It is important to be aware that PHR
s that are not part of a provider’s electronic health record are not considered to be legal records, and therefore, are not HIPAA
The Health Insurance Portability and Accountability Act (HIPAA):
- Covers medical information in any format—written, spoken, or electronic
- Allows patient to view, request changes to, and obtain copies of health information documents
- Provides protections regarding how your information can be used
Under HIPAA, you likely received a Notice of Privacy Practices when you visited a new healthcare provider or pharmacy. You would have been asked to sign a statement saying you’ve been given the notice. This Notice details your privacy rights, how your information is used and disclosed, and explains who will have access to your information.
Your Rights Under HIPAA:
- Right to access, inspect, and copy health information
- Right to request correction or amend health information
- Right to request accounting of disclosures of health information—who has received it
Check out the AHIMA Consumer Health Information Bill of Rights
Who Owns your Health Information?
Your physical health record belongs to your healthcare provider, but the information in it belongs to you! Understanding what is in your health record helps you:
- Make sure it’s correct and complete
- Know what is being released when you authorize disclosure of information to others
- Provide an accurate health history to all healthcare providers who treat you
Who else has access to your health information?
The law says that anyone can see your health record that needs it in order to provide your treatment, to facilitate payment for healthcare services, and to make sure quality care is being received. Most healthcare organizations have quality assurance departments. People in these departments review patient information in order to monitor and improve the quality of care you receive. Your information may also be used for research and as a legal document in cases where evidence of care is needed. For the most part, anyone who wants to use it for any other purpose needs your permission first.
Hospitals can share information with family members without your authorization if you are unable to consent and a family member (such as spouse, parent, or child) is involved in providing your care. For example, your spouse or child may be involved in caring for you following a hospital stay (by helping you in and out of bed, to bathe, changing bandages, and similar activities). You can simplify things at the time you are admitted to the hospital (or nursing home) by specifying which family member you want to receive information about you.
If you believe your privacy rights have been violated, you should contact the Privacy Officer of the provider where you believe the violation occurred to try to resolve your concern. If you are unable to resolve your concern locally, you can file a formal complaint regarding the organization’s privacy practices directly to the organization, health plan, or to the Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR is charged with investigating complaints and enforcing the privacy regulation.
Complaints to the OCR must be filed in writing, either on paper or electronically; name the provider that violated your rights according to the privacy rule and what occurred. Complaints must be filed within 180 days of when you knew the act or omission occurred. Violations must have occurred on or after April 14, 2003, for the OCR to have any authority to investigate. For additional information on filing a complaint, visit the OCR Web site at www.hhs.gov/ocr/hipaa/.