Frequently Asked Questions
Following are some of the questions received and answered by the Office
of Civil Rights concerning the Privacy Rule.
More detailed and complete information can be found at: http://www.hhs.gov/ocr/hipaa/privacy.html
- 1. What does the HIPAA Privacy Rule do?
- 2. Why is the HIPAA Privacy Rule needed?
- 3. Who must comply with HIPAA privacy standards?
- 4. Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?
- 5. If I believe that my privacy rights have been violated, how and where can I submit a complaint?
- 6. If patients request copies of their medical records as permitted by the Privacy Rule, are they required to pay for the copies?
- 7. Does the HIPAA Privacy Rule permit a provider to disclose a complete medical record even though portions of the record may have been created by other providers?
- 8. Can a physician's office FAX patient medical information to another physician's office?
- 9. Are hospitals able to inform family members, visitors and the clergy about persons in the hospital?
- 10. Does the HIPAA Privacy Rule require that covered entities document all oral communications and provide patients with access to oral information?
Q1: What does the HIPAA Privacy Rule do?
A: The HIPAA Privacy Rule created national standards to protect individuals' personal health information.
- It gives patients more control over their health information.
- It sets boundaries on the use and disclosure of health records.
- It requires persons and organizations to implement appropriate safeguards that will protect the privacy of any health information they create, maintain, or transmit.
- It can impose civil and criminal penalties against anyone who violates a patient's privacy rights.
- It seeks to strike a balance when public responsibility supports disclosure of some forms of data; for example, to protect public health.
- It enables patients to find out how their information may be used, and about certain disclosures of their information that may have been made.
- It generally limits release of information to the 'minimum necessary', that is, disclosing only what is reasonably needed for the purpose of the disclosure.
- It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
Q2: Why is the HIPAA Privacy Rule needed?
A: The personal information of patients has moved among
hospitals, doctors' offices, insurers and other third party payers for years,
relying on a national patchwork of Federal and State laws to protect its
privacy. Under the patchwork of laws existing prior to adoption of HIPAA
and the Privacy Rule, personal health information could be used, disclosed
and distributed - without notice to, or authorization from, the patient
- for reasons that had nothing to do with the patient's medical treatment
or payment for care.
For example, unless otherwise forbidden by a State or local law and without
the Privacy Rule, patient information held by a health plan could, without
the patient's permission, be passed on to a lender who could then deny the
patient's application for a home mortgage or a credit card, or to an employer
who could use it in personnel decisions. The Privacy Rule establishes basic
Federal-level safeguards to protect the confidentiality of medical information
nationwide. State laws which provide stronger privacy protections continue
to apply over and above the Federal privacy standards.
Health care providers have a strong tradition of safeguarding private health
information. However, in today's world, with information broadly held and
transmitted electronically, the old systems of paper records in locked
filing cabinets are not enough. The Privacy Rule provides clear standards
for the protection of personal health information in all formats and situations.
Q3: Who must comply with HIPAA privacy standards?
A: Covered Entities, that is:
- Health plans,
- Health care clearinghouses, and
- Health care providers who transmit health information electronically.
These entities are bound by the privacy standards even if they contract
with others (business associates) to perform some of their essential functions.
The law does not give the Department of Health and Human Services (HHS)
the authority to regulate other types of private businesses or public agencies
(such as employers, life insurance companies, or public agencies that deliver
social security or welfare benefits). See the fact sheet and frequently
asked questions on the
HHS/OCR web site about the standards on Business Associates for a more
detailed discussion of covered entities' responsibilities when they engage
others to perform essential functions or services for them.
Q4: Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?
A: For the average covered entity (health care provider or health plan), the Privacy Rule requires activities, such as:
- Notifying patients about their privacy rights and how their information can be used.
- Adopting and implementing privacy procedures for its practice, hospital, or plan.
- Training all employees so that they understand the privacy procedures.
- Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
- Securing patient records containing individually identifiable health information so that they are not easily accessible to those who do not need them.
Responsible health care providers and businesses have always taken many of the kinds of steps required by the Rule to protect patients' privacy. Covered entities of all types and sizes are required to comply with the Privacy Rule. To ease the burden of complying with the new requirements, the Privacy Rule gives some flexibility for providers and plans to create their own privacy procedures, tailored to fit their size and needs.
Q5: If I believe that my privacy rights have been violated, how and where can I submit a complaint?
A: Activities occurring before April 14, 2003, are not subject to the Privacy Rule's enforcement actions. After that date, a person who believes a covered entity is not complying with a requirement of the Privacy Rule may file a complaint with the covered entity, whether verbally, on paper, or electronically. Individuals should refer to the covered entity's notice of privacy practices for more information about how to file a complaint with the covered entity.
Persons may also file complaints with the Office of Civil Rights. This
complaint must be filed within 180 days of when the complainant knew or
should have known that the act had occurred. The OCR provides further information
on its web site about how to file a complaint.
Q6: If patients request copies of their medical records, as permitted by the Privacy Rule, are they required to pay for the copies?
A: The Privacy Rule permits the covered entity to impose
reasonable, cost-based fees when copies of records are requested for purposes
other than treatment. The fee may include only the cost of copying (including
supplies and labor) and postage, if the patient requests that the copy be
mailed. If the patient has agreed to receive a summary or explanation of
his or her protected health information, the covered entity may also charge
a fee for preparation of the summary or explanation.
Q7: Does the HIPAA Privacy Rule permit a provider to disclose a complete medical record even though portions of the record may have been created by other providers?
A: Yes, the Privacy Rule permits a provider to disclose
a complete medical record including portions that were created by another
provider, assuming that the disclosure is for a purpose permitted by the
Privacy Rule, such as treatment, and also assuming there is not a State
law to the contrary.
Q8: Can a physician's office FAX patient medical information to another physician's office?
A: The HIPAA Privacy Rule permits physicians to disclose
protected health information to another health care provider for treatment
purposes; however, the Rule neither prescribes nor prohibits particular methods of communication.
Covered entities must have in place reasonable and appropriate safeguards
to maintain the privacy of protected health information that is disclosed
by any method, including using a fax machine. Examples of measures that
could be reasonable and appropriate in such a situation include the sender
confirming that the fax number to be used is in fact the correct one for
the other physician's office, placing the fax machine in a secure location
to prevent unauthorized access to the information, and always using a cover
sheet that includes the entity's Confidentiality Statement for faxes.
Q9: Are hospitals able to inform family members, visitors, and the clergy about individuals in the hospital?
A: Yes, the HIPAA Privacy Rule allows hospitals to tell family members, visitors, and the clergy about an individual's presence in the hospital, under the following conditions:
- The patient has been informed of this possible disclosure and has not "opted out" of the hospital's directory;
- The family member or visitor asks for the person by name; and
- In the case of clergy, the individual has not objected to such a disclosure.
The Privacy Rule provides that a hospital or other covered health care provider
may maintain in a directory the following information about that individual:
the individual's name, location in the facility, health condition expressed
in general terms, and religious affiliation. Directory information, except
for religious affiliation, may be disclosed only to persons who ask for the
individual by name. But a hospital may disclose all the names of, for example,
Methodist patients to a Methodist minister, unless a patient has restricted
such disclosure.
Q10: Does the HIPAA Privacy Rule require that covered entities document all oral communications and provide patients with access to oral information?
A: No. The Privacy Rule does not require covered entities
to document oral information used or disclosed for treatment or health care
operations. Similarly, the Privacy Rule only requires covered entities to
provide individuals with access to protected health information about themselves
contained in the "designated record set" maintained by the covered
entity. The term "record" pertains to information that has been
recorded in some manner. The Rule does not require covered entities to tape
or digitally record oral communications, nor retain digitally or tape recorded
information after transcription. But if such records are maintained and
used to make decisions about the individual, they may meet the definition
of "designated record set." For example, a health plan is not
required to provide a member access to tapes of a telephone advice line
interaction if the tape is maintained only for customer service review and
not to make decisions about the member.