How HIPAA Privacy Rules Affect You—in Plain English

[Image: HIPAA privacy rules make health care providers and insurers keep information about you private. Image © Pedro Castellano/Getty Images]

HIPAA stands for the Health Insurance Portability and Accountability Act. Passed in 1996, it affects health care consumers in several ways.

HIPAA's Privacy Rules

HIPAA created strict rules about keeping personal health care information private. Health care providers, health insurers, and the companies they work with must keep any personally identifiable health information private. Providers and health insurers can’t disclose your personally identifiable information unless the recipient needs it because they’re involved in your care or in processing payment for your care, or because the information is necessary to carry out health care operations.

This means nurses can’t chat about patients in the hospital cafeteria where they might be overheard. Your physician can’t disclose information about your care to your ex-spouse or your church pastor unless you authorize it. If a coworker calls the hospital to see how you’re doing after your surgery, unless you’ve given your permission for the hospital to share your information with the caller, the caller will get no information.

Health care providers are allowed to share your protected health information if necessary to facilitate health care operations. Here are a couple of examples:

  • Hospitals are required to engage in quality assurance and improvement activities. Although the quality improvement nurse isn’t involved in your care when you’re hospitalized with pneumonia, she accesses your medical record to get information for an audit examining how quickly patients hospitalized with pneumonia receive their first dose of antibiotics.
  • Your doctor’s office is changing the software vendor for its electronic health records. The day of your doctor’s appointment, Sandy, a representative from the new software vendor, is working with the office staff to help them learn the new software. As Sandy works with the office nurse, she will see your protected health information being entered into the new electronic medical record. She has to in order to ensure the nurse is using the software correctly. However, because Sandy is a business associate of your health care provider, she is also bound by HIPAA privacy regulations and must keep any protected health information she becomes privy to confidential.

Exceptions to the Privacy Rule

There are exceptions to the privacy rule for purposes of law enforcement and public health. For example, even though the results of a child’s physical exam are considered protected health information, the pediatrician, emergency room doctor, or nurse caring for the child must share those results with child protective services if the exam is suspicious for child abuse.

Likewise, even though the results of your syphilis test are considered protected health information, your health care provider must report positive results to public health authorities so measures can be taken to control the spread of the disease. Additionally, your provider or insurer must share your protected health information when commanded to do so by a court order.

What to Do if Your Privacy Has Been Violated

If you feel your HIPAA privacy rights have been violated, you have some options. Before deciding what to do, ask yourself what kind of outcome you’re hoping for. Are you looking for an apology? Do you want a change to procedures or systems so that a similar privacy violation won’t occur again? Do you want the person or entity responsible for the breach to be punished? Do you want to be compensated financially?

Depending on your goals, consider one of the following actions:

  • Speak directly with the provider you feel is responsible for the violation.
  • Speak with the privacy officer of the hospital, nursing home, facility, or health plan.
  • Speak with the risk manager of the hospital, nursing home, or facility. Sometimes the risk management department goes by a marketing-friendly name like “Patient Safety Department.”
  • Make a formal complaint to the Office of Civil Rights, U.S. Department of Health & Human Services.
  • Contact an attorney if you feel you need to pursue a civil case for financial damages caused by the privacy violation.
