When you visit a doctor, you may wonder how your personal information will be used. Can your employer find out you're being treated for depression? Will your health insurer be told that diabetes runs in your family?
In this age of electronic health records, it's natural to be concerned about privacy. But laws have been put in place to protect you. The most important of these is Title II of the federal Health Insurance Portability and Accountability Act (HIPAA).
HIPAA is a federal law that governs how your health information is stored and handled. The law was passed in 1996, and the privacy and security rules issued under it now place tight controls on medical recordkeeping. HIPAA sets rules on who can view your records, what they may do with them, and what steps must be taken to protect them.
How does HIPAA work?
One of the purposes of the law is to protect your privacy. HIPAA's Privacy Rule requires health care professionals and health insurers to keep your records confidential, and it limits how they may view, use and share your health information. Without your written authorization, any use or disclosure must be tied to your treatment, to payment for your care, to running the practice or health plan, or to a narrow set of public-interest purposes spelled out in the rule. For example, health care professionals might view or use your health information if necessary to:
• Provide treatment or continuity of care
• Bill an insurance company
• Communicate with relatives (with your consent)
• Track and record public health concerns, such as a flu outbreak
• Report incidents to law enforcement, such as a gunshot wound or child abuse
Within a clinic or insurer, only staff with a job-related reason may view your health information, and only as much of it as the task requires.
Sharing your health information outside the clinic or insurer is limited in the same way. Unless you sign a written authorization, health care professionals and health insurers cannot:
• Disclose your health history to an employer
• Share your information with a creditor or lender
• Sell your information to marketers or advertisers
• Allow family or friends to view your information without your consent
The law protects your privacy in other ways. HIPAA's Security Rule requires active safeguards whenever your records are handled. Clinics that keep electronic records must control who can log in to them, typically through individual user accounts and passwords, and must keep a record of who has accessed a file. Paper files must be stored securely when they are not in use. Finally, everyone who works with medical records must be trained in proper handling and storage methods.
What information is protected?
The law protects almost all aspects of your health history kept by your health care professional or health insurer. This includes:
• Anything entered into your medical records
• Any conversation with a professional caregiver
• Any records kept by your health insurer
• Any billing records kept at your clinic
• Personal identifiers, such as your name or address
Apart from treatment, payment and the other permitted purposes described above, caregivers and insurers must first get your written authorization before they can share your information.
Are there any circumstances in which my personal health information is not protected by HIPAA?
HIPAA only applies to certain health care professionals, health insurers and their employees and administrators, together with the contractors that handle records on their behalf. HIPAA does not protect the health information you decide to share with:
• Law enforcement officials
• School teachers or staff
• Municipal employees
• A life insurance representative
• A bank official
• A creditor
• An employer
You should be very careful when you share medical information outside these settings, because what you tell the people listed above is not protected by HIPAA. You may want to keep conversations about your health limited to the doctor's office.
Created on 02/09/2010
Updated on 07/02/2013