Protecting Your Privacy and Security
Protecting Your Privacy and Security

The privacy and security of patient health information is a top priority for patients and their families, health care providers and professionals, and the government. Federal laws require many of the key persons and organizations that handle health information to have policies and security safeguards in place to protect your health information — whether it is stored on paper or electronically.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules are the main Federal laws that protect your health information. The Privacy Rule gives you rights with respect to your health information. The Privacy Rule also sets limits on how your health information can be used and shared with others. The Security Rule sets rules for how your health information must be kept secure with administrative, technical, and physical safeguards.

You may have additional protections and health information rights under New Jersey's laws. There are also Federal laws that protect specific types of health information, such as information related to Federally funded alcohol and substance abuse treatment.

Your Health Information Privacy

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule establishes Federal protections for your health information by placing some limits on how it may be used and shared. You play an important role in controlling who has access to your health information in many situations.

What information is protected by the HIPAA Privacy Rule?

Privacy protections apply to your "individually identifiable health information," which means:

  • Information that relates to the individual's past, present, or future physical or mental health or condition; to the provision of health care to an individual; or to past, present, or future payment for the provision of health care to the individual
  • Information that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual

Who has to follow the HIPAA Privacy Rule regarding the use and sharing of my health information?

  • Most doctors, nurses, pharmacies, hospitals, clinics, nursing homes, and many other health care providers.
  • Health insurance companies, Health Maintenance Organizations (HMOs), most employer group health plans.
  • Certain government programs that pay for health care, such as Medicare and Medicaid.

If a provider, insurer, or government program has arrangements with business associates (third parties) that involve sharing health information, these third parties must also follow most of the restrictions in the HIPAA Privacy Rule. The HIPAA Rules require the business associate to agree in writing to appropriately safeguard your health information.

What are some of the ways that my health care information may be used and shared?

To make sure that your health information privacy is protected without interfering with your health care, the HIPAA Privacy Rule allows your information to be used and shared in the following ways:

  • For your treatment and care coordination (For example, your doctors can see what tests you have had and their results, so tests do not have to be repeated.)
  • With doctors and hospitals that provide you care, to provide payment for their services
  • To make sure doctors and other health care professionals give good care
  • For protection of the public's health, such as to report when the flu is in your area

Your health care provider or health plan does not have to ask you whether they can use or share your health information for these purposes.

Can I control who sees or uses my health information?

In many circumstances other than those discussed above, you have the right to control who sees or uses your health information. Some examples are:

  • In general, your health information cannot be given to your employer, used or shared for things like sales calls or advertising, or used or shared for many other purposes unless you give your permission by signing an authorization form. This authorization form must tell you who will get your information and what your information will be used for. This is a different form than the document that your provider may ask you to sign on your first visit that tells you how they may use and share your health information and how you can exercise your rights.
  • Providers generally may not share private notes about mental health counseling sessions unless you give them permission to do so.
  • You can ask your provider or health insurer not to share your health information with certain people, groups, or companies. For example, if you go to a clinic, you could ask the doctor not to share your medical record with other doctors or nurses in the clinic. However, the clinic does not always have to agree to do what you ask. In some cases, for instance, your doctor may need to share your information to ensure proper treatment and coordination of care between doctors in the clinic.

Learn more about the collection, use, and disclosure limitation on your health information [PDF – 173.4 KB].

Do I have the ability to control how information related to behavioral health treatment is used and shared?

There are Federal laws other than HIPAA that protect information related to alcohol and substance abuse treatment that is received at Federally-supported treatment centers. For information and guidance about the confidentiality of behavioral health information and the HIPAA Privacy Rule, please see 42 CFR Part 2 and the Substance Abuse and Mental Health Services Administration (SAMHSA).

What do I need to understand about the HIPAA Notice I get from my doctor and health insurance company?

Most of your health care providers and your health insurance company must give you a Notice that tells you how they may legally use and share your health information and how you can exercise your health information privacy rights. The provider or health insurance company cannot use or disclose information in a way that is not consistent with its notice.
For more information about the Notice, see the HHS Office for Civil Rights information about the Notice.

To learn more about your rights [PDF – 1.4 MB] and how your health information may be used and shared, please visit the U.S. Department of Health and Humans Services, Guidance on the collection, use, and disclosure limitation on your health information [PDF – 173.4 KB].

For recent updates on Privacy and Security surrounding Health IT, see the following links:
http://www.healthit.gov/providers-professionals/ehr-privacy-security
http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
http://www.youtube.com/user/USGovHHSOCR?feature=mhee