Introduction and Purpose (FAQs 1-3)
The purpose of this guide is to help you understand how to make health privacy laws work to protect your privacy. We don't offer detailed technical explanations for every provision and every nuance. Instead, this guide concentrates on those parts of health privacy laws and rules that will be most helpful to real people. Even so, this guide is not short. We encourage you to use the summary and list of questions to find what you want. If you are viewing this guide on the web site, you can also use the menu at the top to navigate to different parts of the guide.
The most important acronym we use here is HIPAA, which stands for the Health Insurance Portability and Accountability Act. HIPAA has two important parts, the health privacy rule and the security rule. We want to introduce this right away because this guide talks mostly about the HIPAA health privacy rule. The federal Department of Health and Human Services issued the HIPAA rules. The health privacy rule establishes a minimum set of health privacy practices for physicians and health plans. We will remind you repeatedly that other state and federal laws that provide stronger privacy protections remain in effect. The HIPAA rule may not be the only place to look.
In this guide, we talk about laws, rules, regulations, acts, and statutes. Lawyers can find real and technical differences between these terms, but the differences don't matter much to patients. For our purposes, the terms are generally interchangeable references to legally binding policies or obligations.
In order to keep this guide streamlined, we mostly avoid lengthy explanation of minutiae, unless absolutely necessary. This means that some sections may not include every possible detail. One way to tell that we have streamlined a section is when we use the word "generally." That word signals that there are more details, exceptions, explanations, etc. to be found in the text of the rule or elsewhere.
When we can, we offer a rule of thumb that cuts through the legalisms. Our rules of thumb are correct but may not be complete. They may leave out details, exceptions, and special cases not of great importance to the majority of people. We also look outside the formal rules and suggest other ways to accomplish reasonable privacy goals.
You can always read the rule itself (http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html) to find out what we left out. However, those who aren't used to "bureaucratese" may find the rule daunting. Most everyone will find it to be long.
1. What is the World Privacy Forum?
The World Privacy Forum is a nonprofit, non-partisan, 501(c)(3), public interest research group. The World Privacy Forum focuses its work on privacy, and health privacy is one of our core areas of work. You can find out more about our work at www.worldprivacyforum.org. You can also find out how to support our work (such as this guide) there.
The World Privacy Forum prepared the first report ever done on medical identity theft, a subset of identity theft. Medical identity theft occurs when someone uses an individual's name and sometimes other parts of their identity – such as insurance information – without the individual's knowledge or consent to obtain medical services or goods. Another variation of medical identity theft occurs when someone uses an individual's identity information to make false claims for medical services or goods. Medical identity theft frequently results in erroneous information in existing medical records, often in the name of the victim. Harms to victims include wrongful medical treatment because of the incorrect information and the use of health insurance benefits by someone not entitled to them.
If you want to learn more about medical identity theft, go to www.worldprivacyforum.org/medicalidentitytheft.html. If you think you were a victim of medical identity theft, see the FAQ for victims at www.worldprivacyforum.org/FAQ_medicalrecordprivacy.html. The answers there specifically address the needs of medical identity theft victims.
2. Where Else Can I Find Help?
If you want the official view – as well as the text of the federal health rule known as HIPAA and related materials – go to the website of the Office of Civil Rights (you will often see this office referred to as OCR) of the federal Department of Health and Human Services (HHS) at www.hhs.gov/ocr/hipaa. The website offers fact sheets, FAQs, formal summaries of the HIPAA privacy rule, and more. The official materials are formal and even useful at times, but there is a lot to wade through. We seek to tell it like it is. The Office of Civil Rights tells it like it is supposed to be. Both views have relevance.
Why does responsibility for the federal health privacy rule rest with the Office of Civil Rights? The Department had to put the health privacy function somewhere, and it chose the Office of Civil Rights. The Office of Civil Rights is also supposed to enforce violations of the HIPAA privacy rule. Some complain that the Office of Civil Rights is not very focused on health privacy. It didn't bring enforcement actions for years after the health care world had to comply with the health privacy rule.
You can find other guides to HIPAA on the Internet, but most of them are designed to help health care providers like hospitals and doctors comply with the law. Hospitals and health plans sometimes offer patient-oriented privacy materials. Overall, we were surprised at how few free, detailed patient-oriented materials are available.
The Center on Medical Record Rights and Privacy at Georgetown University's Health Policy Institute has a good website that concentrates on patient access rights. The Privacy Rights Clearinghouse has a wealth of materials on privacy in general as well as some fact sheets on medical privacy (www.privacyrights.org/medical.htm#FactSheets).
The HIPAA rule may not be the only health privacy law relevant to you. The federal HIPAA rule establishes what is called a “floor” of privacy protection. If state law or another federal law gives you more rights, greater access to your medical records, more limits on disclosure, or lower fees for copies of your medical records, then those other laws supersede HIPAA. This can be very important at times. The Health Policy Institute website can be a useful source of information about state law. The Health Privacy Project at the Center for Democracy and Technology also has policy and instructional materials about the HIPAA health privacy rule. The California Office of Privacy Protection has materials on California's state health law as well as HIPAA.
3. What Federal Laws Are Relevant to Health Privacy?
HIPAA is the most important federal health privacy law for almost everybody. Most of this guide explains what you should know about HIPAA. This guide also highlights some other federal laws that may be relevant to health privacy. There are five federal laws beyond HIPAA we think you should know about, each of which touches on privacy slightly differently.
We discuss each of these laws briefly below.
HIPAA stands for the Health Insurance Portability and Accountability Act, a 1996 federal statute. Most of this guide focuses on HIPAA. To read more about HIPAA, start with FAQ 4. To get a more complete overview of HIPAA, FAQs 4 through 12 offer a good starting point.
Privacy Act of 1974
An important federal privacy law is the Privacy Act of 1974 (www.usdoj.gov/oip/privstat.htm). The Privacy Act of 1974 covers nearly all personal records (not just health records) maintained by federal agencies and some federal contractors. It applies to military health records, veterans' records, Indian Health Service records, Medicare records, and medical records of other federal agencies. HIPAA also applies to these same federal records. So if a federal agency has medical information about you, you are entitled to the best protections in both laws. HIPAA is sometimes better, but rights under the Privacy Act of 1974 are often better than HIPAA.
You can learn more about the Privacy Act of 1974 from a guide published by the Department of Justice. Warning: The Privacy Act of 1974 is just as complicated as HIPAA, and maybe even more so. Remember that the Privacy Act of 1974 does not apply to most hospitals, clinics, or physicians. The Privacy Act of 1974 does not apply to them just because they may receive federal funds or are tax-exempt. Remember, the Act applies to federal agencies, not federal funds recipients.
Confidentiality of Alcohol and Drug Abuse Patient Records Regulations
The Confidentiality of Alcohol and Drug Abuse Patient Records Regulations are an important set of federal rules for some health records. These rules provide privacy protections for medical records of federally funded substance abuse (alcohol and drug abuse) health care providers.
The Substance Abuse and Mental Health Services Administration (SAMHSA) administers the alcohol and drug abuse rules. SAMHSA is part of the Department of Health and Human Services. You can find a document there that discusses how HIPAA and the substance abuse privacy rule relate. However, there are few other useful privacy materials at the SAMHSA website.
Family Educational Rights and Privacy Act
Health records at most schools and colleges (at least those receiving federal funds) are not covered by HIPAA but by the Family Educational Rights and Privacy Act (FERPA). You will find more information about FERPA and a link later in this guide. (See FAQ 9.) In general, FERPA's protections are better than HIPAA's in some ways and not as good in others. If you can't wait, you will find joint HHS-Department of Education guidance on student health records at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf. If you have not looked at FERPA recently, you should be aware that the Department of Education updated the FERPA regulation at the end of 2008.
Americans with Disabilities Act
The Americans with Disabilities Act (ADA) provides employees with disabilities some protections against discrimination in the workplace. The law includes limited workplace privacy protections as well. You can learn more about the ADA at the Equal Employment Opportunity Commission's website, www.eeoc.gov/types/ada.html.
Genetic Information Nondiscrimination Act (GINA)
The Genetic Information Nondiscrimination Act provides some federal protection from genetic discrimination in health insurance and employment. Genetic discrimination occurs when people are treated differently by their employer or insurance company because they have a genetic change that causes or increases the risk of an inherited disorder. GINA is a federal law designed to protect people in the United States from this form of discrimination. Most states have similar laws.
Title I of GINA makes it illegal for health insurance providers to use or require genetic information to make decisions about a person's insurance eligibility or coverage. This part of the law goes into effect on May 21, 2009. Title II makes it illegal for employers to use a person's genetic information when making decisions about hiring, promotion, and several other terms of employment. This part of the law goes into effect on November 21, 2009. For more on GINA, see ghr.nlm.nih.gov. GINA has been controversial in some respects. Some think that the protections of GINA are not all that useful. Others see many loopholes in the GINA protections. See www.aacc.org.
Some other federal privacy laws may apply at times to health records held by some records keepers (e.g., banks and credit bureaus). For example, in 2008, the Federal Trade Commission issued Red Flag rules that tell creditors (including some health care providers) what to do to look for cases of identity theft. See www.ftc.gov/opa/2007/10/redflag.shtm and www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf. We don't think that these laws are relevant enough to most people to explain here. If you want to know more about the Red Flag rules, see the World Privacy Forum report Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers at www.worldprivacyforum.org/pdf/WPF_RedFlagReport_09242008fs.pdf.