Privacy Rule?  The Rule covers all individually identifiable health information, and protects how that information can be shared.  The Rule also makes clear that your medical records belong to you, and you have a right to copies of them.  Teri Robert wrote a great sharepost about obtaining your records under HIPAA: "Your Rights to Your Medical Records."


    Remember that the Rule was written as part of a statute designed to make the administration of health care easier! 


    The Privacy Rule is written to balance privacy rights with the flow of information to make treatment and public health possible.  Generally your individually identifiable health information cannot be shared without your consent, but there are broad exceptions.  It is important to actually read the HIPAA notices at the doctor's offices, because they are written to protect the medical offices as well as to protect you.  Each office has some leeway in designing its privacy practices, and they will not be identical at each office. 


    Here are some of the more common exceptions to the Rule.  If two physicians are both treating you, or a pharmacy is providing you prescriptions and a physician is treating you, they may share information with each other if the information is deemed necessary for your treatment, even without your knowledge or consent.  If there is a public health or public policy interest at stake, as in preventing the spread of communicable disease, information may be disclosed without consent.  When your health information is disclosed under the Rule, the health care provider must disclose the minimum information necessary, and it is up to the provider to come up with policies to determine what is the minimum necessary.


    The Rule permits disclosure of your health information:

    1. to you;
    2. to the health care provider's own operations, or other health care providers who have a relationship with you, for treatment, payment or health care operations purposes;
    3. where there is informal permission or you have an opportunity to agree or object, as in an emergency, where you are being treated in a large facility like a hospital and the information would be kept in a central directory, or for notification of family members or friends of your health status, with your informal permission;
    4. where the use or disclosure is "incidental," or a result of a permitted disclosure under the Rule;
    5. for twelve national priority (Public Interest and Public Health) purposes -
      1. when required by law;
      2. to public health authorities to control the spread of disease, or limit injuries from emergencies;
      3. regarding victims of abuse, neglect or domestic violence;
      4. to agencies that oversee the health care and government benefits systems;
      5. in judicial and administrative proceedings by court order or subpoena;
      6. for law enforcement purposes;
      7. to funeral directors, medical examiners and coroners to identify a deceased person or determine cause of death;
      8. for research in limited circumstances;
      9. when the health care provider believes the information is necessary to prevent or lessen a serious threat to the health of another or the public;
      10. essential government functions; and
      11. in compliance with workers' compensation laws; and
    6. in a "limited data set" - protected health information which has individual identifiers removed from it.

  • It's all About Your Relationship with your Doctor


    Why do we have doctor-patient confidentiality to begin with?  Our law recognizes that there must be trust in the relationship between a doctor and a patient, in order for good health care to take place.  If we don't trust our doctors enough to give them accurate information, they won't be able to treat us appropriately.  The HIPAA Privacy Rule doesn't replace the rules of doctor-patient confidentiality that have existed in our law for centuries; it just makes them more uniform.  It also provides guidelines that both health care providers and patients can count on as to when information can be disclosed.  What's important is to read your provider's HIPAA forms.  If you don't understand them, ask questions.  And first and foremost, ask your doctor questions.  If you are concerned about what's in your chart, or who gets to see it, ask! Keep open communication and keep informed, and you may head off potential problems later.


    © Megan Oltman, 2009.

    Last updated May 28, 2009.

Published On: May 28, 2009