Your Rights (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996 to address the
security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health
care system by encouraging the widespread use of electronic data interchange in the US health care system.
HIPAA is the commonly accepted nickname for the Health Insurance Portability and Accountability Act of 1996. This sweeping
body of legislation led to dramatic changes in virtually every administrative practice of the U.S. health care industry.
Specifically, the law assigned the U.S. Department of Health and Human Services (HHS) to develop, introduce, and enforce a
new system of rules to govern accountability and standards for patient information in the Internet age.
HIPAA was signed into law on August 21, 1996. To give all parties time to comply with the new guidelines, however, the law
contained a schedule for taking effect in gradual phases spread over the next decade. Most health care and insurance providers
had until April 2003 or 2004 to establish compliance with HIPAA’s main regulations. And some requirements remain open-ended as
to when and how they will take effect.
The primary motivation for the new law was to streamline health care processes by establishing standards for electronic
technology to transfer and process billing and health insurance transactions.
At the same time, however, many legislators saw advances in electronic technology as a risk to the privacy of patient health
information. Therefore, the law included a deadline of three years, until August 1999, for Congress to develop a corresponding
responsibility for privacy regulations fell to HHS.
HHS published a set of tentative privacy guidelines in November 1999 and asked the legislature and the public for comments on
About a year later, in December 2000, HHS published a final regulation that included rules for protecting the privacy of
"Individually Identifiable Health Information." This new body of law was incorporated into the existing HIPAA and came to be
known collectively as the privacy rule.
HIPAA's definition of "covered entity"
An individual or company whose work in a health-related field requires compliance with HIPAA requirements is called a
"covered entity." As defined by HIPAA, covered entities include:
- Health care providers who conduct certain transactions in electronic form
- Health care clearinghouses
- Health plans (defined as almost any party that pays medical costs, such as insurance companies, HMOs, employer-sponsored group
health plans, Medicare/Medicaid, etc.)
Clinical laboratories affiliated with a health care provider or other "covered entity" are subject to HIPAA and thus required by
law to provide patient access to their laboratory records. If a laboratory is not affiliated with a covered entity, then state laws
for patient access apply instead of HIPAA.
In California, for example, clinical laboratories not directly affiliated with health care providers are not subject to state disclosure
laws; this was an intentional exclusion by the legislature to protect patients from lay misinterpretation of raw test data. California access
laws require a physician who orders a laboratory test to be the person who reports the test results to a patient [CA Health & Safety Code Section
123148]. However, these test results must be recorded by the physician in the patient's records — and, if requested by the patient under HIPAA,
they must be reported in plain language within a reasonable time.
The privacy rule explained
The HIPAA privacy rule embodied the first comprehensive federal protection for the privacy of patient health information. The
regulations introduced in 2000 were modified in August 2002 to balance the patient’s privacy rights with the provider’s ability to
provide effective medical treatment; that is, "to improve workability and avoid unintended consequences that could have impeded patient
access to delivery of quality health care."
The privacy rule is federal law and supersedes any state laws that are less protective of consumer rights to privacy. State civil laws that offer
greater rights or protection for consumers than the privacy rule remain in effect. For example, a health care provider, Peoplechart, or any entity must comply
with California laws governing disclosure and handling of medical information, because these state laws are more restrictive of disclosure
and more protective of patient privacy than the HIPAA privacy rule.
Other areas where stricter state laws might override HIPAA could include fees charged for copying and retrieving information; time limits to
respond to patient requests; and limits to situations where a provider can deny access to records.
The Office for Civil Rights (OCR), a division of HHS, is the federal agency responsible for administering and enforcing the privacy rule.
Penalties for violations of the privacy rule can include fines or, in extreme cases, imprisonment. Consumer complaints should be filed with
OCR within 180 days after the violation becomes known.
Your legal rights under the privacy rule
Under the terms of the HIPAA privacy rule:
- Consumers have an enforceable legal right to review and copy their medical records, based on the theory that access is the cornerstone of
to review records. If the information is not accessible onsite, the covered entity has 60 days to comply, though an extension can be given if
the covered entity provides a written statement of the reasons for delay and the specific date by which it will comply.
- Consumers have the right to amend incorrect data in their medical records (45 CFR 164.526). Within 60 days of request, a covered entity must
amend a patient's information (with limited exceptions) as indicated and provide the amendment to all entities known to have received the objectionable
information. Similar to the Fair Credit Reporting Act, if a request to amend or supplement information is denied, the HIPAA privacy rule gives the
individual the right to file a statement disagreeing with the denial, which will be included in the records.
- Consumers have the right to an accounting of all disclosures of their personal information to third parties by a covered
entity (45 CFR 164.528).
- Consumers have the right to a written summary of their health condition. At the individual's request, a provider must write a summary or explanation
of the individual's health condition.
- Exceptions: A patient may be denied access to records if a provider believes such access could endanger the physical safety of the individual or
others. Also, patient access may be denied for some psychotherapy notes, for information compiled for a lawsuit, or for certain other limited
circumstances. All denials of patient access are subject to review and appeal.
- The content of most patient records falls within the definition of Protected Health Information (PHI).
- The Office for Civil Rights enforces compliance with the HIPAA privacy rule and has full responsibility for correcting and/or punishing violations.
Mandatory versus voluntary consent for disclosure
In August 2002, the privacy rule's requirement that providers ask patients for consent to disclose any personal information was replaced
with "voluntary consent" for certain functions viewed as essential to providing quality health care. Continuing to require mandatory consent
for these functions was regarded as impractical and a potential impediment to delivering care.
Permission from the patient is asked or not asked at the discretion of the providers for the purposes of treatment, payment, and health care.
Examples include pharmacists filling prescriptions, hospitals reviewing patient notes from a referring physician, telemedicine, and emergency
HHS inserted a cautionary note: "Although the Rule is no longer mandatory, the Rule still affords individuals the opportunity to engage in important
discussions regarding the use and disclosure of their health information through the 'strengthened notice requirement' while allowing activities that
are essential to quality health care to occur unimpeded. These modifications will ensure that the Rule protects patient privacy as intended without
harming consumer's access to care or to the quality of that care."
- The privacy rule permits a provider to disclose a complete medical record that includes portions that were created by another provider, assuming that
the disclosure is for a purpose permitted by the privacy rule, such as treatment
- Under HIPAA, situations such as a medical emergency fall into voluntary consent, where judgment is exercised depending on the situation and the provider
has the option to request or not request consent for reviewing or sharing patient information
- Federal law leaves privacy rights in medical emergencies largely under the jurisdiction of state law, which may differ as to when or where they
permit disclosure of protected health information in an emergency.
Limits on fees and timing for providing patients with access to medical records
- A commentary made by DHHS on the privacy rule disapproves of a covered entity charging a fee for the search or retrieval of a patient's
requested records, though it does permit a reasonable per-page fee to cover the costs of photocopies and/or postage. This has not been enacted
- This fee imposed by physicians or health care providers must not exceed any maximum cap on copying charges set by the governing state.
However, for some states, the charges are not specified in dollars and cents. As an example, Hawaii stipulates that a requesting person
shall expect to bear any "reasonable" costs incurred by a health care provider in making copies of medical records. Without specificity in
the maximum charge, expect to pay copying fees that vary from state to state and from provider to provider within a state
- Under California's Patient Access Laws, for example, copies of records must be "sent within 15 days of the provider's receipt of a
written request, subject to copying costs of not over 25 cents per page plus reasonable clerical costs" (HSC 123110(b))
- If the physician, health care provider organization, or health plan does not actually maintain the individual's records, but knows
where the information is available, it must direct the individual to the source of his/her records
- If the patient requests, a physician or provider must prepare a summary or explanation of the patient's health information or condition
and may charge a fee for preparing this document
HIPAA information resources
Agency for Healthcare Research and Quality
Phone: 1 (800) 358-9295
Specific Information: http://www.ahrq.gov/consumer/20tips.htm