The Health Insurance Portability and Accountability Act (HIPAA) provides rights and protections for participants and beneficiaries in group health plans. The Privacy Rule, a federal regulation issued under HIPAA, grants consumers rights over their health information and sets rules and limits on who can look at and receive protected health information. The Privacy Rule applies to all forms of an individual's protected health information, whether electronic, written, or oral.
The Security Rule, a companion federal regulation, covers protected health information in electronic form. It requires HIPAA-covered entities to put administrative, physical, and technical safeguards in place that protect the confidentiality, integrity, and availability of electronic protected health information.
Additionally, HIPAA limits exclusions for preexisting conditions; prohibits discrimination against employees and dependents based on health status; and gives individuals in certain circumstances an opportunity to enroll in a new plan. HIPAA may also grant a right to purchase individual coverage if no group health plan coverage is available, including for those who have exhausted COBRA or other continuation coverage.
You have the right to receive a copy of your health records
You can ask to see and get a copy of your medical records and other health information. In most cases, copies must be provided within 30 days of the request, though the provider may charge a reasonable, cost-based fee for copying and mailing.
You can ask to have corrections added to your health information
You can ask that any misinformation in your file be corrected, or you may request to add information to an incomplete file. For example, if you and your hospital agree that your file has the wrong result for a test, the hospital must change it. Even if the hospital believes the test result is correct, you still have the right to note your disagreement in your file. In most cases the file should be changed within 60 days of the request to amend or change.
You can receive a notice that tells you how your health information is used and shared
You have the right to know how your health information is being used and shared. Your provider or insurer must give you a notice that tells you exactly how they may use and share your health information. In most cases, you should receive this notice on your first visit to a provider, or in the mail from your health insurer. Additionally, you may request a copy at any time.
You can decide whether to give your permission before your information can be used or shared
Generally speaking, your health information cannot be given to your employer, used or shared for things like sales calls or advertising, or used or shared for many other purposes unless you grant express permission by signing an authorization form. This authorization form must tell you who will get your information and what the information will be used for.
Who must follow this law?
Most doctors, nurses, pharmacies, hospitals, clinics, nursing homes, and other health care providers must follow this law. Also required to follow it are health insurance companies, HMOs, most employer group health plans, certain government programs such as Medicare and Medicaid, and the contractors (known as business associates) that handle health information on behalf of any of these organizations.
Who can receive and view your health information
To ensure your health information is protected in a way that does not interfere with treatment, your information can be used and shared:
- For treatment and care coordination;
- To compensate doctors and hospitals for your health care and help run their businesses;
- With your family, relatives, friends, or others you identify who are involved with your health care or payment, unless you object;
- To ensure doctors give good care and nursing homes are clean and safe;
- To protect the public’s health, such as by reporting when there is a flu outbreak; and
- For mandatory reports to the police, such as reporting gunshot wounds.
Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorization, your provider generally cannot:
- Give your information to your employer;
- Use or share your information for marketing or advertising purposes; or
- Share psychotherapy notes (a mental health professional's private notes about your care).
You may request that your information not be shared
You can ask your provider or health insurer not to share your health information with certain people, groups, or companies, such as other doctors or nurses in a particular hospital or clinic. In general they do not have to agree to your request. One exception: if you pay for a service or item out of pocket in full, your provider must honor a request not to disclose information about it to your health plan.
You have the right to file a complaint
You may file a complaint with your provider or health insurer, or with the U.S. Department of Health and Human Services Office for Civil Rights, if you believe your information was used or shared in a way the privacy law does not allow, or if you were unable to exercise your rights.
Who Is Not Required to Follow These Laws
- Life insurers;
- Workers' compensation carriers;
- Most schools and school districts;
- Many state agencies, for example child protective services;
- Most law enforcement agencies; and
- Many municipal offices.
When you first visit a doctor's office, hospital, or other health care provider, you should be given a copy of its notice of privacy practices, and you will usually be asked to sign an acknowledgment that you received it. Signing confirms receipt only; it does not give up any of your rights. Read the entire document, and request a copy for your own files.
How to file a complaint
Notice of privacy practices
Summary of HIPAA privacy rule (PDF)
U.S. Department of Labor HIPAA pages