Making Sense of New Healthcare Privacy Rules

by Mary E. Alexander

If you’ve seen a doctor or pharmacist lately, you probably were given something in addition to medical advice or a prescription – a detailed brochure about health information privacy. A similar notice should have come in the mail from your health plan or insurance company.

These notices – which outline your privacy rights and explain how your health information will be used – are required under a federal law that took effect on April 14, 2003. The law is the Health Insurance Portability and Accountability Act, also known as HIPAA.

Consumer advocates say that although they hoped HIPAA would be stronger than it turned out to be, it does give Americans significant new privacy protections. But consumers need to understand the law to use it, they say.

“In order to protect your personal medical records, you need to know what protections and rights you have and what you can do if you believe they have been violated,” says the Health Privacy Project, a non-profit group in Washington, D.C.

Here are some of the key rules in HIPAA:

Health care providers and health plans must notify you in writing of your privacy rights and how they intend to use and disclose your health information.

You have a right to see, copy and supplement your own medical records. Once you make a request, copies of your records must be supplied within 30 days. You can be charged a reasonable copying fee.

Health care providers and others that collect, share and store your health information must have safeguards in place to protect your information.

Health care providers are barred from disclosing your health information to your employer in a way that you can be identified.

You can prevent a hospital from releasing your name and health status to the public when you are an in-patient, and you can limit what information is shared with your family during your stay.

There also are several myths about HIPAA that have been circulating. One is that the law prohibits doctors from communicating with patients by e-mail. That’s just not true, according to the Health Privacy Project.

Another myth is that HIPAA prevents family members and friends from picking up prescriptions for someone else at a pharmacy. In fact, the law specifically allows that practice to continue, says the Federal Citizen Information Center (FCIC) of the U.S. General Services Administration.

If you believe your privacy rights have been violated, you have several options, the Health Privacy Project says. HIPAA requires all health-care providers and plans to appoint a “privacy officer.” You can contact that person to try to resolve the problem.

HIPAA also allows you to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights, which can impose criminal or civil penalties. You must file within 180 days of the incident.

State officials also may be able to help, including your state’s attorney general, your state insurance commissioner, or a state medical board. Some states have health privacy laws that are stronger than HIPAA, and those will remain in effect.