What does HIPAA mean for your privacy?

Just like your financial and personal information, keeping your medical information private is vital. And in today's online world, that can be a challenge.

Get peace of mind with a comprehensive estate plan

Trustpilot stars
Edward A. Haman, J.D.

by Edward A. Haman, J.D.

Edward A. Haman is a freelance writer, who is the author of numerous self-help legal books. He has practiced law in H...

Read more...

Contents

Updated on: October 25, 2021 · 4 min read

Protecting your sensitive medical information is important. While it can be beneficial for your various medical care providers to quickly share your records over the internet, your medical information can also be used for marketing purposes and—just like information you might carelessly post on social media—it might even be accessed by hackers.

To provide some privacy protection for medical information, Congress passed HIPAA, which stands for the Health Insurance Portability and Accountability Act. But while HIPAA provides some privacy protection, it also has its limits.

mom taking son to the doctor

What Is HIPAA and What Is Its Purpose?

HIPAA is a federal law designed to protect a patient's sensitive information from being released without their consent.

So, what does HIPPA mean for your privacy? The short answer is that HIPAA helps protect your privacy, but it probably does not provide as much protection as you might think or as much as you would like.

To understand what HIPAA actually does, it's important to know what its two primary purposes are:

  1. To make it easier for people to obtain and maintain medical insurance, which includes being able to change health insurance plans as your employment situation changes. This is the "portability" part of the Act.
  2. To protect the privacy of patient information. This is the "accountability" part of the Act.

HIPAA Privacy Rules

HIPAA actually consists of two parts: the Act as enacted by Congress and numerous rules created by the U.S. Department of Health and Human Services (HHS) to implement the Act. Two of these rules that set forth privacy requirements are:

  • Standards for Privacy of Individually Identifiable Health Information. Known as the "Privacy Rule," it covers what is called "protected health information" (or PHI).
  • Security Standards for the Protection of Electronic Protected Health Information. Known as the "Security Rule," it has additional requirements for safeguarding PHI that is created, received, stored, or transmitted electronically.

Information that is considered PHI includes:

  • Hospital and physician records regarding your medical conditions and treatments.
  • Prescriptions.
  • Lab test results.
  • Billings and insurance claims.
  • Appointment histories.
  • Financial and personal information, such as your name, date of birth, age, address, phone number, email address, Social Security number, and insurance information.

HIPAA Covered Entities

HIPAA does not apply to everyone. It only applies to what the Act calls a "covered entity," which basically includes:

  • Health care providers.
  • Health plans. This includes Medicare and Medicaid.
  • Business associates of health care providers and plans. These provide billing, claims processing, or other services.

This leaves out many others who may obtain medical information about you and your family. Some examples of organizations that are not covered by HIPAA are life insurance companies, employers, school districts, law enforcement agencies, and many state and municipal agencies. Therefore, the medical information you disclose in your life insurance application, or medical information you give to your child's school, is not protected under HIPAA.

If you let your friend know that you have a particular medical condition, and that friend passes that information to someone else, there is no HIPAA violation because HIPAA does not apply to your friend.

Personal Health Information Disclosures

HIPAA rules set forth circumstances under which PHI can be disclosed by a covered entity. This can be broken down into two categories: disclosures that require your written permission and disclosures that can be made without your permission.

Disclosures Requiring Permission

Generally, patient permission for disclosure of PHI is required, unless the HIPAA Privacy Rule specifically permits disclosure without permission. This includes information:

  • To be used for marketing purposes.
  • Being disclosed in return for financial compensation.
  • Regarding psychotherapy and substance abuse treatment.
  • To be included in a hospital patient directory.
  • Disclosed to a friend or family member with authorization granted by a health care power of attorney or a HIPAA authorization form. This is often done as part of a comprehensive estate plan.

Disclosures Without Permission

Information may be disclosed without your permission if it's necessary for medical treatment, billing, and payment processing.

There are also some rather broad and generally-worded exceptions to the Privacy Rule, which allow government access, such as:

  • When required by law.
  • Public health activities, such as reporting disease outbreaks.
  • Judicial and administrative proceedings, such as court orders and subpoenas.
  • Law enforcement.
  • To prevent or lessen a serious threat to health or safety.
  • Essential government functions.

HIPAA Violations

If a covered entity violates HIPAA rules, it can incur civil fines and criminal penalties. Complaints regarding HIPAA violations are handled by the HHS Office for Civil Rights (OCR).

However, there has been criticism of OCR and the U.S. Department of Justice for failing to aggressively pursue violators.

How You Can Help Protect Your Privacy

Health care providers, medical insurers, and other covered entities typically make efforts to assure they are in compliance with HIPAA privacy rules. This includes training their employees on the rules. However, there are a few things you can do to enhance the privacy, and accuracy, of your medical information:

  • You have the right under HIPAA to see and obtain copies of your medical records. If you find inaccurate information, you have the right to have corrections added to your records.
  • Read privacy notices. These tell you how the covered entity will use and share your information. They will state when information may be disclosed without your permission and what your rights are to limit this sharing of information. Often, they also give you choices to limit or eliminate some of this sharing.
  • Opt out of fundraising and marketing communications.

It's important to understand the basic purpose of HIPAA, its privacy rules, and the limitations of those privacy rules. The HHS website can provide more information about your rights under HIPAA, as can the CDC website.

Find out more about Estate Planning Basics
Learn more
Twitter logoFacebook logoLinkedIn logoReddit logo
This article is for informational purposes. This content is not legal advice, it is the expression of the author and has not been evaluated by LegalZoom for accuracy or changes in the law.

You may also like

Last Wills

How to Write a Will: A Comprehensive Guide to Will Writing

Writing a will is one of the most important things you can do for yourself and for your loved ones, and it can be done in just minutes. Are you ready to get started?

July 21, 2024 · 11min read

Power of Attorney

What Is a Power of Attorney (POA)? A Comprehensive Guide

A power of attorney can give trusted individuals the power to make decisions on your behalf—but only in certain situations.

August 29, 2024 · 20min read

Starting Your LLC

How to Start an LLC in 7 Easy Steps (2025 Guide)

This is one of the best years ever to start an LLC, and you can create yours in only a few steps.

November 13, 2024 · 22min read