hipaa logo

Part 2: The Seven Basic Patient Rights ( FAQs 13 - 54)

This section covers the seven basic rights that HIPAA grants to patients. The rule defines seven patient rights, but not all of those rights are meaningful. We will consider them in the order of importance as we view the rights. Your mileage may vary.

 

A. Questions About the Right to a Notice of Privacy Practices

13. What is a HIPAA Notice of Privacy Practices?

The rule requires each covered entity, like a hospital, to publish a notice of privacy practices. The notice describes how each entity implements the rule. Notices from different health care institutions may look similar because the rule is the same for everyone. However, each notice will have some details (procedures, addresses, etc.) that are specific to the institution.

 

14. Why Are the Notices Long and Boring?

One answer is that the rule is long and complicated. Another answer is that lawyers write many of the notices. Often, lawyers write like…lawyers, and the results are sometimes complete, precise, and in the end, incomprehensible. Some privacy notices – and not just notices for health – are deliberately written to be obscure. Even other lawyers can't understand them. Not every organization really wants you to understand or exercise your privacy rights.

In the end, health privacy is a complex subject, and health records have quite a few uses and disclosures that you probably never thought about. All of these factors contribute to the length and complexity of the notices.

 

15. Should I Read the Notice?

Only if you want to. Every expert says that people should know their rights and understand privacy. We agree, but we recognize that people often don't have the time or interest. Don't feel guilty if you just don't have the interest today to read the notice from your doctor, hospital, laboratory, pharmacy, etc. What is important is that the notice exists and that the record keeper who produced the notice has a privacy policy and – we hope – actually implements the policy appropriately.

The requirement that each covered entity prepare a notice was a big advance in privacy protection. That remains true even if most patients never read the notice. The notice also tells a covered entity's employees what the privacy rules are. That is just as important as telling the patients what the rules are. In the past, employees often didn't know whether there were privacy rules or what those rules stated.

To put it another way, you have privacy rights whether or not you know the details. Your rights do not depend on your level of understanding. You can do a better job of protecting your rights if you know more, of course.

HERE'S WHAT'S REALLY IMPORTANT:

  • Read the notice when it matters to you. When you decide that you want a copy of your health records, that's a time to read the notice and find out how to obtain the records.
  • If you think that there is an error in your record, read the notice and learn how to ask for a correction.
  • If you think that your records were improperly used or disclosed, read the notice to see if you are right.
  • When you have a privacy complaint, you can read about the (somewhat ineffective) complaint procedure that the rule provides.

When it makes a difference to you, get a copy of the notice and read it. That could be today or two years from now. You can always ask for a copy, even if you are no longer someone's patient. If a provider or insurer maintains a website, it should make a copy of their privacy policy available on the website. That may make it easier for you to find the notices that you need.

 

16. What Are the Forms that My Doctor's Office Asks Me to Sign?

The rule generally requires a health care provider to make a good faith effort to obtain an acknowledgement that each patient received the notice. Some people think that it is a dumb requirement and a paperwork burden, but that's what the rule says. Signing a standard acknowledgement does not waive your rights.

You do not have to sign the acknowledgement. Your rights do not change if you sign or don't sign. However, the requirement for a signature is poorly understood. Some receptionists think that a signature is mandatory, and they will hassle you if you don't sign. Some will tell you that you must sign or you can't see the doctor. That is wrong.

You can fight about signing the acknowledgement if you want. We suggest, however, that this isn't a fight worth having. Save your energy for another battle. The acknowledgement – if that is all that the form contains – is meaningless. If you see something on the form that you don't like, you can just cross it out. Odds are that no one will even look at what you did.

We hear that some doctors are asking patients to sign broader forms that limit the ability of patients to file malpractice suits, that prevent patients from talking about the doctor to other people or on the Internet, or do accomplish other things that benefit the doctor and not the patient. We suggest being very careful about signing these types of documents.

SIDEBAR:

In the pre-HIPAA days, most patients were given actual consent forms to sign when they came to see the doctor. The forms often gave your health care provider permission to disclose your records to just about anyone. It was the privacy equivalent of a blank check. Most people signed the forms without reading or understanding them. HIPAA eliminated consent forms, something that some people find objectionable. However, the old consent forms mostly waived any rights that you had and did more to protect your provider than anyone else. HIPAA eliminated the need for routine consent forms, but at a price. The discussion later about uses and disclosures will make that price clearer. (See FAQs 55-65.)

WHAT YOU REALLY NEED TO KNOW:

When you visit your doctor's office for the first time, someone should offer you a copy of the doctor's notice. You may be offered the same notice on each visit because many offices find it easier to give every patient a notice on every visit rather than keeping track of first visits. Sometimes, the notice will be sitting on a counter or table. You have the right to take a copy home. Remember that you can always ask for a copy later or in many cases you will be able to find it on the website of your doctor or insurer. If you don't care about it today, it should be available to you later, even if you are no longer a patient of that doctor or covered by that insurer.

Your health plan also will provide you a notice, but the rules for getting you the notice are somewhat different for health plans. Patients really don't need to know those rules. You probably received a health plan notice in the mail, but you may have ignored it. If you want a notice from your health plan, ask for it or look on the health plan's website.

 

17. What Are the Most Important Parts of the Notice?

Almost any health privacy notice will probably tell you something that you didn't know. For example, a notice is supposed to include examples of the uses and disclosures that a covered entity can make. These examples will likely be both enlightening and disturbing. The basic list of uses and disclosures is long to begin with, and that may be upsetting if you've never read about them before.

Most notices are quite similar because you have the same rights everywhere the rule applies. If you read one notice, you have generally read them all. However, there may be some variations here and there between notices from health care providers and notices from insurers. Differences in state law may result in different notices from covered entities in different states.

When you want to exercise your rights at a particular covered entity, the local procedures are likely to vary. This is when reading the notice may matter a lot. Each notice should describe the covered entity's procedures for exercising patient rights. Make sure you follow any specified procedures. Otherwise, here are some notable features to look for:

  • If the notice is for a hospital or other institution, read the description of which institutions and providers are covered. We have a notice for a hospital that lists more than a dozen different institutions in three states as part of the same institution. That means that patient information can be readily shared among all the affiliated organizations without your consent. That ability to share records widely may not be unusual or should not always be troubling. Further, being able to obtain care at related institutions may be a good thing. Consider, however, if your cousin works in a health care facility in another state. You may not have realized that facility was connected to the health care provider that you see regularly. You might not be happy knowing that your cousin may be able to see your record. It's something to consider.
  • A hospital can use your records in a limited way for fundraising. You have the right to tell the hospital not to use your records for fundraising. If you say nothing, then use of your records for fundraising is permissible. Exercising this opt-out right may not be of critical importance, but it helps everyone if some people exercise opt-out rights when they exist.
  • Find the national security disclosure provision. A covered entity can disclose your records for just about any national security purpose. The rule does not require a warrant, court order, subpoena, or any procedure prior to the disclosure. We point this out because it is perhaps the most privacy invasive of the HIPAA disclosure provisions. You are also invited to look for other broad and objectionable disclosure provisions in the notice. Don't blame the hospital or doctor. The rule allows these disclosures to be made, and privacy notices usually reserve the right for a covered entity to make allowable disclosures. However, the disclosures are not necessarily mandatory. In other words, a doctor can disclose your record to the CIA, but the doctor can usually say no.
  • Look for the provision that says a covered entity can change the notice at any time and with retroactive effect. This isn't quite as bad as it looks because HIPAA limits the ability of a covered entity to change the policy. The covered entity must comply with HIPAA, and it cannot change the notice and take away your rights. However, if HHS changes HIPAA or if Congress passes new laws, then your rights can expand, diminish, or disappear. Most privacy policies, especially those not based on formal legal requirements, are changeable at the discretion of the record keeper. Changes are not always bad, but it is okay to be a bit suspicious..
  • Find the right to request alternate methods of communications. This right may be important to you, and the notice tells you how to exercise this right. We explain this right in full later. [See FAQs 25-28.]
  • Contact information for the covered entity's privacy officer is probably at the end of the notice. If you have any questions or want to exercise your rights, the privacy officer for the covered entity is probably the first person to contact.
SIDEBAR:

If you read the notice, you will likely come away with the feeling that your health records aren't really private. It's not an unreasonable conclusion. The notice describes many uses and disclosures that do not need your consent and that are permissible even over your express objection. We don't like it either. Still, we recognize that we have a complicated health care system, and there are many demands on health records for socially beneficial purposes. There is a legitimate policy justification for most of the disclosures permitted under HIPAA. Nevertheless, we think that some of the HIPAA standards for use and disclosure should be higher and that some of the procedures should create more barriers.

Sadly, we don't know any way to return to a health care system where only you and your doctor knew about your health and where no disclosures of your records were ever made without your approval. That system disappeared decades ago. We repeat again that we don't like it either. We do like it, however, when an insurance company pays for our treatment or Medicare pays our doctor bills. We like it when researchers find new treatments for diseases. We also like it that public health authorities can alert people about contagious diseases. Patients do benefit at times when their records are shared for appropriate purposes and with appropriate protections. We wish some of those protections were better.

In 1999, Maine implemented a health privacy law that required patient consent for many routine disclosures (e.g., to doctors, family members, hospital visitors). People hated the law so much that the legislature suspended the law within weeks after it took effect, and the consent requirements that upset people later disappeared. Some discretion is needed to make the world operate smoothly and in accordance with patient expectations. If you want to know more about the Maine experience, go to www.worldprivacyforum.org/pdf/MaineHealthPrivacy1998_Gellman.pdf.

 

B. Questions About the Right to Inspect and Copy Your Record

 

18. Why Both Inspect and Copy?

HIPAA provides each patient with the right to inspect his or her record and to have a copy of the record. These are two different rights. You cannot be charged a fee if you want to inspect your records. This means that you can always see your record, even if you don't want to pay.

If you want a copy of the record to take with you, then you can be charged a fee. You can also be charged an additional fee if you ask for a summary or explanation of your record. You do not have to ask for a summary or explanation.

 

19. Do I Want to See or Copy My Record?

There are many reasons you might want to review your records. Decide if any of these appeals to you:

  • You plan to move to another city and want to bring your records to a new doctor so that the doctor has your current information on your first visit. You may not know who the new doctor is in advance so you cannot arrange a doctor-to-doctor transfer.
  • You want a second opinion from another doctor and want to avoid having duplicate tests. If you have the records, you don't have to let your first doctor know about the second opinion.
  • You want to make sure that your new doctor knows about earlier treatments and previous tests.
  • You want to keep a permanent copy of all your health records in one place and in your possession.
  • You are curious.
  • You want to make sure that your children have your records because you think that something in your record (e.g., genetic information or family history that they may not know) may eventually be relevant to their treatment.
  • You have given your medical power of attorney to your grandson, and you want him to have all of your records (not just those for your current treatment) so that he can make informed decisions or so he can obtain assistance in making choices. By the way, the records that you give to your grandson are not covered by HIPAA in his hands (except, perhaps, if he is a physician or other health care provider).
  • You want to talk to a lawyer about medical malpractice and don't want your provider to know about it.
  • You think that there might be incorrect or irrelevant information in your record.
  • You think that you are a victim of medical identity theft.
  • You think that your insurance company improperly denied your claim, and you want to see the record about you that the company maintains.
  • You think that your doctor or insurance company is lying to you.
  • Any other reason or no reason. It is your right to see or have a copy of your record. You don't need to have a reason. You do not have to tell anyone what your reason is.

 

20. Which Records Can I Get?

You can generally ask for your all of your records maintained by any covered entity, but the covered entity can withhold some records. We will cover that subject shortly. Depending on your purpose, you may be interested in records of your hospitalization, records from your family physician, records from your insurance company, records from your pharmacy or pharmacy benefit manager, or your records any other covered entity. You can ask every covered entity for all of your records, but the next few questions suggest reasons for narrowing your request.

 

21. How Much Will It Cost?

A covered entity can charge a reasonable, cost-based fee for copying and postage. Any other copying charges – administrative fees, overhead, labor costs – are improper. Charges for inspecting a record are improper, even if the covered entity says that it had to make a copy for you to inspect. Charges for a summary or for an explanation are permissible if you ask for a summary or explanation.

Don't let anyone charge you more than is allowed by the HIPAA rule. If you don't think that the fees are proper, complain about it. You have a right to complain to the Secretary of HHS (via the Office of Civil Rights), and that right will be covered later. (See FAQs 46-51.) Remember that state law may establish lower fees than HIPAA allows or may not allow any fees at all. If you need records and can't afford to pay, ask for a waiver of fees. Some covered entities may provide some or all records without charge or at a discount.

Standard copying costs can be as much as $1.00 a page or perhaps more. If you want a hard copy of an x-ray, the fee could be considerably more. Many health care institutions hire outside firms to handle copies. Copying hospital records is a business. Insurance companies and lawyers tend to be frequent requesters of records, and copying charges can be expensive because these requesters don't much care and because there is no competition. The result is that the standard charge per page can be high. Your best strategy may be to narrow your request (see the discussion in FAQ 23 about what records to request) or to obtain an electronic copy of records that are already electronic. Copies of electronic records may be less expensive.

 

22. How Do I Make a Request for Access?

Start by reviewing the covered entity's copy of the notice of privacy practices. Remember that every covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website).

The notice of privacy practices describes your right to inspect and to obtain a copy of your record. It should also tell you the local procedure for making a request. You will likely be asked to write a letter or fill out a form in order to make your request for access. A covered entity can insist on a written request and may ask you for identification.

When you make a request, the covered entity must act on your request within 30 days. Don't count on an instant response. The entity can take an additional 30 days to respond if it provides you with a written explanation of the delay. If you need the records more urgently, say so. It might help, but the rule allows the covered entity to wait 30 days or more no matter what. Your doctor might be responsive to your need for fast access, but bigger institutions have procedures and may not be inclined to do anything but the minimum required of them.

SIDEBAR:

This is a real life example. A patient needed a copy of x-rays and CAT scans in order to get a second opinion on a critical injury that required immediate surgery. The hospital told the patient to make a written request and wait 30 days for a response. The patient's medical needs were urgent, but the hospital didn't care to help. The patient found another way. He explained the problem to a nurse who was sympathetic. The nurse quietly made an electronic copy of the needed records on a disk and gave it to the patient. The nurse may not have followed the hospital's internal procedures, but the disclosure to the patient did not violate the law. The lesson is that if the official methods don't meet your needs, see if you can find another way. Just don't break the law doing it. Remember to thank (and protect!) your sources.

 

23. What Records Should I Ask For?

A covered entity must allow you to inspect or obtain a copy of your record. Some records can be withheld. (See FAQ 24.) Just figuring out who to ask and what to ask for can be complex. Don't assume that you need a copy of all records from all health care providers and insurers. Obtaining your health records can be surprisingly complicated, may present some hard choices, may be expensive, will require some planning, and can take time.

First, copying costs may be considerable. You may want to think about the costs involved before you ask. A hospital record can have hundreds or even thousands of pages. Think about whether inspecting your records will meet your needs. If you can inspect first, you might be able to narrow your request and cut the cost.

SIDEBAR:

You might be able to inspect your records and make a copy with your digital camera or a portable scanner. If you try using your own equipment, don't be surprised if the covered entity doesn't like it and tries to stop you. However, if you can see the record, you should be able to make your own copy. Nothing in the HIPAA rule says that you can't. However, if you want to wheel in a 500-pound copying machine, you'd better ask permission first.

Second, if you have been using the same hospital or doctor for 20 years and the reason for your request relates only to your treatment from the last month, you might limit your request to recent records, or records dating back just one year. The same idea may work if you want records from your insurer.

You may not know which records you need at first. The point is that you want to obtain records that you think are relevant, but you may not want every record from every HIPAA covered entity. Most people have had dozens of health care providers and insurers in the course of their lives. Many records will not be important or worth the time and effort to find for most people. Old records from individual practitioners may be hard to locate and obtain. However, hospitals and other long-standing institutions are more likely to have older records, although they may be in storage offsite.

 

SIDEBAR:

If you want your records because you think you might have been a victim of an identity thief, you will find some more specific advice at the World Privacy Forum's FAQ for medical identity theft victims. www.worldprivacyforum.org/FAQ_medicalrecordprivacy.html.

It is possible that a thief used your name to obtain services from a health care provider, clinic, pharmacy, or laboratory that you never used yourself. Don't be surprised if the trail leads you to unexpected places.

RULE OF THUMB:

One part of the health care world that few people recognize is the Pharmacy Benefit Manager or PBM. A PBM is a company that contracts with managed care organizations, self-insured companies, government programs, and other insurers to manage pharmacy network management, drug utilization review, and other activities. A PBM is likely to be the organization that fills your drug prescriptions by mail. A PBM may have relevant records. Your health plan hires the PBM, and you may have to seek access to PBM records through the plan.

The notice of privacy practices should tell you what you need to know on this front, or it should tell you how to find out. PBM records may duplicate records that exist elsewhere, but they can be important sources of information at times. If you are seeing more than one doctor, clinic, or hospital, PBM records tend to include information from different providers.

SIDEBAR:

It can be especially important to correct errors in PBM records. If you apply for individually underwritten life insurance or certain other types of insurance, the insurance company will insist that you sign a consent for disclosure of your health records. The company wants to know if you have a health condition that affects your insurability. The easiest place for the insurer to obtain your records may be from a PBM rather than from your doctor. PBM records are electronic and can be shared quickly. Your doctor may not respond to the insurer's request so quickly.

Third, asking for a copy of your complete health record may provide more information than you need. It may also be especially expensive. Your health records may include results of x-rays and other diagnostic tests that may be costly to duplicate.

Consider how you might limit your request for access so that you limit your costs. See if you can talk to someone in the record keeper's office when you make a request so that you can negotiate what you really need. One idea is to not ask for a hard copy of an x-ray unless you know that x-rays are essential. If other records are especially expensive to duplicate, you may want to defer asking for those records too. Ask for a price list before requesting all records. Another idea is to ask to inspect your records first so you can decide which parts you want to have copied.

On the other hand, if records are electronic, it may be easy and inexpensive to obtain an electronic copy of everything or almost everything. If the covered entity has electronic records, it must give them to you in electronic form if you want them in that form. You can ask for hard copy of electronic records, but the cost might be higher. Not all electronic records can be printed on paper.

Fourth, once when you receive some records, you may be able to focus your later requests. You may find that the provider used a lab or other independent provider that will have some of your records that you may want to have or that you may want to inspect.

 

24. Can Covered Entities Withhold some Medical Records?

Yes. In some situations, a covered entity can withhold records.

First, the right of access under HIPAA does not extend to psychotherapy notes, materials compiled for litigation, and some laboratory records (non-CLIA labs). A non-CLIA lab is typically a lab that does research work. By the way, CLIA stands for the Clinical Laboratory Improvement Amendments, and you can find more information at www.cms.hhs.gov/clia. It is a complicated law, and most patients don't have to worry about CLIA issues.

Second, a covered entity can deny you access to some records, including records maintained by a prison, some records of research participants, and records obtained from someone other than a health care provider under a promise of confidentiality. The HIPAA privacy rule does not require a health care institution to allow you to appeal the denial of these records, but some institutions might accept an appeal if you file one. Read the notice of privacy practices to learn if there is an appeal option. We recommend that you appeal to the head of the institution even if you don't have the right to do so. An appeal may result in a review of the initial decision. If it doesn't, then you only invested the energy of writing a letter.

Third, a covered entity can deny you access to some records if a licensed health professional determines that access is reasonably likely to endanger the life or physical safety of you or another individual. Records about other people can be withheld if a licensed health professional has determined that access is reasonably likely to cause substantial harm to that individual or another person. Requests made by an individual's personal representative can also be denied if disclosure would cause substantial harm. If an institution withholds records for any of these reasons, it must provide a written denial explaining the reason for the denial. It must also explain any appeal rights that you have.

RULE OF THUMB:

Remember that state law may grant you greater access rights than HIPAA. If state law has an access provision – and many states do – then you may be able to obtain records exempt under HIPAA. If a federal agency has your records, rights of access under the Privacy Act of 1974 may be greater than the rights under HIPAA.

SIDEBAR:

To be complete, we will tell you that HIPAA has a complex definition for something called a designated record set. You can get access to records that meet this definition and that aren't otherwise exempt. There may be some records about you that are not part of the designated record set, but they are likely to duplicate the records that you can see. This limitation in the rule solves some administrative problems, and it isn't a sinister plot to deny you access. We suggest that you not worry about it. For example, if you had surgery, some of the records about your operation may be kept in the operating room records in addition to being in your personal medical record. A patient doesn't need to see the same information twice.

 

C. Questions About the Right to Request Confidential Communications

 

25. What is the Right to Receive a Confidential Communication?

You have the right to ask a health care provider to communicate with you by alternative means or at alternative locations. This means, for example, that you can ask your fertility clinic not to call you at work or to send you an email notification of an appointment. You could also ask your psychiatrist not to leave a message about an appointment at your home telephone answering machine. You might also ask your provider not to send you a post card reminder of your appointment but to use a closed envelope. A provider must accommodate reasonable requests. We think that all of the examples in this paragraph are generally reasonable. We also think that that asking for written communications – including bills – to be in plain envelopes with no identification of the provider in the return address is also reasonable.

The right to receive a confidential communication is a real right that may be important to you. Not everyone will care or will care all the time. You may not object to a postcard from your dentist reminding you to make an appointment to have your teeth cleaned. Many people would object to receiving a postcard informing them about a follow-up visit to a sexually-transmitted disease clinic.

The right to receive a confidential communication is important because a provider doesn't need express permission to contact a patient at home or to leave a message on an answering machine. For a patient who doesn't want others in his or her family or household to know about a form of treatment, then exercising the right to receive a confidential communication will be crucial. For some, this right may provide a vital privacy protection that will make the greatest difference to your life or wellbeing.

 

26. How Do I Exercise the Right to Receive a Confidential Communication?

A provider may require you to make a written request to receive a confidential communication in writing. Read the notice of privacy practices to find out the local procedure. In a small office, an oral request may be sufficient. Still, if you orally tell the receptionist not to call you at your office, the doctor may not know about your request. A written request may be safer because it creates a formal record of the request. You should keep a copy of your written request.

The rule says that a provider must permit a patient to make a request, but it does not expressly say that the provider must respond at all or in writing. However, a provider must agree to a reasonable request. You would be well advised to ask for a written acknowledgement and to save the acknowledgement. If you only receive an oral response, you might want to send a written confirmation to the provider, and keep a copy of your confirmation. The written confirmation should summarize the request and identify the person who agreed to comply. Ask the provider to respond if the summary is incorrect.

You do not have to tell the provider why you made the request. Indeed, the rule expressly prohibits a provider from requiring an explanation as a condition of fulfilling the request. However, the rule does not prohibit the provider from asking for you reason. You don't have to disclose your reason if you don't want to.

SIDEBAR:

We think that the right to receive a confidential communication is a real right that will be meaningful for some patients. If you don't want your psychiatrist leaving an appointment reminder with your secretary, make a request for a confidential communication. Remember that a covered entity must agree to a reasonable request so don't take a denial of your request from a lazy staff member without a fight. Remember as well that a written document about your request in your health record is a better protection than reliance on an oral agreement. The current receptionist may know of your request, but a new or temporary receptionist may not.

 

27. Does the Right to Receive a Confidential Communication Apply to Health Plans?

Yes, but the rule is a bit different. To make a request to a health plan, the individual must clearly state that the disclosure of all or part of the information could endanger the patient. The plan may require that a request contain a statement that disclosure could endanger the patient. The plan can demand a written request.

It is not apparent, however, that the patient must identify what the harm is. The statement that disclosure could endanger the patient seems to be enough. This is one place where the rule seems to have been made deliberately obscure for no good reason.

We can't be sure what constitute endangerment. We suggest taking the position that it is up to the patient to decide what it means. If you say that disclosure could be potentially endangering or merely embarrassing, that's enough to convince us. If a disclosure might persuade you to stop seeking treatment, we would argue that also constitutes endangerment. We can't predict how plans will respond, but we emphasize that plans must accommodate reasonable requests. Asking to send mail to an alternate address (physical or email) strikes us as reasonable. Asking for phone calls only to your cell phone and not to your home phone also strikes us as reasonable. Asking for messages only by carrier pigeon will not be viewed as reasonable by anyone.

 

28. Are There Any Other Requirements?

A plan or provider can condition the accommodation on the patient providing an alternative address or means of contact for information about how payment will be handled. This means that you can't ask someone to send all bills to the White House unless you are the President.

There's an exception for emergencies. No matter what restriction a covered entity agreed to, it can ignore it in case the information is needed to provide emergency treatment. Fair enough.

 

D. Questions About the Right to Request Amendment

On our list, the right to request an amendment of your health record is only the fourth right out of seven. Normally, access and amendment go hand in hand. We list amendment lower because the limits on the amendment right seriously undermine its utility. Nevertheless, if you can use it, the right to request an amendment may be important to you.

We want to underscore that the law does not give you a right to amend your record. You only have a right to request an amendment. We see this as a reasonable implementation of a patient's interest in amending a record. The record keeper has rights and interests as well as the patient, and these rights and interests deserve respect too. You cannot, for example, reasonably expect your doctor to change the record so that it no longer shows that you were treated. A doctor has a legal and professional obligation to maintain treatment records.

 

29. How Do I Make a Request for Amendment?

One way to start is by obtaining a copy of the notice of privacy practices. You may already have a copy. If not, each HIPAA covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website). The notice of privacy practices describes your rights, including your right to ask for an amendment. The covered entity's notice will tell you where to submit your request for amendment.

You might be asked to write a letter or fill out a form to make your request for amendment. You might be asked to tell the record keeper what information is wrong or is not about you. You may have to explain why you want the amendment.

When you make a request, the covered entity must act on your request within 60 days. The entity can take an additional 30 days to act if it provides you with a written explanation of the delay.

SIDEBAR:

It is hard to object to the formality of the amendment process allowed by the rule. We hope, however, that covered entities don't use it inappropriately. If you want to report a change of address or corrected telephone number to your family doctor, you should be able to tell the provider or the provider's receptionist without any formality. A covered entity can ask for a written request, but it doesn't have to do so. If someone in a doctor's office who knew us said that we had to write a letter to change an incorrect telephone number, we would complain to a supervisor or physician. But if you are not known to the provider, it might not be unreasonable if the provider first asked you to show identification. Changing an address is one way that medical identity thieves try to hide the trail of their activities.

 

30. Can I Ask that Incorrect Information be Removed From My File?

Yes, but it may not be that easy. A HIPAA covered entity does not necessarily have to remove incorrect information. It can mark the information as incorrect and add additional notes that show the correct information.

There is a reason for this policy. Suppose that your doctor suspects that you have an infection. Before the test results come back, the doctor prescribes an antibiotic. When the test later shows that you didn't have the infection, the doctor tells you to stop taking the antibiotic.

Now suppose that you ask the doctor to remove the initial diagnosis of an infection. If the information is totally removed, it will be impossible for the doctor to explain or justify the prescription for an antibiotic. It may not be appropriate to remove the entire incident from the record because the doctor will be unable to explain the treatment provided or the bill for the services. The doctor also needs to keep the record in the event that there are complications from the drug. The doctor rightly needs a history of the treatment for his/her protection for both legal and medical reasons. Your health record isn't just about you. It's about your provider too.

SIDEBAR:

Some requests for amendment present real conflicts between the interest in having an accurate record on the one hand, and having a record reflecting what treatment was provided to a patient and why, on the other. These objectives will conflict at times. Information that seemed to be correct one day may be incorrect on another day. A health record may need to reflect both conclusions, even though they are different. If you disagree with your physician's diagnosis, but the physician insists that the diagnosis is correct, you are not likely to prevail with an amendment request. You have to right to put your views in the record, as we explain later. (See FAQs 34, 35.)

Health care providers are typically nervous about removing information from health records. For the most part, they have a reasonable concern for the reasons explained above. However, when the information in your health record is not about you, the provider's concern is weaker. When the information in your record is not about you and the presence of the information did not affect your subsequent care, the argument for removal is stronger. For example, if your record includes a lab slip belonging to another patient, it may be appropriate for the record keeper to remove the slip entirely and put it in the right record.

However, if the incorrect information did affect your treatment – even if that treatment was inappropriate – then retaining some or all of the incorrect information (suitably marked as incorrect and including a full explanation) may be legally and medically justifiable. You may be able to negotiate with the provider about how the information should be marked or otherwise segregated from your medical record.

The problems faced by medical identity theft victims seeking amendment of their record can be particularly difficult. See the World Privacy Forum's Medical Identity Theft Page or go directly to our FAQ for identity theft victims at www.worldprivacyforum.org/FAQ_medicalrecordprivacy.html.

SIDEBAR:

If there is information in your file that is not about you at all – whether because of a filing error, medical identity theft, or other reason – you should ask for total removal. The record keeper may still be unwilling to comply. Another possible remedy is to ask the record keeper to put the information about another individual in a wholly separate record that is not directly associated with your medical record or in a sealed part of your record. The two records might contain references to each other, but the substantive medical information about the other person will not be in the normal file that a doctor would review when treating you. This may not work, but it is worth a try.

 

31. What Other Limits Are There on the Right to Seek Amendment?

A covered entity does not have to amend a record that it considers accurate and complete. It does not have to amend a record that is not available for inspection by you under the access provision.

More importantly, a covered entity is not required to amend a record not created by the covered entity. That means if the information in your record came from any third party – including another provider, an insurer, a relative, or anyone else – the covered entity has no obligation to amend your record or even to consider your request. We find this limitation on the right to seek an amendment to be unfair, inappropriate, and dangerous. Be aware that state law may not have the same limitation on amendment rights.

SIDEBAR:

A provider can treat you using information in the file that you contend is incorrect, but that provider has no obligation under HIPAA to determine whether the information is wrong when you contend that it is wrong. This is why we think that this exception is unfair, inappropriate, and dangerous.

The covered entity must consider your request for amendment of third party information if you provide a reasonable basis to believe that the originator of the information is no longer available to act on the requested amendment. Thus, if the record contains information from a previous physician who is no longer in practice, you may be able to force your current provider to consider amending information supplied by that physician. We note that it can be difficult to prove that the originator of information is unavailable, and an uncooperative record keeper can string a requester along if it doesn't want to deal with a request for amendment honestly.

If the covered entity that is the originator of the incorrect information is available but does not act on a request for amendment, the information in the subsequent covered entity's record may be just as wrong and could have a continuing detrimental effect on the patient. This can present a real Catch-22 for patients.

In most circumstances, a health care provider will act reasonably to verify information that may affect patient care. For example, if you tell your surgeon that you think that your blood type is A, the surgeon is not likely to cavalierly accept contrary information just because it came from a third party. Any health care provider is likely to be suitably concerned about the possibility of a medical error based on wrong information.

However, there may be real problems with third party information in some circumstances. Health insurers may not be as worried about an error, especially if the error provides an excuse to deny a claim.

SIDEBAR:

Consider an identity thief who has an appendectomy while masquerading as John Doe. The real John Doe has an appendectomy a year later and submits the bill to his insurance company. The insurance company rejects the bill because no one has two appendectomies. If John Doe asks the insurer to amend or delete the record of the first payment, the insurer can refuse the request under the HIPAA rule because the information came from a third party, namely the surgeon who operated on the identity thief. If John Doe then asks the surgeon to correct the record, the surgeon will likely reject the request saying that the request came from a John Doe who has the same name as his patient but who is not the actual patient. The HIPAA health privacy rule provides no real assistance or remedy under these circumstances. Unless someone goes beyond the minimum requirements of the HIPAA rule and addresses the real problem, it is possible that a patient will have no remedy at all under HIPAA. It may be necessary to find another way to force attention to your problem, such as filing a complaint, hiring a lawyer, writing your congressman, or some other activity. We think that HIPAA should provide you a real remedy here, but it does not.

If the rule doesn't provide a remedy when one should be available, the patient may only be able to ask for the good will, understanding, and cooperation of all concerned. Providers and insurers who proceed in good faith may solve a patient's legitimate concerns notwithstanding the deficiencies of formal legal remedies. Otherwise, the next step may be litigation, and that is often an expensive and unattractive alternative for everyone concerned, even when litigation is possible.

 

32. Do I Have Greater Amendment Rights under State Laws, other Federal Laws, or Hospital Policies?

Maybe. Some states have health privacy laws that provide greater rights of amendment. If your records are held by the federal government (e.g., Medicare, VA, or Indian Health Service), your rights to ask for amendment of records under the Privacy Act of 1974 may be greater than under HIPAA. These two sets of privacy rules overlap, and you are entitled to the best parts of both laws.

 

33. What Happens When a Covered Entity Agrees to Make an Amendment?

The covered entity that agrees to make an amendment must:

  • Make the amendment;
  • Tell the requester what it did; and
  • Make reasonable efforts to inform others about the amendment within a reasonable time.

The third requirement is most noteworthy. If you convince a covered entity to amend your record, the covered entity must tell any persons that you identify who received the original incorrect information and who need the amendment. In addition, the covered entity must notify any persons who have the information that was the subject of the amendment and who may have relied or could foreseeably rely on the information.

To make sure that amendments have been appropriately distributed, you may want to ask for an accounting of disclosures. The right to receive an accounting is explained elsewhere in this guide. (See FAQs 37-44.) What is important is that amendments be provided to those who may rely on the original incorrect information. Each patient has the right to tell a covered entity to send the amendment to anyone who received the original information and needs the information.

Be sure that any amended information that bears on your future medical treatment is shared with other providers. Information that bears on insurance and payment matters may need to be shared with insurers and, possibly, with employers. The goal is to find and eliminate any incorrect information that others have and that may affect you adversely.

It may take considerable effort to make sure that every appropriate person has the information and that those with the information correct their own records. Every covered entity must act when it receives a notice of amendment, but that doesn't mean that it will be done quickly or properly. It may be appropriate to ask each appropriate covered entity to confirm that it actually made the amendment. You may have to request a copy of your record from that covered entity to be certain.

Be aware of any Health Information Exchanges that may impact where your records are located. For example, some emergency rooms in some states exchange electronic health records through a third party called a Health Information Exchange. In Long Beach, California, the Health Information Exchange is Long Beach Network for Health. In New York, it is the New York e-Health Collaborative. Other states and regions have similar exchanges. Ask about the presence of an exchange or network so you can locate all of the copies of your records.

SIDEBAR:

There may be some strategy involved in asking for the sending of notices of correction. When you look at the accounting of disclosures, you may be surprised at the number of people that received notice of the original, incorrect information. You may not want all of them to receive the correct information. Suppose that (with your consent), your doctor reported to your employer that you were justifiably absent from work because you had the stomach flu. A later test reveals that you had a more serious illness or were pregnant. You might not want this additional information shared with your employer, but you might want another physician to know. If the correct information would affect how a covered entity might treat you, the sending the correction is the right thing to do. But you might not care about sending a correction to a physician who treated you in an emergency when you have no expectation of ever being treated there again.

 

34. Can I Appeal if a Covered Entity Refuses to Make an Amendment?

Maybe. An institution must accept complaints about its health privacy policies and practices. Filing a complaint with an institution may not be the equivalent of filing an appeal of a denial of a request for amendment, but it may help if it forces someone new at the covered entity to review your request. However, some institutions may accept formal appeals. Consult the institution's notice of privacy practices to see if there is an appeal method for a denial of a request for amendment.

You can also complain to the Secretary of the federal Department of Health and Human Services about how your request was handled. The Department's Office of Civil Rights processes complaints. You can find information about the process at www.hhs.gov/ocr/privacy/hipaa/complaints/index.html. Whether the Department will actually investigate your problem is uncertain.

You have another alternative. When a covered entity denies your request for amendment, it must tell you that you can request the covered entity to provide a copy of your request for amendment with any subsequent disclosure of the disputed information. In some instances, it may be important to make the request. Remember that the covered entity is not required to tell others about the dispute unless you ask.

 

35. Are There Other Remedies if My Request for Amendment Is Denied?

Yes. You have the right to file a written statement of disagreement, and that is an important right. When a covered entity denies your request for amendment, it must tell you about this right.

The statement of disagreement gives you the opportunity to explain your side of the story. The covered entity can reasonably limit the length of the statement of disagreement, so don't plan on writing a novel-length document. We also suggest that your statement should be factual and should refrain from making personal attacks on anyone involved in the process.

The covered entity can write and circulate a rebuttal to your statement of disagreement. If it does so, it must provide you with a copy of its rebuttal.

HIPAA offers another protection even if you don't file a statement of disagreement. The rule requires a covered entity that received and denied an amendment request to append or link the record in question to the request for amendment. The purpose here is to make sure that whoever sees the disputed record will also see the request for amendment. One reason to ask to inspect or have a copy of your record is to see if the covered entity properly handled this requirement.

 

36. Can a Covered Entity Still Disclose The Information that I Disputed?

Yes, but HIPAA offers additional rights. First, if you submitted a statement of disagreement, the covered entity must disclose it when it discloses the disputed information.

Second, if you choose not to submit a statement of disagreement, the covered entity must include your request for amendment (and its denial) along with any subsequent disclosure only if you requested that the covered entity do so. In most cases, this will be an advisable step to take.

 

E. Questions About the Right to Receive an Accounting of Disclosures

 

37. What's an Accounting of Disclosures?

For a disclosure of medical information about an individual, an accounting is a record of:

  • The date of the disclosure
  • The name of the person or entity who received the information
  • A brief description of the information disclosed
  • A brief statement of the purpose of the disclosure (or, as an alternative, a copy of the request for a disclosure).
RULE OF THUMB:

The non-intuitive term accounting comes from an older privacy law. It's clearer to think of an accounting as a disclosure history. We will stick with the rule's accounting terminology here because it is used commonly in HIPAA circles.

 

38. Why Should I Care about Accounting of Disclosures?

Many patients won't care, and that is okay. However, the accounting of disclosures can be crucial in some instances. If you think that your records were improperly disclosed, if you think that you may be a victim of medical identity theft, or if you are just curious to learn about the circulation of your medical records, then you may want to ask for an accounting. Be warned, however, that if you ask for an accounting, the response is likely to undermine whatever faith you had that your medical information is confidential. Records may be disclosed to other institutions that have nothing to do with your treatment or the payment for your treatment.

The accounting of disclosures will be invaluable if you need to follow the trail of your information and learn who has information about you. If you corrected your record through the amendment process, the accounting will allow you to find out who received the original information and who received the corrected information. It provides a way for you to tell whether the covered entity properly distributed the amendment.

The accounting may reveal some disclosures that are normal (e.g., to your health plan). You may also learn that the covered entity disclosed your records to a researcher, public health agency, or government auditor. These disclosures may not have any immediate consequences for you, but you may be either interested to know about the disclosures or unhappy that they occurred.

However, if you learn that your records were disclosed to law enforcement or health oversight agencies, you might have reason to worry that the information disclosed will be used against you in some manner. By learning the purpose of each disclosure, you will be better able to make judgments.

 

39. How Do I Make a Request for an Accounting of Disclosures?

Start by obtaining a copy of the notice of privacy practices that your provider or insurer publishes. You may already have a copy. If not, each HIPAA covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website).

Follow the directions for a request in the notice. You might be asked to write a letter or fill out a form in order to make your request for amendment. The covered entity must act on a request for accounting within 60 days, but it can extend the time limit for another 30 days if it provides a written explanation of the delay.

 

40. Who Has to Provide Me with an Accounting of Disclosures?

Any HIPAA covered entity must provide a copy of an accounting of disclosures. For most individuals, your health care providers (doctors, hospitals, laboratories, pharmacies, etc.) and health insurers (HMOs, health plans, Medicare, etc.) will have accounting records that you may want. You may also want to ask your Pharmacy Benefit Manager or PBM. A PBM is a company that contracts with managed care organizations, self-insured companies, and government programs to manage pharmacy network management, drug utilization review, and other activities. A PBM is likely to be the organization that fills your drug prescriptions by mail.

 

41. What does it Cost to Obtain an Accounting of Disclosures?

You are entitled to receive at no charge one copy of the accounting of your medical record in any 12-month period. If you make more than one request, the institution may impose a reasonable, cost-based fee. The institution must tell you the cost in advance so you have a chance to modify or withdraw your request.

SIDEBAR:

If you have a good reason why you need to request an accounting more than once a year, ask the covered entity to waive any fees. For example, if you are a victim of medical identity theft and need repeated accountings to check on current activities of the identity thief and responses to corrective actions, ask for a fee waiver. Argue that both you and the covered entity are victims of the identity thief. You need to work cooperatively to correct the problem. Ask the institution's fraud investigator or compliance officer to help you if the usual HIPAA channels aren't responsive.

 

42. What are the Limitations of an Accounting of Disclosures?

Limitations in the HIPAA rule make the accounting of disclosures much less valuable than it should be. First, covered entities do not have to account for all disclosures. They don't have to keep an accounting of disclosures for treatment, payment, or health care operations. Most disclosures are likely to be for one of these purposes so this loophole is large.

Second, covered entities also don't have to keep an accounting of disclosures if you authorized the disclosure. That means that you may not be able to track if the covered entity actually disclosed records as you directed. If you casually signed an authorization that allowed the disclosure of any or all information about you (e.g., for a background check), a covered entity can disclose your entire medical record and not even keep a record that it did so. This is another large loophole.

Third, health care institutions do not have to account for uses. A use of information occurs when a record is made available to someone within the institution that maintains the record. A disclosure occurs when a covered entity shares a record with someone outside the covered entity. The accounting requirement only covers some disclosures and no uses.

If you are hospitalized, hundreds of different individuals in the hospital may see your record. The use exemption to accounting can seriously undermine your ability to hold an institution accountable for leaks or other inappropriate activities. Still, in hospitals with modern computers, there is a greater likelihood that a complete audit trail, including uses, will be maintained routinely. Unfortunately, HIPAA does not expressly require that a covered entity share that audit trail for uses, although there may be an argument that disclosure of an entire audit trail is required otherwise by HIPAA or by state law. Ask for a copy of the entire accounting because a reasonable institution will share it with you. For institutions with computerized systems that track all activity, it should be easier to provide a requester with the entire history everything rather than part of it.

Fourth, sometimes a covered entity must withhold a particular accounting record from an individual who requests a copy of the accounting. Some disclosures to law enforcement, for example, can be made without telling the record subject for a limited time.

Fifth, the HIPAA requirement for an accounting started on April 14, 2003. A health care institution covered by HIPAA did not have to maintain accounting records before that date.

Finally, perhaps the biggest limitation is that the federal health privacy rule does not require an accounting of disclosures for treatment and payment. This means that a lot of information that you would want to find in an accounting will not be available.

For example, if a hospital gave care to someone in your name and billed your insurance company, you would want to know the details. You may not be able to obtain that information from the accounting of disclosures. Even worse, if a hospital told a credit bureau or collection agency that you did not pay your bill (i.e., a bill run up by an identity thief), the accounting may not reveal the disclosures. These disclosures may be exempt from the accounting requirement because they fall within the exception for disclosures for payment and health care operations.

 

43. Why Bother Asking for an Accounting if It Has so Many Loopholes?

Why seek an accounting of disclosures? First, obtaining a copy of the accounting is free. All you have to do is fill out a form or write a simple letter.

Second, an accounting may help even if it isn't complete. You should be able to learn something about how your records were disclosed from the accounting. It may point you to some record keepers you didn't realize had records about you.

Third, the accounting is part of the process for learning about and recovering from medical identity theft. Similarly, if there has been a data breach of the confidentiality of your medical information, the accounting of disclosures may help you find it.

Finally, even though there are many exceptions to accounting, some institutions will nevertheless have a record about disclosures (and even uses) even though the records are not required by HIPAA. If you ask for more, you might just get what you want. Certainly nothing in HIPAA prevents a covered entity from providing a more complete accounting than the minimum required by the rule.

 

44. Do I have Greater Rights under State Laws, Other Federal Laws, or Hospital Policies?

Maybe. A few states may have health privacy laws that require health care institutions to maintain better accounting records or to disclose more accounting records to you. If your records are held by the federal government (e.g., Medicare or VA), your rights to have a copy of an accounting under the Privacy Act of 1974 will be greater than under HIPAA. These two sets of privacy rules overlap.

The website of the Georgetown University Center on Medical Record Rights and Privacy at hpi.georgetown.edu/privacy/records.html has information on state laws about access and correction of medical information. Beware that the information at this website may not be current.

 

45. What's the Best Strategy for Making a Request?

You only are entitled to one free request in any 12-month period. Think about the best timing to make that request. If you learn that you were a medical identity theft victim two years ago, you probably should make the request right now. However, if the reason you are asking relates to a current activity (perhaps a hospitalization that just ended), it can take time for your records to be updated. Actions that follow a hospitalization, such as submitting a bill to an insurer or to the government, may not occur immediately. You might want to wait a week or two before asking for the accounting. If the institution's privacy officer is helpful, the officer may be able to offer useful advice about timing.

SIDEBAR:

Many institutions with fully computerized record systems will have accounting records that exceed the HIPAA requirement. Modern computer systems routinely track every use and disclosure of a medical record. HIPAA does not require a covered entity to give you all the accounting records that the entity has. That's unfortunate. It doesn't mean that you can't ask for non-HIPAA required accounting records if they exist. We suggest that you make a broad request. If you are dealing with a federal or state institution, you might be able to use other privacy or freedom of information laws to seek records about you that may not be available under HIPAA. If the records are important to you, ask first for all the records. Even if there is no right, an institution may still be willing to share the accounting records, if only because it is cheaper and easier to do so than to separate the required from the non-required parts of the accounting. If you ask for more, you might just get what you want. If asking doesn't get you what you need, use other laws and procedures if they are available.

 

F. Questions About the Right to Complain to the Secretary of HHS

 

46. Can I File a Federal Complaint about a HIPAA Problem?

Yes. Any person who believes that a covered entity is not complying with the HIPAA privacy rule may file a complaint with the Office of Civil Rights at the Department of Health and Human Services. You do not have to be a patient of a health care provider or a beneficiary of a health insurance plan to file a complaint. For example, if you visit a relative in the hospital and see a violation, you can file a complaint.

You can find a fact sheet on the complaint process at www.hhs.gov/ocr/privacy/hipaa/complaints/index.html. The fact sheet lists addresses of then regional offices of the Office of Civil Rights that will accept your complaint. The toll free number for help with complaints is 1-800-368-1019.

You can use the complaint form at www.hhs.gov/ocr/privacy/hipaa/complaints/howtofileahealthinformationprivacycomplaintpkg.pdf or at www.hhs.gov/ocr/privacy/hipaa/complaints/index.html. You can submit a complaint online to OCRComplaint@hhs.gov.

 

47. What Information Belongs in a Complaint?

HHS wants a complaint to include:

  • Your name, full address, home and work telephone numbers, email address.
  • If you are filing a complaint on someone's behalf, provide the name of the person on whose behalf you are filing.
  • Name, full address and phone of the person, agency or organization you believe violated your (or someone else's) health information privacy rights or committed another violation of the Privacy Rule.
  • Briefly describe what happened. How, why, and when do believe your (or someone else's) health information privacy rights were violated, or the Privacy Rule otherwise was violated?
  • Any other relevant information.
  • Your name and the date of the complaint.

 

Optional information that HHS requests includes:

  • Do you need special accommodations for us to communicate with you about this complaint?
  • If HHS cannot reach you directly, is there someone else to contact?
  • Have you filed your complaint somewhere else?

 

48. Will Filing a Complaint Really Help?

We would love to tell you that the complaint process works, but we have our doubts. The problem is that HHS doesn't seem to take any action against covered entities that may be violating the rule. Up to a point, it is okay for HHS to work with violators to remedy problems. In the first year or two when everyone was getting used to HIPAA, leniency in enforcement was a reasonable policy.

At this stage, however, the HIPAA privacy rule has been in place for years. Sanctions for violations have been few or nonexistent. It is far from clear how much HHS cares about health privacy or HIPAA privacy enforcement. Covered entities may be ignoring some of the requirements because they know that there are no consequences.

Nevertheless, the complaint process is free and there is always a chance that intervention by HHS will occur and will help. We wouldn't hesitate to file a complaint if we thought that a covered entity did the wrong thing or treated us badly.

We remind you that filing a complaint may have the effect of spreading your health information around more widely. Not all complaint investigations will involve disclosure of the intimate details of your medical history, but some may. It is for you to judge whether a complaint will invade your privacy more than you can tolerate. But if you are just trying to get the hospital to respond to your request for a copy of your record, the additional threat to privacy may be small.

 

49. What Should I do if I See a Privacy Violation?

We think that you should at least consider filing a complaint. You never know when the Department of HHS will decide that privacy deserves a greater priority. A new Secretary or a new staff at the Office of Civil Rights may give privacy more attention.

It is important for the public to show interest in privacy laws. It is bad enough when the government and covered entities do not act to protect patients. People must speak for themselves when they see a privacy violation. Not every violation may be worthy of a federal complaint, but if something happened that affected your privacy and you are upset about it, you should file a complaint.

 

50. Should I Worry that a Covered Entity will Retaliate if I File a Complaint?

Each covered entity's notice of privacy practices must say that there will be no retaliation against a person who files a complaint. We would like to believe that.

But in the real world, there are no guarantees. We have seen, for example, a notice from a hospital that says – as required by the rule – that there will be no retaliation. The next sentence in the notice says more ominously that the hospital reserves the right “to take necessary and appropriate action to maintain an environment that serves the best interests of out patients and staff.” We have no idea what that means or why the hospital chose to add that statement directly after the required language about not taking retaliation. But it sure sounds like a threat to us.

We would be happier to see a privacy notice that included a statement to the effect that the hospital reserves the right to take additional actions to protect the privacy of its patients. However, hospital lawyers don't like statements like that, lest they be interpreted to oblige the hospital to do more than the bare minimum.

 

51. Is There Another Way to Protest a Privacy Violation?

We think that the first step should always be to complain directly to the covered entity that did something you think was wrong. Each covered entity has a privacy officer, and the name, address, and telephone number of the privacy officer should be included in the notice of privacy practices. Everyone makes mistakes, and everyone deserves the chance to make things right. It is also important for covered entities to know that people pay attention to privacy and that people care when privacy violations occur.

If the covered entity does not satisfy you, then you can look elsewhere. We don't think that every minor violation should become a federal case. Consider complaining locally about any violation. You get to make the choice. Remember too that filing a complaint may bring more attention to you and to your health record. You may want to be guarded about how much of your personal medical information you include in the complaint. In other words, the complaint process may further invade your privacy. You can ask that you name be masked or changed as part of the complaint, and some authorities may be willing to do so.

Here are some ideas if you want to pursue your complaint.

  • Complain to the Secretary as described above. We can't tell you that it will help, but it could, it is easy to do, and it costs nothing.
  • If you do complain to the Secretary, consider sending a copy of your complaint to your congressman or Senators. Ask them to write to the Secretary and report back about what happens to the complaint. When an elected official writes to an agency on behalf of a constituent, the constituent's file gets a pink slip and faster attention. The downside may be sharing your personal information more widely.
  • You might be able to complain to a state official. Every state has a health department and an insurance department. If your complaint is about a health care provider, complain to the health department. If the complaint is about an insurer, complain to the insurance department.
  • Health care providers hold licenses from state boards. If the violation is serious, see if the state licensing board accepts public complaints.
  • If your problem is newsworthy and you are willing to make it public, you might look for a local reporter who covers health issues and who may be interested in your story. Remember that going public may just make the privacy violation worse, but it may get better results.
  • Use the Web. You may find websites where you can post your story and the basics of your complaint.
  • Tell your friends and neighbors. A national insurance company may not care what you say. However, local providers and local hospitals care a lot. A bad reputation can result in the loss of clients and revenues.
  • HIPAA does not provide patients with the right to sue covered entities. However, other law may allow you to sue. If the courts recognize that HIPAA establishes a standard of care, then it may be possible to sue for breach of contract, malpractice, violation of standards of professional conduct, or on other grounds. Lawsuits are not fun, and they can be expensive. Finding a lawyer willing to take a privacy case can be hard. Obtaining damages can be highly uncertain. Lawsuits are remedies to be pursued only for major problems.

 

G. Questions About the Right to Request Restrictions on Uses and Disclosures

 

52. What is the Right to Request Restrictions on Uses and Disclosures?

The right to request restrictions is the least meaningful of the seven HIPAA patient rights. A covered entity must allow a patient to request a restriction on the uses or disclosures of the patient's information to carry out treatment, payment, or health care operations. A patient can also ask for a restriction on disclosures to a family member, relative, or close personal friend.

You can read later in this document about the scope of permissible uses and disclosures for treatment, payment, and health care operations. (See FAQs 56 & 57.) No covered entity needs your consent to make disclosures for those purposes. Health care operations is a particularly broad term that includes many activities that are in the interest of the covered entity and not necessarily in the interest of the patient.

 

53. Why is the Right to Request Restrictions Almost Meaningless?

The rule does not require a covered entity to agree to a restriction requested by a patient. The covered entity does not have to agree even if the patient's request is reasonable. Contrast this provision with the right to request confidential communication. A covered entity must agree to a reasonable request for confidential communication. However, if you ask for a restriction on use or disclosure, the covered entity does not have to agree, does not have to state a reason for denying a request, and does not have to even respond to your request. Because it is a patient right without a corresponding obligation on the part of a covered entity, we conclude that the right is almost meaningless.

It gets worse. The rule expressly provides that some restrictions that an institution might agree to are not effective. These are uses or disclosures that are permitted for facility directories (separate rules govern facility directories), to the Department for oversight of the rule, or for any of the scores of other permissible disclosures allowed under the law. Thus, if an institution agrees to your request not to make a discretionary disclosure to the CIA, that agreement is not effective under the rule. Luckily for patients, the lack of effectiveness of the limit on disclosure may also be meaningless. It just means that the Department won't take enforcement action for a violation. That's not a big deal right now since the Department has shown no appetite for enforcing the rule. The patient may still be able to enforce an agreement through a complaint about professional misconduct or through a legal action for breach of contract. This is all rather hypothetical because it will be hard to convince any covered entity to agree to your request in the first place.

RULE OF THUMB:

It is highly unlikely that any large institution will agree to any restriction on use or disclosure. It is conceivable that you might get a small provider – e.g., a psychiatrist in a solo practice – to agree with your request. A bigger institution – especially one with a staff of lawyers – will probably never agree. Don't waste your time.

 

54. Is the Right to Limit Disclosures to Relatives and Friends Meaningless Too?

There is a bit of hope if you want a provider to agree to limit disclosures to relatives and friends. If you tell your doctor or nurse not to talk to a relative, that provider is likely to comply regardless of the rule. The rule doesn't make those disclosures mandatory. It does, however, make it harder for a patient to obtain or enforce an agreement.

If, for example, you ask your provider not to disclose your diagnosis to your children, the rule requires the provider to document the request. Since formal documentation is not likely to be done for casual requests, any agreement will be unenforceable under the rule. Further, the required formality of the rule allows providers to insist that patients make requests in writing, and most will demand a letter. If you are a patient in a hospital about to receive a visit from a relative, how can you possibly make a written request and get a timely agreement from the hospital?

Even if you do make a written request, the rule doesn't require any response to your request or any response in a reasonable period. If you are prepared enough to present a formal request at the start of your hospitalization, the hospital could take 30 days or more before it agreed. Your hospitalization will likely have ended well before any response, if you even get a response.

Luckily, while the rule makes these requests to limit disclosure mostly meaningless, the human element that still exists in the health care system may supply what the rule does not. If you make a personal request to your provider, that provider will likely abide by your wishes regardless of the rule and its required formality. Your request may not be legally enforceable under the HIPAA rule, but enforcement may not be important.

We don't see much of a reason to bother with formal requests for use and disclosure restrictions. If you read many notices of privacy practices, you will find that covered entities say that they won't agree to most requests. That is a polite way of saying that they won't agree to any requests.

If you want to control disclosures to family members or friends, the formal process under the rule isn't likely to help you at all. Make your requests orally and informally to your providers, just the same way that patients have always done. Hope for the best. The HIPAA rule does nothing for you.

SIDEBAR:

If you are a movie star, politician, other celebrity, or hospital executive, most hospitals will usually fall all over themselves to protect your privacy. They may admit you under a fake name, take other special actions to limit access to and disclosure of your data, and may even agree to your special requests for confidentiality that far exceed legal requirements. Ordinary people are likely to get only basic HIPAA rights. If you seek to exercise the right to request restrictions on uses and disclosures, you will almost certainly get little to no help in most cases.

Jump to list of FAQs 1-65 | See all of Part 1