Medical Privacy

Two federal rules help protect the privacy of consumers’ health information.  The “Privacy Rule” and the “Security Rule” were implemented by the United States Department of Health and Human Services under the Health Insurance Portability and Accountability Act, commonly known as “HIPAA.” 

The following is a brief summary of each rule. If you want more detailed information about the rules, HIPAA or the enforcement of HIPAA and the rules, please visit the Department’s website at www.hhs.gov.  

The Privacy Rule

The Privacy Rule addresses the use and disclosure of consumers’ protected health information by organizations subject to the Rule. The Rule also provides standards to help consumers understand and control how their health information is used.

Who Must Comply with the Privacy Rule?

The Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions that are covered under HIPAA.

What Information Is Protected?

The Rule protects consumers’ “individually identifiable health information,” which includes information that identifies or can be used to identify a consumer (name, address, birth date or Social Security number), as well as demographic data about:

  • the consumer’s  past, present or future physical or mental health;
  • health care the consumer has received or
  • past, present or future payments the consumer made or makes for such health care.

Generally, a covered entity may not use or disclose a consumer’s protected health information without the consumer’s written authorization. However, the entity may disclose the consumer’s information without authorization:

  • to the consumer unless the consumer’s authorization is required for access or for the accounting of disclosures;
  • for treatment, payment or health care operations;
  • when the consumer has an opportunity to agree or object to the disclosure;
  • when the disclosure is incident to an otherwise permitted use or disclosure;
  • when the disclosure or use involves the public interest or is otherwise required by law; and
  • in limited data sets involving research, public health or health care operations.

A covered entity must obtain a consumer’s written authorization to use or disclose protected health information for marketing purposes.  However, several exceptions to this rule exist and the definition of “marketing” is limited.  For a complete discussion of this topic, please visit www.hhs.gov.

Who Enforces the Rule?

The Department of Health and Human Service’s Office for Civil Rights enforces the Privacy Rule and consumers who believe a covered entity has violated the Rule can file a complaint with the office. Complaint packets, along with detailed instructions, are available at: www.hhs.gov/ocr.

The Security Rule

The Security Rule establishes standards that dictate what technical and non-technical safeguards all HIPAA-covered entities must implement to secure consumers’ electronic protected health information (e-PHI).

A more detailed discussion of the Rule, including compliance and enforcement issues, is available at www.dhhs.gov.

What Standards Does the Rule Require?

To protect e-PHI, covered entities must maintain reasonable and appropriate administrative, technical and physical safeguards that

  • ensure the confidentiality, integrity and availability of e-PHI;
  • protect against reasonably anticipated threats to the security of e-PHI;
  • protect against reasonably anticipated or impermissible uses or disclosures of e-PHI; and
  • ensure employee compliance.

What Must a Covered Entity Do If My Information Is Released?

Covered entities must notify affected consumers of the security breach. Notice must be in writing and sent by mail or email within 60 days of the breach. The notice must provide:

  • a description of what occurred, if known, and a description of the investigation into the breach;
  • what information was released,
  • how the consumer can prevent additional harm, such as identity theft; and
  • contact information for the covered entity. 

Where Can I File a Complaint If I Suspect a Security Breach?

The U.S. Department of Health and Human Service’s Office of Civil Rights enforces the Security Rule.  Complaint packets, along with detailed instructions, are available at: www.hhs.gov/ocr.

You also can report suspected security breaches to the Federal Trade Commission, which has independent authority over personal health record vendors and their third-party service providers under the Health Information Technology for Economic and Clinical Health (HITECH) Act.  You can file a complaint with the FTC at www.ftc.gov.