FAQ

Q1: What does the HIPAA Privacy Rule do?

A: The HIPAA Privacy Rule created national standards to protect individuals’ personal health information.

  • It gives patients more control over their health information.
  • It sets boundaries on the use and disclosure of health records.
  • It requires persons and organizations to implement appropriate safeguards that will protect the privacy of any health information they create, maintain, or transmit.
  • It can impose civil and criminal penalties against anyone who violates a patient’s privacy rights.
  • It seeks to strike a balance when public responsibility supports disclosure of some forms of data; for example, to protect public health.
  • It enables patients to find out how their information may be used, and about certain disclosures of their information that may have been made.
  • It generally limits release of information to the ‘minimum necessary’, that is, disclosing only what is reasonably needed for the purpose of the disclosure.
  • It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.

Q2: Why is the HIPAA Privacy Rule needed?

A: The personal information of patients has moved among hospitals, doctors’ offices, insurers and other third party payers for years, relying on a national patchwork of Federal and State laws to protect its privacy. Under the patchwork of laws existing prior to the adoption of HIPAA and the Privacy Rule, personal health information could be used, disclosed and distributed – without notice to, or authorization from, the patient – for reasons that had nothing to do with the patient’s medical treatment or payment for care.
For example, unless otherwise forbidden by a State or local law and without the Privacy Rule, patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient’s application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes basic Federal-level safeguards to protect the confidentiality of medical information nationwide. State laws which provide stronger privacy protections continue to apply over and above the Federal privacy standards.

Health care providers have a strong tradition of safeguarding private health information. However, in today’s world, with information broadly held and transmitted electronically, the old systems for keeping paper records in locked filing cabinets are not enough. The Privacy Rule provides clear standards for the protection of personal health information in all formats and situations.

Q3: Who must comply with HIPAA privacy standards?

A: Covered Entities, that is:

  • Health plans,
  • Health care clearinghouses, and
  • Health care providers who transmit health information electronically.

These entities are bound by the privacy standards even if they contract with others (business associates) to perform some of their essential functions. The law does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies (such as employers, life insurance companies, or public agencies that deliver social security or welfare benefits). See the fact sheet and frequently asked questions on the HHS/OCR website about the standards for Business Associates for a more detailed discussion of covered entities’ responsibilities when they engage others to perform essential functions or services for them.

Q4: Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?

A: For the average covered entity (health care provider or health plan), the Privacy Rule requires activities such as:

  • Notifying patients about their privacy rights and how their information can be used.
  • Adopting and implementing privacy procedures for its practice, hospital, or plan.
  • Training all employees so that they understand the privacy procedures.
  • Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
  • Securing patient records containing individually identifiable health information so that they are not easily accessible to those who do not have a legitimate need for them.

Responsible health care providers and businesses have always taken many of the kinds of steps required by the Rule to protect patients’ privacy. Covered entities of all types and sizes are required to comply with the Privacy Rule. To ease the burden of complying with the new requirements, the Privacy Rule gives some flexibility for providers and plans to create their own privacy procedures, tailored to fit their size and needs.

Q5: If I believe that my privacy rights have been violated, how and where can I submit a complaint?

A: Activities occurring before April 14, 2003, are not subject to the Privacy Rule’s enforcement actions. From that date forward, a person who believes a covered entity is not complying with a requirement of the Privacy Rule may file a complaint with the covered entity verbally, on paper, or electronically. Individuals should refer to the covered entity’s notice of privacy practices for more information about how to file a complaint with the covered entity.

Persons may also file complaints with the Office for Civil Rights (OCR). This complaint must be filed within 180 days of when the complainant knew or should have known that the act occurred. The OCR provides further information on its website about how to file a complaint.

Q6: If patients request copies of their medical records, as permitted by the Privacy Rule, are they required to pay for the copies?

A: The Privacy Rule permits the covered entity to impose reasonable, cost-based fees when copies of records are requested for purposes other than treatment. The fee may include only the cost of copying (including supplies and labor) and postage, if the patient requests that the copy be mailed. If the patient has agreed to receive a summary or explanation of his or her protected health information, the covered entity may also charge a fee for preparation of the summary or explanation.

Q7: Does the HIPAA Privacy Rule permit a provider to disclose a complete medical record even though portions of the record may have been created by other providers?

A: Yes, the Privacy Rule permits a provider to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment, and also assuming there is not a State law to the contrary.

Q8: Can a physician’s office FAX patient medical information to another physician’s office?

A: The HIPAA Privacy Rule permits physicians to disclose protected health information to another health care provider for treatment purposes; however, the Rule does not prescribe methods of communication. Covered entities must have in place reasonable and appropriate safeguards to maintain the privacy of protected health information that is disclosed by any method, including use of a fax machine. Examples of measures that could be reasonable and appropriate in such a situation include the sender confirming that the fax number to be used is in fact the correct one for the other physician’s office, placing the fax machine in a secure location to prevent unauthorized access to the information, and always using a cover sheet for faxes that includes the entity’s Confidentiality Statement.

Q9: Are hospitals able to inform family members, visitors, and the clergy about individuals in the hospital?

A: Yes, the HIPAA Privacy Rule allows hospitals to tell family members, visitors, and the clergy about an individual’s presence in the hospital, under the following conditions:

  • The patient has been informed of this possible disclosure and has not “opted out” of the hospital’s directory,
  • The family member or visitor asks for the person by name, and
  • In the case of clergy, the individual has not objected to such a disclosure.

The Privacy Rule provides that a hospital or other covered health care provider may maintain in a directory the following information about that individual: the individual’s name, location in the facility, health condition expressed in general terms, and religious affiliation, if any. Directory information, except for religious affiliation, may be disclosed only to persons who ask for the individual by name. But a hospital may disclose all the names of, for example, Methodist patients to a Methodist minister, unless a patient has restricted such disclosure.

Q10: Does the HIPAA Privacy Rule require that covered entities document all oral communications and provide patients with access to oral information?

A: No. The Privacy Rule does not require covered entities to document oral information used or disclosed for treatment or health care operations. Similarly, the Privacy Rule only requires covered entities to provide individuals with access to protected health information about themselves contained in the “designated record set” maintained by the covered entity. The term “record” pertains to information that has been recorded in some manner. The Rule does not require covered entities to tape or digitally record oral communications, nor to retain digitally or tape recorded information after transcription. If such records are maintained and used to make decisions about the individual, however, they may meet the definition of “designated record set.” For example, a health plan is not required to provide a member access to tapes of a telephone advice line interaction if the tape is maintained only for customer service review and not for making decisions about the member.
