hipaa logo

Part 1: Learning About HIPAA (FAQs 4 - 12)

 

4. What is HIPAA and Why Should You Care?

You can't get very far into health privacy without running across the acronym HIPAA, which stands for the Health Insurance Portability and Accountability Act, a 1996 federal statute. Although many people associate HIPAA just with health privacy, the Act actually covers many topics unrelated to privacy. The part of the Act relevant to privacy directs the Department of Health and Human Services to write a health privacy rule. The rule took effect on April 14, 2003. Some refer to it as the health privacy rule, the HIPAA rule, or just plain HIPAA. Other HIPAA rules also exist, but they don't relate to health privacy. When we say HIPAA in this document, it means the HIPAA health privacy rule unless we state otherwise.

SIDEBAR:

People often incorrectly abbreviate HIPAA as HIPPA (two Ps rather than two As). If you do an Internet search for "hippa," you may be surprised at how often the wrong acronym is used. For extra credit, see how many law firms you can find that use the wrong abbreviation or give the law the wrong name.

Another part of the HIPAA statute relevant here is the provision that requires the health care world to comply with security standards for medical information. This is the HIPAA security rule. HHS issued security standards under the authority granted by HIPAA and made the Centers for Medicare & Medicaid Services (CMS) responsible for the HIPAA security standards. You can learn more at www.cms.hhs.gov/SecurityStandard.

We won't cover the security rule in detail here because it is of interest primarily to health care providers and insurers who have to implement it. Of course, we acknowledge that security of health information is important, but patient privacy rights are found only in the HIPAA health privacy rule. To learn more about the HIPAA security rule, see www.cms.hhs.gov/SecurityStandard/.

SIDEBAR:

You may have noticed that different components of the Department of Health and Human Services have health privacy or security responsibilities. For example, the Office of Civil Rights handles the HIPAA health privacy rule. The Centers for Medicare and Medicaid handles the HIPAA security rule. The Substance Abuse and Mental Health Services Administration handles the alcohol and drug abuse rules. Does that makes you wonder about the diversity of responsibilities for health privacy within a single federal department? We wonder too.

 

5. Who is a Patient?

Interestingly, HIPAA does not use the term patient. Not everyone who is the subject of a health record is a patient. For example, you may be the beneficiary of a health insurance policy. The insurer has information about you, but you are not the insurer's patient. Even if that information is only your name, address, and plan number, it is protected health information (PHI) under HIPAA. The HIPAA rule addresses this problem by using the term individual, but we find that term a bit jarring. We use the more familiar term patient here because just about everyone is a patient eventually. HIPAA's individual and our patient are identical. (For more about what we mean by the term protected health information, see FAQ 8.)

SIDEBAR:

The individual who is the subject of a health file is who we mean by patient. Information about one individual may appear in someone else's file. For example, information about your health condition may be part of your sibling's family history. Generally, you only have rights under HIPAA with respect to information in your health file held by a covered entity.

 

6. Do Children Have Privacy Rights?

The basic answer is that if a child has a right to make a health care decision about himself or herself, then the child has the right to control information associated with that decision. Otherwise, a parent or guardian or person acting in loco parentis can exercise privacy rights on behalf of a child.

To state the rule more specifically, a child can exclusively exercise his or her own privacy rights with respect to a health care service if:

  • the child is emancipated;
  • the child consents to the health care service and no other consent is needed;
  • the child may lawfully obtain the service without a parent's consent; or
  • the parent or guardian has consented to an agreement of confidentiality between the child and the health care provider. The legal technicalities can make a big difference here.

In addition, a special rule covers cases where a covered entity has a reasonable belief that the child is a victim of domestic violence, abuse, or neglect. (A covered entity can be a hospital or health care provider required to comply with HIPAA. For more on what is a “covered entity,” see FAQ 9.) The covered entity may decide that it is not in the best interest of the abused child to allow the parent to act on behalf of the child.

It gets more complicated because the HIPAA rule recognizes that States may have other policies governing privacy, health, and children. When state law specifically addresses disclosure of health information about a minor to a parent or guardian, that law preempts (supersedes) HIPAA whether it prohibits, mandates, or allows discretion about a disclosure.

Rule of thumb:

Normally, HIPAA defers to a stronger state law. However, for minors, HIPAA defers to all state law, whether stronger or weaker.

When does a child become an adult? That depends entirely on state law.

 

7. Do Privacy Rights Survive Death?

Yes. Under HIPAA, a patient's privacy rights survive death and last forever. We are not sure how much sense that makes, but that is what the rule provides. A deceased patient's legally authorized executor or administrator, or a person who is otherwise legally authorized to act on the behalf of the deceased patient or patient's estate, can exercise the privacy rights of a patient.

It is important to know that disclosures for treatment do not require consent or authorization of the patient or the patient's representative. That means, for example, if information about the deceased patient is relevant to the care of the surviving spouse, the information can be disclosed to the health care provider for the surviving spouse.

Privacy for the dead can be especially messy when questions arise in the period after death and before anyone is formally authorized to act for the patient or the patient's estate. For many individuals, there may be no formal legal process following death. These questions are often best resolved with more attention to common sense and less attention to legal formalities. A doctor is more likely to know the best thing to do, and a lawyer is more likely to get in the way. The authority in the HIPAA rule that permits disclosure of information to a patient's caregiver may also help resolve problems during that period.

 

8. What's a Health Record?

HIPAA introduces the term protected health information or PHI. The actual definition is a conglomeration of nested and complex terms with even longer exceptions. It is too messy to bother with here. Instead, we offer a rule of thumb that will work just fine most of the time.

 

Rule of thumb:

Any information that a covered entity (e.g., health care provider or insurer) has about you is PHI. It doesn't matter if the information is medical, financial, or otherwise. We tend to use the more traditional term – health record or medical record – here, but we mean PHI.

 

SIDEBAR:

A common myth about the HIPAA privacy rule is that it only covers electronic information. That is false. The health privacy rule applies to PHI in any form or medium. If a covered entity records your information on paper, computer disk, or tree bark, it is subject to HIPAA. However, the HIPAA security rule only applies to electronic Protected Health Information. For more on covered entities, see FAQ 9.

 

9. Which Health Care Entities Must Comply With HIPAA?

HIPAA doesn't apply to every health record keeper or to every health record. Only covered entities must comply with HIPAA. Get used to the term covered entity because it comes up a lot. HIPAA recognizes and regulates three types of covered entities.

If your medical information is maintained by or for a covered entity, it is usually protected by HIPAA. If your medical information is not maintained by or for a covered entity, it is usually not protected by HIPAA. The covered entity concept is complicated, and we will explain business associates and hybrid entities later in this FAQ.

Covered entities under HIPAA are:

HEALTH CARE CLEARINGHOUSES

Health care clearinghouses transmit information (typically claim and billing information) between other players in the health care system. For example, a hospital may send the bill for your treatment to a health care clearinghouse that will reformat and submit the information to your insurance company. Clearinghouses are of no interest to the average patient because their function is usually invisible. Patients rarely, if ever, come into contact with them. But clearinghouses have the same obligations as other covered entities, and that is important if you do have an issue with a clearinghouse. Otherwise, don't worry about clearinghouses. We won't mention them again.

HEALTH PLANS

Health plans are covered entities. Health insurers, health maintenance organizations (HMOs), and Medicare are examples of health plans subject to HIPAA.

HEALTH CARE PROVIDERS

Health care providers are covered entities, at least most are. Generally, a health care provider is a doctor, hospital, dentist, podiatrist, pharmacist, laboratory, optometrist, and just about anyone else licensed to provide health care. The formal legal definition of health care provider is so complex that it makes lawyers wince.

It is important to understand that not all providers are subject to HIPAA. It generally depends on whether a provider bills (directly or indirectly) for services electronically. The reason for this odd, even silly, standard has to do with the structure of the health care system and the Department of Health and Human Service's authority to regulate. Unless you are a policy wonk, you probably don't want to know more.

Rule of thumb

A simple rule of thumb is that any provider who bills an insurance company or health plan is a covered entity under HIPAA. If your doctor accepts Medicare, for example, the doctor is a covered entity. A free health clinic may not be subject to HIPAA because it doesn't bill anyone. A doctor who charges every patient $25 cash and does not submit a bill to any insurance company may not be covered by HIPAA. A first aid room at your workplace may or may not be covered by HIPAA. If you want to know if the organization you are dealing with is a HIPAA covered entity, ask. If you don't get a straight answer, ask for a copy of its privacy policy. If has a privacy policy, the policy will explain about HIPAA's application. If it doesn't have a written privacy policy, then it is either not covered by HIPAA or it is violating the rule.

SIDEBAR:

Hybrid Entities (Supermarket pharmacies, etc. )

Do you use a pharmacy at a supermarket? If so, the pharmacy's records are subject to HIPAA because the pharmacy is a health care provider that submits electronic bills. What about the records that the supermarket maintains as part of its frequent shopper program? The answer is the supermarket's other customer records are almost certainly not protected by HIPAA. An organization with both health care functions and other functions can define itself as something called a hybrid entity. HIPAA will then apply only to the part of the organization that does health care and not to the rest. This should all be explained in the covered entity's notice of privacy practices.

SCHOOL HEALTH RECORDS

Most school health records are not subject to HIPAA. Instead, schools records (private schools are a major exception) are usually covered by another federal privacy law, the Family Educational Rights and Privacy Act (FERPA). The federal Department of Education administers FERPA. A school nurse is likely to be subject only to FERPA. A university hospital that runs a student clinic on behalf of the university is also subject to FERPA. However, other university hospital records about students could be subject to HIPAA, depending on the circumstances. The relationship between HIPAA and FERPA is very complicated. For more, see www.ed.gov/policy/gen/guid/fpco/ferpa/index.html.

Which law is better for privacy? Privacy rights under FERPA can be better in some ways than under HIPAA and worse in other ways.

OTHER RECORD HOLDERS

Who else has health records but isn't subject to HIPAA? Many organizations have health information about you are not subject to HIPAA. The list of unregulated health record keepers is shockingly long. These include gyms, health websites not offered by covered entities, Internet search engines, life and casualty insurers, Medical Information Bureau, employers (but this one is complicated), worker's compensation insurers, banks, credit bureaus, credit card companies. many health researchers, National Institutes of Health, cosmetic medicine services, transit companies, hunting and fishing license agencies, occupational health clinics, fitness clubs, home testing laboratories, massage therapists, nutritional counselors, alternative medicine practitioners, disease advocacy groups, marketers of non-prescription health products and foods, and some urgent care facilities. Providers of Personal Health Records, such as Google and Microsoft, have health records but are not covered entities. However, PHR maintained by your health care provider or insurer may be covered by HIPAA.

SIDEBAR:

Did you wonder why a hunting and fishing license agency made this list of organizations with health records? Some states give discounted licenses to those who are disabled. How do you prove entitlement to a discount? You have to provide adequate medical information to the agency. This is just one reason why your medical information can end up in the hands of many different types of organizations that have no direct health care or payment responsibilities. This example illustrates how complicated it can be to protect the privacy of health information. The information turns up in places that you might not expect.

SIDEBAR:

Is your PHR protected?

If an organization or a business maintains a Personal Health Record (PHR) for you, that PHR may not always fall under HIPAA's protections. Be cautious with PHRs because they are the subject of much attention and promotion. Many companies are trying to get in the business of storing your health records for you, especially online. But you need to know that unless a health care provider or insurer maintains the PHR, HIPAA does not apply. HIPAA may not even apply if a provider of insurer maintain the PHR. You must read the privacy policy to know.

Here's the most important point: if you give a commercial, advertising-supported PHR service consent to store your records, the records are probably not protected by HIPAA. The PHR service may be able to exploit the records as it pleases, subject only to its own policy. If you read the PHR company's policy carefully, we bet that it says that the company can change the policy at any time. We would not give our health records to an advertising-supported PHR service not covered under HIPAA because it is easy for companies to change their privacy policies at a moment's notice. This means that you can lose control of your sensitive health record information to the whims of a third party of if the company merges with another or goes bankrupt. For more on PHRs, see the World Privacy Forum PHR page or the our report, Personal Health Records: Why Many PHRs Threaten Privacy at www.worldprivacyforum.org/pdf/WPF_PHR_02_20_2008fs.pdf.

A health record covered by HIPAA can lose its privacy protection if transferred to a third person who is not a HIPAA covered entity. This is a very important aspect of HIPAA. Some would call it a loophole. We offer four examples of how you may see it in daily life. However, each of our examples has a weasel word (“probably”) because the rule is complicated. If we stopped to explain this kind of thing further, this document would quadruple in size.

  • You tell your doctor to give part of your health records to your employer to explain your absence from work. The record will probably not be subject to HIPAA in the hands of your employer.
  • A health researcher obtains your health records for use in an authorized research project. The records probably have no HIPAA protection in the hands of the researcher. However, if the researcher is treating you as part of the research (as in a clinical trial), then HIPAA may apply.
  • You apply for life insurance, and the insurance company obtains your health records with your consent. The records are not subject to HIPAA in the hands of the insurance company, but they may be subject to a state insurance privacy law. Some of the information you authorize the insurer to have may also end up at the Medical Information Bureau (MIB), another organization not subject to HIPAA. If you read the fine print in your application/authorization, you will learn that you authorized disclosure to MIB as well. MIB is subject to the Fair Credit Reporting Act, a different privacy law.
  • Your doctor tells you that you have a communicable disease (e.g., tuberculosis). The doctor must report your illness to the state public health department. The part of the health department that received your record is probably not subject to HIPAA.

We could list additional examples, but we offer a rule of thumb instead.

Rule of Thumb:

If a covered entity discloses a health record to anyone who isn't a covered entity, the record is generally outside the scope of HIPAA in the hands of the recipient. This is a major way that health records escape from privacy protections.

If a covered entity hires another company to perform a function that requires access to health information, that other company may be a business associate of the covered entity. A business associate of a covered entity is technically not subject to HIPAA. However, the covered entity must have a contract with each business associate that requires the business associate to comply with all relevant HIPAA provisions. The basic idea is that a covered entity cannot avoid the privacy rule by hiring someone else to process health records. The rules defining business associates are complicated and not that important from a patient perspective. Remember that even if a business associate holds your record, the covered entity that hired the business associate is still responsible to see that the record receives proper protections.

If you share health information with your family, a neighbor, or co-worker, the information that you share is not protected under HIPAA in the hands of the recipient. If you share your health information with a website that isn't a covered entity under HIPAA, then the information you disclosed is not protected under HIPAA in the hands of the website. This is a complex area that has created a lot of confusion among some consumers. Web sites that are medical web sites may very well not be covered under HIPAA, even if they say they are “HIPAA-compliant.”

See Rule of Thumb below, HIPAA Compliant, or HIPAA Covered?

Rule of Thumb:

HIPAA Compliant, or HIPAA Covered?

If a company is not covered by HIPAA, it may still say that it is “HIPAA compliant.” HIPAA compliant does not mean the same thing as being a HIPAA covered entity. If you see the words HIPAA compliant, find out if the company is a HIPAA covered entity. This is a yes or no question; there is no “maybe” answer here. If a company is HIPAA compliant but not a HIPAA covered entity, we urge caution.

 

10. What are Fair Information Practices and How Do They Relate to HIPAA?

If you read the HIPAA privacy rule – and stayed awake while doing it – the rule would appear to be a welter of detailed and uncoordinated provisions. It actually has a structure, but that structure is difficult to appreciate unless you know about Fair Information Practices, or unless you read the Preamble to the rule. The rule implements Fair Information Practices (FIPs), an established set of principles for addressing concerns about information privacy. FIPs are especially significant because they form the basis of many privacy laws in the United States and, to a much greater extent, around the world. Understanding FIPs makes it easier to make sense of the HIPAA privacy rules.

The eight FIPs generally recognized are:

  1. Openness;
  2. Use Limitation;
  3. Purpose Specification;
  4. Collection Limitation;
  5. Data Quality;
  6. Security;
  7. Access and Correction; and
  8. Accountability.

We could discuss FIPs here in more detail, but it would be a distraction. Different versions of FIPs exist, and the actual application of FIPs to any set of personal records can be complex, variable, and controversial. We just want you to know that there are basic principles of information privacy that HIPAA (mostly) implements. You can read a short introduction to FIPS here: http://www.worldprivacyforum.org/fairinformationpractices.html. Understanding FIPs is not essential to understanding HIPAA, but it may help some people. But if you are interested, you can find a short (ten pages or so) history of FIPs at www.bobgellman.com/rg-docs/rg-FIPshistory.pdf.

SIDEBAR:

Fair Information Practices are important for information privacy other than health. Whenever you consider whether any record keeper is properly protecting the privacy of your personal information, you can use FIPs as a checklist for assessing privacy practices. If you see a privacy policy for an Internet site, a bank, or another company, try to determine if the policy addresses all eight FIPs. If it doesn't, then you already know that the policy isn't as good as it could be or should be. When a policy addresses FIPs, see how good a job the policy does in protecting your privacy. For example, a good policy may say that personal information is only disclosed when required by law or for necessary business purposes. A mediocre policy may allow for disclosure to affiliates for marketing or when disclosure is allowed by law. Allowed can be a major weasel word in a privacy policy. A weak policy may not address disclosure at all.

 

11. Does HIPAA Protect Privacy?

This is a tough question to answer. Health care providers generally care about privacy, but health care providers have only some control over the records of their patients. Our complicated health care treatment and payment system places patient health information in the hands of many different providers, insurers, agencies, and others. Overall, we believe that the health care system mostly paid lip service to privacy before HIPAA. How many hospitals offered you a notice or privacy practices before HIPAA? How many trained their staff in privacy? How many told you that you had a right to see and copy your own records? Before HIPAA, active privacy policies were a rarity in health care. By this measure, HIPAA made some definite improvements.

Our health care system – with third-party payors and lots of government involvement (e.g., Medicare) – places many demands on health records. Everyone wants low-cost, high-quality health care for all. Achieving these objectives often affects privacy in negative ways. The trade-offs can be sharp. HIPAA is decidedly a mixed bag for privacy. It does good things and not-so-good things. It protects privacy rights and undermines those rights at the same time.

HIPAA gives each patient some rights. There are seven formal rights, not all of which are new everywhere. (See the heading Basic Patient Rights to learn more about the seven rights HIPAA gives patients). However, some of the new rights are not especially meaningful. HIPAA also permits many uses and disclosures of health records without the patient's consent. Many will find some of these uses and disclosures objectionable. A patient doesn't have the opportunity to control most uses or disclosures of his or her records.

If you just look at the disclosure provisions, then you might conclude that HIPAA allows many disclosures that you may not think are appropriate. For good or bad, many of those disclosures were routine before HIPAA. However, if you consider the overall state of privacy protections before HIPAA, you might see a marked improvement in many aspects of privacy today.

So does HIPAA protect privacy? Everyone is entitled to his or her own answer to this question. We prefer to say that HIPAA offers patients Fair Information Practices. (See FAQ 10.) Whether the implementation of Fair Information Practices in HIPAA meets your own standards for privacy is for you to say. Everyone has different privacy needs, preferences, and desires. The proper health privacy standards are subject to much debate.

 

12. How to Solve Problems Presented by HIPAA

In this guide, we point out some shortcomings with the HIPAA rule. The rule doesn't require covered entities to do everything that you might want. It may not protect privacy sufficiently or define your rights as expansively as you think it should.

In many instances, deficiencies in the rule can be addressed when covered entities (See FAQ 9) and patients work together in good faith to address problems that arise. The rule generally doesn't prevent covered entities from treating patients better than the rule requires.

We suggest that when the rule doesn't give you a formal right that you think is reasonable, ask the covered entity to consider doing what you need anyway. The rule gives a covered entity discretion to take actions that can benefit patients and their privacy. If you ask politely and persistently for help, you may get it. If one person won't bend the rules or procedures, then ask another person a supervisor, or to the Privacy Officer at the covered entity. Try to work cooperatively with the covered entity.

SIDEBAR:

This is a real story. A patient parks his car in a parking lot adjacent to a doctor's office. Another individual leaves the doctor's office, gets in her car, and backs into the car of the patient who just arrived. The damage is minor. The driver is not aware of the accident and drives away. The arriving patient goes into the doctor's office to ask for the name and address of the patient who just left. Under the HIPAA rule, the office could not disclose the name of the patient driving the other car. None of the disclosure exceptions applies. However, the doctor's office does the right thing, something not required by HIPAA. It calls the driver and asks her to speak to the owner of the car that she hit. The driver agrees, and the problem is solved. The office facilitates the exchange of information between the two patients, but it discloses no information in violation of HIPAA. The two individuals disclose information to each other. The creative and cooperative action by everyone avoids much more complicated and expensive responses to the problem (e.g., calling the police to report a hit-and-run accident). Not everything needs to be a federal case.

Jump to list of FAQs 1-65