FAQ

Linda Ross represents individuals who have had their medical privacy rights invaded. Contact Linda today at 415-692-7689 to determine if your rights have been infringed upon.

Medical Privacy Frequently Asked Questions:

  1. Does HIPAA guarantee privacy for my medical information?
  2. Do I have a right to my medical records?
  3. Do I have to pay for copies of my medical records?
  4. How do I get access to my own medical records?
  5. When can I expect to get my medical records?
  6. Is my consent required before my doctor can disclose my health information?
  7. Can a minor consent to health care without parental notification?
  8. Is my boss able to inquire about what kind of doctor I'm going to see when leaving work for an appointment?
  9. Someone has disclosed my medical history to an attorney without my written permission. What recourse, if any, is available to me under the law?
  10. If I request copies of my medical file, is the provider allowed to use an outside copying service such as Staples or Kinkos?
  11. I understand that HIPAA provides a minimum standard of privacy for medical records. How can I find out if my state has stronger laws?
  12. How can family members of a deceased individual obtain the deceased individual's medical information that is relevant to their own health care?
  13. I was injured at work and I have been asked to provide a release of my medical history for the workers' compensation case. I am not comfortable doing this. What are my rights?
  14. I am concerned that my health care provider outsources some of their clerical work to foreign countries. Do they need my permission before giving my medical information to someone overseas?
  15. Can I find out who has accessed my health records?
  16. What can I do if my rights under HIPAA have been violated?
  17. Can information about an unpaid medical bill be disclosed to a debt collector?

1. Does HIPAA guarantee privacy for my medical information?

No. This is a major misconception about privacy in general. There is no universal privacy rule, even for sensitive medical information. Any privacy you do have depends on a number of things, primarily who has your information.

HIPAA provides some limited privacy protections. But HIPAA only applies to "covered entities," that is, health care providers, health plans, and what HIPAA calls "health care clearinghouses," that is, those that transmit payment information electronically.

If your medical information is in the hands of your employer, the courts, or an insurer that is not covered by HIPAA, it is protected, if at all, by a different set of privacy standards.

2. Do I have a right to my medical records?

Yes. The HIPAA medical privacy law gives you the right to see and get copies of your own medical records. There are a few exceptions. For example, HIPAA does not give you the right to access psychotherapy notes or information compiled for use in litigation. Your request may also be denied if the provider decides access to the records could result in harm to you or another person.

In addition to HIPAA, many states have laws that allow patients or their designated representatives to access medical records. State laws may give you more, but not less, privacy than HIPAA.

3. Do I have to pay for copies of my medical records?

You can be charged "reasonable" fees based on the costs of materials and staff time spent copying your records. You cannot be charged for time spent searching for your records. State laws usually allow health care facilities to charge a "reasonable" fee for copying records.

4. How do I get access to my own medical records?

HIPAA requires health care providers to allow you access to your medical records upon request. The privacy notice you receive must include information about how you can obtain copies of your medical records. If a written request is necessary, the privacy notice should also tell you this.

5. When can I expect to get my medical records?

HIPAA gives providers 30 days to provide the records. One 30-day extension is allowed for "good reason." State laws may give a provider less time to comply with your request.

6. Is my consent required before my doctor can disclose my health information?

The short answer to your question is that your medical provider does NOT need your consent to share your medical information for treatment, payment, and/or what HIPAA calls health care operations.

7. Can a minor consent to health care without parental notification?

It depends on the situation. HIPAA, the federal privacy law, says generally that parents may receive protected health information of minors. However, HIPAA sets a minimum standard, which allows states to create stronger laws.

Some states have enacted laws allowing minors to consent to certain types of medical treatment. To see if a minor can consent to a particular treatment you should consult state law.

8. Is my boss able to inquire about what kind of doctor I'm going to see when leaving work for an appointment?

This is a question we've heard before, but unfortunately we don't have a "black and white" answer. This is an employment law question, not a HIPAA question. HIPAA only covers employers in a very limited way. Employers may, for example, receive limited information when setting group health premiums. Unless there's a workplace health or safety question involved, your doctor would ordinarily need your consent to disclose information to your employer.

Other laws, such as the Family Medical Leave Act, may dictate the extent of medical information your employer can ask you to provide. The U.S. Department of Labor says an employer can ask for a "certification" of serious illness.

It is possible the situation is covered in an employee manual or union agreement -- if your organization has a union. Your Human Resources Department should be able to tell you if either case applies.

9. Someone has disclosed my medical history to an attorney without my written permission. What recourse, if any, is available to me under the law?

You have probably heard of HIPAA, the federal rule that protects medical information. But HIPAA only applies to information disclosed by doctors, hospitals, pharmacies, and health plans.

In short, HIPAA doesn't always protect medical information. If the person who disclosed your information was not a doctor, hospital, pharmacy or a person working for your health plan, HIPAA would probably not apply. Further, federal law does not give a private individual the right to sue for violations of HIPAA. However, state laws may allow individuals to sue for violations of health privacy laws.

Only an attorney who is familiar with all the circumstances can properly advise you. You may find a name through your local attorney referral service, usually listed in the telephone directory.

10. If I request copies of my medical file, is the provider allowed to use an outside copying service such as Staples or Kinkos?

HIPAA allows doctors, hospitals, and other "covered entities" to disclose information to "business associates." A business associate may include individuals or companies that perform services such as copying, billing, accounting, data input and transcription. HIPAA requires that business associate agreements be in writing.

11. I understand that HIPAA provides a minimum standard of privacy for medical records. How can I find out if my state has stronger laws?

For a state-by-state guide to health privacy laws, go to http://hpi.georgetown.edu/privacy/records.html and choose your state from the list on the right.

12. How can family members of a deceased individual obtain the deceased individual's medical information that is relevant to their own health care?

Note: The following answer comes from the U.S. Department of Health and Human Services Questions and Answers web site, available at http://answers.hhs.gov.

The HIPAA Privacy Rule recognizes that a deceased individual's protected health information may be relevant to a family member's health care. The Rule provides two ways for a surviving family member to obtain the protected health information of a deceased relative.

First, disclosures of protected health information for treatment purposes -- even the treatment of another individual -- do not require an authorization; thus, a covered entity may disclose a decedent's protected health information, without authorization, to the health care provider who is treating the surviving relative.

Second, a covered entity must treat a deceased individual's legally authorized executor or administrator, or a person who is otherwise legally authorized to act on the behalf of the deceased individual or his estate, as a personal representative with respect to protected health information relevant to such representation. Therefore, if it is within the scope of such personal representative's authority under other law, the Rule permits the personal representative to obtain the information or provide the appropriate authorization for its disclosure.

13. I was injured at work and I have been asked to provide a release of my medical history for the workers' compensation case. I am not comfortable doing this. What are my rights?

Workers' compensation is covered by states. I suggest you contact your state Insurance Commissioner to find out what the rules for workers' compensation are in your state. You can contact your state insurance commissioner through the web site for the National Association of Insurance Commissioners, www.naic.org.

Moreover, workers' compensation is not covered by HIPAA. Other types of insurance not covered by HIPAA include:

  • Disability insurance
  • Coverage issued as a supplement to liability insurance
  • Automobile medical payment insurance
  • Coverage for on-site medical clinics

A doctor covered by HIPAA would ordinarily need your permission to disclose your medical information for workers' compensation or one of the other insurers listed above. However, since these insurers are not subject to HIPAA, a different set of privacy standards would apply once your records are in the hands of the third party.

14. I am concerned that my health care provider outsources some of their clerical work to foreign countries. Do they need my permission before giving my medical information to someone overseas?

Probably not. If the foreign company is considered a "business associate" under HIPAA, your permission is not required. This includes international business associates.

Services provided by a business associate can include: legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial. These business relationships are established with a written contract.

15. Can I find out who has accessed my health records?

Yes, for the most part. A listing of disclosures of your health information is required by HIPAA. You can find out who has accessed your health records for the prior six years, although there are several exceptions to the disclosure requirement.

For example, a listing is not required when records are disclosed to the many individuals who see your records for treatment, payment, and health care operations (TPO). Those involved in TPO do not need to be listed in the disclosure log. Incidental disclosures permitted under HIPAA also do not have to be accounted for.

16. What can I do if my rights under HIPAA have been violated?

You don't have the right to sue under HIPAA. The most you can do is file a complaint.

Every HIPAA "covered entity" is required to appoint a "privacy officer." The privacy notice you receive should identify the organization's privacy officer and tell you how to contact that person. The notice should also tell you how to contact the U.S. Department of Health and Human Services (DHHS) Office of Civil Rights. This is the government office charged with enforcing the HIPAA Privacy Rule.

You must file your complaint within 180 days of the violation, but DHHS can extend that time. HIPAA says you cannot be denied treatment because you file a complaint.

Upon receipt of a complaint, the DHHS may decide to investigate and/or try to resolve the issue informally. A person or organization that is obliged to follow the Privacy Rule may face a civil fine of up to $25,000. In extreme cases, the U.S. Department of Justice (DOJ) may be called in to conduct a criminal investigation. If the DOJ becomes involved, violators could face a jail term of up to 10 years and a fine of up to $250,000.

Even though the HIPAA Privacy Rule does not give you the right to sue, other federal or state laws or regulations might give you the right to bring an action in court for violations of your privacy. If you feel your rights have been violated, you may want to discuss the situation with an attorney.

17. Can information about an unpaid medical bill be disclosed to a debt collector?

Yes. Your consent is not required to disclose information from your medical files if it is made in connection with payment.

An unpaid bill, like any other debt claimed to be owed, may be reported to a collection agency. What's more, an unpaid medical bill can appear as a negative entry on your credit report. Information that can be disclosed to a collection agency about you includes:

  • Your name and address
  • Date of birth
  • Social Security number
  • Payment history
  • Account number
  • Name and address of the health care provider or health plan that says you owe the money.