Patient’s Guide to HIPAA – Basic Rights: What Are the Most Important Parts of the Notice?
You are reading the Patient’s Guide to HIPAA, FAQ 17.
FAQ 17: What Are the Most Important Parts of the Notice?
Almost any health privacy notice will tell you something that you probably didn’t know. For example, a notice is supposed to include examples of the uses and disclosures that a covered entity can make. These examples will likely be both enlightening and disturbing. The basic list of uses and disclosures is long to begin with, and that may be upsetting if you’ve never read about them before.
Most notices are quite similar because you have the same rights everywhere the rule applies. If you read one notice, you’ve generally read them all. However, there may be some variations here and there between notices from health care providers and notices from insurers. Differences in state law may result in different notices from covered entities in different states.
When you want to exercise your rights at a particular covered entity, the local procedures described in the notice are likely to be different in each notice. That’s when reading the notice may matter a lot. Each notice should describe the covered entity’s procedures for exercising patient rights. Make sure you follow any specified procedures. Otherwise, here are some notable features to look for:
• If the notice is for a hospital or other large institution, read the description of which institutions and providers are covered. We have a notice for a hospital that says that more than a dozen different institutions in three states are part of the same institution. That means that patient information can be readily shared among all the affiliated organizations without your consent. That ability to share records widely may not be unusual, and it should not always be troubling. Further, being able to obtain care at related institutions may be a good thing. Consider, however, if your cousin works in a health care facility in a nearby state. You may not realize that facility is connected to the health care provider that you see regularly. You might not be happy knowing that your cousin may have access to your record. It may or may not be lawful for your cousin to do so, but the possibility may be unnerving.
• A hospital can use your records in a limited way for fundraising. You have the right to tell the hospital not to use your records for fundraising. If you say nothing, then use of your records for fundraising is permissible. A 2013 change requires a covered entity to include in each fundraising communication a clear and conspicuous opportunity to opt out of future fundraising communications. Exercising this opt-out right may not be of critical importance, but it helps everyone if some people exercise opt-out rights when they exist.
• Find the national security disclosure provision. A covered entity can disclose your records for just about any national security purpose. The rule does not require a warrant, court order, subpoena, or any procedure prior to the disclosure. We point this out because it is perhaps the most privacy-invasive of the HIPAA disclosure provisions. You are also invited to look for other broad and objectionable disclosure provisions in the notice. Don’t blame the hospital or doctor. The rule allows these disclosures to be made, and privacy notices usually reserve the right for a covered entity to make allowable disclosures. However, the disclosures are not necessarily mandatory. In other words, a doctor can disclose your record to the CIA, but the doctor can usually say no.
• Look for the provision that says a covered entity can change the notice at any time and with retroactive effect. This isn’t quite as bad as it looks because HIPAA limits the ability of a covered entity to change the policy. The covered entity must comply with HIPAA, and it cannot change the notice and take away your rights. However, if HHS changes HIPAA or if Congress passes new laws, then your rights can expand, diminish, or disappear. Most privacy policies elsewhere (such as on commercial websites like search engines or clothing retailers) are not based on formal legal requirements and are changeable at the discretion of the record keeper. Changes are not always bad, but it is okay to be a bit suspicious.
• Find the right to request alternate methods of communications. This right may be important to you, and the notice tells you how to exercise this right. We explain this right in full later. (See FAQs 25-28.)
• At the end of the notice is where you will probably find contact information for the covered entity’s privacy officer. If you have any questions or want to exercise your rights, the privacy officer for the covered entity is probably the first person to contact.