Most of us believe our medical and other health information is private and should be protected. Most of us also want to know who has access to this private information. The Privacy Rule gives you rights over your health information and sets rules and limits on who can look at and receive your health information.
The following information is always protected for each individual:
Covered entities must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly. They must also have procedures in place to limit who can view and access your health information, as well as implement training programs for employees about how to protect your health information.
Under HIPAA, you are entitled to more information about and more control over your individual health information.
The Privacy Rule controls how a health plan or covered health care provider discloses protected health information (PHI) to an employer, including your manager or supervisor.
The Privacy Rule does not prevent your supervisor, human resources worker or others from asking you for a doctor’s note or other information about your health if your employer needs the information to administer sick leave, workers’ compensation, wellness programs, or health insurance.
If your employer asks your health care provider directly for information about you, your provider cannot disclose the information without your authorization, unless another law requires the disclosure.
Generally, the Privacy Rule applies to disclosures made by your health care provider, not to the questions of your employer.
The Privacy Rule does not protect your employment records, even if the information in those records is health-related. Generally, the Privacy Rule also does not apply to the actions of an employer, including the actions of a manager in your workplace.
If you work for a health plan or covered health care provider:
Under HIPAA, your health care provider may share your personal information face-to-face, over the phone, or in writing. A health care provider or health plan may share relevant information if:
HIPAA requires most doctors, nurses, hospitals, nursing homes, and other health care providers to protect the privacy of your health information. However, if you don't object, a health care provider or health plan may share relevant information with family members or friends involved in your health care or payment for your health care in certain circumstances.
If you are not present or are incapacitated, a health care provider may share your information with family, friends, or others when the health care provider determines it is in your best interest.
When someone other than a friend or family member is involved, the health care provider must be reasonably sure you asked that person to be involved in your care or payment for your care. Again, the health care provider may discuss only the information the person involved needs to know about your care or payment.
However, a nurse may not tell your friend about a past medical problem unrelated to your current condition. Also, a health care provider is not required by HIPAA to share your information when you are not present or are incapacitated, and can choose to wait until you have an opportunity to agree to the disclosure.
The HIPAA Privacy Rule is balanced to protect an individual’s privacy while allowing important law enforcement functions to continue.
The Rule permits covered entities to disclose protected health information (PHI) to law enforcement officials, without the individual's written authorization, under specific circumstances including, but not limited to:
For a more complete understanding of the conditions and requirements for these disclosures, please review the exact regulatory text at the HHS FAQ Page for this topic.
An employee, or representative of an employee, who believes he or she has been retaliated against for disclosing HIPAA-protected information when reporting or complaining about a workplace safety or health issue, may file a complaint with OSHA within 30 days of the retaliation.
The complaint should be filed with the OSHA office responsible for enforcement activities in the geographical area where the employee resides or was employed. It also may be filed with any OSHA officer or employee.
For more information, contact your closest OSHA Regional Office.
This first video provides a high-level overview of the HIPAA access rights and introduces the topics of fees, timing and sharing health information with a third party. Length 3:27
Video 2 tells the story of Hannah, who is moving across the country. At her last visit with her current doctor, Hannah asks to have a copy of her records to take with her. The video helps explain the associated fees, forms and the time it may take for Hannah to get a copy of her records. Length 5:14
Video 3 tells the story of Martin, who would like to share the health information in his medical record with a heart health application on his smartphone. The video provides information on the right to provide access to a third party, including a mobile application device. Length 3:16