Your Personal Rights Under HIPAA

Learn about your rights at HealthIT.gov.

Most of us believe our medical and other health information is private and should be protected. Most of us also want to know who has access to this private information. The Privacy Rule gives you rights over your health information and sets rules and limits on who can look at and receive your health information.

Protected Information

The following information is always protected for each individual:

• information your doctors, nurses, and other health care providers put in your medical records
• conversations your doctor has about your care or treatment with nurses and others
• information about you in your health insurer’s computer system
• billing information about you at your clinic
• most other health information about you held by those who must follow these laws

Covered entities must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly. They must also have procedures in place to limit who can view and access your health information, as well as implement training programs for employees about how to protect your health information.

Individual Rights

You have a right to see your individual health information.

Under HIPAA, you are entitled to more information about and more control over your individual health information.

1. Access to Information – You can request and receive a copy of your health information and may request the copy in electronic form. The covered entity may charge a reasonable fee for providing the copy either in paper or electronic form.
2. Amend information – You may ask for your information to be amended to correct errors but covered entities are only responsible for making changes in the records that they created.
3. Accounting of disclosures – You may request a list of all the times your information was released improperly.
4. Notice of Privacy Practices – You have the right to receive a written notice of privacy practices from covered entities that details rights of the individual and duties of the covered entity under HIPAA.

Employers and Health Information in the Workplace

The Privacy Rule controls how a health plan or covered health care provider discloses protected health information (PHI) to an employer, including your manager or supervisor.

Employer Requests

The Privacy Rule does not prevent your supervisor, human resources worker or others from asking you for a doctor’s note or other information about your health if your employer needs the information to administer sick leave, workers’ compensation, wellness programs, or health insurance.

If your employer asks for your health care provider directly for information about you, your provider cannot disclose the information without your authorization. Covered health care providers must also have your authorization to disclose this information to your employer, unless other laws require them to disclose it.

Generally, the Privacy Rule applies to disclosures made by your health care provider, not to the questions of your employer.

Employment Records

The Privacy Rule does not protect your employment records, even if the information in those records is health-related. Generally, the Privacy Rule also does not apply to the actions of an employer, including the actions of a manager in your workplace.

If you work for a health plan or covered health care provider:

• The Privacy Rule does not apply to your employment records.
• The Rule does protect your medical or health plan records if you are a patient of the provider or a member of the health plan.

Your health care provider may share personal information face-to-face, over the phone, or in writing.

Sharing Health Information

Under HIPAA, your health care provider may share your personal information face-to-face, over the phone, or in writing. A health care provider or health plan may share your relevant information if:

• You give your provider or plan permission to share the information.
• You are present and do not object to sharing the information.
• You are not present, and the provider determines, based on professional judgment, that it’s in your best interest.

Sharing Information with a Family Member or Friend

HIPAA requires most doctors, nurses, hospitals, nursing homes, and other health care providers to protect the privacy of your health information. However, if you don't object, a health care provider or health plan may share relevant information with family members or friends involved in your health care or payment for your health care in certain circumstances.

Examples

• An emergency room doctor may discuss your treatment in front of your friend if you ask that your friend comes into the treatment room.
• A doctor’s office may discuss your bill with your adult daughter who is with you at your medical appointment and has questions about the charges.
• A doctor may discuss the drugs you need to take with your health aide who has accompanied you to a medical appointment.
• A doctor may give information about your mobility limitations to your sister who is driving you home from the hospital.
• A nurse may discuss your health status with your brother if you give permission or do not object. But, a nurse may NOT discuss your condition with your brother after you have stated you do not want your family to know about your condition.

Incapacitated or Not Present Patient

If you are not present or are incapacitated, a health care provider may share your information with family, friends, or others when the health care provider determines it is in your best interest.

When someone other than a friend or family member is involved, the health care provider must be reasonably sure you asked the person to be involved in his or her care or payment for care. Again, the health care provider may discuss only the information the person involved needs to know about your care or payment.

Examples

• A surgeon who did emergency surgery on you may tell your spouse about your condition while you are unconscious.
• A pharmacist may give a prescription to your friend sent to pick up the prescription.
• A hospital may discuss your bill with your adult son who calls the hospital with questions about charges to your account.
• A health care provider may give information regarding your drug dosage to your health aide who calls the provider with questions about the particular prescription.

However, a nurse may not tell your friend about a past medical problem unrelated to your current condition. Also, a health care provider is not required by HIPAA to share your information when you are not present or are incapacitated, and can choose to wait until you have an opportunity to agree to the disclosure.

Disclosing PHI to Law Enforcement

The HIPAA Privacy Rule is balanced to protect an individual’s privacy while allowing important law enforcement functions to continue.

The Rule permits covered entities to disclose protected health information (PHI) to law enforcement officials, without the individual's written authorization, under specific circumstances including, but not limited to:

• To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena.
• To respond to a request for PHI about a victim of a crime, and the victim agrees.
• To report PHI to law enforcement when required by law to do so.
• To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct.

For a more complete understanding of the conditions and requirements for these disclosures, please review the exact regulatory text at the HHS FAQ Page for this topic.

How to File a Complaint

An employee, or representative of an employee, who believes he or she has been retaliated against for disclosing HIPAA-protected information when reporting or complaining about a workplace safety or health issue, may file a complaint with OSHA within 30 days of the retaliation.

The complaint should be filed with the OSHA office responsible for enforcement activities in the geographical area where the employee resides or was employed. It also may be filed with any OSHA officer or employee.

For more information, contact your closest OSHA Regional Office.

Check your Work

Click on the "Check Quiz Answers" button to grade your quiz and see your score. You will receive a message if you forgot to answer one of the questions. After clicking the button, the questions you missed will be listed below. You can correct any missed questions and check your answers again.

Videos

This first video provides a high-level overview of the HIPAA access rights and introduces the topics of fees, timing and sharing health information with a third party. Length 3:27

Video 2 tells the story of Hannah, who is moving across the country. At her last visit with her current doctor, Hannah asks to have a copy of her records to take with her. The video helps explain the associated fees, forms and the time it may take for Hannah to get a copy of her records. Length 5:14

Video 3 tells the story of Martin, who would like to share the health information in his medical record with a heart health application on his smartphone. The video provides information on the right to provide access to a third party, including a mobile application device. Length 3:16

Next Module