hipaa logo

Part 2: Basic Patient Rights (FAQ 17 of 65)

 

Right to a Notice of Privacy Practices

17. What Are the Most Important Parts of the Notice?

Almost any health privacy notice will probably tell you something that you didn't know. For example, a notice is supposed to include examples of the uses and disclosures that a covered entity can make. These examples will likely be both enlightening and disturbing. The basic list of uses and disclosures is long to begin with, and that may be upsetting if you've never read about them before.

Most notices are quite similar because you have the same rights everywhere the rule applies. If you read one notice, you have generally read them all. However, there may be some variations here and there between notices from health care providers and notices from insurers. Differences in state law may result in different notices from covered entities in different states.

When you want to exercise your rights at a particular covered entity, the local procedures are likely to vary. This is when reading the notice may matter a lot. Each notice should describe the covered entity's procedures for exercising patient rights. Make sure you follow any specified procedures. Otherwise, here are some notable features to look for:

  • If the notice is for a hospital or other institution, read the description of which institutions and providers are covered. We have a notice for a hospital that lists more than a dozen different institutions in three states as part of the same institution. That means that patient information can be readily shared among all the affiliated organizations without your consent. That ability to share records widely may not be unusual or should not always be troubling. Further, being able to obtain care at related institutions may be a good thing. Consider, however, if your cousin works in a health care facility in another state. You may not have realized that facility was connected to the health care provider that you see regularly. You might not be happy knowing that your cousin may be able to see your record. It's something to consider.
  • A hospital can use your records in a limited way for fundraising. You have the right to tell the hospital not to use your records for fundraising. If you say nothing, then use of your records for fundraising is permissible. Exercising this opt-out right may not be of critical importance, but it helps everyone if some people exercise opt-out rights when they exist.
  • Find the national security disclosure provision. A covered entity can disclose your records for just about any national security purpose. The rule does not require a warrant, court order, subpoena, or any procedure prior to the disclosure. We point this out because it is perhaps the most privacy invasive of the HIPAA disclosure provisions. You are also invited to look for other broad and objectionable disclosure provisions in the notice. Don't blame the hospital or doctor. The rule allows these disclosures to be made, and privacy notices usually reserve the right for a covered entity to make allowable disclosures. However, the disclosures are not necessarily mandatory. In other words, a doctor can disclose your record to the CIA, but the doctor can usually say no.
  • Look for the provision that says a covered entity can change the notice at any time and with retroactive effect. This isn't quite as bad as it looks because HIPAA limits the ability of a covered entity to change the policy. The covered entity must comply with HIPAA, and it cannot change the notice and take away your rights. However, if HHS changes HIPAA or if Congress passes new laws, then your rights can expand, diminish, or disappear. Most privacy policies, especially those not based on formal legal requirements, are changeable at the discretion of the record keeper. Changes are not always bad, but it is okay to be a bit suspicious.
  • Find the right to request alternate methods of communications. This right may be important to you, and the notice tells you how to exercise this right. We explain this right in full later. (See FAQs 25-28.)
  • Contact information for the covered entity's privacy officer is probably at the end of the notice. If you have any questions or want to exercise your rights, the privacy officer for the covered entity is probably the first person to contact.
SIDEBAR:

If you read the notice, you will likely come away with the feeling that your health records aren't really private. It's not an unreasonable conclusion. The notice describes many uses and disclosures that do not need your consent and that are permissible even over your express objection. We don't like it either. Still, we recognize that we have a complicated health care system, and there are many demands on health records for socially beneficial purposes. There is a legitimate policy justification for most of the disclosures permitted under HIPAA. Nevertheless, we think that some of the HIPAA standards for use and disclosure should be higher and that some of the procedures should create more barriers.

Sadly, we don't know any way to return to a health care system where only you and your doctor knew about your health and where no disclosures of your records were ever made without your approval. That system disappeared decades ago. We repeat again that we don't like it either. We do like it, however, when an insurance company pays for our treatment or Medicare pays our doctor bills. We like it when researchers find new treatments for diseases. We also like it that public health authorities can alert people about contagious diseases. Patients do benefit at times when their records are shared for appropriate purposes and with appropriate protections. We wish some of those protections were better.

In 1999, Maine implemented a health privacy law that required patient consent for many routine disclosures (e.g., to doctors, family members, hospital visitors). People hated the law so much that the legislature suspended the law within weeks after it took effect, and the consent requirements that upset people later disappeared. Some discretion is needed to make the world operate smoothly and in accordance with patient expectations. If you want to know more about the Maine experience, go to www.worldprivacyforum.org/pdf/MaineHealthPrivacy1998_Gellman.pdf.

 

Jump to list of FAQs 1-65 | See all of Part 2