What You Can Do FAQ’s

Q: How can I protect the privacy of my health records?
A: Check out Patient Privacy Rights Toolkit. You can also read additional suggestions from Privacy Rights Clearinghouse.

Q: What can I do if I think my medical privacy has been violated?
A: You have the right to complain to the U.S. Dept. of Health and Human Services (HHS). You can also contact Congress.

Unless you can cite a law in your state that gives you the right to sue whoever violated your privacy, your only option is complaining to HHS. HHS investigates all complaints and reports any potentially illegal violations to the Dept of Justice (DOJ) for further investigation. DOJ may file charges on your behalf.

To date, more than 30,000 medical privacy complaints have been made to HHS. Only a handful of complaints were sent on to DOJ, because the vast majority of violations were found to be legal uses and disclosures of medical records as defined by HIPAA. (i.e., “routine” uses).

The DOJ has charged, prosecuted, and obtained a conviction of only one privacy violator to date. The case was one of identity theft based on identifiable information found in someone’s medical records.

We also encourage you to contact your elected officials. If you’d like, Patient Privacy Rights will send a joint letter to your Congressman with a copy of your complaint.

Q: How can I prove that my medical privacy was violated?
A: Under the Amended Rule, it will be virtually impossible for an individual to know when his privacy is violated, as no “audit trails” are required of the unlimited disclosures the Privacy Rule allows to covered entities.

Since identifiable health information can be used and disclosed for all “routine” purposes without the individual’s knowledge or consent, the individual will not know when or to whom most disclosures are made. Further, since the Amended Rule provides “regulatory permission” for most uses and disclosures, very few such uses and disclosures will be “unauthorized”.

Example: Consider the burden that a depressed patient would have to bear in order to show that a violation of his/her rights under the Amended Rule has occurred.

  1. He/she would first have to find out, without any notice, that a use or disclosure of his attempted suicide and hospitalization has occurred.
  2. He/she would have to find out, without any accounting or audit trail, which entity improperly disclosed this information.
  3. He/she would have to overcome any contention by the disclosing entity that the information was needed for treatment, payment or health care operations.
  4. If the disclosure was for one of those “routine” purposes, he would have to show that the information disclosed was more than the “minimum necessary” amount of information for that purpose (the Amended Rule states that covered entities are to make this determination for themselves “based on their own assessments of what protected health information is reasonably necessary for a particular purpose”).
  5. He/she would have to convince the Office of Civil Rights within the Department of Health and Human Services to launch an investigation.

Q: Should I have a copy of my medical records?
A: You might want them if you’re switching doctors, seeking a second opinion or have complicated health problems, applying for a job, credit, or insurance.

Some patients may want to check for errors, much like they would a credit report.
Also, the information in your medical records can directly affect your ability to get life insurance, employment, promotions, credit, loans, and health insurance.

The Medical Information Bureau (MIB) is a central database of medical information shared by insurance companies. The information contained in a typical MIB record is limited to codes for specific medical conditions and lifestyle choices. If you have ever had health insurance, the MIB has a file on you and you can request a free copy of your record once/year. They will report to you:

  • The nature and substance of information, if any, that MIB may have in its consumer files pertaining to you;
  • The name(s) of the MIB member companies, if any, that reported information to MIB; and,
  • The name(s) of the MIB member companies, if any, that received a copy of your MIB consumer file during the twelve (12) month period preceding your request for disclosure.
  • Go to: http://www.mib.com/html/request_your_record.html or call MIB’s toll-free number for disclosure is 866-692-6901 (TTY 866-346-3642 for hearing impaired)