What is HIPAA and what is its purpose?
When you go to see a health care provider, it’s necessary to share important personal health information – and it’s important for that provider to protect that information. This is covered by a federal law called the Health Insurance Portability and Accountability Act, more commonly known as HIPAA.
What are my rights under HIPAA?
Your protected health information, commonly called PHI, is “anything that can be used to identify you as a patient,” said Jessica Gavia, executive director of patient satisfaction at University Health. “You have the right to designate who can receive your information.”
“You have the right to designate that with your signature, and then you always have the right to remove those permissions as well,” Gavia said.
Exceptions include treatment, payment and health care operations and certain public health operations. Health care providers are required to have processes to inform patients of their rights and get their signed consent.
“There's a process for making sure that the right person is getting the information and that it's been authorized by you,” Gavia said.
What happens if my rights are violated?
If you believe your personal health information has been wrongly shared and your privacy rights have been violated, there is also a process for reporting that.
Gavia recommends contacting the organization as a first step.
“The best thing to do is to contact the organization that you believe released your information and talk with their compliance department,” she said. “What happens is that they'll investigate it to see whether or not they can validate that it was shared.”
Other options include reporting it to state officials, or to the U.S. Dept. of Health and Human Services.
Sometimes the organization discovers that there has been an information breach, and there are processes for that, too.
“When that happens, they still go through the process of investigating,” Gavia said. “If they can validate that it was in fact released without your permission … they're required to notify you and make sure that you're aware of exactly what information was shared and with whom.”
What is not considered HIPAA?
Your name – “Your name alone isn't considered HIPAA, because just sharing your name doesn't necessarily mean that you were seen here as a patient.”
Your vaccine status – “They don’t have to release that information, but not because it’s HIPAA.”
If an airline, for instance, requires proof of vaccination, and the passenger refuses to share that information, the airline is within its rights to refuse to let that passenger get on the plane, Gavia said.
“It's not to say that you absolutely have to (share the information), but you might not be able to travel or seek employment in certain places without providing that information.”