Version 2.0 Prepared by Robert Gellman for the World Privacy Forum, with assistance from Pam Dixon, executive director, World Privacy Forum. John Fanning, former privacy advocate, U.S. Department of Health and Human Services, and Dr. Lewis Lorton, health technology and privacy expert contributed to the first edition of the Guide. Robert Gellman and the World Privacy Forum take responsibility for the judgments and accuracy of information in this guide. Nothing in this guide constitutes legal advice. Patient’s Guide to HIPAA World Privacy Forum

www.worldprivacyforum.org © 2019 Robert Gellman, Pam Dixon All rights reserved. No portion of this book may be reproduced in any form without permission from the publisher, except as permitted by U.S. copyright law. Cover by John Emerson

Ebook/Digital: ISBN-13: 978-0-9914500-0-8

This guide is for patients. It offers a roadmap through the thicket of health privacy laws and rules that patients confront every day. The purpose of this guide is to help patients understand how to make health privacy laws work to protect their privacy and to recognize the limits of those laws. The guide focuses mostly on the federal health privacy rule known as HIPAA. This federal privacy rule establishes a baseline of protection that applies to health care providers and health care insurers throughout the United States. The guide also discusses other federal laws that cover some health records.

This guide does not offer detailed, technical explanations for every provision and every nuance of HIPAA. Instead, this guide concentrates on those parts of HIPAA that are likely to be most helpful to real people. This guide does not review state law, and you need to know that a stronger state law can provide additional privacy protections. If you work at a covered entity, this guide will still be useful to you, but it will not tell you everything you need to know to carry out your HIPAA responsibilities. It still offers a good introduction to the things that most patients care about.

You can read this guide cover-to-cover, or you can use the index to Frequently Asked Questions (FAQs) to jump to the part of the guide that covers your particular question or problem. In some places, we include a sidebar to offer an illustration, explanation, or comment. From time to time, you will also find a “rule of thumb” offering a simple way to understand complex issues.

For a list of all FAQ questions, please see the complete list in the HIPAA Guide Index. If you have general questions about HIPAA, jump to Part I, Learning about HIPAA. If you have questions about the seven patient rights of privacy, jump to Part II, Basic Patient Rights. If you have questions about signing consent forms and other forms at your doctor’s office or at a hospital, jump to Part III, What You Should Know About Uses and Disclosures.

You can navigate through the HIPAA Guide several ways. Use the HIPAA Guide Index as your starting page. This page lists all of the frequently asked questions about HIPAA that the Guide covers. To get to the information, click on any question you see in the index.

At the top of each FAQ, you will find a link to the Index of FAQs so you can jump quickly through the guide.

The Patient’s Guide to HIPAA was originally published in March 2009. Since then, it has received two major updates.

Changes in the revised 2019 edition

This guide is up to date with the HIPAA health privacy rule as of January 1, 2019. Changes include minor updates and edits throughout; updating of Internet links, with additional links to HHS guidance; coverage of immunization registries; discussion of blocking robocalls; consideration of privacy and adult children covered under parental health insurance; and a discussion of the 21st Century Cures Act relating to mental health treatment of adults and communication with their caregivers.

Changes in the revised 2013 edition

This guide reflects the HIPAA health privacy rule in effect as of September 23, 2013. It includes the changes that the Department of Health and Human Services adopted early in 2013 and that took effect on September 23, 2013. These changes cover amendments made by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and by the Genetic Information Nondiscrimination Act of 2008 (GINA). Notice the big gap between the dates of these laws and the effective date of the implementing regulation. It takes a long time to convert new laws into working rules. In December we updated FAQ 52, Pay Out of Pocket.

The purpose of this guide is to help you understand how to make health privacy laws work to protect your privacy and to recognize the limits of the law. We don’t offer detailed technical explanations for every provision and every nuance. Instead, this guide concentrates on those parts of health privacy laws and rules that will be most helpful to real people. Even so, this guide is not short. We encourage you to use the summary and list of questions to find what you want. If you view this guide on the WPF web site, you can also use the menu to navigate to different parts of the guide.

The most important acronym we use here is HIPAA, which stands for the Health Insurance Portability and Accountability Act. HIPAA has several important parts, but the health privacy rule is the main focus here. The federal Department of Health and Human Services issued the HIPAA rules. The health privacy rule establishes a minimum set of health privacy practices for physicians and health plans. We will remind you repeatedly that other state and federal laws that provide stronger privacy protections remain in effect. The HIPAA rule may not be the only place to look.

There are other HIPAA rules beyond the privacy rule. One covers security requirements and is called the HIPAA security rule (http://www.hhs.gov/hipaa/for-professionals/security/index.html). One covers reporting of data breaches to the Secretary of HHS by HIPAA-covered entities and is called the HIPAA breach notification rule (http://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html). Another HIPAA rule covers enforcement procedures, the HIPAA enforcement rule (http://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-rule/index.html). This guide focuses on the HIPAA privacy rule (https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html). Because the other rules are of less interest to individuals, we don’t explain them here in detail.

In this guide, we talk about laws, rules, regulations, acts, and statutes. Lawyers can find real and technical differences between these terms, but the differences don’t matter much to patients. For our purposes, the terms are generally interchangeable references to legally binding policies or obligations. In order to keep this guide streamlined, we mostly avoid lengthy explanation of minutiae, unless absolutely necessary. This means that some sections may not describe every possible detail of a rule. One way to tell that we have streamlined a discussion is our use of the word “generally.” That word signals that there are more details, exceptions, explanations, etc., in the text of the rule or elsewhere. When we can, we offer a rule of thumb that cuts through the legalisms. Our rules of thumb are correct but may not be complete. They may leave out details, exceptions, and special cases not of great importance to the majority of people. We also look outside the formal rules and suggest other ways to accomplish reasonable privacy goals.

You can always read the full rule itself to find out what we left out. You can find the full HIPAA privacy rule here: (http://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/index.html). However, those who aren’t used to “bureaucratese” may find the rule daunting. Everyone will find it to be long. There’s a “redline” version of the HIPAA privacy rule with the 2013 changes posted by a law firm; it is available at (http://www.jdsupra.com/legalnews/be-prepared-redline-version-of-the-hipa-44999/). The redline shows the changes from the previous version of the rule. Another website has the current version of the privacy rule without any marking of the 2013 changes, and this may be easier for some to use: (http://www.hipaasurvivalguide.com/hipaa-regulations/164-501.php). Feel free to look around the HHS website at (http://www.hhs.gov/ocr/privacy/) for other helpful materials.

HHS has its own FAQ on HIPAA at (http://www.hhs.gov/hipaa/for-professionals/faq). Many of the questions there provide answers for those who have responsibility for implementing the law, but patients may learn something useful as well. There are also useful guidance materials at (https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html).

The World Privacy Forum is a nonprofit, non-partisan, 501(c)(3), public interest research group. The WPF focuses on privacy, and health privacy is one of our key areas of work. You can find out more about our work at (https://www.worldprivacyforum.org). The World Privacy Forum provides a wide variety of consumer and policy advice as well as resources relating to privacy matters.

The WPF wrote the first report ever done on medical identity theft, a subset of identity theft, coining the term and bringing the problem to public attention. Medical identity theft occurs when someone uses an individual’s name and sometimes other parts of their identity — such as insurance information — without the individual’s knowledge or consent to obtain medical services or goods. Another variation of medical identity theft occurs when someone uses an individual’s identity information to make false claims for medical services or goods. Medical identity theft frequently results in erroneous information in existing health records, often in the name of the victim. Harms to victims include wrongful medical treatment because of the incorrect information and the use of health insurance benefits by someone not entitled to them.

If you want to learn more about medical identity theft, go to (https://www.worldprivacyforum.org/category/med-id-theft/). If you think you were a victim of medical identity theft, see the FAQ for Victims of Medical ID Theft at (http://www.worldprivacyforum.org/FAQ_medicalrecordprivacy.html). The answers there specifically address the needs of identity theft victims. This same page also links to consumer tips for medical ID theft and other resources.

If you want the official view — as well as the text of the federal health rule known as HIPAA and related materials — go to the website of the Office of Civil Rights (you will often see this office referred to by its acronym, OCR) of the federal Department of Health and Human Services (HHS) at (http://www.hhs.gov/hipaa/index.html or http://www.hhs.gov/hipaa/for-individuals/index.html). The website offers fact sheets, FAQs (http://www.hhs.gov/hipaa/for-individuals/faq/index.html), formal summaries of the HIPAA privacy rule, and more. If you are a covered entity looking for guidance on implementing HIPAA, HHS has webpages for you as well. Start at (http://www.hhs.gov/hipaa/for-professionals/index.html). The official materials are formal and even useful at times, but there is a lot to wade through. We seek to tell it like it is. The Office of Civil Rights tells it like it is supposed to be. Both views have relevance.

Why does responsibility for the federal health privacy rule rest with the Office of Civil Rights? The Department had to put the health privacy function somewhere, and it chose the Office of Civil Rights. The Office of Civil Rights also enforces violations of the HIPAA privacy rule. Some complained that the Office of Civil Rights was not focused on health privacy. It didn’t bring enforcement actions for years after the health care world had to comply with the health privacy rule. However, enforcement by OCR became much more aggressive in recent years, and you have a reasonable chance that your complaint will receive appropriate attention. In fact, there’s a much greater chance that a health privacy complaint at OCR will result in an investigation than that a similar privacy complaint will result in action by the Federal Trade Commission.

You can find other guides to HIPAA on the Internet. However, most of them are for health care providers like hospitals and doctors trying to comply with the law. Hospitals and health plans sometimes offer patient-oriented privacy materials. Overall, we were surprised at how few free, detailed patient-oriented materials are available. The Privacy Rights Clearinghouse (https://www.privacyrights.org) has a wealth of useful materials on privacy in general as well as some fact sheets on medical privacy (https://www.privacyrights.org/topics/health-medical). The Center on Medical Record Rights and Privacy at Georgetown University’s Health Policy Institute had a good website focused on patient access rights, but it is out of date. You might find something relevant under the medical privacy tab at (http://hpi.georgetown.edu/papers.html). The Center for Law, Ethics, and Applied Research in Health Information at Indiana University also has a variety of useful materials on health privacy at (https://medicine.iu.edu/research/centers-institutes/bioethics/research/health-information/). Consumer Action has materials on health privacy for California patients (http://www.consumer-action.org/english/articles/health_records_privacy_in_california). That information is also available in Spanish (http://www.consumer-action.org/spanish/articles/health_records_privacy_in_california_sp). Consumer Action has other health privacy resources as well (http://www.privacy-information.org/publications/P0/topics/medical).

The federal HIPAA rule may not be the only health privacy law relevant to you. The HIPAA rule establishes a “floor” of privacy protection. If state law or another federal law gives you more rights, greater access to your health records, more limits on disclosure, or lower fees for copies of your health records, then those other laws supersede HIPAA. This can be very important at times. The National Conference of State Legislators has a site dedicated to HIPAA impacts and actions by states: (http://www.ncsl.org/research/health/hipaa-a-state-related-overview.aspx). Your state health department may also have useful information on its website. So might a state hospital association. After you have the citations, you have to look to find the laws. Knowing where to look is half the battle, however. Always look carefully to see if the information on these websites is current. It may be hard to tell. Be aware that state laws change, and the information on any state law website can be outdated. Pay attention to the dates of any discussion of state laws.

If the Privacy Act of 1974, a law applicable to federal agencies like Medicare and the Department of Veterans Affairs, is relevant to you, you can find a guide at (https://www.fas.org/sgp/foia/citizen.html). Federal agencies subject to HIPAA and the Privacy Act of 1974 must give you the best of both laws.

HIPAA is the most important federal health privacy law for almost everybody in the United States. Most of this guide explains what you should know about HIPAA. We also highlight some other federal laws that may be relevant to your health privacy. There are five federal laws beyond HIPAA we think you should know about. Each of these touches on privacy in a slightly different way. They are:

Privacy Act of 1974

Confidentiality of Alcohol and Drug Abuse Patient Records Regulations

Family Educational Rights and Privacy Act (FERPA)

Americans with Disabilities Act (ADA)

Genetic Information Nondiscrimination Act (GINA)

We discuss each of these other laws briefly below.

Privacy Act of 1974

An important general purpose federal privacy law is the Privacy Act of 1974 (http://www.law.cornell.edu/uscode/text/5/552a). The Privacy Act of 1974 covers nearly all personal records (not just health records) maintained by federal agencies and some federal contractors. It applies to military health records, veterans’ records, Indian Health Service records, Medicare records, and health records of other federal agencies. HIPAA also applies to most of those same federal records. So if a federal agency has health information about you, you are entitled to the best protections in both laws. HIPAA is sometimes better, but rights under the Privacy Act of 1974 are often better than HIPAA. You can learn more about the Privacy Act of 1974 from a detailed guide published by the Department of Justice (http://www.justice.gov/opcl/1974privacyact-overview.htm).

Warning: The Privacy Act of 1974 is just as complicated as HIPAA, and maybe even more so because there have been decades of litigation under the Privacy Act of 1974 (and very little under HIPAA).

Remember that the Privacy Act of 1974 does not apply to most hospitals, clinics, or physicians. The Privacy Act of 1974 does not apply to them even though they may receive federal funds or are tax-exempt. Remember, the Act applies to federal agencies, not federal funds recipients. The National Institutes of Health — part of the Department of Health and Human Services — may be one of the few major health care institutions in the United States not covered by HIPAA. However, the Privacy Act of 1974 still applies to the NIH. More at (https://oma.od.nih.gov/forms/Privacy Documents/Documents/NIH Privacy FAQs March 2013.pdf).

Confidentiality of Alcohol and Drug Abuse Patient Records Regulations

The Confidentiality of Alcohol and Drug Abuse Patient Records Regulations (42 Code of Federal Regulations Part 2) are an important set of federal rules for some health records. These rules provide privacy protections for records of federally funded substance abuse (alcohol and drug abuse) health care providers. You can find more information at (https://www.samhsa.gov/laws-regulations-guidelines/medical-records-privacy-confidentiality). The actual rules are also at (https://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&sid=b7e8d29be4a2b815c404988e29c06a3e&rgn=div5&view=text&node=42:1.0.1.1.2&idno=42). HHS updated the Part 2 rules in 2017. See (https://www.federalregister.gov/documents/2017/01/18/2017-00719/confidentiality-of-substance-use-disorder-patient-records).

RULE OF THUMB: The alcohol and drug abuse rules contain the strictest privacy protections of just about any law. The rules allow many fewer disclosures than HIPAA, and the restrictions generally follow the records. That means that if a record is subject to the rules, the record remains subject to the rules if the record is disclosed to anyone. That is an unusual but very privacy protective policy.

The Substance Abuse and Mental Health Services Administration (SAMHSA) administers the alcohol and drug abuse rules. SAMHSA is part of the Department of Health and Human Services. You can find a document that discusses how HIPAA and the substance abuse privacy rule relate at (http://www.samhsa.gov/sites/default/files/part2-hipaa-comparison2004.pdf).

Family Educational Rights and Privacy Act (FERPA)

Health records at most schools and colleges (at least those receiving federal funds) are not covered by HIPAA but by the Family Educational Rights and Privacy Act (FERPA). You will find more information about FERPA and a link later in this guide. (See FAQ 9.) In general, FERPA’s protections are better than HIPAA in some ways and not as good in others. There’s a simple Q&A on FERPA and HIPAA at (https://www.hhs.gov/hipaa/for-professionals/faq/ferpa-and-hipaa/index.html), and a more detailed guide at (http://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdf) and at (https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf). Be warned that the interplay between HIPAA and FERPA is very complex.

Americans with Disabilities Act (ADA)

The Americans with Disabilities Act (ADA) provides employees with disabilities some protections against discrimination in the workplace. The law includes limited workplace privacy protections as well. You can learn more about the ADA at the Equal Employment Opportunity Commission’s website.

Genetic Information Nondiscrimination Act (GINA)

The Genetic Information Nondiscrimination Act provides some federal protection from genetic discrimination in health insurance and employment. Genetic discrimination occurs when people are treated differently by their employer or insurance company because they have a genetic change that causes or increases the risk of an inherited disorder. GINA is a federal law designed to protect people in the United States from this form of discrimination. Most states have similar laws. Title I of GINA makes it illegal for health insurance providers to use or require genetic information to make decisions about a person’s health insurance eligibility or coverage. This part of the law went into effect on May 21, 2009. Title II makes it illegal for employers to use a person’s genetic information when making decisions about hiring, promotion, and several other terms of employment. This part of the law went into effect on November 21, 2009. For more on GINA, see (https://ghr.nlm.nih.gov/primer/testing/discrimination). GINA has been controversial in some respects. Some think that the protections of GINA are not all that useful. We discuss the privacy provisions of GINA briefly in FAQ 56.

Some other federal privacy laws may apply at times to health records held by some record keepers (e.g., banks and credit bureaus). We don’t think that these laws are relevant enough to most people to explain here. There are other general privacy resources at the World Privacy Forum website and at the website of the Privacy Rights Clearinghouse.

Part I: Learning About HIPAA

You can’t get very far into health privacy without running across the acronym HIPAA. HIPAA stands for the Health Insurance Portability and Accountability Act, a 1996 US federal statute. Although many people associate HIPAA just with health privacy, the Act actually covers many topics unrelated to privacy. The part of the Act relevant to privacy directed the Department of Health and Human Services to write a health privacy rule. The rule originally took effect on April 14, 2003. Some refer to it as the health privacy rule, the HIPAA rule, or just plain HIPAA. When we say HIPAA in this document, it means the HIPAA health privacy rule unless we state otherwise. There is a HIPAA security rule for health records, a breach notification rule, and an enforcement rule. These rules all relate to health privacy in some way. Other HIPAA rules also exist, but most address topics unrelated to health privacy.

HIPPA or HIPAA? People often incorrectly abbreviate HIPAA as HIPPA (two Ps rather than two As). If you do an Internet search for hippa, you may be surprised at how often the wrong acronym is used.

The HIPAA security rule requires the health care world to comply with security standards for health information. HHS issued security standards under the authority granted by the HIPAA statute. Responsibility for the security rule had been assigned to the Centers for Medicare & Medicaid Services (CMS), but it now belongs to the Office of Civil Rights at HHS. You can find more information on the security rule at (http://www.hhs.gov/hipaa/for-professionals/security/index.html). We won’t cover the security rule in detail here because it is of interest primarily to health care providers and insurers who have to implement it.

Health Care Data Breaches

We receive many questions about the rules covering health care data breaches. The HIPAA breach notification rule tells those covered by the HIPAA privacy and security rules how to handle and respond to data breaches (http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html). HHS posts data breaches involving over 500 records on its website at (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf). The World Privacy Forum has a data visualization tool that shows a history of the data breaches listed by HHS; at www.worldprivacyforum.org, click the Maps, Apps, and Data Visualizations category tag or search for “data breach” on the WPF site. FAQ 65 discusses breach notification.

Interestingly, HIPAA does not use the term patient. Not everyone who is the subject of a health record is a patient. For example, you may be the beneficiary of a health insurance policy. The insurer has information about you, but you are not the insurer’s patient. Even if that information is only your name, address, and plan number, it is protected health information (PHI), and that is covered by HIPAA. The HIPAA rule uses the term individual to cover patients, beneficiaries, and others protected by the rule, but we find the term a bit jarring. We use the more familiar term patient here because just about everyone is a patient eventually. HIPAA’s individual and our patient are identical. (For more about what we mean by the term protected health information, see FAQ 8.)

Health Files and Your Information

The individual who is the subject of a health file is the patient. Information about one individual may appear in someone else’s file. For example, information about your health condition may be part of your sibling’s family history. Generally, you only have rights under HIPAA with respect to information in your health file held by a covered entity.

What is PHI?

When we use the term PHI — all caps — we mean the HIPAA-related abbreviation that means “protected health information.” PHI is any information that a health care provider (or any other entity covered under HIPAA) holds about a patient. PHI covers everything from demographic information like your name, to financial information, and of course, health information.

Yes, but it is complicated. The basic answer is that if a child has a right to make a health care decision about himself or herself, then the child has the right to control information associated with that decision. Otherwise, a parent or guardian or person acting in loco parentis can exercise privacy rights on behalf of a child. To state the rule more specifically, a child can exclusively exercise his or her own privacy rights with respect to a health care service if: the child is emancipated; the child consents to the health care service and no other consent is needed; the child may lawfully obtain the service without a parent’s consent; or the parent or guardian consented to an agreement of confidentiality between the child and the health care provider. Legal technicalities can make a big difference here.

In addition, a special rule addresses cases where a covered entity has a reasonable belief that the child is a victim of domestic violence, abuse, or neglect. (A covered entity here is generally a hospital or other health care provider, or possibly a health plan that is required to comply with HIPAA. For more on what is a “covered entity,” see FAQ 9.) The covered entity may decide that it is not in the best interest of the abused child to allow the parent to act on behalf of the child.

It gets even more complicated for minors because the HIPAA rule recognizes that States may have other policies governing privacy, health, and children. When state law specifically addresses disclosure of health information about a minor to a parent or guardian, that law preempts (supersedes) HIPAA whether it prohibits, mandates, or allows discretion about a disclosure.

RULE OF THUMB: Normally, HIPAA defers to a state law that is stronger than HIPAA. However, for minors, HIPAA defers to all state law, whether the law is stronger or weaker. When does a child become an adult? That depends entirely on state law.

Not in the way that they did before. Until the rule changed in 2013, a patient’s privacy rights survived death and lasted forever. The 2013 change means that privacy protections remain in place for fifty years after the date of death. However, if a State has a law that provides for additional privacy protection, that law remains in force. Further, the professional responsibilities of health care providers may require that patient records receive longer protection.

After a patient dies, that patient’s legally authorized executor or administrator, or a person otherwise legally authorized to act on the behalf of the deceased patient or patient’s estate, can exercise the deceased patient’s privacy rights. It is important to know that disclosures for treatment do not require consent or authorization of the patient or the patient’s representative. (For more on authorizations, see FAQs 64-66.) That means, for example, if information about the deceased patient is relevant to the care of the surviving spouse, the information can be disclosed by a health care provider to the health care provider for the surviving spouse.

Privacy for the dead can be especially messy when questions arise in the period after death and before anyone is formally authorized to act for the patient or the patient’s estate. For many individuals, there may be no formal legal process following death. Another 2013 change helps here. It clarifies that a covered entity may disclose a decedent’s information to family members and others involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. This gives health care providers and health plans the discretion to do what they consider to be the right thing for families of recently deceased patients.

HIPAA introduces the term protected health information or PHI. The actual definition is a conglomeration of nested and complex terms with even longer exceptions. It is too messy to bother with here. Instead, we offer a rule of thumb that works just fine most of the time.

RULE OF THUMB: Any information that a covered entity (e.g., health care provider or insurer) has about you is PHI. It doesn’t matter if the information is medical, financial, or otherwise. We tend to use the more traditional term — health record — here, but we mean PHI.

HIPAA Myth

A common myth about the HIPAA privacy rule is that it only covers electronic information. That is false. The health privacy rule applies to PHI in any form or medium. If a covered entity records your information on paper, computer disk, or tree bark, it is subject to HIPAA. However, the HIPAA security rule only applies to electronic Protected Health Information. For more on covered entities, see FAQ 9.

A 2009 change in the statute made it clear that genetic information is PHI. That really didn’t change anything because genetic information is no different than any other information in a health record. Genetic information was already PHI.

HIPAA doesn’t apply to every health record keeper or to every health record. Only covered entities must comply with HIPAA. Get used to the term covered entity because it comes up a lot. HIPAA recognizes and regulates three types of covered entities. This is a complicated area, and this is one of the longest FAQs in this guide. There are lots of types of entities, some covered by HIPAA, some partly covered, and some not at all. HIPAA generally covers health information maintained by or for a covered entity. HIPAA generally does NOT cover health information held by those who are not covered entities. This is an especially important point that many people in the health care world do not understand clearly. Health information that is protected when held by a covered entity (like a health record held by a hospital) may have no privacy protections when the information is held by a someone who is not a covered entity. In other words, health privacy protections depend on who has the information and not on the nature of the information. The covered entity concept is complicated. We explain related terms — business associates and hybrid entities — later in this FAQ. Covered entities under HIPAA are: 1) Health care clearinghouses Health care clearinghouses transmit information (typically claims and billing information) between other players in the health care system. For example, a hospital may send the bill for your treatment to a health care clearinghouse that reformats and submits the information to your insurance company. Clearinghouses are of no interest to the average patient because their function is usually invisible. Patients rarely, if ever, come into contact with them. But clearinghouses have the same obligations as other covered entities, and that is important if you ever have an issue with a clearinghouse. Otherwise, don’t worry about clearinghouses. We won’t mention them again in this guide. 2) Health plans Health plans are covered entities. 
Health insurers, health maintenance organizations (HMOs), and Medicare are examples of health plans subject to HIPAA. So are plans covering uniformed service members. Nearly all health plans are covered entities, but some small group health plans (fewer than 50 participants) may not be covered entities. We use health plan and insurer interchangeably here.

3) Health care providers

Most health care providers are covered entities. Generally, a health care provider is a doctor, hospital, dentist, podiatrist, pharmacist, laboratory, optometrist, or just about anyone else licensed to provide health care. The formal legal definition of health care provider is so complex that it makes lawyers wince. It is important to understand that HIPAA does not automatically cover all health care providers. It generally depends on whether a provider bills (directly or indirectly) for services electronically. The reason for this odd, even silly, standard has to do with the structure of the health care system and the Department of Health and Human Services’ authority to regulate. Unless you are a policy wonk, you probably don’t want to know more.

[RULE OF THUMB] What organizations are covered under HIPAA? A simple rule of thumb is that any health care provider who bills an insurance company or health plan is a covered entity under HIPAA. If your doctor accepts Medicare, for example, the doctor is a covered entity. A free health clinic may not be subject to HIPAA because it doesn’t bill anyone. A doctor who charges every patient $25 cash and does not submit a bill to any insurance company may not be covered by HIPAA. A first aid room at your workplace may or may not be covered by HIPAA. If you want to know whether the organization you are dealing with is a HIPAA-covered entity, ask. If you don’t get a straight answer, ask for a copy of its privacy policy. If it has a privacy policy, the policy will explain HIPAA’s application.
If it doesn’t have a written privacy policy, then it is either not covered by HIPAA or it is violating the rule.

Hybrid Entities (Supermarket pharmacies, etc.)

Do you use a pharmacy at a supermarket? If so, the pharmacy’s records are subject to HIPAA because the pharmacy is a health care provider that submits electronic bills. What about the records that the supermarket maintains as part of a frequent shopper program? The answer is that the supermarket’s other customer records are almost certainly not protected by HIPAA. An organization with both health care functions and other functions can define itself as something called a hybrid entity. HIPAA will then apply only to the part of the organization that does health care and not to the rest. This should all be explained in the covered entity’s notice of privacy practices.

School health records

Most school health records are not subject to HIPAA. Instead, school records (private schools are a major exception) are usually covered by another federal privacy law, the Family Educational Rights and Privacy Act (FERPA). The federal Department of Education oversees FERPA. A school nurse is likely to be subject only to FERPA. A university hospital that runs a student clinic on behalf of the university is also subject to FERPA. However, other university hospital records about students could also be subject to HIPAA, depending on the circumstances. The relationship between HIPAA and FERPA is very complicated. For more, see (http://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdf). Which law is better for privacy? The short answer is that privacy rights under FERPA can be better in some ways than under HIPAA and worse in other ways.

Many states maintain immunization data systems (“Immunization Information Systems”) for school children and other individuals. The privacy of records in these registries is subject to standards set by the Centers for Disease Control (http://www.cdc.gov/vaccines/programs/iis/func-stds.html). The immunization records in these systems may or may not be subject to HIPAA.

Business associates and subcontractors

If a covered entity hires another organization to perform a function that requires access to health information, that other company may be a business associate of the covered entity. This happens routinely, for example, when a hospital hires an accounting firm to audit its records. Many covered entities have dozens of business associates. Business associates of a covered entity are now directly covered by HIPAA. That means that a business associate of a covered entity can be penalized for violations in the same way as a covered entity. This is a good thing, as the possibility of penalties may result in better compliance with the law. A covered entity must have a contract with each business associate. The contract must require the business associate to comply with all relevant HIPAA provisions. The basic idea is that a covered entity cannot avoid the privacy rule by hiring someone else to process health records. If a business associate hires another entity to help process PHI, then that entity (called a “subcontractor”) is also subject to HIPAA. If a subcontractor hires another subcontractor, all are covered by HIPAA. Covered entities, business associates, and subcontractors must all process your health records according to HIPAA rules. There’s a lot of complexity here, but it is not the patient’s problem.

Other health record holders

Who else has health records but isn’t subject to HIPAA? Many organizations have health information about you, but neither the organizations nor the records are subject to HIPAA. The list of unregulated health record keepers is shockingly long.
These include gyms, medical and fitness apps and devices not offered by covered entities, health websites not offered by covered entities, Internet search engines, life and casualty insurers, the Medical Information Bureau, employers (but this one is complicated), worker’s compensation insurers, banks, credit bureaus, credit card companies, many health researchers, the National Institutes of Health, cosmetic medicine services, transit companies, hunting and fishing license agencies, occupational health clinics, fitness clubs, home testing laboratories, massage therapists, nutritional counselors, alternative medicine practitioners, disease advocacy groups, marketers of non-prescription health products and foods, some workplace wellness programs, and some urgent care facilities. Commercial providers of Personal Health Records have health records but are not covered entities. However, PHRs maintained by or on behalf of your health care provider or insurer are covered by HIPAA.

Employers may offer wellness programs. Some wellness programs do collect health information. For more about HIPAA and workplace wellness programs, see HHS guidance at (https://www.hhs.gov/hipaa/for-professionals/privacy/workplace-wellness/index.html?language=es).

Wait … who outside of my health care provider has my health information?

Did you wonder why a hunting and fishing license agency made this list of organizations with health records? Some states give discounted licenses to those who are disabled. How do you prove entitlement to a discount? You must provide adequate health information to the agency. This is just one example of how your health information can end up in the hands of many different types of organizations that have no direct health care or payment responsibilities. This is also why protecting the privacy of health information is so difficult. The information turns up in places that you might not expect.
Have you ever filled out a survey asking if you or a household member has a particular medical condition? Unless you gave the survey directly to your doctor, odds are that a marketing company asked for the information. Marketers are not subject to HIPAA, and they can use and sell your information without any restriction as often as they want. For example, if you tell a marketer when you are 21 that you have allergies, that marketer can use or share the information to sell you products for the rest of your life.

Is your Personal Health Record protected?

If an organization or a business maintains a Personal Health Record (PHR) for you, that PHR may not always fall under HIPAA’s protections. Be cautious with PHRs because they are the subject of much attention and promotion. Many companies are trying to get into the business of storing your health records for you, especially online. But you need to know that unless a health care provider or insurer (or someone doing it on behalf of a provider or insurer) maintains the PHR, HIPAA does not apply. It’s always worth checking to be sure. Read the privacy policy to find out.

Here’s the most important point: if you give a commercial, advertising-supported PHR service consent to store your records, the records are probably not protected by HIPAA. The PHR service may be able to exploit the records as it pleases, subject only to its own privacy policy and terms of service. If you read the PHR company’s policy carefully, we bet that it says that the company can change the policy at any time. We would not give our health records to a PHR service not covered under HIPAA. We’re skeptical because some companies and websites are not forthright in describing how they use or disclose health information, even when they have a privacy policy. Even if they promise not to disclose your information for marketing, they may still use it for marketing.
If the PHR service is ad-supported and you click on an ad, a considerable amount of your PHI may be disclosed to the advertiser by your click alone. The advertiser may have a privacy policy that differs from the PHR service provider’s, or the advertiser may have no privacy policy at all. Further, it is easy for companies to change their privacy policies at a moment’s notice. This means that you can lose control of your sensitive health information if the company changes its business model, merges with another company, or goes bankrupt. For more on PHRs, see the World Privacy Forum report Personal Health Records: Why Many PHRs Threaten Privacy at (https://www.worldprivacyforum.org/2008/02/blog-legal-and-policy-analysis-personal-health-records-why-many-phrs-threaten-privacy/).

A health record covered by HIPAA can lose its privacy protection if transferred to a third person who is not a HIPAA-covered entity. This is a very important aspect of HIPAA. Some would call it a loophole. The original record in the hands of the covered entity remains subject to HIPAA, but the copy sent to a non-HIPAA-covered entity falls outside the scope of the HIPAA privacy rule. We offer five examples of health information transfers that you may see in daily life. However, each of our examples has a weasel word (“probably”) because the rule is complicated. If we stopped to explain this kind of thing further, this document would quadruple in size.

You tell your doctor to give part of your health records to your employer to explain your absence from work. The record will probably not be subject to HIPAA in the hands of your employer. But your health information may have some protections under other laws covering your employer.

You download your health record from your health care provider to your mobile phone. When your record is at the provider, it is covered under HIPAA. But on your phone, the record is not covered.

A health researcher obtains your health records for use in a properly authorized research project. The records probably have no HIPAA protection in the hands of the researcher. However, if the researcher is treating you as part of the research (as in a clinical trial), then HIPAA is more likely to apply.

You apply for life insurance, and the insurance company obtains your health records with your consent. The records are not subject to HIPAA in the hands of the insurance company. The records may be subject to a state insurance privacy law. Some of the information you authorize the insurer to have may also end up at the Medical Information Bureau (MIB), another organization not subject to HIPAA. If you read the fine print in your application/authorization, you will learn that signing the form authorizes disclosure to MIB as well. MIB is subject to the Fair Credit Reporting Act, a different privacy law that provides you with some rights and some protections. To assert your Fair Credit Reporting Act rights, you would, for example, request a copy of your consumer file from MIB. See (http://www.mib.com).

Your doctor tells you that you have a communicable disease (e.g., tuberculosis). The doctor must report your illness to the state public health department. The part of the health department that receives your record is probably not subject to HIPAA.

We could list additional examples, but we offer a rule of thumb instead.

[RULE OF THUMB] If a covered entity discloses a health record to anyone who isn’t a covered entity, the record is generally outside the scope of HIPAA in the hands of the recipient. This is a major way that health records escape from privacy protections.

This is true online and offline. If you share health information with your family, a neighbor, or a co-worker, the information that you share is not protected under HIPAA in the hands of the recipient. If you share your health information with a website that isn’t a covered entity under HIPAA, then the information you disclose is not protected under HIPAA in the hands of the website. This is a complex area that has created a lot of confusion among some consumers. Medical websites may very well not be covered under HIPAA, even if they say they are “HIPAA compliant.” See the rule of thumb below, HIPAA Compliant, or HIPAA Covered?

[RULE OF THUMB] HIPAA Compliant, or HIPAA Covered? If a company is not covered by HIPAA, it may still say that it is “HIPAA compliant.” HIPAA compliant does not mean the same thing as being a HIPAA-covered entity. If you see the words HIPAA compliant, find out if the company is a HIPAA-covered entity. This is a yes or no question; there is no “maybe” answer here. If a company is HIPAA compliant but not a HIPAA-covered entity, we urge caution. The use of the term HIPAA compliant can be deceptive in that circumstance. HHS has a bit of guidance on misleading marketing claims at: (https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/be-aware-misleading-marketing-claims/index.html?language=es).

If you read the HIPAA privacy rule — and stayed awake while doing it — the rule would appear to be a welter of detailed and uncoordinated provisions. It actually has a structure, but that structure is difficult to appreciate unless you know about Fair Information Practices or unless you read the original preamble to the rule from 2000. The rule implements Fair Information Practices (FIPs), an established set of principles for addressing concerns about information privacy. FIPs are especially significant because they form the basis of many privacy laws in the United States and, to a much greater extent, around the world. Understanding FIPs makes it easier to make sense of the HIPAA privacy rules.

The eight FIPs generally recognized are: Openness, Use Limitation, Purpose Specification, Collection Limitation, Data Quality, Security, Access and Correction, and Accountability.

We could discuss FIPs here in more detail, but it would be a distraction. Different versions of FIPs exist, and the actual application of FIPs to any set of personal records can be complex, variable, and controversial. We just want you to know that there are basic principles of information privacy that HIPAA mostly implements. You can read a short introduction to FIPs here: (https://www.worldprivacyforum.org/2008/01/report-a-brief-introduction-to-fair-information-practices). Understanding FIPs is not essential to understanding HIPAA, but it may help some people. If you are interested, you can find a longer history of FIPs at (http://bobgellman.com/rg-docs/rg-FIPshistory.pdf).

Fair Information Practices are important for the privacy of records other than health records. Whenever you consider whether any record keeper properly protects the privacy of your personal information, you can use FIPs as a checklist for assessing privacy practices. If you see a privacy policy for an Internet site, a bank, or a government agency, try to determine if the policy addresses all eight FIPs.
If it doesn’t, then you already know that the policy isn’t as good as it could be or should be. When a policy addresses FIPs, see how good a job the policy does in protecting your privacy. For example, a good policy may say that personal information is only disclosed when required by law or for necessary business purposes. A mediocre policy may allow for disclosure to affiliates for marketing or when disclosure is allowed by law. “Allowed” can be a major weasel word in a privacy policy. A weak policy may not address disclosure at all.

This is a tough question to answer. Health care providers generally care about patient privacy, but health care providers have only some control over the records of their patients. Our complicated health care treatment and payment system places patient health information in the hands of many different providers, insurers, agencies, and others.

Before HIPAA, we believe that the health care system mostly paid lip service to privacy. How many hospitals offered you a notice of privacy practices before HIPAA? How many trained their staff in privacy? How many told you that you had a right to see and copy your own records? Before HIPAA, active privacy policies were a rarity in health care. By this measure, HIPAA made some definite improvements.

Our health care system — with third-party payors and lots of government involvement (e.g., Medicare and public health) — places many demands on health records. Everyone wants low-cost, high-quality health care for all. Achieving these objectives often affects privacy in negative ways. The trade-offs can be sharp.

HIPAA is decidedly a mixed bag for privacy. It does some good things and some not-so-good things. It protects privacy rights in some ways and undermines those rights in other ways at the same time. HIPAA gives each patient some rights. There are seven formal rights, not all of which are new everywhere. (See the heading Basic Patient Rights to learn more about the seven rights HIPAA gives patients.) However, some of the new rights are not especially meaningful. HIPAA also permits many uses and disclosures of health records without the patient’s consent. Many will find some of these uses and disclosures objectionable. A patient doesn’t have the opportunity to control most uses or disclosures of his or her records. If you just look at the disclosure provisions, then you might conclude that HIPAA allows many disclosures that you may not think are appropriate.
For good or bad, many of those disclosures were routine before HIPAA. However, if you consider the overall state of privacy protections before HIPAA, you might see a marked improvement in many aspects of privacy today. So does HIPAA protect privacy? Everyone is entitled to his or her own answer to this question. We prefer to say that HIPAA offers patients Fair Information Practices. (See FAQ 10.) Whether the implementation of Fair Information Practices in HIPAA meets your own privacy standards is for you to say. Everyone has different privacy needs, preferences, and desires.

In this guide, we point out some shortcomings with the HIPAA rule. The rule doesn’t require covered entities to do everything that you might want. It may not protect privacy sufficiently or define your rights as expansively as you think it should. In many instances, deficiencies in the rule can be addressed when covered entities (see FAQ 9) and patients work together in good faith to address problems that arise. The rule generally doesn’t prevent covered entities from treating patients better than the rule requires. We suggest that when the rule doesn’t give you a formal right that you think is reasonable, ask the covered entity to consider doing what you need anyway. The rule gives a covered entity discretion to take actions that can benefit patients and their privacy. If you ask politely and persistently for help, you may get it. If one person won’t bend the rules or procedures, then ask another person, a supervisor, or the Privacy Officer at the covered entity. Try to work cooperatively with the covered entity.

This is a real story.

A patient parks his car in a parking lot adjacent to a doctor’s office. Another individual leaves the doctor’s office, gets in her car, and backs into the car of the patient who just arrived. The damage is minor. The driver is not aware of the accident and drives away. The arriving patient goes into the doctor’s office to ask for the name and address of the patient who just left. Under the HIPAA rule, the office could not disclose the name of the patient driving the other car. None of the disclosure exceptions applies. However, this doctor’s office does the right thing, something not required by HIPAA. The office calls the driver and asks her to speak to the owner of the car that she hit. The driver agrees, and the problem is solved. The office facilitated the exchange of information between the two patients, but it disclosed no information in violation of HIPAA. The two individuals disclosed information to each other.
The creative and cooperative action by everyone avoided much more complicated and expensive responses to the problem (e.g., calling the police to report a hit-and-run accident). Not everything needs to be a federal case.

This section covers the rights that HIPAA grants to patients. The rule defines seven patient rights, but not all of those rights are meaningful. We discuss the rights in the order of importance as we view the rights. Your mileage may vary.

A. Right to a Notice of Privacy Practices

The rule requires each covered entity, like a hospital, to publish a notice of privacy practices. You may see this abbreviated as NPP in some cases. The notice describes how each entity implements the rule. Notices from different health care institutions may look similar because the rule is the same for everyone. However, each notice should have some details (procedures, addresses, etc.) that are specific to the institution. If you want to learn more about health privacy, a notice of privacy practices is a good place to start. So is this FAQ!

One answer is that the rule is long and complicated. Another answer is that lawyers write many of the notices. Often, lawyers write like…lawyers, and the results are sometimes complete, precise, and incomprehensible. Some privacy notices — and not just notices for health — are deliberately written to be obscure. Even other lawyers can’t understand them. Not every organization really wants you to understand or exercise your privacy rights. In the end, health privacy is a complex subject. Health records have quite a few uses and disclosures that you probably never thought about. All of these factors contribute to the length and complexity of the notices. Still, the notice is your friend and your guide if you want to pursue your rights.

Only if you want to. Every expert says that people should know their rights and understand privacy. We agree, but we recognize that people often don’t have the time or interest needed for privacy management. Don’t feel guilty if you just don’t want to read the notice from your doctor, hospital, laboratory, or pharmacy today. What’s important is that the notice exists and that the record keeper who produced the notice has a privacy policy and — we hope — actually implements the policy appropriately. The HIPAA requirement that each covered entity prepare a notice was a big advance in privacy protection. That remains true even if most patients never read the notice. The notice also tells a covered entity’s employees what the privacy rules are. That is just as important as telling patients what the rules are. In the past, employees often didn’t know whether there were privacy rules or what those rules stated. To put it another way, you have privacy rights whether or not you know the details. Your rights do not depend on your level of understanding. You can do a better job of protecting your rights if you know more, of course. Here’s what’s really important: Read the notice when it matters to you. If you decide that you want a copy of your health records, that’s a time to read the notice and find out how to obtain the records.

If you think that there is an error in your record, read the notice and learn how to ask for a correction.

If you think that your records were improperly used or disclosed, read the notice to see if you are right.

If you have a privacy complaint, you can read about the complaint procedure that the rule provides. When it makes a difference to you, get a copy of the notice and read it. That could be today or two years from now. You can always ask for a copy, even if you are no longer someone’s patient. If a provider or insurer maintains a website, it should post a copy of its privacy policy on the website. That may make it easier for you to find the notices that you need.

The rule generally requires a health care provider to make a good faith effort to obtain an acknowledgement that each patient received the notice. Some people think that it is a dumb requirement and a paperwork burden, but that’s what the rule says. Signing a standard acknowledgement does not waive your rights. You do not have to sign the acknowledgement. Your rights do not change if you sign or don’t sign. However, the requirement for a signature is poorly understood. Some receptionists think that a signature is mandatory, and they will hassle you if you don’t sign. Some will tell you that you must sign or you can’t see the doctor. That is wrong. You can fight about signing the acknowledgement if you want. We suggest, however, that this isn’t a fight worth having. Save your energy for another battle. The acknowledgement — if that’s all that the form contains — is meaningless. If you see something on the form that you don’t like, you can just cross it out. Odds are that no one will even notice what you did.

We hear that some doctors are asking patients to sign broader forms that limit the ability of patients to file malpractice suits, that prevent patients from talking about the doctor to other people or on the Internet, or that accomplish other things that benefit the doctor and not the patient. We suggest being careful if offered these types of documents. We wouldn’t sign one.

In the pre-HIPAA days, most patients were given actual consent forms to sign when they came to see the doctor. The forms often gave your health care provider permission to disclose your records to just about anyone. It was the privacy equivalent of a blank check. Most people signed the forms without reading or understanding them. HIPAA eliminated consent forms, something that some people find objectionable. However, the old consent forms mostly waived any rights that you had and did more to protect your provider than to protect you.
HIPAA eliminated the need for routine consent forms, but at a price. The discussion later about uses and disclosures will make that price clearer. (See FAQs 55-67.)

What you really need to know: When you visit your doctor’s office for the first time, someone should offer you a copy of the doctor’s notice. You may be offered the same notice on each visit because many offices find it easier to give every patient a notice on every visit rather than keeping track of first visits. Sometimes, the notice will be sitting on a counter or table. You have the right to take a copy home. Remember that you can always ask for a copy later or find it on the website of your doctor or insurer. If you don’t care about it today, it should be available to you later, even if you are no longer a patient of that doctor or covered by that insurer.

Your health plan will also provide you with a notice, but the rules for getting you the notice are somewhat different for health plans. Patients really don’t need to know those rules. You probably received a health plan notice in the mail, but you may have ignored it. If you want a notice from your health plan, ask for it or look on the health plan’s website.

Almost any health privacy notice will tell you something that you probably didn’t know. For example, a notice is supposed to include examples of the uses and disclosures that a covered entity can make. These examples will likely be both enlightening and disturbing. Notices from most HIPAA-covered entities are quite similar because you have the same rights everywhere the rule applies. If you read one notice, you’ve generally read them all. However, there may be some variations here and there between notices from health care providers and notices from insurers. Differences in state law may result in different notices from covered entities in different states.

When you want to exercise your rights at a particular covered entity, the local procedures described in the notice are likely to be different in each notice. That’s the time when reading the notice may matter a lot. Each notice should describe the covered entity’s procedures for exercising patient rights. Make sure you follow any specified procedures. Otherwise, here are some notable features to look for.

What institutions are covered by the notice?

If the notice is for a hospital or other large institution, read the description of which institutions and providers are covered. We have a notice for a hospital that says that more than a dozen different institutions in three states are part of the same institution. That means that patient information can be readily shared among all the affiliated organizations without your consent. That ability to share records widely may not be unusual, and it should not always be troubling. Further, being able to obtain care at related institutions may be a good thing. Consider, however, if your cousin works in a health care facility in a nearby state. You may not realize that facility is connected to the health care provider that you see regularly. You might not be happy knowing that your cousin may have access to your record.
It may or may not be lawful for your cousin to do so, but the possibility may be unnerving.

What are the directions for requesting amendments, copies of your health records, accounting of disclosures, and restrictions of disclosures?

HIPAA contains seven rights for patients, and the notice of privacy practices is a good place to find out how you can utilize these rights. A notice should have clear instructions for you, as well as contact information, about how you can make requests and follow up on them. (For details about the basic rights of HIPAA, see FAQs 13-54.)

What does the notice say about fundraising?

A hospital can use your records in a limited way for fundraising. You have the right to tell the hospital not to use your records for fundraising. If you say nothing, then use of your records for fundraising is permissible. Each fundraising communication must include a clear and conspicuous opportunity to opt out of future fundraising communications. Exercising this opt-out right may not be of critical importance, but it helps everyone if some people exercise opt-out rights when they exist.

What does the notice say about disclosures for national security?

Look for the national security disclosure provision. A covered entity can disclose your records for just about any national security purpose. The rule does not require a warrant, court order, subpoena, or any procedure prior to the disclosure. We point this out because it is perhaps the most privacy-invasive of the HIPAA disclosure provisions. You are also invited to look for other broad and objectionable disclosure provisions in the notice. Don’t blame the hospital or doctor. The rule allows these disclosures to be made, and privacy notices usually reserve the right for a covered entity to make allowable disclosures. However, the disclosures are not necessarily mandatory. In other words, a doctor can disclose your record to the CIA, but the doctor can usually say no.
Provision allowing covered entity to change the notice

There will be a provision that says a covered entity can change the notice at any time and with retroactive effect. This isn’t quite as bad as it looks. HIPAA limits the ability of a covered entity to change the policy. The covered entity must comply with HIPAA, and it cannot change the notice and take away your rights. However, if HHS changes HIPAA or if Congress passes new laws, then your rights can expand, diminish, or disappear. Most privacy policies elsewhere (such as on commercial websites like search engines or clothing retailers) are not based on formal legal requirements and are changeable at the discretion of the record keeper. Changes are not always bad, but it is okay to be a bit suspicious.

Find the right to request alternate methods of communication

Find the right to request alternate methods of communication. This right may be important to you, and the notice tells you how to exercise this right. We explain this right in full later. (See FAQs 25-28.)

Contact information

The end of the notice is where you will probably find contact information for the covered entity’s privacy officer. If you have any questions or want to exercise your rights, the privacy officer for the covered entity is probably the first person to contact.

Wait – the notice says my records can be disclosed without my consent. What’s up with that?

If you read the notice, you will likely come away with the feeling that your health records aren’t really private. It’s not an unreasonable conclusion. The notice describes many uses and disclosures that do not need your consent and that are permissible even over your express objection. We don’t like it either. Still, we recognize that we have a complicated health care system, and there are many demands on health records for socially beneficial purposes. There is a legitimate policy justification for most of the disclosures permitted under HIPAA.
Nevertheless, we think that some of the HIPAA standards for use and disclosure should be higher and that some of the procedures should create more barriers. Sadly, we don’t know any way to return to a health care system where only you and your doctor knew about your health and where no disclosures of your records were ever made without your approval. That system disappeared decades ago. We repeat that we don’t like it either. We do like it, however, when an insurance company pays for our treatment or Medicare pays our doctor bills. We like it when researchers find new treatments for diseases. We also like it that public health authorities can alert people about contagious diseases. Patients do benefit at times when their records are shared for appropriate purposes and with appropriate protections. We wish some of those protections were better.

In 1999, Maine implemented a health privacy law that required patient consent for many routine disclosures (e.g., to doctors, family members, hospital visitors). People hated the law so much that the legislature suspended the law within weeks after it took effect, and the consent requirements that upset people later disappeared. Some discretion is needed to make the world operate smoothly and in accordance with patient expectations. If you want to know more about the Maine experience, go to (http://www.worldprivacyforum.org/wp-content/uploads/2007/04/MaineHealthPrivacy1998_Gellman.pdf).

B. Right to Inspect and Copy Your Record

HIPAA provides each patient with the right to inspect his or her record and to have a copy of the record. These are two different things. You cannot be charged a fee if you want to inspect your records. This means that you can always see your record, even if you don’t want to pay. If you want a copy of the record to take with you, then you can be charged a fee. You can also be charged an additional fee if you ask for a summary or explanation of your record. You do not have to ask for a summary or explanation. HHS has guidance for covered entities about patient access. While the guidance is for health professionals, individuals may find it useful at times because of the level of specificity. If you have a dispute about access with a covered entity, the official HHS guidance may help convince someone about the scope of your rights. (https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html?language=es).

There are many reasons you might want to review your health record at your health care provider or insurer. Decide if any of these appeals to you: You plan to move to another city and want to bring your records to a new doctor so that the doctor has your current information on your first visit. You may not know who the new doctor is in advance so you cannot arrange a doctor-to-doctor transfer.

You want a second opinion from another doctor and want to avoid having duplicate tests. If you have the records, you don’t have to let your first doctor know about the second opinion.

You want to make sure that your new consulting doctor knows about earlier treatments and previous tests.

You want to keep a permanent copy of all your health records in one place and in your possession.

You are curious.

You want to make sure that your children have your records because you think that something in your record (e.g., genetic information or family history that they may not know) may eventually be relevant to their treatment.

You have given your medical power of attorney to your grandson, and you want him to have all of your records (not just those for your current treatment) so that he can make informed decisions or so he can obtain assistance in making choices. By the way, the records that you give to your grandson are not covered by HIPAA in his hands (except, perhaps, if he is a physician or other health care provider).

You want to talk to a lawyer about medical malpractice and don’t want your health care provider to know about it.

You think that there might be incorrect or irrelevant information in your record.

You think that you are a victim of medical identity theft.

You think that your insurance company improperly denied your claim, and you want to see the record about you that the company maintains.

You think that your doctor or insurance company is lying to you.

Any other reason or no reason. It is your right to see or have a copy of your record. You don’t need to have a reason. You do not have to tell anyone what your reason is.

You can generally ask for all of your records maintained by any covered entity, but the covered entity can withhold some records. We will cover that subject in FAQ 24.

The copying of paper records is familiar to everyone. For electronic records that a covered entity maintains (whether or not the information is formally maintained in an electronic health record), you have the right to obtain the information from a covered entity in an electronic format. Generally, you can choose the electronic format you want as long as the information is readily reproducible in that format. In other words, a covered entity has to give you the format you want if it can without a great deal of trouble. Be sure to state your preference and ask for alternative formats if you can. You can also ask the covered entity what formats it is capable of providing and then make an appropriate choice. Remember that some electronic records (e.g., 3-D images created by an MRI) may be maintained in a format that requires special software to read. If your goal is to be able to share an electronic record with a physician, then the native format may be okay because your physician will likely be able to read it in that format even if you can’t.

Depending on your purpose, you may be interested in records of your hospitalization, records from your family physician, records from your insurance company, records from your pharmacy or pharmacy benefit manager, or your records at any other covered entity. You can ask every covered entity for all of your records, but the next few questions suggest reasons for narrowing your request.

You can tell a covered entity to transmit your record directly to someone you designate. Your request must be in writing, signed, and clearly identify the designated person and where to send the copy of protected health information. This is not the same as an authorization, which has many more elements to it. Authorizations are discussed in later FAQs.
We think this rule was needed because some hospitals made it hard for a patient’s lawyer to obtain the patient’s record. It’s fine to use this capability, but be careful that you don’t casually or accidentally sign a form that allows someone to get your health records. Whoever gets your records in this fashion may not be subject to HIPAA, and your records could conceivably be made public or used for marketing or profiling. If you allow a data broker or marketer to have a copy of your health records, you are not likely to be happy about the result. This particular change in the rule has potential for mischief, but you can protect yourself by being careful what you sign. That’s good advice all the time.

A covered entity can charge a reasonable, cost-based fee for providing a copy. The fee may include only the cost of labor for copying, the cost of supplies for creating the paper copy or electronic media, and the cost of postage. Any other copying charges — including but not limited to administrative fees, overhead, retrieval costs for locating data — are improper. Don’t let anyone charge you more than is allowed by the HIPAA rule. If you don’t think that the fees are proper, complain about it. You have a right to complain to the Secretary of HHS (via the Office for Civil Rights), and that right will be covered later. (See FAQs 46-50, 51.) Remember that state law may establish lower fees than HIPAA allows or may not allow any fees at all. If you need records and can’t afford to pay, ask for a waiver of fees. Some covered entities may provide some or all records without charge or at a discount, but they are not required by HIPAA to do so.

Standard copying costs can be as much as $1.00 a page or perhaps more. If you want a hard copy of an x-ray, the fee could be considerably more (but an electronic copy may be cost-free if transmitted to you electronically). Many health care institutions hire outside firms to handle copies. Copying hospital records is a business. Insurance companies and lawyers tend to be frequent requesters of records, and copying charges can be expensive because these requesters don’t much care about the cost and because there is no competition. The result is that the standard charge per page can be high. Your best strategy may be to narrow your request (see the discussion in FAQ 23 about what records to request) or just obtain an electronic copy of records that are already electronic. Copies of electronic records may be less expensive.

Start by reviewing the covered entity’s copy of the notice of privacy practices. Remember that every covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website). The notice of privacy practices describes your right to inspect and to obtain a copy of your record. It should also tell you the local procedure for making a request. You will likely be asked to write a letter or fill out a form in order to make your request for access. A covered entity can insist on a written request and may ask you for identification. Asking for an ID is reasonable because you don’t want someone else to get your records without your consent. However, avoid letting a covered entity make a copy of your driver’s license. Someone with access to your health records may use that copy to make you a victim of identity theft.

When you make a request, the covered entity must act on your request within 30 days. Don’t count on an instant response. The entity can take an additional 30 days to respond if it provides you with a written explanation of the delay. If you need the records more urgently, say so. It might help, but the rule allows the covered entity to wait 30 days or more no matter what. Your doctor might be responsive to your need for fast access, but bigger institutions have formal procedures and may not be inclined to do anything but the minimum required of them.

This is a real-life example. A patient needed a copy of x-rays and CAT scans in order to get a second opinion on a critical injury that required immediate surgery. The hospital told the patient to make a written request and wait 30 days for a response. The patient’s medical needs were urgent, but the hospital didn’t care to help. The patient found another way. He explained the problem to a nurse who was sympathetic.
The nurse quietly made an electronic copy of the needed records on a thumb drive and gave it to the patient. The nurse may not have followed the hospital’s internal procedures, but the disclosure to the patient did not violate the law. The lesson is that if the official methods don’t meet your needs, see if you can find another way. Just don’t break the law doing it. Remember to thank (and protect!) your sources.

A covered entity must allow you to inspect or obtain a copy of your record. Some records can be withheld. (See the next FAQ.) Just figuring out who to ask and what to ask for can be complex. Don’t assume that you need a copy of all records from all health care providers and insurers. Obtaining your health records can be surprisingly complicated, may present some hard choices, may be expensive, will require some planning, and can take time. Managing many records from many different providers may be a challenge too. This FAQ tells you about the strategy for requesting health records.

First, copying costs for paper records may be considerable. You may want to think about the costs involved before you ask. A hospital record can have hundreds or even thousands of pages. Think about whether inspecting your records will meet your needs. If you can inspect first, you might be able to narrow your request and cut the cost. Copies of electronic records may be much less expensive than copies of paper records. You might be able to inspect your records and make a copy with your digital camera, cell phone, or a portable scanner. If you try using your own equipment, don’t be surprised if the covered entity doesn’t like it and tries to stop you. However, if you can see the record, you should be able to make your own copy. Nothing in the HIPAA rule says that you can’t. However, if you want to wheel in a 500-pound copying machine, you’d better ask permission first.

Second, if you have been using the same hospital or doctor for 20 years and the reason for your request relates only to your treatment from your last visit, you might limit your request to recent records, or records dating back one visit, one month, or one year. The same idea may work if you want records from your insurer. You may not know which records you need at first. The point is that you want to obtain records that you think are relevant, but you may not want every record from every HIPAA-covered entity.
Most people have had dozens of health care providers and insurers in the course of their lives. Many records will not be important or worth the time and effort to find for most people. Old records from individual practitioners may be hard to locate and obtain. However, hospitals and other long-standing institutions are more likely to have older records, although they may be in storage offsite.

If you want your records because you think you might have been a victim of an identity thief, you will find some more specific advice at the World Privacy Forum’s FAQ for Medical Identity Theft Victims, available at: (https://www.worldprivacyforum.org/2012/04/faq-victims-of-medical-id-theft/). It is possible that a thief used your name to obtain services from a health care provider, clinic, pharmacy, or laboratory that you never used yourself. Don’t be surprised if the trail leads you to unexpected places.

One part of the health care world that few people recognize is the Pharmacy Benefit Manager or PBM. A PBM is a company that contracts with managed care organizations, self-insured companies, government programs, and other insurers to handle pharmacy network management, drug utilization review, and other activities. A PBM is likely to be the organization that fills your drug prescriptions by mail. A PBM may have relevant records. Your health plan hires the PBM, and you may have to seek access to PBM records through the plan. The notice of privacy practices should tell you what you need to know on this front, or it should tell you how to find out. PBM records may duplicate records that exist elsewhere, but they can be important sources of information at times. If you are seeing more than one doctor, clinic, or hospital, PBM records are likely to include information from different providers. It can be especially important to correct errors in Pharmacy Benefit Manager (PBM) records.
If you apply for individually underwritten life insurance or certain other types of insurance, the insurance company will insist that you sign a consent for disclosure of your health records. The insurance company wants to know if you have a health condition that affects your insurability. The easiest place for the insurer to obtain your records may be from a PBM rather than from your doctor. PBM records are electronic and can be shared quickly. Your doctor may not respond to the insurer’s request as promptly.

Third, asking for a copy of your complete paper health record may provide more information than you need. It may also be especially expensive. Your health records may include results of x-rays and other diagnostic tests that may be costly to duplicate. On the other hand, if records are electronic, it may be easy and inexpensive to obtain an electronic copy of everything or almost everything. If the covered entity has electronic records, it must give them to you in electronic form if you want them in that form. You can ask for a hard copy of electronic records, but the cost might be higher. Not all electronic records can be printed on paper. You can obtain electronic records in the format you want if the covered entity can reasonably provide them in that format. Consider how you might limit your request for access so that you limit your costs. See if you can talk to someone in the record keeper’s office when you make a request so that you can negotiate what you really need. One idea is to not ask for a hard copy of an x-ray unless you know that x-rays are essential. Even then, an electronic copy may be sufficient. If other records are especially expensive to duplicate, you may want to defer asking for those records too. Ask for a price list before requesting all records. Another idea is to ask to inspect your records first so you can decide which parts you want to have copied.
Fourth, once you receive some records, you may be able to focus your later requests. You may find that the provider used a lab or other independent provider that has some of your records that you may want to have or that you may want to inspect.

Fifth, there are health records and there are billing (and other administrative) records. These records may be controlled by different offices at a health care provider. You are entitled to both health and billing records, but you may not want both. It depends on your purpose. If you narrow your request, the response may be faster and less expensive.

Finally, copying of electronic records can be very inexpensive. If you want a copy of all of your electronic records, you can ask for them. It’s a reasonable request. Understand that the records may not arrive in a single, chronological file, however. You may receive many different files in different formats. If you are planning to maintain your own health record archive for your lifetime, remember that computer record formats may change over time. Some formats go out of date. For example, it can be difficult or impossible today to read a file saved by a 1992 word processing program. Consider asking for records in formats likely to remain in use in the long run. Experts think that PDF may be one of those formats, but there may be others. This can be a complex issue to assess.

More on requests for electronic health records

There are many reasons why you might want to have an electronic copy of your health records, whether in whole or in part. We do not take issue with that in any way. We do, however, want to offer a thought from a different perspective. How are you going to secure that electronic record? Do you want to keep it on your phone? On your notebook computer or tablet? On your work computer? In the cloud? There are many options here, and each presents its own security issue. Security is neither simple nor automatic.
Securing electronic information is hard to do, even if you are good at it. When you take possession of your own electronic health information, you take responsibility for the security of that information. If you lose your phone, if your computer gets hacked, if you accidentally attach the wrong file to an email message, the health record that you had may lose some of the legal and security protections it once had. If your child uses your desktop computer, there’s a chance that the child will find the health record stored there, whether it is his, yours, or your spouse’s record. You can’t withdraw the knowledge once the child obtains it, and that knowledge may affect family relations forever. If you accidentally share a document showing your diagnosis with your brother-in-law, there’s a chance that he will share it with other relatives. Failure to control health information in your possession may have major consequences for you and your family. The same thing can happen with paper records, of course, but it may be true that the dangers are greater with electronic records. Institutions that have your records, including health care providers and insurers, do not necessarily have perfect security all of the time. (There are regularly reported breaches of health care institutions.) However, we suggest that most health care institutions probably have better security for the health records they maintain than you do. The HIPAA security rule imposes many requirements on HIPAA-covered entities. Even if a covered entity does security poorly, it’s still probably better than the security on your phone or your local network at home. File this under “you have been warned”.

Yes. In some situations, a covered entity can withhold records.

First, the right of access under HIPAA does not extend to psychotherapy notes and materials compiled for litigation.

Second, a covered entity can deny you access to some records, including records maintained by a prison, some records about research participants, and records obtained from someone other than a health care provider under a promise of confidentiality. The HIPAA privacy rule does not require a health care institution to allow you to appeal the denial of these records, but some institutions might accept an appeal if you file one. Read the notice of privacy practices to learn if there is an appeal option. We recommend that you appeal to the head of the institution (or to the privacy officer) even if you don’t have the right to do so. An appeal may result in a review of the initial decision. If it doesn’t, then you only invested the energy of writing a letter.

Third, a covered entity can deny you access to some records if a licensed health professional determines that access is reasonably likely to endanger the life or physical safety of you or another individual. Records about other people can be withheld if a licensed health professional has determined that access is reasonably likely to cause substantial harm to that individual or another person. Requests made by an individual’s personal representative can also be denied if disclosure would cause substantial harm. If an institution withholds records for any of these reasons, it must provide a written denial explaining the reason for the denial. It must also explain any appeal rights that you have.

Remember that state law may grant you greater access rights than HIPAA. If state law has an access provision for health records — and many states do — then you may be able to obtain records exempt under HIPAA. If a federal agency has your records, rights of access under the Privacy Act of 1974 may be greater than the rights under HIPAA.
To be complete, we will tell you that HIPAA has a complex definition for something called a designated record set. You can get access to records that meet this definition and that aren’t otherwise exempt. There may be some records about you that are not part of the designated record set, but they are likely to duplicate the records that you can see. This limitation in the rule solves some administrative problems, and it isn’t a sinister plot to deny you access. We suggest that you not worry about it. For example, if you had surgery, some of the records about your operation may be kept in the operating room records in addition to being in your main hospital health record. A patient normally doesn’t need to see the same information twice. However, if you request your records and the covered entity tells you that none of your records are part of a designated record set, something may be wrong. There must be some records that are part of a designated record set.

C. Right to Request Confidential Communications

You have the right to ask a health care provider to communicate with you by alternative means or at alternative locations. This means, for example, that you can ask your fertility clinic not to call you at work or to send you an email notification of an appointment. You could ask your psychiatrist not to leave a message about an appointment at your home telephone voice mail. You might also ask a specialized clinic not to send you a post card reminder of your appointment but to use a closed envelope. A provider must accommodate reasonable requests. We think that all of the examples in this paragraph are generally reasonable. We also think that asking for written communications — including bills — to be in plain envelopes with no identification of the provider in the return address is also reasonable.

Did you ever get an unwanted robocall from your doctor, pharmacy, optometrist, dentist, or other health care provider? If you hate robocalls, you can use the right to request a confidential communication to ask that you not receive automated calls. In our opinion, a request for no robocalls is reasonable. You may be aware that the Telephone Consumer Protection Act (TCPA) limits robocalling with some exceptions. The TCPA rules are complex, and we won’t pause to explain them here. But the TCPA has a big exception for robocalls that comply with HIPAA. HIPAA allows a health care provider to communicate with you for treatment, case management, and under other circumstances, including prescription refill reminders. A provider can’t robocall you for marketing, but the distinction between a marketing call and a treatment call can be a fine one. An optometrist who calls saying it’s time to examine your eyes to see if you need new glasses wants to sell you goods and services, but that call (robocall or not) is probably allowed under HIPAA. You may be happy to have reminders from your health care providers (whether automated or not).
If not, the next FAQ tells you how to go about making a request that stops robocalls. The right to receive a confidential communication is a real right that may be important to you. Not everyone will care or will care all the time. You may not object to a postcard from your dentist reminding you to make an appointment to have your teeth cleaned. However, many people would likely object to receiving a postcard informing them about a follow-up visit to a sexually-transmitted disease clinic. The right to receive a confidential communication is important because a provider doesn’t need express permission to contact a patient at home or to leave a message on an answering machine. For a patient who doesn’t want others in his or her family or household to know about a form of treatment, exercising the right to receive a confidential communication will be crucial. For some, this right may provide a vital privacy protection that makes the greatest difference to their life or wellbeing.

A provider may require you to make your request for a confidential communication in writing. Read the notice of privacy practices to find out the local procedure. In a small office, an oral request may be sufficient. Still, if you orally tell the receptionist not to call you at your office, the doctor may not know about your request. A written request may be safer because it creates a formal record of the request. You should keep a copy of your written request.

The rule says that a provider must permit a patient to make a request, but it does not expressly say that the provider must respond at all, or in writing. However, a provider must agree to a reasonable request. It’s a good idea to ask for a written acknowledgement and to save the acknowledgement. If you only receive an oral response, you might want to send a written confirmation to the provider, and keep a copy of your confirmation. The written confirmation should summarize the request and identify the person who agreed to comply. Ask the provider to respond if the summary is incorrect.

You do not have to tell the provider why you made the request. Indeed, the rule expressly prohibits a provider from requiring an explanation as a condition of fulfilling the request. However, the rule does not prohibit the provider from asking for your reason. You don’t have to disclose your reason if you don’t want to.

Here’s a draft letter that you can use as a model to make a request for confidential communications. We offer two different examples, one about robocalls and the other about emails to a work address. You can easily modify these examples to redirect unwanted calls to a different phone number or to stop some other type of unwanted communication. Remember that a covered entity’s notice of privacy practices is likely to include details about how to make the request and where to send it. Check that notice before you send your letter.
Note that a HIPAA-covered entity can ask you to specify an alternative method of contact, so we include several options in the draft letter. You can choose one or both options or another option of your choice.

Sample Letter Version 1: No Robocalls

[Name and address of health care provider or health plan]

This is a request for confidential communication pursuant to the HIPAA health privacy rule at 45 C.F.R. §164.522(b)(1). I request that [name of covered entity] stop calling me at [phone numbers] using an autodialer that delivers a pre-recorded message of any type. These calls are sometimes referred to as robocalls. As an alternative to robocalls, you may send me snail mail at [address].

I would appreciate a written response acknowledging and accepting this request. Thank you.

Sample Letter Version 2: No Emails to my Work Address

[Name and address of health care provider or health plan]

This is a request for confidential communication pursuant to the HIPAA health privacy rule at 45 C.F.R. §164.522(b)(1). I request that [name of HIPAA-covered entity] stop sending me electronic mail at my work address. My work address is [me@employer.com]. As an alternative to electronic mail to my work address, you may send messages to me by sending:

electronic mail to my personal address at [me@personaladdress.com] or

postal mail to my home address, which is [Me, 1234 Main Street, City, State, Zip].

[Choose one, both, or another option]

I would appreciate a written response acknowledging and accepting this request. Thank you.

Confidential Communications

We think that the right to receive a confidential communication is a real right that will be meaningful for some patients. If you don’t want your psychiatrist leaving an appointment reminder with your secretary, make a request for a confidential communication. Remember that a covered entity must agree to a reasonable request, so don’t take a denial of your request from a lazy staff member without a fight. If you make a reasonable request and your provider doesn’t accept it, you can complain to HHS. Remember that having a written document about your request in your health record is a better protection than reliance on an oral agreement. The current receptionist may know of your request, but a new or temporary receptionist may not.

Facebook and Health Confidentiality

If you share your health information with a non-covered entity, and social media companies are generally not HIPAA-covered entities, you may lose some of your privacy. You can read more about this in our report on Personal Health Records where we discuss the risks to confidentiality when health files are stored at third party commercial web sites that are not covered entities under HIPAA. (https://www.worldprivacyforum.org/2008/03/resource-page-personal_health_records/)

How does this apply to you? If you “like” your health care provider’s page on Facebook, don’t be surprised that others know you are a patient of that provider. You may care much less about the disclosure if the provider is a dentist than if the provider is a psychiatrist. If you reveal details about your health condition on commercial (or even non-commercial) health or social media websites using your real identity, privacy issues may arise.
For example, if you join a disease advocacy group, others may assume that you or a member of your family suffers from that disease. Not all of this sharing may be troublesome for you. Concern about privacy varies widely. The point is that you should be aware of what can happen when you disclose your protected health information to those outside the umbrella of HIPAA. Once you disclose health information to the world, it may be captured by an advertiser, marketer, or database company, put in a profile about you or your household, and used to affect you (or your children) for the rest of your life.

Yes, but the rule