Basic Health Privacy FAQs

Q: What information can be found in my health record?
A: A health record is created any time you see a health professional such as a doctor, nurse, dentist, chiropractor, or psychiatrist. You could find the following in your health record:

  • Your medical history and your family’s medical history
  • Labs and x-rays
  • Medications prescribed
  • Alcohol use and sexual activity
  • Details about your lifestyle (smoking, exercise, recreational drug use, high-risk sports, stress levels)
  • Doctor/nurse notes
  • Results of operations and procedures
  • Genetic testing
  • Research participation
  • Any information you provide on applications for disability, life or accidental insurance with private insurers or government programs
  • Driver’s License
  • Social Security Number
  • Financial information such as credit cards and payment info

Q: Who has access to my health records?
A: Many more people than you would ever want, including people outside the health care industry.

  • Insurance companies
  • Government agencies, especially if you receive Medicare, Medicaid, SCHIP, SSI, Workers’ Comp or any local, state or federal assistance
  • Employers
  • Banks, Financial Institutions
  • Researchers
  • If you are involved in a court case, your health records can be subpoenaed and made available to the public
  • Marketers
  • Drug companies
  • Data miners
  • Transcribers in and outside the U.S.
  • Many health websites collect information about you

Q: Can my personal health information be used and disclosed without any notice to me or without my informed consent at the time of treatment?
A: Yes.

The Amended HIPAA Privacy Rule states only that you must receive a Privacy Notice telling you how your personal health information will be used and disclosed. Section 164.520(c)(2)(i)(A).
Privacy Notices are often mistaken for consent forms, but they are simply notices telling you what will happen to your medical records.
Example: information about a depressed person’s attempted suicide and hospitalization can be used and disclosed without any notice to him/her, without his/her consent, and even if he/she objects.

Q: Can my insurer or employer get my health records without my permission?
A: Yes.

The Amended HIPAA Privacy Rule gives health plans and self-insured employers broad authority (“regulatory permission”) to get information without consent that is far more extensive than is needed for billing or any other reason related to a specific individual’s health care. Other uses for which health plans and employers are authorized to obtain, use and disclose an individual’s health information without consent include:

  1. Due diligence in connection with the sale or transfer of assets;
  2. Certain types of marketing;
  3. Business planning and development;
  4. Business management and general administrative activities; and
  5. Underwriting, premium rating and other activities relating to the creation, renewal or replacement of a contract of health insurance. Section 164.501

Example: A depressed person’s health plan or employer would have regulatory permission from the federal government to obtain the information about his/her attempted suicide and hospitalization without his/her knowledge or consent if the information was needed for any of the above business purposes, as well as for treatment or payment.

Even more disturbing, the Amended Rule would authorize the individual’s health plan or employer to use and disclose that information even if the suicide attempt and hospitalization occurred before the Amended Privacy Rule went into effect on April 14, 2003.

Q: What is a “self-insured employer”?
A: A self-insured employer does not contract with an insurance company to insure its employees. Instead, it has enough employees to do its own risk pooling, as an insurance company would. These employers are called “Self-Insured.” During the past couple of decades, the number of employers who have become self-insured has increased dramatically, starting with large employers and spreading to those with fewer employees. Some examples of self-insured employers are Walmart, Microsoft and IBM.

Q: I thought I signed a Privacy Notice at my doctor’s office giving consent to use my information. What’s in that Privacy Notice?
A: Those are not “consent forms” but a list of the ways in which your doctor or provider may use or share your information.

“Covered entities” are required to provide notice to individuals of the uses and disclosures of identifiable health information that may be made under the Amended HIPAA Privacy Rule, as well as the rights of the individual and the legal duties of covered entities. Section 164.520(a). These notices are called Privacy Notices.

Covered entities must “make a good faith effort” to obtain written acknowledgement of receipt by the individual of the Privacy Notice. Section 164.520(c)(2)(ii). When you sign those notices you are only acknowledging that you’ve received a copy of the many ways your provider may use your information.

Privacy Notices are likely to be lengthy, because HIPAA authorizes so many broad uses and disclosures of identifiable health information. Unfortunately, your rights are quite short. You cannot REQUIRE anything of your provider. You can only make REQUESTS.

These are NOT consent forms. You no longer have the “right of consent” with the Amended Rules, effective April 2003.

Q: What is a “covered entity”?
A: According to the Amended HIPAA Privacy Rule, a “covered entity” is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction.

Over 4 million businesses, corporations, government agencies, professionals, and individuals handle personal health information (PHI) electronically and therefore must comply with the HIPAA Privacy Rule.

Consultations between direct and indirect treatment providers are expressly permitted under the Original Rule. 65 Fed. Reg. at 82,510. The Amended Rule did not change this permission.

Q: Can I prevent my doctor from reporting a certain procedure to my insurance company?
A: No. The Amended HIPAA Privacy Rule does not provide any method for an individual to prevent any procedure, treatment, medical test, or prescription from being reported to his/her insurance company.

This is because the Amended Rule provides regulatory permission for the individual’s insurance company to obtain virtually any personal health information from an individual’s doctor as long as they can assert that they need it for treatment, payment or health care operations.
Even if the individual asks the doctor to not report the procedure, the doctor need not agree. Any medical treatment can be reported over the individual’s objections.
Even health information about procedures paid for privately can be reported. The original Privacy Rule stated that information about procedures paid for out of pocket would not be disclosed, but that statement was in the context of a discussion of the right of consent which was included in the original Rule but repealed in the Amended Rule. See 65 Fed. Reg. at 82,512.
Since the Amended Rule allows for the use and disclosure without consent of personal health information for the insurance company’s business operations, clearly such information can be used and disclosed regardless of whether the individual paid out-of-pocket.
Example: a depressed patient could not prevent the health information about his/her hospitalization from being reported by his/her physician to his/her insurance company.

Q: Are my prescriptions private?
A: No. All 51,000 pharmacies in the U.S. are wired for data mining. You cannot keep your prescriptions private, even if you pay cash. Selling prescription records is a multi-billion dollar a year industry: in 2006 IMS Health reported revenues of $2 billion for selling prescription records (that’s just one company!).

Not ONE DIME of the billions in annual revenues goes to help a single sick person.