A Patient Has the Following Rights Under the HIPAA Privacy Rule

In 1996, Congress passed HIPAA. As a result, the Act impacts all areas of the health care industry. HIPAA was designed to provide insurance portability, improve the efficiency of health care by standardizing the exchange of administrative and financial data, and protect the privacy, confidentiality and security of health care information.

A major principle of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.

A patient has the following rights under the HIPAA Privacy Rule:

• To access his/her Protected Health Information;
• To request an amendment to his/her PHI if he/she disagrees with what is documented;
• To request an accounting of disclosure of his/her PHI;
• To request that certain information be restricted from use or disclosure;
• To request that certain PHI be communicated in a particular manner to ensure confidentiality;
• To withhold authorization for the release of PHI;
• To authorize the release of PHI.

A covered entity is permitted, to use and disclose protected health information without an individual’s authorization for the following purposes:

• To the Individual for his/her review of their PHI;
• For treatment, payment, and health care operations;
• Incidental to an otherwise permitted use and disclosure;
• Under the Opportunity to Agree or Object clause, if the individual is unavailable, incapacitated, or in an emergency situation, a covered entity may disclose PHI in the exercise of their professional judgment that the disclosure is in the best interest of the individual;
• Public interest and benefit activities; and
• Limited data set for the purposes of research, public health or health care operations.

The primary activities of the HIPAA Compliance Unit are: audit reviews, develop policy and procedures, enforce compliance, act as the County’s liaison to the Officer for Civil Rights and other agencies, review and comment on new local, State, or federal laws that may impact existing health privacy practices, facilitate in the resolution of reported health privacy breaches or complaints, prepare reports to the Board of Supervisors, and coordinate efforts with the HIPAA Security Program under the Chief Information Office.

Back…