Your Rights Under HIPAA

Your rights as a patient

Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written, or oral. The Security Rule is a Federal law that requires security for health information in electronic form.

HIPAA Right of Access Videos

OCR has teamed up with the HHS Office of the National Coordinator for Health IT to create Your Health Information, Your Rights!, a series of three short, educational videos (in English and with the option for Spanish captions) that help you understand your rights under HIPAA to access and receive a copy of your health information.

  • Individual’s Right under HIPAA to Access their Health Information
  • HIPAA Access Associated Fees and Timing
  • HIPAA Access and Third Parties

HIPAA Right of Access Infographic

OCR has also created a one-page fact sheet, with illustrations, called Your Health Information, Your Rights!. It provides an overall summary of your rights under HIPAA.

HIPAA General Fact Sheets

To further educate individuals, OCR has developed several general fact sheets on HIPAA:

  • Your Health Information Privacy Rights
  • Privacy, Security, and Electronic Health Records
  • Sharing Health Information with Family Members and Friends

Who Must Follow These Laws

We refer to the entities that must follow the HIPAA regulations as “covered entities.” Covered entities include:

  • Health Plans: This includes health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
  • Most Health Care Providers: This includes most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists that conduct certain business electronically, such as electronically billing your health insurance.
  • Health Care Clearinghouses: These are entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

In addition, business associates of covered entities must also follow parts of the HIPAA regulations. Business associates are entities that provide services to covered entities and need access to individuals’ health information.

Who Is Not Required to Follow These Laws

It is important to note that many organizations that have health information about you do not have to follow these laws. Examples of organizations that do not have to abide by the Privacy and Security Rules include:

  • Life insurers
  • Employers
  • Workers compensation carriers
  • Most schools and school districts
  • Many state agencies like child protective service agencies
  • Most law enforcement agencies
  • Many municipal offices

What Information Is Protected

HIPAA protects various types of health information, including:

  • Information your doctors, nurses, and other health care providers put in your medical record
  • Conversations your doctor has about your care or treatment with nurses and others
  • Information about you in your health insurer’s computer system
  • Billing information about you at your clinic
  • Most other health information about you held by those who must follow these laws

How This Information Is Protected

Covered entities and business associates must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly. This includes:

  • Implementing procedures to limit who can view and access your health information
  • Training programs for employees about how to protect your health information
  • Using and disclosing your health information only as necessary
  • Putting in place security measures for health information in electronic form

What Rights Does the Privacy Rule Give Me over My Health Information?

Health insurers and providers who are covered entities must comply with your right to:

  • Ask to see and get a copy of your health records
  • Have corrections added to your health information
  • Receive a notice that tells you how your health information may be used and shared
  • Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing
  • Request that a covered entity restrict how it uses or discloses your health information
  • Get a report on when and why your health information was shared for certain purposes

If you believe your rights are being denied or your health information isn’t being protected, you can file a complaint with your provider or health insurer, or file a complaint with HHS.

Who Can Look at and Receive Your Health Information

The Privacy Rule sets rules and limits on who can look at and receive your health information. Your health information may be used and shared:

  • For your treatment and care coordination
  • To pay doctors and hospitals for your health care and to help run their businesses
  • With your family, relatives, friends, or others you identify who are involved with your health care or your health care bills, unless you object
  • To ensure quality care and a safe environment
  • To protect the public’s health
  • To make required reports to the police, such as reporting gunshot wounds

Your health information cannot be used or shared without your written permission unless allowed by law. For example, your provider generally cannot give your information to your employer, use or share your information for marketing or advertising purposes, or sell your information.

To learn more about your health information privacy rights, you can ask your provider or health insurer questions about your rights.

Remember, your health information is important, and understanding your rights under HIPAA empowers you to protect it.

FAQs

[Add relevant FAQs here]

Conclusion

In conclusion, understanding your rights under HIPAA is crucial for protecting your health information. The Privacy Rule and Security Rule set rules and limits on who can access and receive your health information. Covered entities, such as health plans and most health care providers, must follow these rules and have safeguards in place to protect your information. Business associates must also adhere to the regulations when handling individuals’ health information. It’s important to know your rights, including the ability to access your health records, request corrections, and control how your information is used and shared. By familiarizing yourself with your rights, you can actively safeguard your health information and maintain your privacy.