Fact Sheet 8b:
Medical Privacy FAQ
Privacy Rights Clearinghouse
- Does HIPAA guarantee privacy for my medical information?
- Do I have a right to my medical records?
- Do I have to pay for copies of my medical records?
- How do I get access to my own medical records?
- When can I expect to get my medical records?
- Is my consent required before my doctor can disclose my health information?
- Can a minor consent to health care without parental notification?
- Is my boss able to inquire about what kind of doctor I'm going to see when leaving work for an appointment?
- Someone has disclosed my medical history to an attorney without my written permission. What recourse, if any, is available to me under the law?
- If I request copies of my medical file, is the provider allowed to use an outside copying service such as Staples or Kinkos?
- I understand that HIPAA provides a minimum standard of privacy for medical records. How can I find out if my state has stronger laws?
- How can family members of a deceased individual obtain the deceased individual's medical information that is relevant to their own health care?
- I was injured at work and I have been asked to provide a release of my medical history for the workers' compensation case. I am not comfortable doing this. What are my rights?
- I am concerned that my health care provider outsources some of their clerical work to foreign countries. Do they need my permission before giving my medical information to someone overseas?
- Can I find out who has accessed my health records?
- What can I do if my rights under HIPAA have been violated?
- Can information about an unpaid medical bill be disclosed to a debt collector?
- Is MIB covered by HIPAA? What about MedPoint and IntelliScript?
- Are there any privacy protections for my genetic information?
- My doctor's office requires a copy of my driver's license. Can they do that?
Does HIPAA guarantee privacy for my medical information?
No. This is a major misconception about privacy in general. There is no universal privacy rule, even for sensitive medical information. Any privacy you do have depends on a number of things, primarily who has your information.
HIPAA provides some limited privacy protections. But HIPAA applies only to "covered entities": health care providers, health plans, and what HIPAA calls "health care clearinghouses" (organizations that transmit payment information electronically).
If your medical information is in the hands of your employer, the courts, or an insurer that is not covered by HIPAA, it is protected, if at all, by a different set of privacy standards.
Do I have a right to my medical records?
Yes. The HIPAA medical privacy law gives you the right to see and get copies of your own medical records. There are a few exceptions. For example, HIPAA does not give you the right to access psychotherapy notes or information compiled for use in litigation. Your request may also be denied if the provider decides access to the records could result in harm to you or another person.
In addition to HIPAA, many states have laws that allow patients or their designated representatives to access medical records. State laws may give you more, but not less, privacy than HIPAA.
Do I have to pay for copies of my medical records?
You can be charged "reasonable" fees based on the costs of materials and staff time spent copying your records. You cannot be charged for time spent searching for your records. State laws usually allow health care facilities to charge a "reasonable" fee for copying records.
You can find the answer to this and many other medical privacy questions on the Health and Human Services web site, www.hhs.gov. Click on "questions" in the upper right corner and select the privacy rule in the drop-down menu.
Also, read our HIPAA guide at www.privacyrights.org/fs/fs8a-hipaa.htm
How do I get access to my own medical records?
HIPAA requires health care providers to allow you access to your medical records upon request. The privacy notice you receive must include information about how you can obtain copies of your medical records. If a written request is necessary, the privacy notice should also tell you this.
If you receive care in a federal medical facility, you have a right to obtain your records under the federal Privacy Act of 1974 (5 USC sec. 552a, www.usdoj.gov/opcl/1974privacyact-overview.htm).
We advise that you make your request in writing. If you are denied access, you can file a complaint with the U.S. Department of Health and Human Services' Office for Civil Rights. Your state's medical privacy law might also enable you to file a complaint with state regulators. For a state-by-state guide to health privacy law, go to hpi.georgetown.edu/privacy/records.html and choose your state from the list on the right.
For a sample letter on requesting access to your medical records, see www.privacyrights.org/Letters/medical2.htm.
When can I expect to get my medical records?
HIPAA gives providers 30 days to provide the records. One 30-day extension is allowed for "good reason". State laws may give a provider less time to comply with your request.
Is my consent required before my doctor can disclose my health information?
The short answer is that your medical provider does NOT need your consent to share your medical information for treatment, payment, or what HIPAA calls health care operations.
Unfortunately, the complete answer involves an extended explanation of the federal privacy law, known as HIPAA. See our Fact Sheet 8a on HIPAA, http://www.privacyrights.org/fs/fs8a-hipaa.htm
Can a minor consent to health care without parental notification?
It depends on the situation. HIPAA, the federal privacy law, says generally that parents may receive protected health information of minors. However, HIPAA sets a minimum standard, which allows states to create stronger laws.
Some states have enacted laws allowing minors to consent to certain types of medical treatment. To see whether a minor can consent to a particular treatment, you should consult state law.
The Guttmacher Institute has a guide to state laws, available at www.guttmacher.org/pubs/tgr/03/4/gr030404.pdf (2000)
For general information on your state's medical privacy law, go to http://ihcrp.georgetown.edu/privacy/records.html and choose your state from the list on the right.
Is my boss able to inquire about what kind of doctor I'm going to see when leaving work for an appointment?
This is a question we've heard before, but unfortunately we don't have a "black and white" answer. This is an employment law question, not a HIPAA question. HIPAA only covers employers in a very limited way. Employers may, for example, receive limited information when setting group health premiums. Unless there's a workplace health or safety question involved, your doctor would ordinarily need your consent to disclose information to your employer.
Other laws, such as the Family and Medical Leave Act (FMLA), may dictate the extent of medical information your employer can ask you to provide. The U.S. Department of Labor says an employer can ask for a "certification" of serious illness.
The Department of Labor's FMLA Fact Sheet is available at http://www.dol.gov/whd/regs/compliance/whdfs28.pdf
You may want to consider whether the reason for your absence would qualify as a disability under the Americans with Disabilities Act (ADA). The government hotline for questions about the ADA is 1-800-514-0301 (voice) or 1-800-514-0383 (TTY).
It is possible the situation is covered in an employee manual or union agreement -- if your organization has a union. Your Human Resources Department should be able to tell you if either case applies.
If this is causing you problems at work, you may want to speak with an attorney. The web site www.nela.org or your local attorney referral service, listed in the telephone directory, can help you find a lawyer in your area.
Someone has disclosed my medical history to an attorney without my written permission. What recourse, if any, is available to me under the law?
You have probably heard of HIPAA, the federal rule that protects medical information. But HIPAA only applies to information disclosed by doctors, hospitals, pharmacies, and health plans.
In short, HIPAA doesn't always protect medical information. If the person who disclosed your information was not a doctor, hospital, pharmacy or a person working for your health plan, HIPAA would probably not apply. Further, federal law does not give a private individual the right to sue for violations of HIPAA. However, state laws may allow individuals to sue for violations of health privacy laws.
Only an attorney who is familiar with all the circumstances can properly advise you. You may find a name through your local attorney referral service, usually listed in the telephone directory.
If I request copies of my medical file, is the provider allowed to use an outside copying service such as Staples or Kinkos?
HIPAA allows doctors, hospitals, and other "covered entities" to disclose information to "business associates." A business associate may include individuals or companies that perform services such as copying, billing, accounting, data input and transcription. HIPAA requires that business associate agreements be in writing.
You can find more information about business associates on the DHHS web site at http://privacyruleandresearch.nih.gov/pr_06.asp. DHHS also has a sample business associate agreement, available at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.
For more information on HIPAA see our Fact Sheet 8a, available at: www.privacyrights.org/fs/fs8a-hipaa.htm
I understand that HIPAA provides a minimum standard of privacy for medical records. How can I find out if my state has stronger laws?
For general information on your state's medical privacy law, go to http://ihcrp.georgetown.edu/privacy/records.html and choose your state from the list on the right.
How can family members of a deceased individual obtain the deceased individual's medical information that is relevant to their own health care?
Note: The following answer comes from the U.S. Department of Health and Human Services Questions and Answers web site, available at www.hhs.gov/ocr/privacy/hipaa/faq/index.html
The HIPAA Privacy Rule recognizes that a deceased individual's protected health information may be relevant to a family member's health care. The Rule provides two ways for a surviving family member to obtain the protected health information of a deceased relative.
First, disclosures of protected health information for treatment purposes (even the treatment of another individual) do not require an authorization; thus, a covered entity may disclose a decedent's protected health information, without authorization, to the health care provider who is treating the surviving relative.
Second, a covered entity must treat a deceased individual's legally authorized executor or administrator, or a person who is otherwise legally authorized to act on the behalf of the deceased individual or his estate, as a personal representative with respect to protected health information relevant to such representation. Therefore, if it is within the scope of such personal representative's authority under other law, the Rule permits the personal representative to obtain the information or provide the appropriate authorization for its disclosure.
I was injured at work and I have been asked to provide a release of my medical history for the workers' compensation case. I am not comfortable doing this. What are my rights?
Workers' compensation is regulated by the states. You can contact your state Insurance Commissioner to find out what the rules for workers' compensation are in your state. You can contact your state insurance commissioner through the web site for the National Association of Insurance Commissioners, www.naic.org.
Workers' compensation is not covered by HIPAA. Other types of insurance not covered by HIPAA include:
- Disability insurance
- Coverage issued as a supplement to liability insurance
- Automobile medical payment insurance
- Coverage for on-site medical clinics
A doctor covered by HIPAA would ordinarily need your permission to disclose your medical information to a workers' compensation carrier or one of the other insurers listed above. However, since these insurers are not subject to HIPAA, a different set of privacy standards would apply once your records are in the hands of the third party.
I am concerned that my health care provider outsources some of their clerical work to foreign countries. Do they need my permission before giving my medical information to someone overseas?
Probably not. If the foreign company is considered a "business associate" under HIPAA, your permission is not required. This includes international business associates.
Services provided by a business associate can include: legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial. These business relationships are established with a written contract.
For more about business associates under the federal privacy rule HIPAA, visit our Fact Sheet on HIPAA, at www.privacyrights.org/fs/fs8a-hipaa.htm.
Can I find out who has accessed my health records?
Yes, for the most part. A listing of disclosures of your health information is required by HIPAA. You can find out who has accessed your health records for the prior six years, although there are several exceptions to the disclosure requirement.
For example, a listing is not required when records are disclosed to the many individuals who see your records for treatment, payment, and health care operations (TPO). Those involved in TPO do not need to be listed in the disclosure log. Incidental disclosures permitted under HIPAA also do not have to be accounted for.
What can I do if my rights under HIPAA have been violated?
You don't have the right to sue under HIPAA. The most you can do is file a complaint.
Every HIPAA "covered entity" is required to appoint a privacy officer. The privacy notice you receive should identify the organization's privacy officer and tell you how to contact that person. The notice should also tell you how to contact the U.S. Department of Health and Human Services (DHHS) Office for Civil Rights. This is the government office charged with enforcing the HIPAA Privacy Rule.
You must file your complaint within 180 days of the violation, but DHHS can extend that time. HIPAA says you cannot be denied treatment because you file a complaint.
For more information about filing a complaint, visit the DHHS site at www.hhs.gov/ocr/privacy/hipaa/complaints/.
Upon receipt of a complaint, the DHHS may decide to investigate and/or try to resolve the issue informally. A person or organization that is obliged to follow the Privacy Rule may face a civil fine of up to $25,000. In extreme cases, the U.S. Department of Justice (DOJ) may be called in to conduct a criminal investigation. If the DOJ becomes involved, violators could face a jail term of up to 10 years and a fine of up to $250,000.
Even though the HIPAA Privacy Rule does not give you the right to sue, other federal or state laws or regulations might give you the right to bring an action in court for violations of your privacy. If you feel your rights have been violated, you may want to discuss the situation with an attorney.
Can information about an unpaid medical bill be disclosed to a debt collector?
Yes. Your consent is not required for a disclosure of information from your medical files if the disclosure is made in connection with payment.
An unpaid bill, like any other debt claimed to be owed, may be reported to a collection agency. What's more, an unpaid medical bill can appear as a negative entry on your credit report. Information that can be disclosed to a credit bureau about you includes:
- Your name and address
- Date of birth
- Social Security number
- Payment history
- Account number
- Name and address of the health care provider or health plan that says you owe the money
A study by the Federal Reserve found that over half of all collections noted on credit reports were for unpaid medical bills, www.federalreserve.gov/pubs/bulletin/2003/0203lead.pdf. (See page 23.)
For more information about medical bills, see our Fact Sheet 8a: HIPAA Basics: Medical Privacy in the Electronic Age, www.privacyrights.org/fs/fs8a-hipaa.htm and our Fact Sheet 27: Debt Collection Practices: When Hardball Tactics Go Too Far, www.privacyrights.org/fs/fs27-debtcoll.htm.
Is MIB covered by HIPAA? What about MedPoint and IntelliScript?
MIB Group Inc. (formerly The Medical Information Bureau) is not a HIPAA covered entity. MIB is, however, a business associate of its member health insurance companies, which are covered entities. As a business associate, MIB is required by the Health Information Technology for Economic and Clinical Health Act (HITECH) to adopt safeguards that meet the standards of HIPAA's security rule.
MIB is also a consumer reporting agency that falls under the Fair Credit Reporting Act (FCRA). MIB gathers information about individuals' health history and issues reports to insurance companies when you apply for private health, life or disability insurance. Because MIB reports are governed by the FCRA, use of these reports by insurers triggers certain consumer rights. For example, if your insurance company denies you coverage based on something in an MIB report, the insurer must give you a copy of the report and instructions on how to dispute inaccurate information.
You are also entitled to a free copy of your MIB report once every 12 months. To order an MIB report, call 1-866-692-6901 or visit MIB's website at http://www.mib.com/request_your_record.html. Or, you may write to: MIB Disclosure Office, 50 Braintree Hill Park, Suite 400, Braintree, MA 02184
Two other companies are now known to compile information and issue reports to insurance companies when consumers apply for private health, disability or life insurance. MedPoint, from OptumInsight (formerly Ingenix), and IntelliScript, a database compiled by Milliman, gather information on prescription drug histories and issue reports to insurers.
If you have ever applied for private health, disability, or life insurance, you may want to find out whether either MedPoint or IntelliScript has issued a report to your insurer. To request a MedPoint report, call (888) 206-0335 or visit http://www.optuminsight.com/contact-us/customer-support/ and select "Medpoint Compliance (Consumer Requests)" from the dropdown menu. To request an IntelliScript report, call 877-211-4816.
Note: Beginning in 2014, the Affordable Care Act will make it unlawful for a health insurer to deny coverage or charge a higher premium to an applicant with a pre-existing condition. However, medical and prescription drug history reports may still be used by insurers to evaluate applicants for other types of insurance.
Are there any privacy protections for my genetic information?
A 2008 federal law, the Genetic Information Nondiscrimination Act of 2008 (GINA), prohibits employers and most health insurance plans from denying you employment or health benefits based on genetic information. Further, GINA says that neither your employer nor your health insurer can request, require or purchase genetic information about you.
For tips on how to protect the privacy of your genetic information, see the website for the non-profit organization Council for Responsible Genetics (CRG): www.councilforresponsiblegenetics.org/geneticprivacy/tips.html
My doctor's office requires a copy of my driver's license. Can they do that?
HIPAA does not dictate the kinds of information a healthcare provider can collect. However, once information that identifies you is in the files, it is considered protected health information (PHI) and thus covered by HIPAA.
Another federal rule, the Red Flags Rule, requires certain businesses to adopt programs to combat identity theft. Instances of so-called medical identity theft are on the rise. That is when someone uses your personal information to get treatment or file fraudulent insurance claims. Some providers may be more active in checking identification because of the rise in medical identity theft.
The Federal Trade Commission's Red Flags guidance for businesses points out that keeping copies of photo IDs may raise data privacy and security concerns. To read this publication, Fighting Fraud with the Red Flags Rule, go to Part D3: http://ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm
Who We Are
We are a nationally recognized consumer education and advocacy nonprofit dedicated to protecting the privacy of American consumers.