Privacy issues

About HIPAA: The Health Insurance Portability and Accountability Act

HIPAA is public law enacted by congress to help members of the general public protect the security and confidentiality of their medical health records. You have several rights you may assert under HIPAA, which can help to further protect the privacy of your medical health records.

The main changes to HIPAA under the Affordable Care Act include more stringent guidelines on how doctors and health care plans must protect your information. These new rules require health care providers covered under the act to update their Business Associate Agreements and their Notices of Privacy Practices and they will require that these providers understand the importance of encrypting electronic health information. In addition, HIPAA further restricts how health care providers can use your personal information for purposes such as marketing related services to you.

The Affordable Care Act also expands provisions in HIPAA that support administrative simplification. Although these changes have ramifications for doctors and health care providers, the protections provided to the general public are largely similar.

Because the Affordable Care Act has changed the HIPAA guidelines for health care institutions, you should request an updated HIPAA policy from your health care providers if you haven’t reviewed their HIPAA or privacy policies recently.

Information Collected

The information collected by any health care provider, health care plan or health care clearinghouse (an entity who handles transfers of information from one organization to another), will vary in every situation. Generally the information that HIPAA strives to protect is all individually identifiable health information held or transmitted by a Covered Entity.

Upon entry to the hospital you will be asked to sign an authorization form. The substance of the authorization form will vary by institution, but generally, you are authorizing the hospital to treat you and to access your medical history. The authorization will also set forth any potential disclosures of your medical information and how you may go about requesting an accounting of any disclosures. In general, the health care provider is authorized to use your personal information for their own purposes to provide appropriate care for you, and to complete billing for the services. They are also authorized to share necessary information about you with other organizations that would be considered Business Associates in order to conduct their business. These Business Associates will be held to the same privacy standards as your original health care provider.

Right to Revoke

You have the right to revoke your authorization at any time. Should you decide to revoke your authorization, you should notify the hospital in writing.

The requirements in your medical authorization are negotiable, but only to a very limited degree. You have the right to request that any Covered Entity not share your health information with certain parties or only use your information in a way that you deem proper. However, providers are not required to agree to your restrictions.

Uses of Information

In general, most institutions use your information for the purposes of treatment, payment, education and training of staff, research, family notification, advertising and fundraising. Under the Affordable Care Act some of your information may be traded among various agencies for the purpose of making sure that you are receiving all essential benefits in your health insurance coverage. The specific uses of your information will be set out in the health care provider’s HIPAA Notice of Privacy Practices packet. If you want to know how your information will be used by an institution, you should request a copy of this packet, though it is required that one be given to you at your first encounter. In addition, you have the right to ask for an accounting at any point as to who has accessed your personal information, including your medical record.

Permitted Disclosures

Under HIPAA, permitted disclosures include disclosures to you, disclosures authorized by you, disclosures for treatment, payment and health care operations, disclosures incident to an otherwise permitted use or disclosure, disclosures related to public interest and benefit activities and limited data set information for the purposes of research, public health or health care operations.

Required Disclosures

Disclosures are required when requested by you or your personal representative, when it is feared that you may harm a third party, for HHS compliance reviews and other police investigations, or when ordered by a court of law.

Pennsylvania Statute on Alcohol and Drug Treatment

In Pennsylvania, records for treatment for drug or alcohol abuse are protected under state law, which provides greater protections than HIPAA. 71 Pa.C.S 1690.108. Records of drug and alcohol treatment may not be disclosed except, “with the patient's consent and only (i) to medical personnel exclusively for purposes of diagnosis and treatment of the patient or (ii) to government or other officials exclusively for the purpose of obtaining benefits due the patient as a result of his drug or alcohol abuse or drug or alcohol dependence.”
There are only a limited number of other circumstances when your records for treatment of drug or alcohol abuse may be disclosed under Pennsylvania law.

Accounting, Disclosure and Access

Under HIPAA you are permitted to access your records at any time by requesting a copy be provided to you. Additionally, you are permitted to make amendments to your personal health information at any time by requesting that your records be amended or corrected. Health organizations are not required to make the requested amendments, but they must give careful consideration to your request.

You have the right to request an accounting of any disclosures made by health institutions with regard to your personal health information except for disclosures made for the purposes of treatment, payment and health care operations. These accountings generally only include disclosures made within the past six years.

Minimum Necessary Standard

A general principle of HIPAA is that, when making disclosures, health institutions must make efforts to release only the minimum necessary amount of information. A Covered Entity must take steps to use, disclose, and request only the minimum amount of protected health information needed in order to accomplish the intended goal.

Health Records of Deceased Patients

HIPAA provides that people have the same privacy rights in death as they do in life. Therefore, health care providers and facilities may only release medical records to those people authorized by the patient in writing, the executor of the patient’s estate, or a person who is deemed a personal representative by state law. A patient’s estate will only have an executor if the patient’s will is probated. In Pennsylvania, a judge will issue the personal representative of the deceased patient a document called either a “short certificate” or a “grant of letters,” which authorizes the individual to act on behalf of the deceased patient. In the absence of a written authorization from the patient prior to his or her death, proof of status as the patient’s executor, a short certificate, or a grant of letters, you will not be able to obtain the medical records of a deceased patient.

Filing Complaints

Before filing a formal complaint for unauthorized disclosure of your medical records, you should try to resolve the issue with the individual health care provider. If you are unable to remedy the problem, you should try contacting the following organizations to file a formal complaint. Keep in mind that you as an individual have no private cause of action against a provider for violation of HIPAA, but there are serious sanctions provided for by the law, which are enforced generally through the Office of Civil Rights, Department of Health and Human Services.

Pennsylvania Department of Health:
Health and Welfare Building
8th Floor West
625 Forster Street
Harrisburg, PA 17120

Office of Civil Rights, Health and Human Services:

Pennsylvania Department of State:
Complaints Office
2610 North Third St.
P.O. Box 2649
Harrisburg, PA 17105

Useful Links

US Department of Health: Summary of the HIPAA Privacy Rule
Georgetown University: Joy Pritts, J.D.; Your Medical Rights in Pennsylvania

Penn Medicine: HIPAA Notice of Privacy Practices