
What is this topic about?

You have privacy rights under a federal law that protects your health information. These rights are important for you to know. You can exercise these rights, ask questions about them, and file a complaint if you think your rights are being denied or your health information isn't being protected.

This section is about that federal law, called the Health Insurance Portability and Accountability Act, or HIPAA. It includes what kind of information is protected by HIPAA and under what conditions your private health information can be shared.

Most of the information in this section was created by the Department of Health and Human Services. It is available in the pamphlet "Your Health Information Privacy Rights".


What is HIPAA?

The Health Insurance Portability and Accountability Act is a federal law that gives national standards for keeping health information private. It is commonly referred to by its acronym, HIPAA.

HIPAA prevents healthcare providers, most health insurance plans, and other healthcare agencies from disclosing your personal health information without your written permission. Health information protected by HIPAA is:

  • Anything in your medical record
  • Conversations your medical providers have about your care or treatment (for example, conversations your doctor may have with his nurse about your care)
  • Information about you in your health insurer's computer system
  • Your medical billing information
  • Most other health information about you held by anyone involved in the healthcare system

Who must follow HIPAA?

  • Most doctors, nurses, pharmacies, hospitals, clinics, nursing homes, and many other health care providers
  • Health insurance companies, HMOs, most employer group health plans
  • Certain government programs that pay for health care, such as Medicare and Medicaid

How can I receive a notice about my privacy under HIPAA?

You can learn how your health information is used and shared by your provider or health insurer. They must give you a notice that tells you how they may use and share your health information and how you can exercise your rights. In most cases, you should get this notice on your first visit to a provider or in the mail from your health insurer, and you can ask for a copy at any time.

You may have other health information rights under your state's laws. When these laws affect how your health information can be used or shared, that should be made clear in the notice you receive.


Can I see my health records?

You can ask to see and get a copy of your medical record and other health information. You may not be able to get all of your information in a few special cases. For example, if your doctor decides something in your file might endanger you or someone else, the doctor may not have to give this information to you.

In most cases, your copies must be given to you within 30 days, but this can be extended for another 30 days if you are given a reason.

You may have to pay for the cost of copying and mailing if you request copies and mailing.


Can I have corrections made to my health records?

You can ask to change any wrong information in your file or add information to your file if it is incomplete. For example, if you and your hospital agree that your file has the wrong result for a test, the hospital must change it. Even if the hospital believes the test result is correct, you still have the right to have your disagreement noted in your file.

In most cases the file should be changed within 60 days, but the hospital can take an extra 30 days if you are given a reason.


Who gets to know about my health information?

Your healthcare providers and their staff can share your health information with each other, as well as with insurance companies and others involved in healthcare billing.

In general, your health information cannot be given to your employer, used or shared for things like sales calls or advertising, or used or shared for many other purposes unless you give your permission by signing an authorization form. This authorization form must tell you who will get your information and what your information will be used for.


What if I want to share my health information with someone?

HIPAA only prevents unauthorized sharing of your health information. You can give your permission in writing that some or all of your health information can be shared with someone else, usually called a third party. Ask your healthcare provider to give you a form to do this. This document authorizes your medical provider to share your medical information with a third party of your choosing.

It is important that your medical information only be shared with the people you intend to share it with. Before you sign a form to release your medical records it is important to make sure the form does the following:

  • Says how much will be shared - You can share your complete record, just one section or information related to a specific medical problem.
  • How often can the information be shared - Will the information be shared once or will information be shared on an ongoing basis? If the information is going to be provided on an ongoing basis then there should be a date when the authorization expires and must be renewed.
  • Who will receive the information - This is the person or provider you are sharing the information with (the third party). This should include the person or provider's name, address and telephone number.
  • How will it be shared - There should be a place where you indicate how your records will be sent to the third party. In most cases it should be provided by mail or hand delivery rather than faxed to avoid the information being seen by anyone else.

Is there a way to know how my health information has been shared?

Under the law, your health information may be used and shared for particular reasons, like making sure doctors give good care, making sure nursing homes are clean and safe, reporting when the flu is in your area, or making required reports to the police, such as reporting gunshot wounds. In many cases, you can ask for and get a list of who your health information has been shared with for these reasons.

You can get this report for free once a year.

In most cases you should get the report within 60 days, but it can take an extra 30 days if you are given a reason.


How else can my private health information be protected?

Ask to be reached somewhere other than home

You can make reasonable requests to be contacted at different places or in a different way. For example, you can have the nurse call you at your office instead of your home, or send mail to you in an envelope instead of on a postcard. If sending information to you at home might put you in danger, your health insurer must talk, call, or write to you where you ask and in the way you ask, if the request is reasonable.

Ask that your information not be shared

You can ask your provider or health insurer not to share your health information with certain people, groups, or companies. For example, if you go to a clinic, you could ask the doctor not to share your medical record with other doctors or nurses in the clinic. However, they do not have to agree to do what you ask.


How do I file a complaint if I think my privacy has been violated?

If you believe your information was used or shared in a way that is not allowed under the privacy law, or if you were not able to exercise your rights, you can file a complaint with your provider or health insurer. The privacy notice you receive from them will tell you who to talk to and how to file a complaint. You can also file a complaint with the U.S. Government. More information on filing a complaint can be found on the Department of Health and Human Services (DHHS) web site, by emailing DHHS at OCRMail@hhs.gov, or by contacting the regional office closest to you.

Region 1 (CT, ME, MA, NH, RI, VT)
Voice Phone (800) 368-1019
FAX (617) 565-3809
TDD (800) 537-7697

Region 2 (NY, NJ, PR, VI)
Voice Phone (800) 368-1019
FAX (212) 264-3039
TDD (800) 537-7697

Region 3 (DE, Washington DC, MD, PA, VA, WV)
Voice Phone (800) 368-1019
FAX (215) 861-4431
TDD (800) 537-7697

Region 4 (AL, FL, GA, KY, MS, NC, SC, TN)
Voice Phone (800) 368-1019
FAX (404) 562-7881
TDD (800) 537-7697

Region 5 (IL, IN, MI, MN, OH, WI)
Voice Phone (800) 368-1019
FAX (312) 886-1807
TDD (800) 537-7697

Region 6 (AR, LA, NM, OK, TX)
Voice Phone (800) 368-1019
FAX (214) 767-0432
TDD (800) 537-7697

Region 7 (IW, KA, MO, NB)
Voice Phone (800) 368-1019
FAX (816) 426-3686
TDD (800) 537-7697

Region 8 (CO, MT, ND, SD, UT, WY)
Voice Phone (800) 368-1019
FAX (303) 844-2025
TDD (800) 537-7697

Region 9 (AS, AZ, CA, GU, HI, NV)
Voice Phone (800) 368-1019
FAX (415) 437-8329
TDD (800) 537-7697

Region 10 (AK, ID, OR, WA)
Voice Phone (800) 368-1019
FAX (206) 615-2297
TDD (800) 537-76


How do I get more information about HIPAA?

This is a brief summary of your rights and protections under the federal health information privacy law. You can ask your provider or health insurer questions about how your health information is used or shared and about your rights. You also can learn more, including how to file a complaint with the U.S. Government, at the website at www.hhs.gov/ocr/hipaa/.


If I disclose ASD to my healthcare providers, is it covered by HIPAA?

Yes. Your healthcare provider can only share your medical information, including your autism spectrum disorder diagnosis, with other health-related people or agencies for billing, insurance, and treatment purposes. Otherwise, your medical records and information, including your ASD diagnosis, must be kept private.


Summary

  • The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that provides national standards for the privacy of health information.
  • Because of HIPAA, healthcare providers, their staff, most insurance companies, and healthcare-related government programs cannot share your health information without your written permission. They are allowed to share it with other healthcare providers involved in your care; for example, a doctor can tell her nurse.
  • You have a right to request your own medical records and ask for corrections to them. You also have a right to receive a notice explaining how HIPAA affects you. You can request this information from your healthcare provider.
  • If you want to share your healthcare information with someone other than your provider (a third party) you can do so by giving written permission. Ask your provider for a release form.
  • If you think a healthcare provider has violated your privacy under HIPAA, you can file a formal complaint. The HIPAA web site gives information about how to do this.
  • Your ASD diagnosis is protected by HIPAA, just like all your other protected health information.

Links and Resources

To see the flyer most of this information was taken from, download HIPAA's consumer rights PDF.

For more information on HIPAA see:
