Part 2: The Seven Basic Patient Rights (FAQs 13-54)
This section covers the seven basic rights that HIPAA grants to patients. The rule defines seven patient rights, but not all of those rights are meaningful. We will consider them in what we view as their order of importance. Your mileage may vary.
A. Questions About the Right to a Notice of Privacy Practices
13. What is a HIPAA Notice of Privacy Practices?
The rule requires each covered entity, like a hospital, to publish a notice of privacy practices. The notice describes how each entity implements the rule. Notices from different health care institutions may look similar because the rule is the same for everyone. However, each notice will have some details (procedures, addresses, etc.) that are specific to the institution.
14. Why Are the Notices Long and Boring?
One answer is that the rule is long and complicated. Another answer is that lawyers write many of the notices. Often, lawyers write like…lawyers, and the results are sometimes complete, precise, and in the end, incomprehensible. Some privacy notices – and not just notices for health – are deliberately written to be obscure. Even other lawyers can't understand them. Not every organization really wants you to understand or exercise your privacy rights.
In the end, health privacy is a complex subject, and health records have quite a few uses and disclosures that you probably never thought about. All of these factors contribute to the length and complexity of the notices.
15. Should I Read the Notice?
The requirement that each covered entity prepare a notice was a big advance in privacy protection. That remains true even if most patients never read the notice. The notice also tells a covered entity's employees what the privacy rules are. That is just as important as telling the patients what the rules are. In the past, employees often didn't know whether there were privacy rules or what those rules stated.
To put it another way, you have privacy rights whether or not you know the details. Your rights do not depend on your level of understanding. You can do a better job of protecting your rights if you know more, of course.
HERE'S WHAT'S REALLY IMPORTANT:
16. What Are the Forms that My Doctor's Office Asks Me to Sign?
The rule generally requires a health care provider to make a good faith effort to obtain an acknowledgement that each patient received the notice. Some people think that it is a dumb requirement and a paperwork burden, but that's what the rule says. Signing a standard acknowledgement does not waive your rights.
You do not have to sign the acknowledgement. Your rights do not change if you sign or don't sign. However, the requirement for a signature is poorly understood. Some receptionists think that a signature is mandatory, and they will hassle you if you don't sign. Some will tell you that you must sign or you can't see the doctor. That is wrong.
You can fight about signing the acknowledgement if you want. We suggest, however, that this isn't a fight worth having. Save your energy for another battle. The acknowledgement – if that is all that the form contains – is meaningless. If you see something on the form that you don't like, you can just cross it out. Odds are that no one will even look at what you did.
We hear that some doctors are asking patients to sign broader forms that limit the ability of patients to file malpractice suits, that prevent patients from talking about the doctor to other people or on the Internet, or that accomplish other things that benefit the doctor and not the patient. We suggest being very careful about signing these types of documents.
WHAT YOU REALLY NEED TO KNOW:
When you visit your doctor's office for the first time, someone should offer you a copy of the doctor's notice. You may be offered the same notice on each visit because many offices find it easier to give every patient a notice on every visit rather than keeping track of first visits. Sometimes, the notice will be sitting on a counter or table. You have the right to take a copy home. Remember that you can always ask for a copy later or in many cases you will be able to find it on the website of your doctor or insurer. If you don't care about it today, it should be available to you later, even if you are no longer a patient of that doctor or covered by that insurer.
Your health plan also will provide you a notice, but the rules for getting you the notice are somewhat different for health plans. Patients really don't need to know those rules. You probably received a health plan notice in the mail, but you may have ignored it. If you want a notice from your health plan, ask for it or look on the health plan's website.
17. What Are the Most Important Parts of the Notice?
Almost any health privacy notice will probably tell you something that you didn't know. For example, a notice is supposed to include examples of the uses and disclosures that a covered entity can make. These examples will likely be both enlightening and disturbing. The basic list of uses and disclosures is long to begin with, and that may be upsetting if you've never read about them before.
Most notices are quite similar because you have the same rights everywhere the rule applies. If you read one notice, you have generally read them all. However, there may be some variations here and there between notices from health care providers and notices from insurers. Differences in state law may result in different notices from covered entities in different states.
When you want to exercise your rights at a particular covered entity, the local procedures are likely to vary. This is when reading the notice may matter a lot. Each notice should describe the covered entity's procedures for exercising patient rights. Make sure you follow any specified procedures. Otherwise, here are some notable features to look for:
B. Questions About the Right to Inspect and Copy Your Record
18. Why Both Inspect and Copy?
HIPAA provides each patient with the right to inspect his or her record and to have a copy of the record. These are two different rights. You cannot be charged a fee if you want to inspect your records. This means that you can always see your record, even if you don't want to pay.
If you want a copy of the record to take with you, then you can be charged a fee. You can also be charged an additional fee if you ask for a summary or explanation of your record. You do not have to ask for a summary or explanation.
19. Do I Want to See or Copy My Record?
There are many reasons you might want to review your records. Decide if any of these appeals to you:
20. Which Records Can I Get?
You can generally ask for all of your records maintained by any covered entity, but the covered entity can withhold some records. We will cover that subject shortly. Depending on your purpose, you may be interested in records of your hospitalization, records from your family physician, records from your insurance company, records from your pharmacy or pharmacy benefit manager, or your records from any other covered entity. You can ask every covered entity for all of your records, but the next few questions suggest reasons for narrowing your request.
21. How Much Will It Cost?
A covered entity can charge a reasonable, cost-based fee for copying and postage. Any other copying charges – administrative fees, overhead, labor costs – are improper. Charges for inspecting a record are improper, even if the covered entity says that it had to make a copy for you to inspect. Charges for a summary or for an explanation are permissible if you ask for a summary or explanation.
Don't let anyone charge you more than is allowed by the HIPAA rule. If you don't think that the fees are proper, complain about it. You have a right to complain to the Secretary of HHS (via the Office for Civil Rights), and that right will be covered later. (See FAQs 46-51.) Remember that state law may establish lower fees than HIPAA allows or may not allow any fees at all. If you need records and can't afford to pay, ask for a waiver of fees. Some covered entities may provide some or all records without charge or at a discount.
Standard copying costs can be as much as $1.00 a page or perhaps more. If you want a hard copy of an x-ray, the fee could be considerably more. Many health care institutions hire outside firms to handle copies. Copying hospital records is a business. Insurance companies and lawyers tend to be frequent requesters of records, and copying charges can be expensive because these requesters don't much care and because there is no competition. The result is that the standard charge per page can be high. Your best strategy may be to narrow your request (see the discussion in FAQ 23 about what records to request) or to obtain an electronic copy of records that are already electronic. Copies of electronic records may be less expensive.
22. How Do I Make a Request for Access?
Start by reviewing the covered entity's copy of the notice of privacy practices. Remember that every covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website).
The notice of privacy practices describes your right to inspect and to obtain a copy of your record. It should also tell you the local procedure for making a request. You will likely be asked to write a letter or fill out a form in order to make your request for access. A covered entity can insist on a written request and may ask you for identification.
When you make a request, the covered entity must act on your request within 30 days. Don't count on an instant response. The entity can take an additional 30 days to respond if it provides you with a written explanation of the delay. If you need the records more urgently, say so. It might help, but the rule allows the covered entity to wait 30 days or more no matter what. Your doctor might be responsive to your need for fast access, but bigger institutions have procedures and may not be inclined to do anything but the minimum required of them.
23. What Records Should I Ask For?
A covered entity must allow you to inspect or obtain a copy of your record. Some records can be withheld. (See FAQ 24.) Just figuring out who to ask and what to ask for can be complex. Don't assume that you need a copy of all records from all health care providers and insurers. Obtaining your health records can be surprisingly complicated, may present some hard choices, may be expensive, will require some planning, and can take time.
First, copying costs may be considerable. You may want to think about the costs involved before you ask. A hospital record can have hundreds or even thousands of pages. Think about whether inspecting your records will meet your needs. If you can inspect first, you might be able to narrow your request and cut the cost.
Second, if you have been using the same hospital or doctor for 20 years and the reason for your request relates only to your treatment from the last month, you might limit your request to recent records, or records dating back just one year. The same idea may work if you want records from your insurer.
You may not know which records you need at first. The point is that you want to obtain records that you think are relevant, but you may not want every record from every HIPAA covered entity. Most people have had dozens of health care providers and insurers in the course of their lives. Many records will not be important or worth the time and effort to find for most people. Old records from individual practitioners may be hard to locate and obtain. However, hospitals and other long-standing institutions are more likely to have older records, although they may be in storage offsite.
Third, asking for a copy of your complete health record may provide more information than you need. It may also be especially expensive. Your health records may include results of x-rays and other diagnostic tests that may be costly to duplicate.
Consider how you might limit your request for access so that you limit your costs. See if you can talk to someone in the record keeper's office when you make a request so that you can negotiate what you really need. One idea is to not ask for a hard copy of an x-ray unless you know that x-rays are essential. If other records are especially expensive to duplicate, you may want to defer asking for those records too. Ask for a price list before requesting all records. Another idea is to ask to inspect your records first so you can decide which parts you want to have copied.
On the other hand, if records are electronic, it may be easy and inexpensive to obtain an electronic copy of everything or almost everything. If the covered entity has electronic records, it must give them to you in electronic form if you want them in that form. You can ask for hard copy of electronic records, but the cost might be higher. Not all electronic records can be printed on paper.
Fourth, once you receive some records, you may be able to focus your later requests. You may find that the provider used a lab or other independent provider that holds some of your records, and you may want to obtain or inspect those records too.
24. Can Covered Entities Withhold some Medical Records?
Yes. In some situations, a covered entity can withhold records.
First, the right of access under HIPAA does not extend to psychotherapy notes, materials compiled for litigation, and some laboratory records (non-CLIA labs). A non-CLIA lab is typically a lab that does research work. By the way, CLIA stands for the Clinical Laboratory Improvement Amendments, and you can find more information at www.cms.hhs.gov/clia. It is a complicated law, and most patients don't have to worry about CLIA issues.
Second, a covered entity can deny you access to some records, including records maintained by a prison, some records of research participants, and records obtained from someone other than a health care provider under a promise of confidentiality. The HIPAA privacy rule does not require a health care institution to allow you to appeal the denial of these records, but some institutions might accept an appeal if you file one. Read the notice of privacy practices to learn if there is an appeal option. We recommend that you appeal to the head of the institution even if you don't have the right to do so. An appeal may result in a review of the initial decision. If it doesn't, then you only invested the energy of writing a letter.
Third, a covered entity can deny you access to some records if a licensed health professional determines that access is reasonably likely to endanger the life or physical safety of you or another individual. Records about other people can be withheld if a licensed health professional has determined that access is reasonably likely to cause substantial harm to that individual or another person. Requests made by an individual's personal representative can also be denied if disclosure would cause substantial harm. If an institution withholds records for any of these reasons, it must provide a written denial explaining the reason for the denial. It must also explain any appeal rights that you have.
C. Questions About the Right to Request Confidential Communications
25. What is the Right to Receive a Confidential Communication?
You have the right to ask a health care provider to communicate with you by alternative means or at alternative locations. This means, for example, that you can ask your fertility clinic not to call you at work and not to send you an email notification of an appointment. You could also ask your psychiatrist not to leave a message about an appointment on your home telephone answering machine. You might also ask your provider not to send you a post card reminder of your appointment but to use a closed envelope. A provider must accommodate reasonable requests. We think that all of the examples in this paragraph are generally reasonable. We also think that asking for written communications – including bills – to be in plain envelopes with no identification of the provider in the return address is also reasonable.
The right to receive a confidential communication is a real right that may be important to you. Not everyone will care or will care all the time. You may not object to a postcard from your dentist reminding you to make an appointment to have your teeth cleaned. Many people would object to receiving a postcard informing them about a follow-up visit to a sexually-transmitted disease clinic.
The right to receive a confidential communication is important because a provider doesn't need express permission to contact a patient at home or to leave a message on an answering machine. For a patient who doesn't want others in his or her family or household to know about a form of treatment, exercising the right to receive a confidential communication will be crucial. For some patients, this right may provide a vital privacy protection that makes the greatest difference to their life or wellbeing.
26. How Do I Exercise the Right to Receive a Confidential Communication?
A provider may require that a request for confidential communications be made in writing. Read the notice of privacy practices to find out the local procedure. In a small office, an oral request may be sufficient. Still, if you orally tell the receptionist not to call you at your office, the doctor may not know about your request. A written request is safer because it creates a formal record of the request. You should keep a copy of your written request.
The rule says that a provider must permit a patient to make a request, but it does not expressly say that the provider must respond at all or in writing. However, a provider must agree to a reasonable request. You would be well advised to ask for a written acknowledgement and to save the acknowledgement. If you only receive an oral response, you might want to send a written confirmation to the provider, and keep a copy of your confirmation. The written confirmation should summarize the request and identify the person who agreed to comply. Ask the provider to respond if the summary is incorrect.
You do not have to tell the provider why you made the request. Indeed, the rule expressly prohibits a provider from requiring an explanation as a condition of fulfilling the request. However, the rule does not prohibit the provider from asking for your reason. You don't have to disclose your reason if you don't want to.
27. Does the Right to Receive a Confidential Communication Apply to Health Plans?
Yes, but the rule is a bit different. To make a request to a health plan, the individual must clearly state that the disclosure of all or part of the information could endanger the patient. The plan may require that a request contain a statement that disclosure could endanger the patient. The plan can demand a written request.
It is not apparent, however, that the patient must identify what the harm is. The statement that disclosure could endanger the patient seems to be enough. This is one place where the rule seems to have been made deliberately obscure for no good reason.
We can't be sure what constitutes endangerment. We suggest taking the position that it is up to the patient to decide what it means. If you say that disclosure could be potentially endangering or merely embarrassing, that's enough to convince us. If a disclosure might persuade you to stop seeking treatment, we would argue that also constitutes endangerment. We can't predict how plans will respond, but we emphasize that plans must accommodate reasonable requests. Asking to send mail to an alternate address (physical or email) strikes us as reasonable. Asking for phone calls only to your cell phone and not to your home phone also strikes us as reasonable. Asking for messages only by carrier pigeon will not be viewed as reasonable by anyone.
28. Are There Any Other Requirements?
A plan or provider can condition the accommodation on the patient providing an alternative address or means of contact for information about how payment will be handled. This means that you can't ask someone to send all bills to the White House unless you are the President.
There's an exception for emergencies. No matter what restriction a covered entity agreed to, it can ignore it in case the information is needed to provide emergency treatment. Fair enough.
D. Questions About the Right to Request Amendment
On our list, the right to request an amendment of your health record is only the fourth right out of seven. Normally, access and amendment go hand in hand. We list amendment lower because the limits on the amendment right seriously undermine its utility. Nevertheless, if you can use it, the right to request an amendment may be important to you.
We want to underscore that the law does not give you a right to amend your record. You only have a right to request an amendment. We see this as a reasonable implementation of a patient's interest in amending a record. The record keeper has rights and interests as well as the patient, and these rights and interests deserve respect too. You cannot, for example, reasonably expect your doctor to change the record so that it no longer shows that you were treated. A doctor has a legal and professional obligation to maintain treatment records.
29. How Do I Make a Request for Amendment?
One way to start is by obtaining a copy of the notice of privacy practices. You may already have a copy. If not, each HIPAA covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website). The notice of privacy practices describes your rights, including your right to ask for an amendment. The covered entity's notice will tell you where to submit your request for amendment.
You might be asked to write a letter or fill out a form to make your request for amendment. You might be asked to tell the record keeper what information is wrong or is not about you. You may have to explain why you want the amendment.
When you make a request, the covered entity must act on your request within 60 days. The entity can take an additional 30 days to act if it provides you with a written explanation of the delay.
30. Can I Ask that Incorrect Information be Removed From My File?
Yes, but it may not be that easy. A HIPAA covered entity does not necessarily have to remove incorrect information. It can mark the information as incorrect and add additional notes that show the correct information.
There is a reason for this policy. Suppose that your doctor suspects that you have an infection. Before the test results come back, the doctor prescribes an antibiotic. When the test later shows that you didn't have the infection, the doctor tells you to stop taking the antibiotic.
Now suppose that you ask the doctor to remove the initial diagnosis of an infection. If the information is totally removed, it will be impossible for the doctor to explain or justify the prescription for an antibiotic. It may not be appropriate to remove the entire incident from the record because the doctor will be unable to explain the treatment provided or the bill for the services. The doctor also needs to keep the record in the event that there are complications from the drug. The doctor rightly needs a history of the treatment for his/her protection for both legal and medical reasons. Your health record isn't just about you. It's about your provider too.
Health care providers are typically nervous about removing information from health records. For the most part, they have a reasonable concern for the reasons explained above. However, when the information in your health record is not about you, the provider's concern is weaker. When the information in your record is not about you and the presence of the information did not affect your subsequent care, the argument for removal is stronger. For example, if your record includes a lab slip belonging to another patient, it may be appropriate for the record keeper to remove the slip entirely and put it in the right record.
However, if the incorrect information did affect your treatment – even if that treatment was inappropriate – then retaining some or all of the incorrect information (suitably marked as incorrect and including a full explanation) may be legally and medically justifiable. You may be able to negotiate with the provider about how the information should be marked or otherwise segregated from your medical record.
The problems faced by medical identity theft victims seeking amendment of their record can be particularly difficult. See the World Privacy Forum's Medical Identity Theft Page or go directly to our FAQ for identity theft victims at www.worldprivacyforum.org/FAQ_medicalrecordprivacy.html.
31. What Other Limits Are There on the Right to Seek Amendment?
A covered entity does not have to amend a record that it considers accurate and complete. It does not have to amend a record that is not available for inspection by you under the access provision.
More importantly, a covered entity is not required to amend a record not created by the covered entity. That means if the information in your record came from any third party – including another provider, an insurer, a relative, or anyone else – the covered entity has no obligation to amend your record or even to consider your request. We find this limitation on the right to seek an amendment to be unfair, inappropriate, and dangerous. Be aware that state law may not have the same limitation on amendment rights.
The covered entity must consider your request for amendment of third party information if you provide a reasonable basis to believe that the originator of the information is no longer available to act on the requested amendment. Thus, if the record contains information from a previous physician who is no longer in practice, you may be able to force your current provider to consider amending information supplied by that physician. We note that it can be difficult to prove that the originator of information is unavailable, and an uncooperative record keeper can string a requester along if it doesn't want to deal with a request for amendment honestly.
If the covered entity that is the originator of the incorrect information is available but does not act on a request for amendment, the information in the subsequent covered entity's record may be just as wrong and could have a continuing detrimental effect on the patient. This can present a real Catch-22 for patients.
In most circumstances, a health care provider will act reasonably to verify information that may affect patient care. For example, if you tell your surgeon that you think that your blood type is A, the surgeon is not likely to cavalierly accept contrary information just because it came from a third party. Any health care provider is likely to be suitably concerned about the possibility of a medical error based on wrong information.
However, there may be real problems with third party information in some circumstances. Health insurers may not be as worried about an error, especially if the error provides an excuse to deny a claim.
32. Do I Have Greater Amendment Rights under State Laws, other Federal Laws, or Hospital Policies?
Maybe. Some states have health privacy laws that provide greater rights of amendment. If your records are held by the federal government (e.g., Medicare, VA, or Indian Health Service), your rights to ask for amendment of records under the Privacy Act of 1974 may be greater than under HIPAA. These two sets of privacy rules overlap, and you are entitled to the best parts of both laws.
33. What Happens When a Covered Entity Agrees to Make an Amendment?
The covered entity that agrees to make an amendment must:
The third requirement is most noteworthy. If you convince a covered entity to amend your record, the covered entity must tell any persons that you identify who received the original incorrect information and who need the amendment. In addition, the covered entity must notify any persons who have the information that was the subject of the amendment and who may have relied or could foreseeably rely on the information.
To make sure that amendments have been appropriately distributed, you may want to ask for an accounting of disclosures. The right to receive an accounting is explained elsewhere in this guide. (See FAQs 37-44.) What is important is that amendments be provided to those who may rely on the original incorrect information. Each patient has the right to tell a covered entity to send the amendment to anyone who received the original information and needs the information.
Be sure that any amended information that bears on your future medical treatment is shared with other providers. Information that bears on insurance and payment matters may need to be shared with insurers and, possibly, with employers. The goal is to find and eliminate any incorrect information that others have and that may affect you adversely.
It may take considerable effort to make sure that every appropriate person has the information and that those with the information correct their own records. Every covered entity must act when it receives a notice of amendment, but that doesn't mean that it will be done quickly or properly. It may be appropriate to ask each appropriate covered entity to confirm that it actually made the amendment. You may have to request a copy of your record from that covered entity to be certain.
Be aware of any Health Information Exchanges that may impact where your records are located. For example, some emergency rooms in some states exchange electronic health records through a third party called a Health Information Exchange. In Long Beach, California, the Health Information Exchange is Long Beach Network for Health. In New York, it is the New York e-Health Collaborative. Other states and regions have similar exchanges. Ask about the presence of an exchange or network so you can locate all of the copies of your records.
34. Can I Appeal if a Covered Entity Refuses to Make an Amendment?
Maybe. An institution must accept complaints about its health privacy policies and practices. Filing a complaint with an institution may not be the equivalent of filing an appeal of a denial of a request for amendment, but it may help if it forces someone new at the covered entity to review your request. However, some institutions may accept formal appeals. Consult the institution's notice of privacy practices to see if there is an appeal method for a denial of a request for amendment.
You can also complain to the Secretary of the federal Department of Health and Human Services about how your request was handled. The Department's Office for Civil Rights processes complaints. You can find information about the process at www.hhs.gov/ocr/privacy/hipaa/complaints/index.html. Whether the Department will actually investigate your problem is uncertain.
You have another alternative. When a covered entity denies your request for amendment, it must tell you that you can request the covered entity to provide a copy of your request for amendment with any subsequent disclosure of the disputed information. In some instances, it may be important to make the request. Remember that the covered entity is not required to tell others about the dispute unless you ask.
35. Are There Other Remedies if My Request for Amendment Is Denied?
Yes. You have the right to file a written statement of disagreement, and that is an important right. When a covered entity denies your request for amendment, it must tell you about this right.
The statement of disagreement gives you the opportunity to explain your side of the story. The covered entity can reasonably limit the length of the statement of disagreement, so don't plan on writing a novel-length document. We also suggest that your statement should be factual and should refrain from making personal attacks on anyone involved in the process.
The covered entity can write and circulate a rebuttal to your statement of disagreement. If it does so, it must provide you with a copy of its rebuttal.
HIPAA offers another protection even if you don't file a statement of disagreement. The rule requires a covered entity that received and denied an amendment request to append or link the record in question to the request for amendment. The purpose here is to make sure that whoever sees the disputed record will also see the request for amendment. One reason to ask to inspect or have a copy of your record is to see if the covered entity properly handled this requirement.
36. Can a Covered Entity Still Disclose The Information that I Disputed?
Yes, but HIPAA offers additional rights. First, if you submitted a statement of disagreement, the covered entity must disclose it when it discloses the disputed information.
Second, if you choose not to submit a statement of disagreement, the covered entity must include your request for amendment (and its denial) along with any subsequent disclosure only if you requested that the covered entity do so. In most cases, this will be an advisable step to take.
E. Questions About the Right to Receive an Accounting of Disclosures
37. What's an Accounting of Disclosures?
For a disclosure of medical information about an individual, an accounting is a record of:
38. Why Should I Care about Accounting of Disclosures?
Many patients won't care, and that is okay. However, the accounting of disclosures can be crucial in some instances. If you think that your records were improperly disclosed, if you think that you may be a victim of medical identity theft, or if you are just curious to learn about the circulation of your medical records, then you may want to ask for an accounting. Be warned, however, that if you ask for an accounting, the response is likely to undermine whatever faith you had that your medical information is confidential. Records may be disclosed to other institutions that have nothing to do with your treatment or the payment for your treatment.
The accounting of disclosures will be invaluable if you need to follow the trail of your information and learn who has information about you. If you corrected your record through the amendment process, the accounting will allow you to find out who received the original information and who received the corrected information. It provides a way for you to tell whether the covered entity properly distributed the amendment.
The accounting may reveal some disclosures that are normal (e.g., to your health plan). You may also learn that the covered entity disclosed your records to a researcher, public health agency, or government auditor. These disclosures may not have any immediate consequences for you, but you may be either interested to know about the disclosures or unhappy that they occurred.
However, if you learn that your records were disclosed to law enforcement or health oversight agencies, you might have reason to worry that the information disclosed will be used against you in some manner. By learning the purpose of each disclosure, you will be better able to make judgments.
39. How Do I Make a Request for an Accounting of Disclosures?
Start by obtaining a copy of the notice of privacy practices that your provider or insurer publishes. You may already have a copy. If not, each HIPAA covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website).
Follow the directions for a request in the notice. You might be asked to write a letter or fill out a form in order to make your request for an accounting. The covered entity must act on a request for an accounting within 60 days, but it can extend the time limit for another 30 days if it provides a written explanation of the delay.
40. Who Has to Provide Me with an Accounting of Disclosures?
Any HIPAA covered entity must provide a copy of an accounting of disclosures. For most individuals, your health care providers (doctors, hospitals, laboratories, pharmacies, etc.) and health insurers (HMOs, health plans, Medicare, etc.) will have accounting records that you may want. You may also want to ask your Pharmacy Benefit Manager or PBM. A PBM is a company that contracts with managed care organizations, self-insured companies, and government programs to handle pharmacy network management, drug utilization review, and other activities. A PBM is likely to be the organization that fills your drug prescriptions by mail.
41. What does it Cost to Obtain an Accounting of Disclosures?
You are entitled to receive at no charge one copy of the accounting of your medical record in any 12-month period. If you make more than one request, the institution may impose a reasonable, cost-based fee. The institution must tell you the cost in advance so you have a chance to modify or withdraw your request.
42. What are the Limitations of an Accounting of Disclosures?
Limitations in the HIPAA rule make the accounting of disclosures much less valuable than it should be. First, covered entities do not have to account for all disclosures. They don't have to keep an accounting of disclosures for treatment, payment, or health care operations. Most disclosures are likely to be for one of these purposes, so this loophole is large.
Second, covered entities also don't have to keep an accounting of disclosures if you authorized the disclosure. That means that you may not be able to track if the covered entity actually disclosed records as you directed. If you casually signed an authorization that allowed the disclosure of any or all information about you (e.g., for a background check), a covered entity can disclose your entire medical record and not even keep a record that it did so. This is another large loophole.
Third, health care institutions do not have to account for uses. A use of information occurs when a record is made available to someone within the institution that maintains the record. A disclosure occurs when a covered entity shares a record with someone outside the covered entity. The accounting requirement only covers some disclosures and no uses.
If you are hospitalized, hundreds of different individuals in the hospital may see your record. The use exemption to accounting can seriously undermine your ability to hold an institution accountable for leaks or other inappropriate activities. Still, in hospitals with modern computers, there is a greater likelihood that a complete audit trail, including uses, will be maintained routinely. Unfortunately, HIPAA does not expressly require that a covered entity share that audit trail for uses, although there may be an argument that disclosure of an entire audit trail is required otherwise by HIPAA or by state law. Ask for a copy of the entire accounting because a reasonable institution will share it with you. For institutions with computerized systems that track all activity, it should be easier to provide a requester with the entire history rather than part of it.
Fourth, sometimes a covered entity must withhold a particular accounting record from an individual who requests a copy of the accounting. Some disclosures to law enforcement, for example, can be made without telling the record subject for a limited time.
Fifth, the HIPAA requirement for an accounting started on April 14, 2003. A health care institution covered by HIPAA did not have to maintain accounting records before that date.
Finally, perhaps the biggest limitation is that the federal health privacy rule does not require an accounting of disclosures for treatment and payment. This means that a lot of information that you would want to find in an accounting will not be available.
For example, if a hospital gave care to someone in your name and billed your insurance company, you would want to know the details. You may not be able to obtain that information from the accounting of disclosures. Even worse, if a hospital told a credit bureau or collection agency that you did not pay your bill (i.e., a bill run up by an identity thief), the accounting may not reveal the disclosures. These disclosures may be exempt from the accounting requirement because they fall within the exception for disclosures for payment and health care operations.
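To make the carve-outs in FAQ 42 concrete, here is an added example (not from the FAQ, HHS, or any real audit system) that models a patient's audit trail and derives the subset a covered entity is required to report. The field names, purpose labels, the `withhold_until` hold, and the sample events are assumptions made for the illustration; the filtering rules themselves are the ones the FAQ lists: no uses, no treatment/payment/operations disclosures, no patient-authorized disclosures, nothing before April 14, 2003, and temporary withholding of some law enforcement disclosures.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed model of the accounting-of-disclosures carve-outs listed in FAQ 42.
# Field names, purpose labels and the sample events are assumptions made for this
# example; they are not taken from HIPAA, HHS or any real audit system.

ACCOUNTING_START = date(2003, 4, 14)  # accounting requirement began on this date (FAQ 42)

# Purposes the FAQ says a covered entity need not account for.
TPO_PURPOSES = {"treatment", "payment", "health_care_operations"}


@dataclass(frozen=True)
class AuditEvent:
    when: date
    recipient: str
    internal: bool                         # True = a "use" inside the covered entity
    purpose: str                           # assumed label, e.g. "payment", "research"
    patient_authorized: bool = False       # made under an authorization the patient signed
    withhold_until: Optional[date] = None  # assumed: temporary hold, e.g. some law enforcement disclosures
    note: str = ""


def is_withheld(event: AuditEvent, as_of: date) -> bool:
    """An entry under a temporary hold is left out of anything shown to the patient."""
    return event.withhold_until is not None and as_of < event.withhold_until


def full_audit_trail(events: List[AuditEvent], as_of: date) -> List[AuditEvent]:
    """What a system that logs all activity could show: every use and disclosure."""
    return [e for e in events if not is_withheld(e, as_of)]


def required_accounting(events: List[AuditEvent], as_of: date) -> List[AuditEvent]:
    """Only the entries FAQ 42 says HIPAA actually requires in the accounting."""
    out = []
    for e in full_audit_trail(events, as_of):
        if e.internal:                     # uses are never accounted for
            continue
        if e.purpose in TPO_PURPOSES:      # treatment, payment, operations are exempt
            continue
        if e.patient_authorized:           # disclosures you authorized are exempt
            continue
        if e.when < ACCOUNTING_START:      # nothing before April 14, 2003
            continue
        out.append(e)
    return out


def missing_from_accounting(events: List[AuditEvent], as_of: date) -> List[AuditEvent]:
    """Entries a patient only sees if the entity shares its whole audit trail."""
    required = required_accounting(events, as_of)
    return [e for e in full_audit_trail(events, as_of) if e not in required]


def recipients_in_accounting(events: List[AuditEvent], as_of_iso: str) -> List[str]:
    """Recipient names in the required accounting as of an ISO-format date."""
    return [e.recipient for e in required_accounting(events, date.fromisoformat(as_of_iso))]


# Constructed sample audit trail for one fictional patient's record.
SAMPLE_EVENTS = [
    AuditEvent(date(2002, 11, 2), "State immunization registry", False, "public_health"),
    AuditEvent(date(2010, 3, 1), "Attending physician", True, "treatment"),
    AuditEvent(date(2010, 3, 3), "Example Health Plan", False, "payment"),
    AuditEvent(date(2010, 3, 20), "Example Collection Agency", False, "payment",
               note="unpaid bill run up by an identity thief"),
    AuditEvent(date(2010, 4, 2), "University research team", False, "research"),
    AuditEvent(date(2010, 4, 10), "Employer background check", False, "background_check",
               patient_authorized=True),
    AuditEvent(date(2010, 5, 5), "Police department", False, "law_enforcement",
               withhold_until=date(2010, 8, 1)),
    AuditEvent(date(2010, 5, 7), "State health oversight agency", False, "health_oversight"),
]

if __name__ == "__main__":
    as_of = date(2010, 6, 1)
    print("Required accounting:")
    for e in required_accounting(SAMPLE_EVENTS, as_of):
        print(f"  {e.when} {e.recipient} ({e.purpose})")
    print("Visible only in the full audit trail:")
    for e in missing_from_accounting(SAMPLE_EVENTS, as_of):
        print(f"  {e.when} {e.recipient} ({e.purpose}) {e.note}")
```

Run as of June 1, 2010, the required accounting contains only the research and health oversight disclosures; the collection agency disclosure from the identity-theft scenario, the internal physician use, the health plan billing, the authorized background check, and the pre-2003 registry entry all fall outside it, and the law enforcement entry appears only once its hold has passed. That gap between `required_accounting` and `full_audit_trail` is why the FAQ advises asking for the entire accounting.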
43. Why Bother Asking for an Accounting if It Has so Many Loopholes?
Why seek an accounting of disclosures? First, obtaining a copy of the accounting is free. All you have to do is fill out a form or write a simple letter.
Second, an accounting may help even if it isn't complete. You should be able to learn something about how your records were disclosed from the accounting. It may point you to some record keepers you didn't realize had records about you.
Third, the accounting is part of the process for learning about and recovering from medical identity theft. Similarly, if there has been a data breach of the confidentiality of your medical information, the accounting of disclosures may help you find it.
Finally, even though there are many exceptions to accounting, some institutions will nevertheless have a record about disclosures (and even uses) even though the records are not required by HIPAA. If you ask for more, you might just get what you want. Certainly nothing in HIPAA prevents a covered entity from providing a more complete accounting than the minimum required by the rule.
44. Do I have Greater Rights under State Laws, Other Federal Laws, or Hospital Policies?
Maybe. A few states may have health privacy laws that require health care institutions to maintain better accounting records or to disclose more accounting records to you. If your records are held by the federal government (e.g., Medicare or VA), your rights to have a copy of an accounting under the Privacy Act of 1974 will be greater than under HIPAA. These two sets of privacy rules overlap.
The website of the Georgetown University Center on Medical Record Rights and Privacy at hpi.georgetown.edu/privacy/records.html has information on state laws about access and correction of medical information. Beware that the information at this website may not be current.
45. What's the Best Strategy for Making a Request?
You are only entitled to one free request in any 12-month period. Think about the best timing to make that request. If you learn that you were a medical identity theft victim two years ago, you probably should make the request right now. However, if the reason you are asking relates to a current activity (perhaps a hospitalization that just ended), it can take time for your records to be updated. Actions that follow a hospitalization, such as submitting a bill to an insurer or to the government, may not occur immediately. You might want to wait a week or two before asking for the accounting. If the institution's privacy officer is helpful, the officer may be able to offer useful advice about timing.
F. Questions About the Right to Complain to the Secretary of HHS
46. Can I File a Federal Complaint about a HIPAA Problem?
Yes. Any person who believes that a covered entity is not complying with the HIPAA privacy rule may file a complaint with the Office of Civil Rights at the Department of Health and Human Services. You do not have to be a patient of a health care provider or a beneficiary of a health insurance plan to file a complaint. For example, if you visit a relative in the hospital and see a violation, you can file a complaint.
You can find a fact sheet on the complaint process at www.hhs.gov/ocr/privacy/hipaa/complaints/index.html. The fact sheet lists addresses of the regional offices of the Office of Civil Rights that will accept your complaint. The toll-free number for help with complaints is 1-800-368-1019.
You can use the complaint form at www.hhs.gov/ocr/privacy/hipaa/complaints/howtofileahealthinformationprivacycomplaintpkg.pdf or at www.hhs.gov/ocr/privacy/hipaa/complaints/index.html. You can also submit a complaint by e-mail to OCRComplaint@hhs.gov.
47. What Information Belongs in a Complaint?
HHS wants a complaint to include:
Optional information that HHS requests includes:
48. Will Filing a Complaint Really Help?
We would love to tell you that the complaint process works, but we have our doubts. The problem is that HHS doesn't seem to take any action against covered entities that may be violating the rule. Up to a point, it is okay for HHS to work with violators to remedy problems. In the first year or two when everyone was getting used to HIPAA, leniency in enforcement was a reasonable policy.
At this stage, however, the HIPAA privacy rule has been in place for years. Sanctions for violations have been few or nonexistent. It is far from clear how much HHS cares about health privacy or HIPAA privacy enforcement. Covered entities may be ignoring some of the requirements because they know that there are no consequences.
Nevertheless, the complaint process is free and there is always a chance that intervention by HHS will occur and will help. We wouldn't hesitate to file a complaint if we thought that a covered entity did the wrong thing or treated us badly.
We remind you that filing a complaint may have the effect of spreading your health information around more widely. Not all complaint investigations will involve disclosure of the intimate details of your medical history, but some may. It is for you to judge whether a complaint will invade your privacy more than you can tolerate. But if you are just trying to get the hospital to respond to your request for a copy of your record, the additional threat to privacy may be small.
49. What Should I do if I See a Privacy Violation?
We think that you should at least consider filing a complaint. You never know when the Department of HHS will decide that privacy deserves a greater priority. A new Secretary or a new staff at the Office of Civil Rights may give privacy more attention.
It is important for the public to show interest in privacy laws. It is bad enough when the government and covered entities do not act to protect patients. People must speak for themselves when they see a privacy violation. Not every violation may be worthy of a federal complaint, but if something happened that affected your privacy and you are upset about it, you should file a complaint.
50. Should I Worry that a Covered Entity will Retaliate if I File a Complaint?
Each covered entity's notice of privacy practices must say that there will be no retaliation against a person who files a complaint. We would like to believe that.
But in the real world, there are no guarantees. We have seen, for example, a notice from a hospital that says – as required by the rule – that there will be no retaliation. The next sentence in the notice says more ominously that the hospital reserves the right “to take necessary and appropriate action to maintain an environment that serves the best interests of our patients and staff.” We have no idea what that means or why the hospital chose to add that statement directly after the required language about not retaliating. But it sure sounds like a threat to us.
We would be happier to see a privacy notice that included a statement to the effect that the hospital reserves the right to take additional actions to protect the privacy of its patients. However, hospital lawyers don't like statements like that, lest they be interpreted to oblige the hospital to do more than the bare minimum.
51. Is There Another Way to Protest a Privacy Violation?
We think that the first step should always be to complain directly to the covered entity that did something you think was wrong. Each covered entity has a privacy officer, and the name, address, and telephone number of the privacy officer should be included in the notice of privacy practices. Everyone makes mistakes, and everyone deserves the chance to make things right. It is also important for covered entities to know that people pay attention to privacy and that people care when privacy violations occur.
If the covered entity does not satisfy you, then you can look elsewhere. We don't think that every minor violation should become a federal case. Consider complaining locally about any violation. You get to make the choice. Remember too that filing a complaint may bring more attention to you and to your health record. You may want to be guarded about how much of your personal medical information you include in the complaint. In other words, the complaint process may further invade your privacy. You can ask that your name be masked or changed as part of the complaint, and some authorities may be willing to do so.
Here are some ideas if you want to pursue your complaint.
G. Questions About the Right to Request Restrictions on Uses and Disclosures
52. What is the Right to Request Restrictions on Uses and Disclosures?
The right to request restrictions is the least meaningful of the seven HIPAA patient rights. A covered entity must allow a patient to request a restriction on the uses or disclosures of the patient's information to carry out treatment, payment, or health care operations. A patient can also ask for a restriction on disclosures to a family member, relative, or close personal friend.
You can read later in this document about the scope of permissible uses and disclosures for treatment, payment, and health care operations. (See FAQs 56 & 57.) No covered entity needs your consent to make disclosures for those purposes. Health care operations is a particularly broad term that includes many activities that are in the interest of the covered entity and not necessarily in the interest of the patient.
53. Why is the Right to Request Restrictions Almost Meaningless?
The rule does not require a covered entity to agree to a restriction requested by a patient. The covered entity does not have to agree even if the patient's request is reasonable. Contrast this provision with the right to request confidential communication. A covered entity must agree to a reasonable request for confidential communication. However, if you ask for a restriction on use or disclosure, the covered entity does not have to agree, does not have to state a reason for denying a request, and does not have to even respond to your request. Because it is a patient right without a corresponding obligation on the part of a covered entity, we conclude that the right is almost meaningless.
It gets worse. The rule expressly provides that some restrictions that an institution might agree to are not effective. These are uses or disclosures that are permitted for facility directories (separate rules govern facility directories), to the Department for oversight of the rule, or for any of the scores of other permissible disclosures allowed under the law. Thus, if an institution agrees to your request not to make a discretionary disclosure to the CIA, that agreement is not effective under the rule. Luckily for patients, the lack of effectiveness of the limit on disclosure may also be meaningless. It just means that the Department won't take enforcement action for a violation. That's not a big deal right now since the Department has shown no appetite for enforcing the rule. The patient may still be able to enforce an agreement through a complaint about professional misconduct or through a legal action for breach of contract. This is all rather hypothetical because it will be hard to convince any covered entity to agree to your request in the first place.
54. Is the Right to Limit Disclosures to Relatives and Friends Meaningless Too?
There is a bit of hope if you want a provider to agree to limit disclosures to relatives and friends. If you tell your doctor or nurse not to talk to a relative, that provider is likely to comply regardless of the rule. The rule doesn't make those disclosures mandatory. It does, however, make it harder for a patient to obtain or enforce an agreement.
If, for example, you ask your provider not to disclose your diagnosis to your children, the rule requires the provider to document the request. Since formal documentation is not likely to be done for casual requests, any agreement will be unenforceable under the rule. Further, the required formality of the rule allows providers to insist that patients make requests in writing, and most will demand a letter. If you are a patient in a hospital about to receive a visit from a relative, how can you possibly make a written request and get a timely agreement from the hospital?
Even if you do make a written request, the rule doesn't require any response to your request or any response in a reasonable period. If you are prepared enough to present a formal request at the start of your hospitalization, the hospital could take 30 days or more before it agreed. Your hospitalization will likely have ended well before any response, if you even get a response.
Luckily, while the rule makes these requests to limit disclosure mostly meaningless, the human element that still exists in the health care system may supply what the rule does not. If you make a personal request to your provider, that provider will likely abide by your wishes regardless of the rule and its required formality. Your request may not be legally enforceable under the HIPAA rule, but enforcement may not be important.
We don't see much of a reason to bother with formal requests for use and disclosure restrictions. If you read many notices of privacy practices, you will find that covered entities say that they won't agree to most requests. That is a polite way of saying that they won't agree to any requests.
If you want to control disclosures to family members or friends, the formal process under the rule isn't likely to help you at all. Make your requests orally and informally to your providers, just the same way that patients have always done. Hope for the best. The HIPAA rule does nothing for you.