What is the HIPAA Privacy Rule?

By: LawInfo

Published: 02/2009

Essentially, the Privacy Rule under the Health Insurance Portability and Accountability Act (“HIPAA”) sets forth your privacy rights to your medical and health information. The Privacy Rule defines who may have access to your medical information, and under what circumstances another person or organization can have access to that information.

The Privacy Rule applies only to “covered entities”, which include most health insurance plans and health care providers who might have your medical information, such as doctors, hospitals, nursing homes, and pharmacies. All of the information in your medical records, as well as conversations between doctors and other medical staff about your medical condition(s), are covered by the Privacy Rule. However, it is important to know that the Privacy Rule does not apply to many other organizations that might also have access to your medical information, such as law enforcement agencies, life insurance companies, school districts, and employers.

Under the Privacy Rule, covered entities must all have systems in place to protect your confidential medical information. In creating these privacy systems, covered entities must minimize the disclosure of your medical information, limit access to your medical information, use procedures to ensure that any contractors keep your medical information private, and implement training programs for their employees in order to educate them about safeguarding your medical information.

The Privacy Rule also gives you certain rights with regard to your medical information. For instance, covered entities must allow you to view and/or get a copy of your medical records, and make any corrections to those records that you request. Covered entities must give you a detailed explanation of their privacy practices each year, and you have a right to control how, when, and to whom your medical information is shared.

Plus, the Privacy Rules governs how your medical information may be disclosed. For example, a covered entity may release your medical information to other medical providers in order to properly treat you, or to protect the public’s health. Under the Privacy Rule, however, a covered entity may not release your medical information to your employer, or use your medical information for marketing or advertising without your knowledge and consent.

If you believe that a covered entity has violated the Privacy Rule with regard to your medical information, you can file a complaint with the entity itself, or file a complaint with the Office of Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”). Your complaint must be in writing, and must specifically identify the person that you believe violated the Privacy Rule. Generally, you must file a complaint within 180 days of the date that you knew or should have known of the violation, although the OCR can extend this deadline for good cause. While you don’t need to use a specific form to file a complaint under the Privacy Rule, you can use the OCR’s form to file a complaint, which you can request from your regional OCR office, or which you can find online at www.hhs.gov/ocr/privacy/hipaa/complaints/index.html. If you have questions about filing a complaint under the Privacy Act, you can also contact the OCR via e-mail at OCRMail@hhs.gov.