Patient’s Guide to HIPAA – Overview: (FAQ 1-3)
Introduction and Purpose
The purpose of this guide is to help you understand how to make health privacy laws work to protect your privacy. We don’t offer detailed technical explanations for every provision and every nuance. Instead, this guide concentrates on those parts of health privacy laws and rules that will be most helpful to real people. Even so, this guide is not short. We encourage you to use the summary and list of questions to find what you want. If you are viewing this guide on the web site, you can also use the menu at the top to navigate to different parts of the guide.
The most important acronym we use here is HIPAA, which stands for the Health Insurance Portability and Accountability Act. HIPAA has several important parts, including the health privacy rule and the security rule. We introduce this right away because this guide talks mostly about the HIPAA health privacy rule. The federal Department of Health and Human Services issued the HIPAA rules. The health privacy rule establishes a minimum set of health privacy practices for physicians and health plans. We will remind you repeatedly that other state and federal laws that provide stronger privacy protections remain in effect. The HIPAA rule may not be the only place to look.
In this guide, we talk about laws, rules, regulations, acts, and statutes. Lawyers can find real and technical differences between these terms, but the differences don’t matter much to patients. For our purposes, the terms are generally interchangeable references to legally binding policies or obligations.
In order to keep this guide streamlined, we mostly avoid lengthy explanation of minutiae, unless absolutely necessary. This means that some sections may not describe every possible detail of a rule. One way to tell that we have streamlined a discussion is use of the word generally. That word signals that there are more details, exceptions, explanations, etc., in the text of the rule or elsewhere.
When we can, we offer a rule of thumb that cuts through the legalisms. Our rules of thumb are correct but may not be complete. They may leave out details, exceptions, and special cases not of great importance to the majority of people. We also look outside the formal rules and suggest other ways to accomplish reasonable privacy goals.
You can always read the full rule itself to find out what we left out: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html. However, those who aren’t used to “bureaucratese” may find the rule daunting. Most everyone will find it to be long. There’s a “redline” version of the HIPAA rule with the 2013 changes posted by a law firm; this is available at http://www.jdsupra.com/legalnews/be-prepared-redline-version-of-the-hipa-44999/. The redline shows the changes from the previous version of the rule. Another website has the current version of the rule without any marking of the 2013 changes, and this may be easier for some to use: http://www.hipaasurvivalguide.com/hipaa-regulations/164-501.php.
Feel free to look around the HHS website at http://www.hhs.gov/ocr/privacy/ or at http://www.hhs.gov/ocr/privacy/hipaa/administrative/index.html for other helpful materials. HHS has its own FAQ on HIPAA at http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html. Many of the questions there provide answers for those implementing the law, but patients may learn something useful as well.
FAQ 1: What is the World Privacy Forum?
The World Privacy Forum is a nonprofit, non-partisan, 501(c)(3), public interest research group. The WPF focuses on privacy, especially health privacy. You can find out more about our work at http://www.worldprivacyforum.org.
The WPF prepared the first report ever done on medical identity theft, a subset of identity theft, coining the term and bringing the problem to public attention. Medical identity theft occurs when someone uses an individual’s name and sometimes other parts of their identity – such as insurance information – without the individual’s knowledge or consent to obtain medical services or goods. Another variation of medical identity theft occurs when someone uses an individual’s identity information to make false claims for medical services or goods. Medical identity theft frequently results in erroneous information in existing medical records, often in the name of the victim. Harms to victims include wrongful medical treatment because of the incorrect information and the use of health insurance benefits by someone not entitled to them.
If you want to learn more about medical identity theft, go to http://www.worldprivacyforum.org/2012/04/resource-page-medical-identity-theft/. If you think you were a victim of medical identity theft, see the FAQ for victims at http://www.worldprivacyforum.org/2012/04/faq-medical-id-theft-victims-how-to-recover-from-medical-id-theft/. The answers there specifically address the needs of identity theft victims.
FAQ 2: Where Else Can I Find Help?
If you want the official view – as well as the text of the federal health rule known as HIPAA and related materials – go to the website of the Office of Civil Rights (you will often see this office referred to by its acronym, OCR) of the federal Department of Health and Human Services (HHS) at http://www.hhs.gov/ocr/privacy/. The website offers fact sheets, FAQs, formal summaries of the HIPAA privacy rule, and more. The official materials are formal and even useful at times, but there is a lot to wade through. We seek to tell it like it is. The Office of Civil Rights tells it like it is supposed to be. Both views have relevance.
Why does responsibility for the federal health privacy rule rest with the Office of Civil Rights? The Department had to put the health privacy function somewhere, and it chose the Office of Civil Rights. The Office of Civil Rights is also supposed to enforce violations of the HIPAA privacy rule. Some complained that the Office of Civil Rights was not focused on health privacy. It didn’t bring enforcement actions for years after the health care world had to comply with the health privacy rule. However, enforcement by OCR has been much more aggressive recently, and you have a reasonable chance that your complaint will receive appropriate attention. In fact, there’s a much greater chance that a health privacy complaint at OCR will result in an investigation than a similar privacy complaint will result in action by the Federal Trade Commission.
You can find other guides to HIPAA on the Internet. However, most of them are for health care providers like hospitals and doctors trying to comply with the law. Hospitals and health plans sometimes offer patient-oriented privacy materials. Overall, we were surprised at how few free, detailed patient-oriented materials are available.
Consumer Action has materials on health privacy for California patients at http://www.consumer-action.org/english/articles/health_records_privacy_in_california. That information is also available in Spanish at http://www.consumer-action.org/spanish/articles/health_records_privacy_in_california_sp. Consumer Action has other health privacy resources as well at http://www.consumer-action.org/.
The HIPAA rule may not be the only health privacy law relevant to you. The federal HIPAA rule establishes a “floor” of privacy protection. If state law or another federal law gives you more rights, greater access to your medical records, more limits on disclosure, or lower fees for copies of your medical records, then those other laws supersede HIPAA. This can be very important at times. The Center for Law, Ethics, and Applied Research in Health Information at Indiana University’s database on state health privacy laws (http://clearhealthinfo.iu.edu/sites/clearhealthinfo.iu.edu/files/Copy%20of%20StateHealthInfoLaws.aggregate%20chart%201.1.12.xls) has citations of state health privacy laws and may be the most up-to-date resource. Once you have the citations, you have to look to find the laws. Knowing where to look is half the battle, however. There are Internet resources for state law in many places. There’s a very expensive state law resource at http://www.statehipaastudy.com/, but you might be able to do a few free searches. Always look carefully to see if the information on these websites is current. It may be hard to tell.
Be aware that state laws change, and the information on any state law website can be outdated. Pay attention to the dates of any discussion of state laws.
If the Privacy Act of 1974, a law applicable to federal agencies like Medicare and the Department of Veterans Affairs, is relevant to you, you can find a guide at https://www.fas.org/sgp/foia/citizen.html. Federal agencies subject to HIPAA and the Privacy Act of 1974 must give you the best of both laws.
FAQ 3: What Federal Laws Are Relevant to Health Privacy?
HIPAA is the most important federal health privacy law for almost everybody in the United States. Most of this guide explains what you should know about HIPAA.
We also highlight some other federal laws that may be relevant to your health privacy. There are five federal laws beyond HIPAA we think you should know about. Each of these touches on privacy in a slightly different way.
- Privacy Act of 1974
- Confidentiality of Alcohol and Drug Abuse Patient Records Regulations
- Family Educational Rights and Privacy Act (FERPA)
- Americans with Disabilities Act (ADA)
- Genetic Information Nondiscrimination Act (GINA)
We discuss each of these other laws briefly below.
Privacy Act of 1974
An important general purpose federal privacy law is the Privacy Act of 1974 (http://www.law.cornell.edu/uscode/text/5/552a). The Privacy Act of 1974 covers nearly all personal records (not just health records) maintained by federal agencies and some federal contractors. It applies to military health records, veterans’ records, Indian Health Service records, Medicare records, and medical records of other federal agencies. HIPAA also applies to most of those same federal records. So if a federal agency has medical information about you, you are entitled to the best protections in both laws. HIPAA is sometimes better, but rights under the Privacy Act of 1974 are often better than HIPAA.
You can learn more about the Privacy Act of 1974 from a detailed guide published by the Department of Justice (http://www.justice.gov/opcl/1974privacyact-overview.htm). Warning: The Privacy Act of 1974 is just as complicated as HIPAA, and maybe even more so because there have been decades of litigation under the Privacy Act of 1974 (and very little under HIPAA). Remember that the Privacy Act of 1974 does not apply to most hospitals, clinics, or physicians. The Privacy Act of 1974 does not apply to them even though they may receive federal funds or are tax-exempt. Remember, the Act applies to federal agencies, not federal funds recipients.
Confidentiality of Alcohol and Drug Abuse Patient Records Regulations
The Confidentiality of Alcohol and Drug Abuse Patient Records Regulations (42 Code of Federal Regulations Part 2) are an important set of federal rules for some health records. These rules provide privacy protections for records of federally funded substance abuse (alcohol and drug abuse) health care providers. You can find more information at http://www.samhsa.gov/HealthPrivacy/ and http://www.gpo.gov/fdsys/pkg/CFR-2000-title42-vol1/pdf/CFR-2000-title42-vol1-part2.pdf.
Rule of Thumb
The alcohol and drug abuse rules contain the strictest privacy protections of just about any law. The rules allow many fewer disclosures than HIPAA, and the restrictions generally follow the records. That means that if a record is subject to the rules, it remains subject to the rules if the record is disclosed to anyone. That is a very unusual but very privacy protective policy.
The Substance Abuse and Mental Health Services Administration (SAMHSA) administers the alcohol and drug abuse rules. SAMHSA is part of the Department of Health and Human Services. You can find a document that discusses how HIPAA and the substance abuse privacy rule relate at http://www.samhsa.gov/HealthPrivacy/docs/SAMHSAPart2-HIPAAComparison2004.pdf.
Family Educational Rights and Privacy Act (FERPA)
Health records at most schools and colleges (at least those receiving federal funds) are not covered by HIPAA but by the Family Educational Rights and Privacy Act (FERPA). You will find more information about FERPA and a link later in this guide. (See FAQ 9.) In general, FERPA’s protections are better than HIPAA in some ways and not as good in others. There’s a simple Q&A on FERPA and HIPAA at http://www.hhs.gov/ocr/privacy/hipaa/faq/ferpa_and_hipaa/513.html, and a more detailed guide at http://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdf. Be warned that the interplay between HIPAA and FERPA can be very complex.
Americans with Disabilities Act (ADA)
The Americans with Disabilities Act (ADA) provides employees with disabilities some protections against discrimination in the workplace. The law includes limited workplace privacy protections as well. You can learn more about the ADA at the Equal Employment Opportunity Commission’s website: http://www.eeoc.gov/laws/types/disability.cfm.
Genetic Information Nondiscrimination Act (GINA)
The Genetic Information Nondiscrimination Act provides some federal protection from genetic discrimination in health insurance and employment. Genetic discrimination occurs when people are treated differently by their employer or insurance company because they have a genetic change that causes or increases the risk of an inherited disorder. GINA is a federal law designed to protect people in the United States from this form of discrimination. Most states have similar laws.
Title I of GINA makes it illegal for health insurance providers to use or require genetic information to make decisions about a person’s health insurance eligibility or coverage. This part of the law went into effect on May 21, 2009. Title II makes it illegal for employers to use a person’s genetic information when making decisions about hiring, promotion, and several other terms of employment. This part of the law went into effect on November 21, 2009. For more on GINA, see http://ghr.nlm.nih.gov/spotlight=thegeneticinformationnondiscriminationactgina. GINA has been controversial in some respects. Some think that the protections of GINA are not all that useful. The privacy provisions of GINA are discussed briefly in FAQ 55.
Some other federal privacy laws may apply at times to health records held by some records keepers (e.g., banks and credit bureaus). We don’t think that these laws are relevant enough to most people to explain here. There are other general privacy resources at the World Privacy Forum website (www.worldprivacyforum.org) and at the website of the Privacy Rights Clearinghouse (http://privacyrights.org).