Part 2: Basic Patient Rights (FAQ 17 of
Right to a Notice of Privacy Practices
17. What Are the Most Important Parts of the Notice?
Almost any health privacy notice will probably tell you something that
you didn't know. For example, a notice is supposed to include examples
of the uses and disclosures that a covered entity can make. These examples
will likely be both enlightening and disturbing. The basic list of uses
and disclosures is long to begin with, and that may be upsetting if you've
never read about them before.
Most notices are quite similar because you have the same rights everywhere
the rule applies. If you read one notice, you have generally read them
all. However, there may be some variations here and there between notices
from health care providers and notices from insurers. Differences in state
law may result in different notices from covered entities in different
When you want to exercise your rights at a particular covered entity,
the local procedures are likely to vary. This is when reading the notice
may matter a lot. Each notice should describe the covered entity's
procedures for exercising patient rights. Make sure you follow any specified
procedures. Otherwise, here are some notable features to look for:
- If the notice is for a hospital or other institution, read the description
of which institutions and providers are covered. We have a notice for
a hospital that lists more than a dozen different institutions in three
states as part of the same institution. That means that patient information
can be readily shared among all the affiliated organizations without
your consent. That ability to share records widely may not be unusual,
and it should not always be troubling. Further, being able to obtain care
at related institutions may be a good thing. Consider, however, if your
cousin works in a health care facility in another state. You may not
have realized that facility was connected to the health care provider
that you see regularly. You might not be happy knowing that your cousin
may be able to see your record. It's something to consider.
- A hospital can use your records in a limited way for fundraising.
You have the right to tell the hospital not to use your records for
fundraising. If you say nothing, then use of your records for fundraising
is permissible. Exercising this opt-out right may not be of critical
importance, but it helps everyone if some people exercise opt-out rights
when they exist.
- Find the national security disclosure provision. A covered entity
can disclose your records for just about any national security purpose.
The rule does not require a warrant, court order, subpoena, or any procedure
prior to the disclosure. We point this out because it is perhaps the
most privacy-invasive of the HIPAA disclosure provisions. You are also
invited to look for other broad and objectionable disclosure provisions
in the notice. Don't blame the hospital or doctor. The rule allows
these disclosures to be made, and privacy notices usually reserve the
right for a covered entity to make allowable disclosures. However, the
disclosures are not necessarily mandatory. In other words, a doctor
can disclose your record to the CIA, but the doctor can usually say
- Look for the provision that says a covered entity can change the
notice at any time and with retroactive effect. This isn't quite as
bad as it looks because HIPAA limits the ability of a covered entity
to change the policy. The covered entity must comply with HIPAA, and
it cannot change the notice and take away your rights. However, if HHS
changes HIPAA or if Congress passes new laws, then your rights can expand,
diminish, or disappear. Most privacy policies, especially those not
based on formal legal requirements, are changeable at the discretion
of the record keeper. Changes are not always bad, but it is okay to
be a bit suspicious.
- Find the right to request alternate methods of communications. This
right may be important to you, and the notice tells you how to exercise
this right. We explain this right in full later. (See FAQs 25-28.)
- Contact information for the covered entity's privacy officer
is probably at the end of the notice. If you have any questions or want
to exercise your rights, the privacy officer for the covered entity
is probably the first person to contact.