The Health Insurance Portability and Accountability Act (HIPAA) is a law passed by Congress in 1996. One of its best-known parts is the HIPAA Privacy Rule. Since the rule says who can look at and receive your Protected Health Information (PHI), it’s an important tool to help protect against health care identity theft.
PHI includes any specific information about your health status, health care, or payment for health care. The HIPAA Privacy Rule allows for the release of your medical files to coordinate treatment with another medical provider, payment of bills, or other health care operations.
The HIPAA Privacy Rule covers all types of protected health information, whether it’s electronic, written, or oral. On the other hand, it doesn’t apply when the information has no “identifiers” that connect it to individual patients, such as large groups of data.
It’s important to know that the HIPAA Privacy Rule requires only “covered entities” to comply. Examples are individual health care providers (e.g., doctors, nurses, dentists, pharmacists, psychologists, and chiropractors), medical establishments (e.g., hospitals, clinics, urgent care centers, and nursing homes), health plans (e.g., health insurance companies, HMOs, company health plans, and government health coverage plans such as Medicare and Medicaid), and health care clearinghouses.
Examples of entities not covered by HIPAA are your employer, most schools and school districts, life insurance companies, and workers’ compensation carriers. Also, HIPAA does not apply to your friend or family member who breaches your confidence or your coworker who overhears your health-related conversation.
Under the HIPAA Privacy Rule, patients have many rights when it comes to their health information. First, they have the right to receive a notice of privacy practices. This is usually given to the patient during his or her first visit, and it must contain certain disclosures, such as how the HIPAA Privacy Rule allows the covered entity to use and share PHI, a statement that the covered entity will get the patient’s permission for any other reason, the patient’s rights under the HIPAA Privacy Rule, how to file a complaint with the covered entity, and how to file a complaint with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.
Second, patients have the right to access and request a copy of medical records. Third, if a patient comes across information in her or his medical records that she or he believes is wrong, she or he has the right to request a correction to those records – and the covered entity must respond within 60 days.
Fourth, patients have the right to request special privacy protection for PHI, and, although it is not required, once the covered entity agrees, it must comply unless the patient needs emergency treatment.
Fifth, patients are entitled to an accounting of disclosures, which allows patients to learn who the covered entity has disclosed their PHI to, up to six years prior to the request date.
Finally, patients have the right to access a minor child’s medical records as long as the parent or guardian is acting as the child’s “personal representative” and the action is consistent with state and other law.
Kieu-Nhi Le, a Rutgers School of Law Newark candidate for a JD degree in May 2016 and the Managing Business Editor of the Rutgers Computer and Technology Law Journal, collaborated with me on this blog.