The Health Insurance Portability and Accountability Act (HIPAA), along with its implementing regulations and subsequent rules that build on HIPPA, create a national standard for medical privacy. These privacy laws give patients greater control over their personal health information. Healthcare providers -- including doctors, dentists, pharmacists, psychotherapists -- as well as hospitals and most health plans, must adopt and follow policies to safeguard the privacy of your health information.
Below is an overview of consumers’ rights under health privacy laws. Learn what you can do if you believe your rights have been violated. If a health provider or plan is found to be in violation of the law, they may be subject up to $50,000 per violation with an annual maximum of $1.5 million, and one to ten years in prison. For information on how to file a complaint and additional resources, see the complaint form and other resources at the Center for Democracy and Technology.
Use of Health Information
The health privacy law sets limits on how health providers and plans may use individually identifiable health information. Under the law, health providers and plans may use your individual health information for treatment, payment, or healthcare operations without obtaining your permission. Personal health information may generally not be used for purposes not related to health care. And the release of health information must be limited to the minimum amount necessary for the purpose of the disclosure.
Notice of Rights
You must now be given a notice of your privacy rights when you see your doctor, dentist, pharmacist, or any other healthcare provider. The notice explains how your health information will be used and also tells you about your privacy rights. Providers are required to make a good faith effort to get you to acknowledge that you received the notice or your privacy rights by signing it, but you are not required to sign the notice.
What are my rights under the privacy regulations?
- You can inspect, photocopy, and request corrections in your medical records. Medical records include doctors’ notes, x-rays, and lab results. Photocopies of the records must be provided within 30 days of a request. Your health care provider can charge you a “reasonable fee” for copying the records. If your provider uses electronic health records, your electronic record must be transmitted directly to you upon request.
- You can find out who else has seen your medical records. At your request, doctors, hospitals, and health plans must disclose who has seen your medical records.
- If you are admitted to a hospital, you have the right to not have your name and health status be made publicly available through the hospital. If you choose to opt out of the hospital’s directory, the hospital will not confirm that you are a patient to outside callers. If you are listed in the directory, the hospital will disclose your general condition to callers who ask for you by name.
- Mental health providers must obtain a patient’s voluntary authorization before disclosing notes to health plans. Before the privacy law, health plans could access psychotherapy notes to justify further treatment.
- Your healthcare provider and health plan are not allowed to disclose any identifiable health information to your employer.
Can my doctor or dentist office use a sign-in sheet or call out the names of patients in the waiting room?
No. Sign-in sheets can be used, as long they do not ask the reason for the visit or display medical information. Any incidental disclosures of information are permitted, such as hearing the names of other patients in the waiting room, or seeing names on a sign-in sheet. The health care provider must have reasonable safeguards in place to protect health information.
Must hospitals and doctor’s offices provide private rooms and soundproof walls to avoid the possibility that a conversation is overheard?
No. While health providers must have in place appropriate safeguards to protect health information and make reasonable efforts to prevent disclosures, facility restructuring is not required. Examples of modifications that may be needed to safeguard health privacy include: use of cubicles, dividers or curtains in large health clinics to separate the areas where health professionals talk to patients; pharmacies asking waiting customers to stand a few feet back from the counter used for patient counseling; and doctors using discretion when talking to a patient who shares a hospital room.
Can I have a friend or family member pick up a prescription for me?
Yes. A pharmacist can use professional judgment and common sense to make sure it is in the patient’s best interest to allow another person to pick up a prescription. If a friend or relative comes to the pharmacy to pick up your prescription, that means they are involved in your care. You do not need to give the pharmacist the names of such persons in advance.
Can I communicate with my doctor by phone or e-mail, and can appointment reminders be mailed to me?
Yes. Health care providers can communicate with their patients at their homes through the mail, by phone, or in some other manner. If your provider phones and you are not at home, messages can be left on answering machines, or with a family member or other person answering the phone if a limited amount of information is disclosed. For example, leaving only a name and number or other information to confirm an appointment, or requesting that the patient call back. Email communication is encouraged, as long as a secure network is used and the messages are encrypted.
You can request that your doctor or health care provider communicate with you in a confidential manner, such as only getting calls at the office and not at home, or have any mail delivered in a closed enveloped and not as a postcard. If such requests are reasonable, your provider must comply.
Can my personal health information be used by marketers?
While HIPPA privacy law sets restrictions on the use of health information for marketing purposes, communications about treatment, disease management, wellness programs and health promotion are not considered marketing.
More specifically, the law requires that a person’s prior written authorization be obtained in order to use or disclose protected health information for marketing. However, the definition of marketing does not include communications related to health care. Communications that are not considered marketing include those that describe health-related products or services available to health plan members, those made for treatment, those more for case management or care coordination, and those made to recommend alternative therapies, providers or settings of care.
For additional information on the your health privacy laws: