Privacy issues



HIPAA, also known as the Health Insurance Portability & Accountability Act of 1996, is a public law enacted by Congress to help members of the general public protect the security and confidentiality of their medical health records. You have several rights you may assert under HIPAA which can help to further protect the privacy of your medical health records.

Information collected

The information collected by any health care provider, health care plan, or health care clearinghouse will vary in every situation. Generally the information that HIPAA strives to protect is all individually identifiable health information held or transmitted by a covered entity.


Upon entry to the hospital you will be asked to sign an authorization form. The substance of the authorization form will vary by institution, but generally, you are authorizing the hospital to treat you and to access your medical history. The authorization will also set forth any potential disclosures of your medical information and how you may go about complaining about disclosures or requesting an accounting of any disclosures.

Right to revoke

You have the right to revoke your authorization at any time. Should you decide to revoke your authorization, you should notify the hospital in writing.


All of the requirements in your medical authorization are negotiable. You have the right to request that any covered entity not share your health information with certain parties or only use your information in a way that you deem proper. Hospitals are not required to agree to your restrictions, but most have procedures in place for making accommodations.

Uses of information

In general, most institutions use your information for the purposes of treatment, payment, education and training of staff, research, family notification, advertising and fundraising. The specific uses of your information will be set out in the hospital’s HIPAA Notice of Privacy Practices packet. If you want to know how your information will be used by the relevant institution, you should request a copy of this packet.

Permitted disclosures

Under HIPAA, permitted disclosures include disclosures to you, disclosures authorized by you, disclosures for treatment, payment and health care operations, disclosures incident to an otherwise permitted use or disclosure, disclosures related to public interest and benefit activities, and limited data set information for the purposes of research, public health, or health care operations.

Required disclosures

Disclosures are required when requested by you or your personal representative, when it is feared that you may harm a third party, or for Health and Human Services compliance investigations.

Pennsylvania Statute on Alcohol and Drug Treatment

In Pennsylvania, records for treatment for drug or alcohol abuse are protected under 71 Pa.C.S 1690.108. Records of drug and alcohol treatment may not be disclosed except, “with the patient's consent and only (i) to medical personnel exclusively for purposes of diagnosis and treatment of the patient or (ii) to government or other officials exclusively for the purpose of obtaining benefits due the patient as a result of his drug or alcohol abuse or drug or alcohol dependence.”

There are only a limited number of other circumstances when your records for treatment of drug or alcohol abuse may be disclosed under Pennsylvania law.

Accounting, disclosure and access

Under HIPAA, you are permitted to access your records at any time by requesting that a copy be provided to you. Additionally, you are permitted to make amendments to your personal health information at any time by requesting that your records be amended or corrected. Health organizations are not required to make the requested amendments, but they must give careful consideration to your request.

You have the right to request an accounting of any disclosures made by health institutions with regard to your personal health information except for disclosures made for the purposes of treatment, payment, and health care operations. These accountings generally only include disclosures made within the past six years.

Minimum necessary standard

A general principle of HIPAA is that, when making disclosures, health institutions must make efforts to release only the minimum necessary amount of information. A covered entity must take steps to use, disclose, and request only the minimum amount of protected health information needed in order to accomplish the intended goal.

Health records of deceased patients

HIPAA provides that people have the same privacy rights in death as they do in life. Therefore, health care providers and facilities may only release medical records to those people authorized by the patient in writing, the executor of the patient’s estate, or a person who is deemed a personal representative by state law. A patient’s estate will only have an executor if the patient’s will is probated. In Pennsylvania, a judge will issue the personal representative of the deceased patient a document called either a “short certificate” or a “grant of letters”, which authorizes the individual to act on behalf of the deceased patient. In the absence of a written authorization from the patient prior to his/her death, proof of status as the patient’s executor, a short certificate or a grant of letters, you will not be able to obtain the medical records of a deceased patient.

Filing complaints

Before filing a formal complaint for unauthorized disclosure of your medical records, you should try to resolve the issue with the relevant health institution. If you are unable to remedy the problem, you should try contacting the following organizations to file a formal complaint.

Pennsylvania Department of Health:
Health and Welfare Building
8th Floor West
625 Forster Street
Harrisburg, PA 17120

Office of Civil Rights, Health and Human Services:

Pennsylvania Department of State:
Complaints Office
2610 North Third St.
P.O. Box 2649
Harrisburg, PA 17105

Useful links

US Department of Health: Summary of the HIPAA Privacy Rule

Georgetown University: Joy Pritts, J.D.; Your Medical Rights in Pennsylvania

Pennsylvania Department of Health: Notice of Privacy Practices for Protected Health Information

Penn Medicine: HIPAA Notice of Privacy Practices



400 Koppers Building - 436 Seventh Ave. - Pittsburgh, Pennsylvania 15219
Phone: 412-261-6161 - Fax: 412-261-3622
Copyright 2011 Allegheny County Bar Association