Your Rights Under the HIPAA Privacy Rule

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and New York laws give you rights to your medical records. The HIPAA Privacy Rule establishes standards that apply to records held by health care providers across the nation, and New York law sets standards for records maintained by health care providers within the state. Health care providders in New York must follow both the HIPAA Privacy Rule and New York law.

HIPAA is intended not only to protect your medical information from unwarranted disclosure, but also to protect your rights as a patient. Here's how you can exercise those rights:

Conditions: If you are a patient in a hospital, people who call to obtain a condition report will be given a one or two word summary, such as "serious" or "critical". If you don't want that summary given, you have the right to request non-disclosure.

Observers: If you are being examined by a physician and your treatment is being observed by others who aren't participating in your care, such as sales representatives, consultants, or office administrators, you can ask them to leave the room.

Forms: Read carefully any privacy forms you are asked to sign. Some forms that at first appear only to be an acknowledgment of your rights also provide authorization for sharing of information for marketing purposes, which is allowed under HIPAA. You should not be required to sign any disclosure-consent forms as a condition of treatment.

Surveys: Customer-satisfaction survey are given to patient by many clinics and hospital. You are not required to complete them, but they can help providers improve patient care. Be wary of questions about your age, income level, buying habits, and ZIP code. They're more likely to be used for marketing purposes.

Policies: You should obtain copies of your care provider's "notice of privacy practices" and the name and phone number of the provider's privacy officer.

Database: You can access some of your medical information at no charge each year from the Medical Information Bureau.

Your medical records  may be disclosed without asking or even notifying you. Hospitals will hand over information regarding your treatment to other doctors, and they will readily share those details with insurance companies for payment purposes. Roughly millions of entities that are loosely involved in the health care system have access to your health care information.

The Medical Information Bureau (MIB) is a cental database of medical information shared by insurance companies. Approximately 15 million Americans and Canadians are on file in the MIB's computers. Insurance companies report information to the MIB, such as codes for specific medical conditions and lifestyle choices, i.e. hypertension, asthma, diabetes, or depression.

The MIB does not have a file on everyone. But if you have a MIB file, you will want to be sure it's correct. You can obtain a copy for free once a year by calling (866)692-6901 or by visiting the MIB's website, www.mib.com.  You can also contact the MIB at the Medical Information Bureau, P.O. Box 105, Essex Station, Boston, Massachusetts 02112, or by sending an email to infoline@mib.com.

Disclosures: If you suspect your medical records have been improperly shared, you can ask providers for an accounting of all disclosures. Under HIPAA, you have the right to receive an accounting of disclosures that a "covered entity", i.e., physician or hospital, make of your medical records is the six-year period preceding the date on which the accounting is requested.

Enforcing HIPAA: Civil enforcement of HIPAA, which can lead to fines, is left to the Office of Civil Rights within the U.S. Department of Health and Human Services. Criminal enforcement, which can include fines and prison terms, is handled by the U.S. Department of Justice.

Case: Of 38,000 HIPAA complaints made across the nation in the past five years, the Office for Civil Rights has referred 437 cases to the Department of Justice for criminal prosecution.

Outcome: Nationally, fewer than a half-dozen cases have been prosecuted. No civil fines have been imposed, but one case recently led to a $100,000 settlement. So far, prosecutors have focused almost exclusively on the few people who have gained access to patient information with the intent of selling it or using it as part of some other crime, such as identity theft. Health care workers who have obtained medical information improperly and then shared it, free of charge with friends and neighbors, have not been prosecuted.