What Is The Health Insurance Portability and Accountability Act (HIPAA)?

HIPAA was enacted by Congress in 1996 to protect the privacy of your health information. The act prohibits health care providers from releasing health care information unless you have provided them with a HIPAA release form.  Unless you provided a signed release form, your health care providers are prohibited from discussing any aspect of your medical information with anyone who is not directly involved in your care.  You are entitled to keep your health information private. The HIPAA Privacy Authorization should be completed if you would like some person other than yourself to have access to your medical records and information. The form gives your health care providers written authorization to release your health information to those you have named. Since a Durable Power of Attorney for Health Care is only effective after you have lost your capacity to make or communicate decisions and does not authorize release of medical information to the person named while you remain competent, it is then necessary to complete and sign the HIPAA Privacy Authorization. You may complete a HIPAA Privacy Authorization whether or not you have a Durable Power of Attorney for Health Care. The HIPAA Authorization must be used with the Durable Power of Attorney for Health Care.


What Is The Difference Between “Consent” And “Authorization” Under The HIPAA Privacy Rule?

The Privacy Rule permits, but does not require, a Covered Entity to voluntarily obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered Entities that do so have complete discretion to design a process that best suits their needs. By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives Covered Entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual. An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the Covered Entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, Covered Entities may not condition treatment or coverage on the individual providing an authorization.

Health Information Privacy Rights

Most people feel that health information is private and should be protected. That is why there is a federal law that sets rules for health care providers and health insurance companies about who can look at and receive health information. HIPAA gives you rights over your personal health information, including the right to get a copy of the information, make sure it is correct, and know who has seen it. You can ask to see or get a copy of your medical record and other health information. If you want a copy, you may have to put your request in writing and pay for the cost of copying and mailing. In most cases, your copies must be given to you within 30 days. You can also ask to change any wrong information in your file or add information to your file if you think something is missing or incomplete. If you and your hospital agree that your file has the wrong result for a test, the hospital must change it. Even if the hospital believes the test result is correct, you still have the right to have your disagreement noted in your file. In most cases, the file should be updated within 60 days.


By law, your health information can be used and shared for specific reasons not directly related to your care, like making sure doctors give good care, making sure nursing homes are clean and safe, reporting when the flu is in your area, or reporting as required by state or federal law. In many of these cases, you can find out who has seen your health information. You can learn how your health information is used and shared by your doctor or health insurer. Generally, your health information cannot be used for purposes not directly related to your care without your permission. Your doctor cannot give it to your employer, or share it for things like marketing and advertising, without your written authorization. You probably received a notice telling you how your health information may be used on your first visit to a new health care provider or when you got new health insurance. You can ask for another copy anytime. Let your providers or health insurance companies know if there is information you do not want to share.  You can ask that your health information not be shared with certain people, groups, or companies. If you go to a clinic, for example, you can ask the doctor not to share your medical records with other doctors or nurses at the clinic. You can ask for other kinds of restrictions, but they do not always have to agree to do what you ask, particularly if it could affect your care.


Finally, you can also ask your health care provider or pharmacy not to tell your health insurance company about care you receive or drugs you take, if you pay for the care or drugs in full and the provider or pharmacy does not need to get paid by your insurance company. You can also ask to be reached somewhere other than home: you can make reasonable requests to be contacted at different places or in a different way. For example, you can ask to have a nurse call you at your office instead of your home, or to send mail to you in an envelope instead of on a postcard.


Sharing Health Information With Family Members And Friends

HIPAA sets rules for health care providers and health plans about who can look at and receive your health information, including those closest to you, your family members and friends.  HIPAA ensures that you have rights over your health information, including the right to get your information, make sure it’s correct, and know who has seen it.  HIPAA requires most doctors, nurses, hospitals, nursing homes, and other health care providers to protect the privacy of your health information. However, if you don’t object, a health care provider or health plan may share relevant information with family members or friends involved in your health care or payment for your health care in certain circumstances.


When Can Your Health Information Be Shared?

Under HIPAA, your health care provider may share your information face-to-face, over the phone, or in writing. A health care provider or health plan may share relevant information if:

  • You give your provider or plan permission to share the information.

  • You are present and do not object to sharing the information.

  • You are not present, and the provider determines, based on professional judgment, that it’s in your best interest.

Here are some examples:

  • An emergency room doctor may discuss your treatment in front of your friend when you ask your friend to come into the treatment room.

  • Your hospital may discuss your bill with your daughter who is with you and has a question about the charges, if you do not object.

  • Your doctor may discuss the drugs you need to take with a health aide who came to the appointment with you.

  • Your nurse may not discuss your condition with your brother if you tell her not to.

  • HIPAA also allows health care providers to give prescription drugs, medical supplies, x-rays, and other health care items to a family member, friend, or other person you send to pick them up.

  • A health care provider or health plan may also share relevant information if you are not around or cannot give permission when a health care provider or plan representative believes, based on professional judgment, that sharing the information is in your best interest.

  • You had emergency surgery and are still unconscious. Your surgeon may tell your spouse about your condition, either in person or by phone, while you are unconscious.

  • Your doctor may discuss your drugs with a caregiver who calls the doctor with a question about the right dosage.

  • A doctor may not tell your friend about a past medical problem unrelated to your current condition.


Who Must Follow These Laws?

Entities that must follow the HIPAA regulations are called "Covered Entities". They include:

  • Health Plans, including health insurance companies, HMOs, and company health plans.

  • Certain government programs that pay for health care, such as Medicare and Medicaid.

  • Most Health Care Providers that conduct certain business electronically, such as electronically billing your health insurance, including doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.

  • Health Care Clearinghouses, entities that process nonstandard health information they receive from another entity into a standard format (i.e., standard electronic format or data content), or vice versa.


In addition, Business Associates of Covered Entities must follow parts of the HIPAA regulations. Contractors, subcontractors, and other outside persons and companies that are not employees of a Covered Entity but need access to your health information when providing services to the Covered Entity are called “Business Associates.” These include:

  • Companies that help doctors get paid for providing health care, including billing companies

  • Companies that process health care claims

  • Companies that help administer health plans

  • People like outside lawyers, accountants, and IT specialists

  • Companies that store or destroy medical records


Also, Covered Entities must have contracts in place with their Business Associates, ensuring that they use and disclose health information properly and safeguard it appropriately. Business Associates must also have similar contracts with their subcontractors. Business Associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.


Who Is Not Required to Follow These Laws?

Organizations that do not have to follow the Privacy and Security Rules include:

  • Life insurers

  • Employers

  • Workers’ compensation carriers

  • Most schools and school districts

  • Many state agencies like child protective service agencies

  • Most law enforcement agencies

  • Many municipal offices


What Information Is Protected?

  • Information your doctors, nurses, and other health care providers put in your medical record

  • Conversations your doctor has about your care or treatment with nurses and others

  • Information about you in your health insurer’s computer system

  • Billing information about you at your clinic

  • Most other health information about you held by those who must follow these laws


How Is This Information Protected?

Covered Entities and Business Associates must:

  • Put in place safeguards to protect your health information

  • Ensure they do not use or disclose your health information improperly

  • Reasonably limit uses and disclosures to the minimum necessary to achieve their intended goal

  • Have procedures in place to limit who can view and access your health information

  • Implement training programs for employees about how to protect your health information


What Rights Does the Privacy Rule Give Me Over My Health Information?

Health insurers and providers who are Covered Entities must comply with your right to:

  • Ask to see and get a copy of your health records

  • Have corrections added to your health information

  • Receive a notice that tells you how your health information may be used and shared

  • Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing

  • Get a report on when and why your health information was shared for certain purposes


Who Can Look at and Receive Your Health Information?

The Privacy Rule sets rules and limits on who can receive your health information. To make sure that your information is protected in a way that does not interfere with your health care, your information can be used and shared:

  • For your treatment and care coordination

  • To pay doctors and hospitals for your health care and to help run their businesses

  • With your family, relatives, friends, or others you identify who are involved with your health care or your health care bills, unless you object

  • To make sure doctors give good care and nursing homes are clean and safe

  • To protect the public's health, such as by reporting when the flu is in your area

  • To make required reports to the police, such as reporting gunshot wounds


Frequently Asked Questions From US Department of Health & Human Services


Filing A Complaint

If you believe that a HIPAA-Covered Entity or its Business Associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint with the Office for Civil Rights (OCR). OCR can investigate complaints against Covered Entities (health plans, health care clearinghouses, or health care providers that conduct certain transactions electronically) and their Business Associates.


Afsar Estate Planning provides a HIPAA Release for each Client’s Estate Plan.