What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers. Developed by the Department of Health and Human Services, these new standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed. They represent a uniform, federal floor of privacy protections for consumers across the country. HIPAA took effect on April 14, 2003. State laws providing additional protections to consumers are not affected by HIPPA.
Who must follow these laws?
The entities that must follow the HIPAA regulations are referred to as "covered entities."
Covered entities include:
- Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
- Most Health Care Providers - those that conduct certain business electronically, such as electronically billing your health insurance - including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
- Health Care Clearinghouses - entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
In addition, business associates of covered entities must follow parts of the HIPAA regulations.
Often, contractors, subcontractors, and other outside persons and companies that are not employees of a covered entity will need to have access to your health information when providing services to the covered entity. We call these entities “business associates.” Examples of business associates include:
- companies that help your doctors get paid for providing health care, including billing companies and companies that process your health care claims,
- companies that help administer health plans,
- outside lawyers, accountants, and IT specialists, and
- companies that store or destroy medical records
Covered entities must have contracts in place with their business associates, ensuring that they use and disclose your health information properly and safeguard it appropriately. Business associates must also have similar contracts with subcontractors. Business associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.
Who is not required to follow these laws?
Many organizations that have health information about you do not have to follow these laws.
Examples of organizations that do not have to follow the Privacy and Security Rules include:
- Life insurers
- Workers compensation carriers
- Most schools and school districts
- State agencies like child protective service agencies
- Most law enforcement agencies
- Many municipal offices
What information is protected and how is it protected?
- Information your doctors, nurses, and other health care providers put in your medical record
- Conversations your doctor has about your care or treatment with nurses and others
- Information about you in your health insurer’s computer system
- Billing information about you at your clinic
- Most other health information about you held by those who must follow these laws
How this information is protected
- Covered entities must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.
- Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.
- Covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.
- Business associates also must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.
What rights does the Privacy Rule give me over my health information?
Health insurers and providers who are covered entities must comply with your right to:
- Ask to see and get a copy of your health records
- Have corrections added to your health information
- Receive a notice that tells you how your health information may be used and shared
- Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing
- Get a report on when and why your health information was shared for certain purposes
- If you believe your rights are being denied or your health information isn’t being protected, you can
- File a complaint with your provider or health insurer
- File a complaint with HHS
You should get to know these important rights, which help you protect your health information.
You can ask your provider or health insurer questions about your rights.
Who can look at and receive my health information?
The Privacy Rule sets rules and limits on who can look at and receive your health information
To make sure that your health information is protected in a way that does not interfere with your health care, your information can be used and shared:
- For your treatment and care coordination
- To pay doctors and hospitals for your health care and to help run their businesses
- With your family, relatives, friends, or others you identify who are involved with your health care or your health care bills, unless you object
- To make sure doctors give good care and nursing homes are clean and safe
- To protect the public's health, such as by reporting when the flu is in your area
- To make required reports to the police, such as reporting gunshot wounds
Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorization, your provider generally cannot:
- Give your information to your employer
- Use or share your information for marketing or advertising purposes or sell your information
How can I file a patient privacy complaint?
If you believe your personal health information (PHI) has been or may have been used or disclosed in violation of HIPAA or the Texas Medical Records Privacy Act you may file a complaint with:
- the Texas agency that regulates the person or business you are complaining about; View the list of agencies and find out how to file your complaint.
- the Texas Attorney General's Consumer Protection Division; or
- the federal U.S. Dep't of Health and Human Services - Office of Civil Rights (OCR). The OCR accepts complaints electronically at its complaint portal website and also:
Marisa Smith, Regional Manager
Office for Civil Rights - Region VI
U.S. Department of Health and Human Services
1301 Young Street, Suite 1169
Dallas, TX 75202
OCR's Customer Response Center:
Does Texas have a law on medical records privacy?
Yes. Effective September 1, 2012, the Texas Medical Records Privacy Act provides additional protections to consumers. The Act is broader in scope than HIPAA because it applies not only to health care providers, health plans and other entities that process health insurance claims but also to any individual, business, or organization that obtains, stores, or possesses PHI as well as their agents, employees and contractors if they create, receive, obtain, use or transmit PHI.
Under the Act, these individuals, businesses and organizations must comply with several requirements including mandatory training for employees regarding PHI. In most instances, the Act prohibits covered entities from using or disclosing PHI without first obtaining an individual's authorization.
To learn more about the Texas Medical Records Privacy Act click here.
Read more about the State and health privacy laws here.
Where can I read other helpful resources?
CLICK HERE for more information on your privacy rights under HIPAA.
CLICK HERE for more information on HIPAA authorizations.
CLICK HERE for the Authorization to Disclose Protected Health Information form.
CLICK HERE for more information on filing a HIPAA violation complaint.
CLICK HERE to read the Texas Medical Records Privacy Act.
CLICK HERE for information on HIPAA rights in your workplace amidst the COVID-19 crisis.