Skip to main content

Law in Brief

A Guide to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

What is HIPAA and what does the Privacy Rule do?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on August 21, 1996. The U.S. Department of Health and Human Services (“HHS”) issued guidelines called the “Privacy Rule” to manage the use and disclosure of your protected health information. The Privacy Rule sets the standards for your privacy rights. This gives you the power to understand and control how your health information is used.

Who must comply with the Privacy Rule?
People and organizations who must comply with the Privacy Rule include:
• doctors, nurses, pharmacies, hospitals, clinics, nursing homes, and other health care providers;
• any person or organization who provides or is paid for health care;
• health insurance companies, HMOs, and many employer group plans; and
• certain government programs whose purpose is to pay for health care, such as Medicare Parts A and B, Medicare+Choice, and Medicaid.

These entities must take appropriate and reasonable steps to secure your health information. They must also teach the people who work for them how your information may and may not be used and shared.

What type of health information is protected?
Any information that identifies you or reasonably could be used to identify you is to be protected under this law.

This includes any health information that your doctor or health care provider, etc. has about you that discusses:
• your past, present, or future physical or mental health;

• your treatment; or
• the payment of your care.

Your health care provider must protect most health information in their possession, including:
• information that your doctors, nurses and other health care providers include in your medical record;
• conversations your doctor has about your care or treatment with nurses and others;
• information about you in your health insurer’s computer system; and
• billing information about you at your clinic.

What individual rights are protected?
Providers and health insurers who are required to follow this law must comply with your right to:
• ask to see and get a copy of your health records;
• have corrections added to your health information;
• receive a notice that tells you how your health information may be used and shared;
• decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing; and
• get a report on when and why your health information was shared for certain purposes.

How can my private health information be used?
To make sure that your information is protected in a way that does not interfere with your health care; your information can be used and shared:
• for your treatment and care coordination, such as:
o to provide for your treatment and inform you of different treatments,
o to give appointment reminders, and
o to evaluate your care
• to pay doctors and hospitals for your health care and help run their businesses;
• with your family, relatives, friends or others you identify who are involved with your health care or your health care bills, unless you object;
• to make sure doctors give good care and nursing homes are clean and safe;
• to protect the public’s health, such as by reporting when the flu is in your area; or
• to make required reports to the police, such as reporting gunshot wounds.

When is my authorization needed to release my information?
Your information CANNOT be shared with your employer or shared for marketing or advertising purposes unless you authorize it. Private notes about your mental health counseling sessions also cannot be used without your authorization.
When can information be released without my authorization?
The Privacy Rule allows health care providers to disclose your private health information to law enforcement officials, such as the police, without your authorization to:
• comply with a court order, a warrant, subpoena, or summons;
• report child or adult abuse or neglect; and
• respond to a request for purposes of identifying or locating a suspect, fugitive, material witness, or missing person.

Can anyone else see my medical information without my permission?
You may control your protected health information under the Privacy Rule to the extent that State or other law permits you to act on your own behalf. If someone else is authorized to make your health care decisions, such as a guardian, health care power of attorney, etc., then he or she may also have access to your private health information. However, if that person is limited to making only specific health decisions, such as authorizing artificial life support, then his or her access to protected health information is limited to information ONLY dealing with that type of health decision. If someone else is not authorized to make decisions regarding your health care, he or she does NOT have the authorization to gain access to your medical information.

Health care providers must treat requests by your guardian, health care power of attorney, etc. for right of access to protected health information and accounting of disclosures to that person, the same as they would treat a request from you. BUT, if a health care provider has a reasonable belief that your guardian, health care power of attorney, etc., may be abusing or neglecting you in some way, they may decide that a release of this information would not be in your best interest. In that case, the Rule allows them to deny or delay such a request.

What can I do if I think my health care rights have been violated under HIPAA?
You can file a complaint with your health care provider or insurer:
• if you believe your health information privacy rights have been violated or
• if you were not able to exercise your rights to protect or access your information.

The privacy notice you receive from your health care provider or insurer will tell you who to talk to and how to file a complaint.

You can also file a complaint with the U.S. Government Office of Civil Rights (“OCR”). OCR will investigate complaints and work to make sure that your privacy rights have been protected. If you believe your health information privacy rights have been violated and you want to file a complaint, you must do so within 180 days after the violation occurred.

To file a complaint with the OCR, you may use the attached Health Information Privacy Complaint Form provided by OCR or you may send a letter, fax, or e-mail with the required information. If you choose to send a letter, fax, or e-mail, you will need to include the following:
• Your contact information, such as your name, full address, and home and work phone numbers.
• The name, full address, and phone number of the person, agency, or organization you believe violated your health information privacy rights.
• A brief description of what happened. Be sure to tell how, why, and when you believe your health information privacy rights were violated.
• Any other information you believe is relevant
• Be sure to sign your name and date your letter.

You may also wish to include the following optional information in your letter, fax, or e-mail:
• Whether you need special accommodations for OCR to communicate with you about your complaint, such as an interpreter, etc.
• If you cannot be reached directly, you may want to provide the contact information of someone else who knows how to reach you.
• Information about whether you have filed your complaint somewhere else besides with the OCR.

Your complaint should be mailed to OCR at the address below. You may also contact OCR with further questions, if necessary.

Office for Civil Rights
U.S. Department of Health & Human Services
601 East 12th Street - Room 248
Kansas City, MO 64106
Toll Free: (866) 627-7748
(816) 426-7278; (816) 426-7065 (TDD)
(816) 426-3686 FAX
E-mail: OCRComplaint@hhs.gov
Website: http://www.hhs.gov/ocr/hipaa

Close