Know Your Privacy Rights: Get Hip with HIPAA

ABOUT HIPAA

HIPAA, the Health Insurance Portability & Accountability Act, was passed by Congress in 1996.

The main purpose of HIPAA

The purpose of HIPAA is to establish national standards to protect electronically processed health information. Under the rule, covered entities must have safeguards to protect your personal health information from unauthorized access. The HIPAA Privacy Rule also sets limits and conditions on how your health information can be used without your specific authorization; for example, to prevent the spread of an infectious disease.

Who is covered by HIPAA

HIPAA regulates so-called covered entities. A covered entity is an organization that provides direct health care to patients and transmits any personal health information electronically. Your health insurance company is also covered by HIPAA, as is any agency that serves as a clearinghouse for processing electronic information for a health service provider.

Violations can be costly

Health information flows to and from health plans, doctors, hospitals and health care providers. HIPAA regulates that flow with strict disclosure rules. Penalties for violating HIPAA rules are draconian, even if the violator is not directly responsible. In fact, the Federal Government has levied huge “settlement agreements” (millions of dollars in fines, really) on medical organizations for incidents ranging from lost laptop computers to hacked servers.


Under HIPAA, patients have the right to:

  • examine a copy of their health record and request corrections
  • ask for a copy of their electronic health record
  • demand that their health care provider refrain from sharing treatment information with a health insurance provider if the treatment was paid for in cash
  • refuse to grant permission to have their medical information sold for research and marketing projects

The HIPAA Privacy Rule gives the patient the right to inspect, review, and obtain their medical and billing records with the following stipulations:

1. Access

Only the patient or a designated representative has the right to see the record. A person who can make health care decisions through a health care power of attorney is an authorized representative. In the case of a deceased person, the personal representative is the executor or administrator of the deceased person’s estate.

2. Provider cannot use nonpayment as an excuse

A provider may not withhold a copy of a patient’s health records because the patient has not paid the medical bill. The provider may, however, charge research, retrieval, and document duplication fees.

3. Psychotherapy notes exempt

Access rules do not apply to a provider’s psychotherapy notes. Those are the notes that mental health specialists take during conversations with a patient. These notes are always kept separate from the patient’s billing and medical records. HIPAA does not, however, allow the provider to disclose psychotherapy notes without the patient’s or the patient’s representative’s authorization.

4. Record Corrections

You can request a correction to your medical or billing record if you think it is incorrect. The provider is required to respond, and, if the request is warranted, must make the amendment or change. In cases of disagreement, you have a right to insist that your statement be made a part of your medical record.


If the senior does not object, the HIPAA Privacy Rule permits medical personnel to share medical information with a person’s adult children, friends, or caregivers. The senior can also authorize family or caregivers to access medical records and to be present during a medical visit.

If senior patients cannot make their wishes clear, the HIPAA Privacy Rule allows the physician to determine what disclosures are in the best interests of the patient. Nevertheless, it is best that the senior put medical record access directives and authorizations in writing.


An assisted living facility is considered a covered entity if it transmits billing and personal health information electronically. As such, its employees cannot share medical information with other tenants without permission. Tenants, on the other hand, are not precluded from sharing information about their own medical status, on a community public bulletin board, for example.


A patient who believes a covered entity has violated or is not currently complying with a requirement of HIPAA can file a complaint with the Office for Civil Rights. The complaint can be filed online or in writing, and must be filed within 180 days of when the patient knew of the violation.


HIPAA protects patient privacy and gives patients access to their billing and medical records. The law places the onus on covered entities to provide safeguards that prevent unauthorized disclosure of personal health information. Penalties for violation are severe. You can report HIPAA violations either online or in writing.