HIPAA Privacy Notices

With all the privacy notices flooding my email recently I thought it might be a good time to review the HIPAA Privacy Notice you sign for all your physician visits, hospital visits, and care with other providers.

What are you signing- and why?

More to the point- is the privacy of the information you give to any of your health care providers critical to you? Would you like to know more about what measures are in place to keep that data away from people who have no business accessing it?

A Bit on HIPAA: What & Why?

HIPAA [The Health Insurance Portability and Accountability Act] passed in 1996 during the Bill Clinton Administration but began to evolve under George H. W. Bush.

The law addresses many things (including fraud & abuse in medicine and the portability of insurance when a person leaves an employer) but is best known as the law that established federal privacy protections for patient information throughout the health care system. This is not to suggest that medical-related information wasn’t protected before 1996- far from it. Every state already had laws in place regarding medical records, sharing patient information, and personal privacy.

However, with the establishment of a “Paperless Health Care System” through the utilization of electronic health records* (a key focus of HIPAA) there was a decision that all state laws must meet a new federal minimum standard of protection, which any state could surpass through its legislative process. [For that reason, this Fontenotes will only address the federal law- to understand all your patient privacy rights you need to research what your state may have added to the HIPAA threshold.]

Requirements for Health Care Providers Under HIPAA

HIPAA applies to any health care provider in this country (physicians, dentists, hospitals, labs, physical therapists, pharmacies, etc.) as well as entities that provide health insurance, such as private insurance companies, employer health plans, military and VA plans, and government programs such as Medicare or Medicaid. (But for this Fontenotes we will only address the Provider requirements.)

All these entities must assure the privacy of your “Protected Health Information” [PHI], which includes:

  • your past, present or future physical or mental health or condition,
  • what care you have received or are receiving,
  • any identifying information related to the payment for that treatment (your name, address, Social Security number, birth date and seven other identifiers).

Privacy protections are mandatory not only for your data in digital format in an electronic health record- but also extend to any paper record about you. Orally transmitted information (such as consultations between physicians, phone calls you make to a doctor’s office, inquiries from that office to your insurance company, talking to your doctor in an exam room, etc.) also falls under the law.

In summary- any information any provider has about you- electronic, on paper or oral- is HIPAA protected.

To achieve that level of protection, HIPAA requires that all providers have thorough, written policies and procedures detailing exactly how they will meet the law’s mandate. Training, supervision, accountability, and reporting are also necessary for HIPAA compliance. [The requirements of HIPAA significantly increase the overhead of running a health care office or entity- especially when the office is for a solo physician or other health professional. For more on the impact of that escalation see Fontenotes No 6- “Where is my Doctor?”]

The HIPAA “Notice of Privacy Practices”

When your health care provider has done everything necessary to be compliant with HIPAA (and any relevant state law), they need to tell you what they have done to protect your PHI. (The “Notice” must also tell you about rights you have under HIPAA- but those four new rights will have to wait for another Fontenotes.)

To notify you of your protections (and rights), every provider must have a document with “clear, user-friendly” explanations to put you on notice of all the protections for your benefit- which is why it is called a “Notice of Privacy Practices.”

The “Notice” tells you how that office, hospital, lab, etc. is going to protect your information.

To be sure that you- the patient- get that Notice, the law requires that it be “posted” in any reception area or waiting room, that it be available in print if you request a copy, and that it be included on any website run by that provider.

What You Are Signing When You Get Medical Care

All of this is the background to that signature line every receptionist at every health care provider points to when you arrive to get any medical care. Sometimes your signature will still be on paper, but more frequently it is obtained digitally.

The final step in closing the compliance loop for the provider is proving they have done everything I just described. Your signature is that proof.

Which is why if you ever read the text before the signature line, it will say something along the lines of “I have been provided with a copy of the Notice of Privacy Practices.”

Which tempts me to leave you with a question you can consider the next time you are bored in a waiting room. Were you really provided with that Notice? Do you see it on the wall? Were you handed a copy?

More importantly, if the privacy of your most intimate information (let’s face it- that is what PHI is) is essential to you- if you want to know what means are in place to protect it- ask for a copy of that provider’s Notice. Their Notice of Privacy Practices exists for precisely that reason.

* electronic health records are “EHRs.” Back when HIPAA became law, they were called Electronic Medical Records [EMRs], but for our purposes, they are the same thing.

Want to Know More:

This was a very short summary of a very detailed and complex law. Here are useful resources if you want to know more:

For Patients & Families:

For Physicians and Other Providers: