Patient Privacy
Frequently Asked Questions
Question: What is HIPAA?
Answer: HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Under its Security Rule, health plans, certain health-care providers, and health-care clearinghouses must establish procedures and mechanisms to protect the confidentiality, integrity, and availability of electronic protected health information. Under its Privacy Rule, patients have access to their medical records and more control over how their personal health information is used and disclosed.
The HIPAA Privacy Rule is a federal regulation which creates national standards consisting of administrative steps, policies, and procedures to protect individuals' medical records and other personal and private health information. The Privacy Rule guarantees patients access to their medical records, giving them more control over how their information is used and disclosed. The rule provides procedures to take if a patient's medical privacy is compromised.
The Privacy Rule requires health plans, pharmacies, doctors and other covered entities to establish policies and procedures to protect this information about their patients. These requirements are flexible and scalable to allow different covered entities to implement them as appropriate for their practices or businesses.
Question: What information is protected?
Answer: The rule refers to Protected Health Information (PHI), which is health information that identifies an individual and is maintained or exchanged electronically or in hard copy. PHI relates to a person's physical or mental health, the provision of health care, or payment for health care. If the information contains any component that could be used to identify a person, it is protected.
The protections apply to PHI in any form: electronic, hard copy, and oral communications.
Individually identifiable health information (IIHI) is PHI as defined by HIPAA only when it is created or received by a covered entity.
Question: What are the key provisions of these standards/patient protections?
Answer: Patient protections include:
- Patients have the right to examine and obtain copies of their own health records and to request corrections. Records should be supplied to patients within 30 days of the request. The patient may be charged a reasonable, cost-based fee for copying and sending the records.
- Patients are empowered to control certain uses and disclosures of their health information such as whether or not they want it included in facility directories, released to a life insurer, a bank, a marketing firm or another outside business for purposes not related to their health care. The rule does not restrict the ability of doctors, nurses, and other providers to share information needed to treat their patients.
- Patients can find out how their health information may be used, including certain disclosures of that health information. Patients must be provided a notice stating how their covered health plan, doctor and other health care provider may use their personal medical information and what their rights are. Doctors, hospitals and other direct-care providers provide the notice on the patient's first visit following the April 14, 2003 compliance date and upon request. Patients are asked to acknowledge in writing that they received the notice and are given a copy of it.
- Confidential communications - Patients can request that their doctors, health plans and other covered entities protect communications. For example, a patient could ask a doctor to call his or her office rather than home.
Question: What are the parts of HIPAA and what does each part consist of?
Answer: The two titles of HIPAA that matter here are Title I and Title II.
Title I is HIPAA Health Insurance Reform.
This protects health insurance coverage for workers and their families when they change or lose their jobs, or in circumstances such as pregnancy, moving, or divorce. The Centers for Medicare & Medicaid Services (CMS) has HIPAA information on its website to help answer your questions about health coverage and your rights and protections under HIPAA.
For further information about HIPAA or to ask how it relates to your specific circumstances, e-mail CMS at phig@cms.hhs.gov, or call CMS at 1.877.267.2323, ext. 61565.
Title II is HIPAA Administrative Simplification.
Administrative Simplification comprises the Electronic Transaction and Code Set Standards, Security, and Identifiers. The Centers for Medicare and Medicaid Services provides information on Administrative Simplification. The final Enforcement Rule for the HIPAA Administrative Simplification regulations was published on February 16, 2006.
Please note that each provision has its own final ruling.
Electronic Transactions and Code Sets
The Centers for Medicare and Medicaid Services (CMS) has specific information on Electronic Transactions and Code Sets, including information on proposed rules, final rules, technical corrections, modifications, and attachments.
The final Electronic Transaction modifications rule was published in the Federal Register on February 20, 2003. This final rule modifies a number of the Electronic Transactions and Code Sets adopted as national standards under HIPAA. The key features of this provision are:
- For non-retail pharmacy transactions - Eliminates the NDC (National Drug Code) code set as the standard medical data code set for reporting drugs and biologics. No replacement code set has been adopted for these transactions at this time.
- For retail pharmacy transactions:
- Adopts the NCPDP (National Council for Prescription Drug Programs) Batch Version 1.1 to support the Telecommunications Version 5.1.
- Adopts the ASC (Accredited Standards Committee) X12N 835 as the standard for payment and remittance advice, and the NCPDP Telecommunications Version 5.1 and NCPDP Batch Version 1.1 Implementation Guides as the standard for the referral certification and authorization transaction.
- Modifications to the transaction standards - These changes have been adopted and are detailed in the "addenda" to the implementation guides, which provide the technical details for each standard. The changes reflect industry requests to modify the standards.
- Modified standards - The rule adopted modified standards for two transactions that were not included in the proposed rules, premium payments and coordination of benefits, and provides explanatory guidance for them.
Security
CMS has specific information on the Security Standards, including the seven papers currently available in the HIPAA Security Educational Paper Series.
The Final Rule Adopting HIPAA Standards for the Security of Electronic Health Information was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities including health insurers, certain health-care providers, and health-care clearinghouses to be used to assure the confidentiality, integrity and availability of electronic protected health information. The key features of the Final Security Rule are:
- Scalable - All covered entities must implement these standards. Covered entities should take into account their size, complexity, capabilities, costs of complying with the standards, and potential risks to their electronic protected health information when determining how to apply the standards.
- Technology Neutral - The standards do not specify any particular technology. They outline what must be done but not how to do it.
- Protection of electronic data at rest and in transit through three categories of safeguards:
- Administrative safeguards: management of the selection, implementation and maintenance of security measures.
- Physical safeguards: protection of electronic systems, buildings and equipment from environmental hazards and unauthorized intrusion.
- Technical safeguards: automated processes that protect data and control access to it.
Unique Identifiers
National Provider Identifiers (NPIs) are numeric identifiers required for use by all health care providers under HIPAA's Administrative Simplification regulations. Once enumerated, a provider's NPI does not change; it remains with the provider regardless of job or location changes. Two final identifier rules have been issued:
- National Employer Identifier (EIN) - The EIN is an identifier already assigned to each employer for tax identification purposes, so its adoption does not result in additional data collection or paperwork, furthering the administrative simplification objectives. The EIN is defined as the taxpayer identifying number of an individual or other person (whether or not an employer). The EIN is nine digits separated by a hyphen and appears as 00-0000000. The final rule for the National Employer Identifier Standard was published in the Federal Register on May 31, 2002.
- National Provider Identifier - Improves accuracy and assists in overcoming communication and coordination difficulties. On January 23, 2004, the National Provider Identifiers (NPIs) Final Rule was published. The compliance date was May 23, 2007 for most covered entities. For further information, see the NPI Tip Sheet.
The Centers for Medicare and Medicaid Services has information on NPIs, including how to apply, educational resources, enumeration reports, and implementation.
The National Health Plan (Payer) Identifier and the National Health Identifier for Individuals have not yet been proposed. HHS has indicated that it will develop an identifier for health plans to aid in administration of benefits and to improve the transmission of healthcare transactions.
Question: Who must comply with the HIPAA Privacy Rule?
Answer: Covered entities: health plans, health care clearinghouses, and any health care provider (including pharmacies and physicians) who transmits health information in electronic form in connection with a standard transaction.
Question: What is a covered entity and how do I qualify to be one?
Answer: An entity that is one or more of these types of entities is referred to as a "covered entity" in the Administrative Simplification regulations.
- A health care provider that conducts certain transactions in electronic form (called here a "covered health care provider")
- A health care clearinghouse
- A health plan
The Centers for Medicare & Medicaid Services provides Covered Entity Charts which help determine whether a natural person, business, or government agency is a covered entity.
CMS also has a paper titled Am I A Covered Entity ...And Does the Transactions and Code Sets Rule Apply to Me?
Covered entities must:
- Have written privacy procedures, including a description of the staff that have access to protected information, how this information will be used, and when it may be disclosed. Steps must be taken to ensure that any business associates who have access to protected information agree to the same limitations on the use and disclosure of that information.
- Provide training for their employees in their privacy procedures.
- Designate an individual responsible for ensuring the procedures are followed. If a covered entity learns that an employee failed to follow the procedures, it must take disciplinary action.
- Follow the rule's criteria when deciding whether a disclosure of health information is permitted. The final rule permits, but does not require, covered entities to disclose certain health information for specific public responsibilities, such as:
- Emergency circumstances
- Identification of the body of a deceased person
- Cause of death
- Public health needs
- Research approved by an Institutional Review Board (IRB)
- Judicial proceedings
- Law enforcement activities
- National defense and security activities
Question: What is meant by Limited Data Set and what identifiers are excluded?
Answer: A Limited Data Set (LDS) is an exception to the Privacy Rule requirement for an authorization from the subject for research use of protected health information; the recipient must sign a data use agreement with the covered entity. An LDS lacks 16 of the 18 identifiers itemized by the Privacy Rule. Specifically, an LDS does NOT include the following identifiers:
- Names
- Addresses, other than town, city, state, and ZIP code
- Telephone numbers
- Fax numbers
- E-mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- URLs
- IP address numbers
- Biometric identifiers, including finger and voice prints
- Full-face photographic images and any comparable images
The difference between an LDS and de-identified information is that an LDS may contain dates and certain geographic information associated with an individual that are absent from de-identified information. An LDS may contain, for example:
- Dates of birth
- Dates of death
- Dates of service
- Town or city
- State
- ZIP code
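The following is an added example, not part of the original FAQ, showing how a research data export would apply the Limited Data Set rule above: it strips the 16 excluded identifiers, keeps the dates and sub-state geography an LDS may retain, and in a stricter mode drops those too to approximate the de-identified form the FAQ contrasts with the LDS. The field names, the sample record and the allow-list of clinical fields are constructed for illustration; the stricter mode follows only the distinction the FAQ draws and does not implement the full de-identification standard, which has further conditions not covered here.

```python
"""Limited Data Set (LDS) filter for a per-patient record (added example).

Field names below are hypothetical; map them to your own schema.
"""
from typing import Any, Dict, List, Tuple

# The 16 direct identifiers an LDS must not contain, keyed by the record
# field names this example assumes.
LDS_EXCLUDED_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Fields an LDS may keep but de-identified data (as contrasted in the
# FAQ) may not: dates and geography below the state level.
LDS_ONLY_FIELDS = {"date_of_birth", "date_of_death", "date_of_service",
                   "city", "zip"}

# Fields released in both modes. Assumed for the example: state plus
# coded clinical content that carries no direct identifier.
PERMITTED_FIELDS = {"state", "diagnosis_code", "procedure_code", "sex"}


def make_limited_data_set(record: Dict[str, Any], deidentify: bool = False,
                          strict: bool = True) -> Tuple[Dict[str, Any], List[str]]:
    """Return (released_record, removed_field_names).

    deidentify=False produces an LDS; deidentify=True also drops the
    LDS-only date and geography fields. The filter is an allow-list:
    a field it has not classified is never released. With strict=True an
    unclassified field aborts the export (so a new column added upstream
    cannot leak an identifier); with strict=False it is silently dropped
    and reported in the removed list for the audit log.
    """
    allowed = PERMITTED_FIELDS if deidentify else PERMITTED_FIELDS | LDS_ONLY_FIELDS
    known = LDS_EXCLUDED_FIELDS | LDS_ONLY_FIELDS | PERMITTED_FIELDS
    unknown = set(record) - known
    if strict and unknown:
        raise ValueError(f"unclassified fields, refusing export: {sorted(unknown)}")
    released = {k: v for k, v in record.items() if k in allowed}
    removed = sorted(k for k in record if k not in allowed)
    return released, removed


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "12 Elm St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62701",
    "ssn": "000-00-0000",
    "mrn": "MRN-000001",
    "ip_address": "192.0.2.10",
    "date_of_service": "2011-08-02",
    "diagnosis_code": "J45.20",
    "sex": "F",
}

if __name__ == "__main__":
    lds, dropped = make_limited_data_set(SAMPLE_RECORD)
    print("LDS:", lds)
    print("removed:", dropped)
    deid, dropped = make_limited_data_set(SAMPLE_RECORD, deidentify=True)
    print("de-identified (per FAQ distinction):", deid)
    print("removed:", dropped)
```

The allow-list design is the point: a deny-list of the 16 identifiers would release any new upstream column by default, which is exactly how identifiers reach a research partner. Keep the returned list of removed fields with the export record as evidence that the data use agreement's terms were applied.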
Question: How does HIPAA apply to minor children who are under the age of 18?
Answer:
- The HIPAA rules are meant to preserve current state laws regarding minors.
- A minor's information may be released with the consent of a parent or legal guardian.
- Minors who are authorized under state law to consent to specific medical procedures have control over the use and disclosure of their health information about those procedures.
Question: Is it true that Electronic Claims to Medicare will not be processed if they are in a format other than in the HIPAA format?
Answer: Yes, unless you are a small provider, defined as an institutional provider with fewer than 25 full-time equivalent employees or a physician, practitioner or supplier with fewer than 10 full-time equivalent employees. All other providers must send all claims electronically in the HIPAA format.
The Centers for Medicare and Medicaid Services has additional information on Electronic Billing and Electronic Data Interchange (EDI) Transactions.
Question: Are there other specific deadlines for complying with HIPAA?
Answer: Yes. NPIs were mandatory on all Electronic Transactions on May 23, 2007, except small health plans. Small health plans must use the NPI by May 23, 2008.
Question: Will the Privacy Rule preempt state law?
Answer: It might. HIPAA preserves certain areas of state authority that are not limited or invalidated by its provisions. These areas relate to public health reporting and state regulation of health plans; see 45 CFR 160.203(c) and (d).
Under the Privacy Rule, the federal regulation preempts state laws that conflict with its requirements, with exceptions for certain public health functions and related activities. Stronger state laws, such as those covering mental health, HIV infection, and AIDS information, continue to apply. These confidentiality protections are cumulative: the final rule sets a national baseline of privacy standards that protects all Americans, and states may add to it. For instance, when a state law requires a certain disclosure, such as reporting an infectious disease outbreak, the federal privacy regulations do not preempt the state law. Likewise, where a state has more restrictive privacy provisions, those provisions continue to apply and give its citizens additional protections.
The HIPAA privacy regulations provide that state laws are not preempted if they relate to:
- Reporting of disease or injury, child abuse, birth, or death
- The conduct of public health surveillance, investigation or intervention
- Health plan management audits, financial audits, program monitoring and evaluation
- Licensure or certification of facilities or individuals
- (with the approval of HHS) prevention of fraud and abuse
- Regulation of insurance and health plans
- State reporting on health care delivery or costs
- Compelling need relating to public health, safety or welfare
- Regulation of controlled substances
Under the Supremacy Clause, a federal law displaces a state law that conflicts with it unless the federal law itself carves out exceptions. The HIPAA statute provides that its privacy provisions "supersede" any "contrary" provision of state law, but also that they "shall not supersede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation."
Question: Can I file a complaint regarding the privacy practices of a covered health plan or provider?
Answer: Yes. You should send your complaint to the appropriate OCR Regional Office, based on the region where the alleged violation took place. OCR has 10 regional offices, and each regional office covers certain states. You can find out more information about filing a complaint by calling 1.800.368.1019.
Question: Are there penalties if I don’t want to comply with HIPAA?
Answer: Yes. Under the original Enforcement Rule, civil violations are fined up to $100 per violation, up to $25,000 per year, for each requirement or prohibition violated. The HITECH Act of 2009 replaced these with tiered penalties of up to $50,000 per violation and up to $1,500,000 per calendar year for violations of an identical provision.
The Final HIPAA Enforcement Rule was published in the February 16, 2006 Federal Register.
Criminal violations involve actions such as knowingly obtaining or disclosing protected health information. These violations are punishable by a fine of up to $50,000 and up to one year in prison for certain offenses; up to $100,000 and up to five years in prison if the offense is committed under "false pretenses"; and up to $250,000 and up to 10 years in prison if the offense is committed with the intent to sell, transfer or use protected health information for commercial advantage, personal gain or malicious harm.
The Office for Civil Rights provides additional information on Civil Money Penalties: Procedures for Investigations, Imposition of Penalties, and Hearings.
Question: May health care providers leave phone messages at a patient's home or mail reminders to their home?
Answer: Yes. Communicating with patients at their homes, through the mail or by phone, is acceptable. Messages may also be left for patients on their answering machines, but care should be taken to limit the amount of information disclosed in such a message. A covered entity may also leave a message with a family member or other person who answers the phone when the patient is not home.
Question: May physician's offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?
Answer: Yes, as long as the information disclosed is appropriately limited and a sign-in sheet does not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician).
Question: May a physician’s office fax a patient’s medical information to another physician’s office?
Answer: Yes, if it is for treatment purposes. Reasonable safeguards must be in place, such as confirming the destination fax number before sending and placing the fax machine in a secure location.
Question: Can health care professionals place medical charts on exam room doors?
Answer: Yes, as long as the clinic takes reasonable and appropriate measures to protect the patient’s privacy.
Question: Does a physician need a patient's written authorization to send a copy of the patient's medical record to a specialist or other health care provider who will treat the patient?
Answer: No.
Question: What types of insurance are not covered under HIPAA?
Answer: Long/short term disability; workers' compensation; automobile liability that includes coverage for medical payments, as these are not health plans.
Question: Do I need to post my entire notice or can I post a brief description of it?
Answer: Covered health care providers that maintain an office or other physical site where they provide health care directly to individuals are required to post their entire notice at the facility in a clear and prominent location. Covered health care providers have discretion to design the posted notice in a manner that works best for their facility, which may be to simply post a copy of the pages of the notice that is provided directly to individuals.
Question: Can a patient have a friend or family member pick up a prescription?
Answer: Yes. The HIPAA Privacy Rule allows the pharmacist to give the filled prescription to the relative or friend. The individual does not need to provide the pharmacist with the names of such persons in advance.
Question: Can a patient’s name be posted next to their hospital room door?
Answer: Yes, if the use or disclosure is for treatment or for health care operations purposes. The disclosure of such information to other persons (such as other visitors) that will likely also occur due to the posting is an incidental disclosure.
Question: Are hospitals able to inform the clergy about parishioners in the hospital?
Answer: Yes, as long as the patient has been informed of this use and disclosure, and does not object.
Last reviewed 08/02/2011