Header graphic for print
Privacy Law Blog

HHS Empowers Consumers to Know (and Enforce) their Rights Under HIPAA

Posted in Electronic Communications, HIPAA, Medical Privacy

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published on its website a series of factsheets designed to educate consumers unfamiliar with their rights under the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules.  These four factsheets are described in detail below and are available in eight languages on OCR’s website at:  www.hhs.gov/ocr/privacy/hippa/understanding/consumers.

I.            OCR Consumer Factsheet: “Your Health Information Privacy Rights”

  • OCR tells consumers that HIPAA gives them rights over their health information including the right to get a copy of their information, make sure it is correct and know who has seen it.
  • OCR says that in most cases consumers must be given a copy of their medical record and other health information within 30 days.
  • Consumers can ask to change any wrong information in their file if they believe that something is missing or incomplete.  OCR states, “Even if the hospital believes the test result is correct, you still have the right to have your disagreement noted in your file.”
  • OCR summarizes how a consumer’s health information can be used and shared for specific reasons not directly related to the consumer’s care (i.e., “making sure doctors give good care, making sure nursing homes are clean and safe, reporting when the flu is in your area, or reporting as required by state or federal law”). 
  • OCR encourages consumers to learn how their health care providers and health insurers are using and sharing their health information.
  • OCR encourages consumers to let their health care providers and health insurers know if there is information that they do not want to be shared.
  • OCR also tells consumers that they can make reasonable requests to direct their health care provider to contact them at a different place or in a different manner.  For example, if the doctor’s office usually sends a postcard with an appointment reminder, the consumer may request that the appointment reminder be sent in an envelope instead.

II.          OCR Consumer Factsheet: “Privacy, Security, and Electronic Health Records”

  • OCR explains that electronic health records (EHRs) are electronic versions of the consumer’s paper medical record and includes health information such as medical history, notes, diagnoses, medications, lab results, and immunizations. 
  • OCR tells consumers that their privacy rights are the same whether the health information is stored as paper or in an electronic form.
  • In the factsheet, OCR summaries the benefits of health care providers using EHRs.  Consumers should expect “improved quality of care”, “more efficient care”, and “more convenient care.” 
  • OCR summarizes certain protections that can safeguard EHR systems including access controls like passwords and PIN numbers, encrypting, and an audit trail feature.
  • OCR describes for the consumers the breach notification requirement for health care providers.

III.        OCR Consumer Factsheet: “Understanding the HIPAA Notice”

  • OCR provides a four step process for consumers to follow to make sure that they understand the “Notice of Privacy Practices” and their rights under HIPAA.
  • Step 1: OCR encourages consumers to “Get a Copy of the Notice of Privacy Practices”
  • Step 2: OCR encourages consumers to “Read the Notice”
    • The Notice explains how the health care provider or insurer is allowed to use or share their information
    • Explains the consumers’ privacy rights
    • Explains the doctor or insurer’s legal duties to protect consumers’ health information
    • Provides the contact information about the doctor or insurance company’s privacy polices.
  • Step 3: OCR encourages consumers to “Ask Questions about the Notice or Your Rights”
  • Step 4: OCR encourages consumers to “Know What You are Signing”
    • HIPAA requires the consumer’s doctor, hospital, or other health care provider to ask for written proof that he or she received the Notice of Privacy Practices acknowledgement of receipt. 
    • Consumers are not required to sign the acknowledgment of receipt; however providers must keep a record that the consumer decided not to sign the form.  Providers must still care for consumers who do not sign the acknowledgment of receipt. 

IV.         OCR Consumer Factsheet: “Sharing Health Information with Family Members and Friends”

  • OCR summarizes and provides examples of when a health care provider or health plan may share relevant information with family members or friends involved in the consumer’s health care or payment for health care.
  • OCR states that under HIPAA, a health care provider may share a consumer’s information face-to-face, over the phone, or in writing … if:
    • The consumer gives the provider or plan permission to share the information.
    • The consumer is present and does not object to sharing the information.
    • The consumer is not present, and the provider determines based on professional judgment that it is in the consumer’s best interest.
  • OCR provides frequently occurring examples for each of these scenarios. 
    • The consumer’s hospital may discuss the consumer’s bill with his or her daughter who is with the consumer and has a question about the charges, if the consumer does not object.
    • The consumer’s doctor may discuss the drugs the consumer needs to take with the consumer’s health aide who has accompanied the consumer to his or her appointment.
    • The consumer had emergency surgery and is still unconscious.  The consumer’s surgeon may tell the consumer’s spouse about his or her condition, either in person or by phone, while the consumer is unconscious.
    • A doctor may not tell a consumer’s friend about a past medical problem that is unrelated to the consumer’s current condition.

Finally, OCR provides information to consumers on who to contact if their HIPAA rights are being denied or their health information is not being protected.