The U.S. Department of Health and Human Services (HHS) released the long-anticipated Omnibus HIPAA final rule, which contains regulations implementing the Health Information Technology for Economic and Clinical Health Act (HITECH Act), the Genetic Information Nondiscrimination Act of 2008 (GINA), and the Health Insurance Portability and Accountability Act (HIPAA). This HIPAA page contains summary information and links to the specific federal laws, rules, and regulations.
Providers should consult their legal counsel for direction. The full text of the rule is available in the Federal Register.
New Frequently Asked Questions (FAQs)
1. My employer has contracted with an insurance company to provide us our insurance coverage. How much of my health information is being shared with my employer?
Not much information can be shared, and what is shared must be used only for purposes related to administering the benefit or advocating on your behalf; it cannot be used by the employer for any other purpose.
More specifically, the employer is entitled to learn whether an employee is participating in the group health plan or is enrolled or dis-enrolled. Typically this is necessary to capture the employer's share of the cost and deduct the employee's share. Also, a health insurer is allowed to share summary health information with an employer for the purpose of obtaining other bids for insurance or modifying, amending, or terminating the insurance, provided this information does not identify individuals.
With group health plans, your personal health information cannot be shared between the health insurer that is providing administrative services and your employer unless you have signed an authorization allowing this. Even if you allow the group health plan and employer to share some health information, it can only be used for purposes described in the group health plan, and your employer must safeguard the information by restricting access to it for these purposes. Furthermore, the employer is required to return or destroy the information when it is no longer needed. Lastly, any health information disclosed to the employer by the group health plan cannot be used or disclosed for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the employer.
2. I am being evaluated to determine if I have any physical or medical limitations on my ability to perform my job. Can my doctor share my medical information with my employer?
If the doctor who evaluated your injury or fitness to perform your job duties was paid by your employer to perform the evaluation, the answer is yes. But the doctor can only disclose information concerning your functional limitations, and no more information than your employer needs to know to make its determination. The doctor must keep confidential the unrelated medical information she obtains.
If your employer is seeking information from your regular doctor, and has not paid for an evaluation, your doctor can release your medical information to your employer only with a written authorization from you. The authorization would need to describe the information to be provided.
3. Do I have the right to see the medical records of my child who is under 18 years old?
Generally speaking, yes. A parent is recognized as a personal representative for their child and therefore has access to the medical records of his or her minor child, except in a few limited circumstances.
For emancipated minors, parental access is generally prohibited, or permitted only if, under state law, the parent has been given specific authority to make health care decisions for the emancipated minor, for example via a guardianship or court order.
All minors, including those living at home, are, at a certain age, authorized by law to consent to confidential medical care for certain very personal conditions without any notice to or consent from their parent or guardian. Examples include medical care related to pregnancy, birth control, mental health, and sexually transmitted disease, including AIDS. For those limited types of services, state law does not permit a parent to access the child's records. The minimum age at which a minor may consent to these services is typically 12 years, but it varies.
A provider can also deny a parent access to their child’s medical information if they have a reasonable belief that the child has been or may be subjected to domestic violence, abuse, or neglect by the parent; if allowing the parent to act as the personal representative could endanger the child; or if the provider, in using their professional judgment, determines that it is not in the best interests of the child to treat the parent as the personal representative.
4. Can a hospital share my medical information with law enforcement officials?
Yes, but only under very restrictive circumstances. State law restricts a hospital's sharing of medical records with law enforcement officials. Generally, a law enforcement official must obtain your consent, a search warrant, or a court order issued after a showing of good cause in order to obtain copies of your medical records.
Additionally, hospitals can share information about you when the law requires a hospital to report injuries or suspected abuse. A hospital will provide law enforcement with the information that is required, but no more than is required. Additionally, hospitals can orally release very general information, if asked, similar to any visitor at a hospital who can request where a patient is in the hospital and their general condition, so long as it does not disclose specific medical information.
5. My doctor sent my medical information to the insurance company. Can they do that?
Yes, both HIPAA and state law permit health care providers to share medical information with your health insurance company. However, there are limitations on the amount of information that can be shared and for what purposes, unless the insurance company has your authorization to obtain more information. Some of the permitted reasons for sharing are to enable the provider to receive payment for services rendered, to coordinate your care among entities that are covered under your insurance policy, and for quality control purposes. In all of these circumstances, the provider can provide only the information necessary to accomplish the purpose identified in the request for information.
Exceptions to this general rule are if you paid in full for the services or if the provider had previously agreed to a restriction on sharing your information.
6. Where can I get HIPAA training and/or certification?
There is no “official” HIPAA training or certification from any government agency. There are numerous private vendors that have developed their own training and certification programs, but none are officially endorsed by government agencies. Some covered entities have created internal HIPAA certification requirements which are met by completing their internal educational program.
To help covered entities understand the HIPAA regulations, the Office for Civil Rights (OCR) has developed information on its website, including summaries of the provisions, FAQs, and training materials. See: http://www.hhs.gov/ocr/privacy/
Additionally, the Office of the National Coordinator for Health Information Technology has developed policy briefs and recommendations, the Nationwide Privacy and Security Framework for Health Information, and toolkits for health information technology privacy and security. See: http://www.healthit.gov/
The California Office of Health Information Integrity has statutory authority and responsibility to provide leadership, policy formulation, coordination, and direction for HIPAA implementation relative to state entities. On the CalOHII website are policy memorandums, HIPAA assessment and compliance tools, and other information and resources on HIPAA provisions.
7. Can I get a copy of the medical records of a deceased family member from a provider?
It depends on your relationship with your deceased family member. A family member or a relative who was involved in the patient’s care or payment for health care prior to the patient’s death can request and receive those medical records relevant to the family member’s or relative’s involvement from a health care provider, unless doing so is inconsistent with wishes of the deceased family member.
Otherwise, the general rule is that these records can only be released to the person who has been authorized under state law as a legal representative of the deceased person. The legal representative can be a person such as the executor, administrator of the estate, or successor personal representative. The legal representative must be treated the same as the patient would have been for purposes of accessing their health information or providing the appropriate authorization for its disclosure. You may have to provide documentation verifying you are the legal representative and that you are legally authorized to obtain the medical records.
8. How can I file a HIPAA complaint?
If you suspect your rights under the HIPAA Privacy Rule have been violated, you may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which is primarily responsible for enforcing HIPAA. You may file a complaint using the OCR Health Information Privacy Complaint Package or by submitting a complaint via mail or fax to the California regional office:
Office for Civil Rights
U.S. Department of Health and Human Services
90 7th Street, Suite 4-100
San Francisco, CA 94103
Phone: (415) 437-8310
Fax: (415) 437-8329
Please refer to the OCR website for more information and specific instructions for submitting a complaint. http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html
9. How can I get a copy of my medical records from my healthcare provider?
To obtain a copy of your medical records from a health care provider, you generally need to submit a written request. Both the HIPAA Privacy Rule and state law provide that you have the right to ask to see and obtain a copy of your records. Usually, you can get access to your records held by a health care provider within 5 days, and a copy must be provided to you within 15 days. Under both state law and HIPAA, providers can withhold some of your medical information from you, but only under very limited circumstances.
Your provider may charge a reasonable fee to cover the cost of copying and mailing. State law permits an individual to obtain a copy, at no charge, of the relevant portion of their patient records if the information is needed to support an appeal regarding eligibility for the Medi-Cal program, social security disability insurance benefits, and Supplemental Security Income/State Supplementary Program for the Aged, Blind and Disabled (SSI/SSP) benefits.
10. My employer wants my medical records from my doctor. Can they get my records?
Yes, in certain limited circumstances. Generally, both state law and the HIPAA Privacy Rule would require a written authorization signed by you to permit your doctor to release your information to your employer.
Examples of the special circumstances in which your authorization is not required are when the doctor is required by law to submit a report or documentation to your employer, or when your employer paid for the medical evaluation and the information is required to meet the employer's obligations under federal or state occupational health and safety requirements, investigations of work-related deaths and injuries, or its responsibilities for workplace medical surveillance. Even though your employer arranged and paid for the medical examination, the doctor must keep confidential the unrelated medical information she obtains.
In addition, employers may lawfully request you to provide certain health information for a work related reason or may ask you for a doctor’s note to document sick leave or an extended leave of absence. If your employer were to ask your doctor to release this information, the doctor would not do so without an authorization.