By: Natalie L. Boehm, MBA, RBLP-T
What is HIPAA?
According to the Centers for Disease Control and Prevention, the Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
What rights does one have over their health information?
The U.S. Department of Health and Human Services states that patients have the following rights:
- Ask to see and get a copy of your health records
- Have corrections added to your health information
- Receive a notice that tells you how your health information may be used and shared
- Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing
- Request that a covered entity restrict how it uses or discloses your health information
- Get a report on when and why your health information was shared for certain purposes
Who is required to follow HIPAA?
The following individuals and organizations are subject to the Privacy Rule and are considered covered entities:
Healthcare Providers: All healthcare providers, regardless of the size of their practice, who electronically transmit health information in connection with certain transactions. Transactions include:
- Benefit eligibility inquiries
- Referral authorization requests
- Other transactions for which HHS has established standards under the HIPAA Transactions Rule.
Health Plans: Health Plans protected by HIPAA include:
- Health, dental, vision, and prescription drug insurers
- Health maintenance organizations (HMOs)
- Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers
- Long-term care insurers (excluding nursing home fixed-indemnity policies)
- Employer-sponsored group health plans
- Government- and church-sponsored health plans
- Multi-employer health plans
Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.
Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.
Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include:
- Claims processing
- Data analysis
- Utilization review
What do I do if I feel my HIPAA rights are being violated?
If you feel your rights are being denied or your health information is not being protected, you can take the following steps:
- File a complaint with your provider or health insurer (Grievance)
- File a complaint with the U.S. Department of Health and Human Services
To file a complaint with the U.S. Department of Health and Human Services, here are the steps you need to take:
- The complaint must be filed in writing by fax, email, or via the OCR Complaint Portal
- Name the covered entity or business associate involved, and describe the acts or omissions you believe violated the requirements of the Privacy, Security, and Breach Notification Rules
- The complaint must be filed within 180 days of when you knew the act or omission complained of occurred. OCR may extend the 180-day period if you can show "good cause"
(U.S. Department of Health & Human Services, 2023)
The Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. It is important to know what your HIPAA rights are, what information is protected, and what providers are required to follow to keep your information safe. If you feel any violations have taken place, take the required steps to report that provider and make sure your rights are respected.
Centers for Disease Control and Prevention (2022). Health Insurance Portability and Accountability Act of 1996 (HIPAA). CDC.gov. Retrieved from: https://www.cdc.gov/phlp/publications/topic/hipaa.html
U.S. Department of Health and Human Services (2023). How to File a Health Information Privacy or Security Complaint, Complaint Requirements. HHS.gov. Retrieved from: https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html
U.S. Department of Health and Human Services (2022). Your Rights Under HIPAA. HHS.gov. Retrieved from: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html