In 2003, federal privacy rules went into effect to protect the privacy of individuals concerning their medical records and other health information. These privacy rules were circulated by the U.S. Department of Health and Human Services (HHS) in response to a Congressional order under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The privacy rules cover “protected” health information, which includes information related to 1) a patient’s past, present, or future physical or mental health; 2) health care services provided to a patient; or 3) payments for a patient’s health care services.
Q: Who must comply with the privacy rules?
A: The privacy rules apply to a variety of individuals and organizations that handle and produce protected health information. Among them are:
• health care providers, including doctors, pharmacies, hospitals, clinics and nursing homes;
• health insurance companies, HMOs, and many employer group health plans;
• government programs, such as Medicare and Medicaid, which pay for health care services.
Q: Can my doctor or hospital ever use my protected health information?
A: Yes. Doctors and hospitals (as well as all others subject to the privacy rules) may use and share your protected health information for such things as treatment and care, to pay health care providers for their services, to protect the public health and to make required reports to law enforcement agencies. Generally with the patient’s informal permission, health care providers may also use protected health information for such things as facility directories, and to provide information to family members and friends. Individuals and organizations that must follow the privacy rules must get formal written permission to provide health information for uses other than treatment, payment, or health care operations, or other uses not otherwise permitted by the privacy rules. For example, the use of psychotherapy notes and the use of your protected health information for marketing purposes would require formal written authorization.
Q: Must my doctor or hospital notify me before using my protected health information?
A: With certain exceptions, doctors, hospitals and other organizations subject to the privacy rules must notify patients of their privacy practices. The notice must contain certain elements, such as how the organization may use and disclose your protected health information, your rights regarding the use of such information, and information about who you may contact for further information or to make complaints to the organization.
Q: Can I get a copy of my health records?
A: The privacy rules provide that, with certain exceptions, an individual must be given the opportunity to inspect and get copies of his or her protected health information. Doctors, hospitals and other organizations subject to this rule may, however, impose reasonable limitations on this access and may charge you for the cost of copying and mailing health records.
Q: What other rights do I have under the privacy standards?
A: You also have a right to have corrections made to your health information and to get a report about when and why your health information was shared with others. You also have a right to ask for additional restrictions to be placed on the use of your health information. However, your doctor, hospital or other organization subject to the privacy rules is not required to agree to such additional restrictions.
Q: Who can I contact if I feel my rights have been violated?
A: If you believe that your rights are being violated, or that your protected health information is not being protected, you may 1) file a complaint with your provider, health insurer or group health plan; and/or 2) file a complaint with the U.S. Department of Health and Human Services (HHS). Additional information regarding your rights, as well as to how to file a complaint, may be found at the HHS Web site, at www.hhs.gov/ocr/hipaa, or by calling 866-627-7748.
Law You Can Use is a weekly consumer legal information column provided by the Ohio State Bar Association (OSBA). This article was prepared by Robert D. Nauman, an attorney with the Columbus office of Squire, Sanders & Dempsey L.L.P.