What you need to know about health information privacy

Lupus Foundation of America

Resource Content

Frequently asked questions about protecting your confidential health information in research and healthcare settings.

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. HIPAA’s purpose is to protect the privacy and security of protected health information (PHI).

PHI is individual information relating to health care, payment for health care, or physical or mental health condition. HIPAA protects PHI by limiting information shared with others without patient consent and ensuring that a patient’s private medical conditions are not shown or talked about in public.
Covered entities, or organizations that must follow HIPAA regulations, include:

Health insurance companies, HMOs, company health plans, certain government health care programs such as Medicare and Medicaid, doctors offices, clinics, hospitals, psychologists, chiropractors, dentists, nursing homes and pharmacies.
Information that is protected under HIPAA includes all Information that your doctors, nurses, and other health care providers put in your medical record. Also protected is information about you in your health insurer’s computer system and billing information about you at your clinic. Conversations your doctor has about your care or treatment with nurses and others are also protected.
HIPAA grants you the right to:

Ask to see and get a copy of your health records, have corrections added to your health information, receive a notice that tells you how your health information may be used and shared, decide if you want to give your permission before your health information can be used or shared for certain purposes (such as marketing), and receive a report on when and why your health information was shared for certain purposes.

If you believe your rights are being denied or your health information isn’t being protected, you can file a complaint with your provider, health insurer, or the U.S. Government.
To make sure that your health information is protected in a way that does not interfere with your health care, your information can be used and shared in the following circumstances:

For your treatment and care coordination; to pay doctors and hospitals for your health care and to help run their businesses; with your family, relatives, friends, or others you identify who are involved with your health care or your health care bills (though you are able to object to this).

Your health information may also be shared to make sure doctors give good care and nursing homes are clean and safe; to protect the public's health, such as by reporting when the flu is in your area; to make required reports to the police, such as reporting gunshot wounds.

Your health information cannot be used or shared without your written permission in circumstances not covered by this law. For example, without your consent, your provider generally cannot give your information to your employer or share your information for marketing or advertising uses.
The short answer is yes. However, the patient must agree to it in advance and must be present and have the capacity to make health care decisions. If this is the case, the covered entity (doctor, health care professional, etc.) may discuss this information with family and friends.

Some examples: A doctor may give information about a patient’s mobility limits to a friend driving the patient home from the hospital. A hospital may discuss a patient’s payment options with her adult daughter. A doctor may tell a patient’s roommate about proper medicine dosage when she comes to pick up her friend from the hospital.
By law, health care providers (including doctors and hospitals) had until April 14, 2003, to comply with the HIPAA Privacy Rule. Activities that happened before April 14, 2003, are not subject to the Office for Civil Rights (OCR) enforcement. After that date, a person who believes a covered entity is not complying with a requirement of the Privacy Rule may file with OCR a written complaint, either on paper or online. This complaint must be filed within 180 days of when the complainant knew or should have known that the act had occurred.