HIPAA FAQs

Many patients and physicians have questions about the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Below are some of the common questions. If you have questions that are not listed below, please visit The United States Department of Health & Human Services website (www.hhs.gov) for additional FAQs or contact DLS.

Q1: Are the Privacy Rule right of access provisions in harmony with CLIA?
A: Yes. Effective April 7, 2014, “CLIA Program and HIPAA Privacy Rule; Patient’s Access to Test Reports; Final Rule” by the U.S. Department of Health and Human Services amends both the CLIA regulations (42 CFR Part 493) and the HIPAA Privacy Rule (45 CFR Part 164). The amended CLIA regulations now allow laboratories subject to CLIA, upon the request of a patient (or the patient’s personal representative), to provide access to completed test reports that, using the laboratory’s authentication process, can be identified as belonging to that patient. Under the amended HIPAA regulations, HIPAA-covered laboratories are required to provide an individual (or the individual’s personal representative) with access, upon request, to the individual’s completed test reports (and other information maintained in a designated record set) in accordance with the provisions of § 164.524 of the Privacy Rule. These rules are available online at https://federalregister.gov/a/2014-02280 and on FDsys.gov.

The “CLIA Program and HIPAA Privacy Rule; Patient’s Access to Test Reports; Final Rule” preempts Hawaii Administrative Rules Chapter 11-110.1, and all HIPAA-covered clinical laboratories are now required to comply with the regulation EFFECTIVE October 6, 2014.

Q2: Is an authorization needed to send a medical record to another provider who is treating the patient?
A: No. The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment of the individual. See 45 CFR 164.506 and the definition of “treatment” at 45 CFR 164.501.

Q3: May health care providers use sign-in sheets or call out names in waiting rooms?
A: Yes. Covered entities, such as physician’s offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician).

Q4: Does the HIPAA Privacy Rule preempt State laws?
A: The HIPAA Privacy Rule provides a Federal floor of privacy protections for individuals’ individually identifiable health information where that information is held by a covered entity or by a business associate of the covered entity. State laws that are contrary to the Privacy Rule are preempted by the Federal requirements, unless a specific exception applies. These exceptions include if the State law (1) relates to the privacy of individually identifiable health information and provides greater privacy protections or privacy rights with respect to such information, (2) provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, or (3) requires certain health plan reporting, such as for management or financial audits. In these circumstances, a covered entity is not required to comply with a contrary provision of the Privacy Rule. In addition, the Department of Health and Human Services (HHS) may, upon specific request from a State or other entity or person, determine that a provision of State law which is “contrary” to the Federal requirements – as defined by the HIPAA Administrative Simplification Rules – and which meets certain additional criteria, will not be preempted by the Federal requirements. 
Thus, preemption of a contrary State law will not occur if the Secretary or designated HHS official determines, in response to a request, that one of the following criteria applies: the State law (1) is necessary to prevent fraud and abuse related to the provision of or payment for health care, (2) is necessary to ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation, (3) is necessary for State reporting on health care delivery or costs, (4) is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or (5) has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substance (as defined in 21 U.S.C. 802), or of a substance deemed a controlled substance by State law. It is important to recognize that only State laws that are “contrary” to the Federal requirements are eligible for an exemption determination. As defined by the Administrative Simplification Rules, contrary means that it would be impossible for a covered entity to comply with both the State and Federal requirements, or that the provision of State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA. See 45 C.F.R. Part 160, Subpart B, for specific requirements related to preemption of State law. An unofficial version of the Privacy Rule and the preemption requirements may be accessed at https://www.hhs.gov/ocr/combinedregtext.pdf.

Q5: Who must comply with these new HIPAA privacy standards?
A: As required by Congress in HIPAA, the Privacy Rule covers:
– Health plans
– Health care clearinghouses
– Health care providers who conduct certain financial and administrative transactions electronically.
These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers. These entities (collectively called “covered entities”) are bound by the privacy standards even if they contract with others (called “business associates”) to perform some of their essential functions. The law does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits. See the fact sheet and frequently asked questions on this web site about the standards on “Business Associates” for a more detailed discussion of the covered entities’ responsibilities when they engage others to perform essential functions or services for them.

Q6: What is the difference between “consent” and “authorization” under the HIPAA Privacy Rule?
A: The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs. By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual. An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.

Q7: Does the HIPAA Privacy Rule allow parents the right to see their children’s medical records?
A: Yes, the Privacy Rule generally allows a parent to have access to the medical records about his or her child, as his or her minor child’s personal representative when such access is not inconsistent with State or other law. There are three situations when the parent would not be the minor’s personal representative under the Privacy Rule. These exceptions are: (1) when the minor is the one who consents to care and the consent of the parent is not required under State or other applicable law; (2) when the minor obtains care at the direction of a court or a person appointed by the court; and (3) when, and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship. However, even in these exceptional situations, the parent may have access to the medical records of the minor related to this treatment when State or other applicable law requires or permits such parental access. Parental access would be denied when State or other law prohibits such access. If State or other applicable law is silent on a parent’s right of access in these cases, the licensed health care provider may exercise his or her professional judgment to the extent allowed by law to grant or deny parental access to the minor’s medical information. Finally, as is the case with respect to all personal representatives under the Privacy Rule, a provider may choose not to treat a parent as a personal representative when the provider reasonably believes, in his or her professional judgment, that the child has been or may be subjected to domestic violence, abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child.

Q8: What does the HIPAA Privacy Rule do?
A: Most health plans and health care providers that are covered by the Rule must comply with its requirements by April 14, 2003. The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.
– It gives patients more control over their health information.
– It sets boundaries on the use and release of health records.
– It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
– It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
– And it strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.
For patients, it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.
– It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
– It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
– It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
– It empowers individuals to control certain uses and disclosures of their health information.

Q9: Will the Privacy Rule make it easier for police and law enforcement to get my medical information?
A: No. The Rule does not expand current law enforcement access to individually identifiable health information. In fact, it limits access to a greater degree than currently exists, since the Rule establishes new procedures and safeguards that restrict the circumstances under which a covered entity may give such information to law enforcement officers. For example, the Rule limits the type of information that covered entities may disclose to law enforcement, absent a warrant or other prior process, when law enforcement is seeking to identify or locate a suspect. It specifically prohibits disclosure of DNA information for this purpose, absent some other legal requirement such as a warrant. Similarly, under most circumstances, the Privacy Rule requires covered entities to obtain permission from persons who have been the victim of domestic violence or abuse before disclosing information about them to law enforcement. In most States, such permission is not required today. Where State law imposes additional restrictions on disclosure of health information to law enforcement, those State laws continue to apply. This Rule sets a national floor of legal protections; it is not a set of “best practices.” Even in those circumstances when disclosure to law enforcement is permitted by the Rule, the Privacy Rule does not require covered entities to disclose any information. Some other Federal or State law may require a disclosure, and the Privacy Rule does not interfere with the operation of these other laws. However, unless the disclosure is required by some other law, covered entities should use their professional judgment to decide whether to disclose information, reflecting their own policies and ethical principles. In other words, doctors, hospitals, and health plans could continue to follow their own policies to protect privacy in such instances.

Q10: Can health care providers have confidential conversations, even if they might be overheard?
A: Yes. The HIPAA Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. Provisions of this Rule requiring covered entities to implement reasonable safeguards that reflect their particular circumstances and exempting treatment disclosures from certain requirements are intended to ensure that providers’ primary consideration is the appropriate treatment of their patients. The Privacy Rule recognizes that oral communications often must occur freely and quickly in treatment settings. Thus, covered entities are free to engage in communications as required for quick, effective, and high quality health care. The Privacy Rule also recognizes that overheard communications in these settings may be unavoidable and allows for these incidental disclosures. For example, the following practices are permissible under the Privacy Rule, if reasonable precautions are taken to minimize the chance of incidental disclosures to others who may be nearby:
– Health care staff may orally coordinate services at hospital nursing stations.
– Nurses or other health care professionals may discuss a patient’s condition over the phone with the patient, a provider, or a family member.
– A health care professional may discuss lab test results with a patient or other provider in a joint treatment area.
– A physician may discuss a patient’s condition or treatment regimen in the patient’s semi-private room.
– Health care professionals may discuss a patient’s condition during training rounds in an academic or training institution.
– A pharmacist may discuss a prescription with a patient over the pharmacy counter, or with a physician or the patient over the phone.
In these circumstances, reasonable precautions could include using lowered voices or talking apart from others when sharing protected health information. However, in an emergency situation, in a loud emergency room, or where a patient is hearing impaired, such precautions may not be practicable.

Q11: Can an adult or emancipated minor’s personal representative access that person’s medical record?
A: The HIPAA Privacy Rule treats an adult or emancipated minor’s personal representative as the individual for purposes of the Rule regarding the health care matters that relate to the representation, including the right of access under 45 CFR 164.524. The scope of access will depend on the authority granted to the personal representative by other law. If the personal representative is authorized to make health care decisions, generally, then the personal representative may have access to the individual’s protected health information regarding health care in general. On the other hand, if the authority is limited, the personal representative may have access only to protected health information that may be relevant to making decisions within the personal representative’s authority. For example, if a personal representative’s authority is limited to authorizing artificial life support, then the personal representative’s access to protected health information is limited to that information which may be relevant to decisions about artificial life support. There is an exception to the general rule that a covered entity must treat an adult or emancipated minor’s personal representative as the individual. Specifically, the Privacy Rule does not require a covered entity to treat a personal representative as the individual if, in the exercise of professional judgment, it believes doing so would not be in the best interest of the individual because of a reasonable belief that the individual has been or may be subject to domestic violence, abuse or neglect by the personal representative, or that doing so would otherwise endanger the individual. This exception applies to adults and both emancipated and unemancipated minors who may be subject to abuse or neglect by their personal representatives.

Q12: Why is the HIPAA Privacy Rule needed?
A: In enacting HIPAA, Congress mandated the establishment of Federal standards for the privacy of individually identifiable health information. When it comes to personal information that moves across hospitals, doctors’ offices, insurers or third party payers, and State lines, our country has relied on a patchwork of Federal and State laws. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed – without either notice or authorization – for reasons that had nothing to do with a patient’s medical treatment or health care reimbursement. For example, unless otherwise forbidden by State or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient’s application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a Federal floor of safeguards to protect the confidentiality of medical information. State laws which provide stronger privacy protections will continue to apply over and above the new Federal privacy standards. Health care providers have a strong tradition of safeguarding private health information. However, in today’s world, the old system of paper records in locked filing cabinets is not enough. With information broadly held and transmitted electronically, the Rule provides clear standards for the protection of personal health information.

Q13: My State law is more protective of HIV information. Is it preempted by the HIPAA Privacy Rule?
A: No. The Privacy Rule establishes a floor of Federal privacy protections and rights for individuals. If a provision of State law provides greater privacy protection than a provision of the Privacy Rule, and it is possible to comply with both the State law and the Privacy Rule (e.g., where a State law prohibits the disclosure of HIV status while the Privacy Rule permits such disclosure), there is no conflict between the State law and the Privacy Rule, and no preemption. Further, even in the unusual case where a “more stringent” provision of a State law is “contrary” to a provision of the Privacy Rule – that is, it is impossible to comply with both the Privacy Rule and the State law, or the State law is an obstacle to accomplishing the full purposes and objectives of HIPAA’s Administrative Simplification provisions – the Administrative Simplification Rules specifically provide an exception to preemption of State law. Thus, if a more stringent provision of State law protects HIV patient information and is contrary to the Privacy Rule, the “more stringent” State law would prevail. Because HIPAA’s Administrative Simplification Rules themselves except more stringent, contrary State law from preemption, it is neither necessary nor appropriate to request a preemption exception determination from the Department of Health and Human Services. See 45 C.F.R. 160.202 for the definitions of “more stringent” and “contrary,” and 45 C.F.R. 160.203 for the general rule and exceptions to preemption. An unofficial version of the Privacy Rule and the preemption requirements may be accessed at https://www.hhs.gov/ocr/combinedregtext.pdf.

Q14: Do I need an authorization to report a communicable disease to a public health authority?
A: No. All States have laws that require providers to report cases of specific diseases to public health officials. The HIPAA Privacy Rule permits disclosures that are required by law. Furthermore, disclosures to public health authorities that are authorized by law to collect or receive information for public health purposes are also permissible under the Privacy Rule. In order to do their job of protecting the health of the public, it is frequently necessary for public health officials to obtain information about the persons affected by a disease. In some cases they may need to contact those affected in order to determine the cause of the disease to allow for actions to prevent further illness. The Privacy Rule continues to allow for the existing practice of sharing protected health information with public health authorities that are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting deaths and births, investigating the occurrence and cause of injury and disease, and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological products, and medical devices. See the fact sheet and frequently asked questions on this web site about the public health provision for more information.

Q15: May I disclose facially identifiable information, such as name and address, for public health purposes?
A: Yes. The HIPAA Privacy Rule permits covered entities to disclose the amount and type of protected health information that is needed for public health purposes. In some cases, the disclosure will be required by other law, in which case covered entities may make the required disclosure pursuant to 45 CFR 164.512(a) of the Rule. For disclosures that are not required by law, covered entities may disclose, without authorization, the information that is reasonably limited to that which is minimally necessary to accomplish the intended purpose of the disclosure. For routine or recurring public health disclosures, a covered entity may develop protocols as part of its minimum necessary policies and procedures to address the type and amount of information that may be disclosed for such purposes. Covered entities may also rely on the requesting public health authority’s determination of the minimally necessary information. See the fact sheet and frequently asked questions on this web site about the public health and minimum necessary standards for more information.

Q16: Does the HIPAA Privacy Rule provide rights for children to be treated without parental consent?
A: No. The Privacy Rule does not address consent to treatment, nor does it preempt or change State or other laws that address consent to treatment. The Rule addresses access to, and disclosure of, health information, not the underlying treatment.

Q17: May I make a disclosure concerning workers’ compensation if State law requires it?
A: Yes. The HIPAA Privacy Rule permits a covered entity to disclose protected health information as necessary to comply with State law. No minimum necessary determination is required.