The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the privacy of medical records. In general, the HIPAA Privacy Rule, found in Title II of the Act, requires written authorization from a patient (or the patient’s parent or legal guardian) before information may be released to an outside party. It also gives patients the right to look at or request a copy of their medical records, request a correction or change to information believed to be inaccurate or incomplete, and file a complaint with the United States Department of Health and Human Services Office for Civil Rights when privacy rules have been violated. If you request a copy of your medical records, the healthcare provider may charge for reasonable costs for copying and mailing the records, but it may not charge you a search or retrieval fee.
HIPAA applies to almost all healthcare providers, as well as health insurance companies and many other organizations that may come in contact with medical records in the regular course of business. However, it does not apply to employers, life insurance companies, workers’ compensation carriers, most schools and school districts, many state agencies (like child protective services), most law enforcement agencies, and many other municipal offices, which may have access to certain health information.
The Privacy Rule applies to all forms of an individual’s Protected Health Information (PHI), regardless of whether it is electronic, written, or oral. This includes information your healthcare providers put in your medical record, conversations your doctor has about your care or treatment with nurses and others, information about you in your health insurer’s computer system, and billing information. However, you do not have the right to access a provider’s psychotherapy notes, although the therapist, in most cases, may not disclose psychotherapy notes about you without your authorization. Psychotherapy notes are notes taken by a mental health professional during a conversation with the patient; they are kept separate from the patient’s medical and billing records.
When you sign up for a new health plan and when you first see a medical provider, you should be provided with a copy of the organization’s Notice of Privacy Practices. The document is usually handed to you, or it may be made available to you online. You should read the Notice to learn how your healthcare provider or insurer is allowed to use or share your health information, your privacy rights, how your health information will be protected, and whom to contact for more information about the privacy policies. You may be asked to sign an “acknowledgement of receipt” to show that you have been given a copy of the Notice.
There are some exceptions to the Privacy Rule, which allow a healthcare entity to:
- Use and share information with doctors, nurses, and others who are needed to treat you;
- Share information with health insurance companies for billing purposes;
- Use information to review quality of services;
- Share information with local health departments to report certain contagious diseases; and
- Share information with local authorities to prevent abuse or neglect or if the patient was a victim of a crime.
Additionally, your healthcare provider may share information with others (1) if you give permission for them to do so; (2) if you are present and do not object to sharing the information (for example, you bring a friend with you to the appointment); or (3) if you are not present, and the provider determines that it is in your best interest to do so (for example, you send a friend to pick up a prescription for you or you are unconscious and your family member needs information).
Even if you request that your medical information be shared with someone else, however, your healthcare provider is not required to share your information with anyone other than you or your personal representative. Who qualifies as a “personal representative” is usually controlled by state law, and may include someone with a healthcare power of attorney, a parent of a child under 18, or a legal guardian.
HIPAA and Minor Children
There are four primary exceptions to the general rule that a parent is the personal representative of a minor:
- The minor is emancipated (has a court order declaring him or her competent to make decisions for himself or herself and no longer in need of a guardian).
- State law allows the minor to consent to the healthcare service without the consent of a parent or guardian and the minor consents on his or her own (for example, with respect to treatment for substance abuse, sexually transmitted diseases, or pregnancy).
- A court authorized the medical treatment through a judicial bypass (for example, when a minor seeks an abortion without parental consent).
- The parent or guardian agreed to confidentiality between the healthcare provider and the minor.
In these instances, the minor child controls the release of the records related to the particular service, and the parent or guardian may not obtain the records without the child’s agreement.
HIPAA and Adult Children with Disabilities
Once a child turns 18 years of age, the parent is no longer the personal representative. If a parent believes that the adult child needs assistance with healthcare, the parent should ask the child to sign a healthcare power of attorney. This will usually ensure that the parent can stay involved in medical decisions for the adult child with a disability.