HIPAA Privacy Rule

In addition to the basic HIPAA provisions established in 1996, the Department of Health and Human Services issued the Standards for Privacy of Individually Identifiable Health Information (more commonly referred to as the “Privacy Rule”).

The Privacy Rule established regulations that govern the use and disclosure of a patient’s medical records and personal health information. It requires that certain medical providers “take reasonable steps to limit the use or disclosure of, and requests for personal health information to the minimum necessary to accomplish the intended purpose.” Most elements of the privacy rule went into effect on April 14, 2003. However, smaller health organizations may have until April 14, 2004, and several changes and/or clarifications to these regulations are expected in the future.

As with all of the information provided by DignityResources.com, the following material is written in plain English in order to make it easy to understand. This material is intended as a summary and overview. It is not intended to be a legal representation of this material. For specific, legal guidelines or to file a complaint against a medical provider regarding a suspected HIPAA violation, we recommend contacting an attorney or the Secretary of the Department of Health and Human Services.

Who does the Privacy Rule apply to?

There are three types of “covered entities” described by the privacy rule:

The official definition of a “covered entity” refers to “1) a health plan; 2) a health care clearinghouse; and 3) a healthcare provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA.”

Please Note: If a doctor is authorized by you to release information to a third party (like a family member, friend, or clergy member), these third parties are not regulated by the Privacy Rule. If you want to keep your medical information private, you should be careful who you authorize to receive it.

When are medical providers allowed to release information without the patient’s consent under the Privacy Rule?

HIPAA allows health care providers to use and disclose medical information without your consent:

Under the privacy rule, most other uses of your medical information would require your written consent. Medical providers have an obligation to make a “good faith” attempt to obtain their patients written acknowledgement of their privacy practices and obtain signatures for any releases the patient would like to authorize.

The Privacy Rule and Your Medical Records:

The recent additions to HIPAA provide patients with certain rights regarding their personal information. These include:

Under the Privacy Rule, you have the right to ask medical providers to limit, add to, and change your medical records as long as your requests are reasonable and can be verified. You can also ask for a list of people or organizations that received a copy of your medical information (after April 14, 2003) assuming the information was not distributed in order to provide for your care, support the payment of your medical bills, or part of standard hospital business.

The Privacy Rule and Hospital Directories:

Most hospitals maintain a directory of patients currently admitted to their facility. These directories typically include only the patient’s name, location within the hospital or room number, the patient’s general condition (for example “good”, “fair”, “critical”, “treated and released”, or “deceased”), and religious affiliation. If you are included in the hospital directory, any of this information is generally available to anyone who asks for you by name. Under the Privacy Rule, every patient has the right not to be included in this directory. This is the best way to insure your privacy.

However, if you are not listed in the hospital directory your information is not available to anyone other than your treating physicians and hospital staff. This means that the information may not be available to your spouse, family, or friends. It also means that flower deliveries or visitation by clergy may be difficult or impossible. You should take these factors into account before you decline being listed in the hospital directory.

How does the Privacy Rule Apply to My Financial Options?

While the amount and eligibility for most financial options are not affected, under the current HIPAA Privacy Rule patients will need to sign releases for any product or service that requires medical underwriting and/or review of personal medical records. In particular, authorizations to release medical records will be required for the following transactions:

Because reverse mortgages are based solely on the homeowner’s age and the value of the property, no HIPAA releases should be required. However, reverse mortgages are only available to people who are 62-years or older.