In this lesson, we're going to go over patients' rights, what information requires authorization, what information does not require information, and give you a few examples along the way. At the end of the lesson, we'll provide you with an additional Word about patient health information privacy rights.

Most of us believe that our medical information and other health information is private and should be protected, and many want to know who has this information. The HIPAA Privacy Rule gives patients rights over their health information and sets rules and limits on who can look at and receive their protected health information.

Covered Entities and Patients' Rights

Pro Tip #1: All covered entities are required to provide individuals a private practice policy if requested at all times. Healthcare organizations' private practice policy should describe several things, including:

  • How medical information about the patient will be used and disclosed
  • How patients can get access to their medical information if it is requested
  • The process for patients to use when filing complaints regarding their PHI
  • What types of uses and disclosures of PHI are permitted
  • What types of uses and disclosures require authorization

These patient rights include asking for a copy of their healthcare provider's rights and privacy policies when they visit their primary physician or local hospital. All patients are entitled to see or get a copy of his or her own medical records that each healthcare practice or organization keeps.

Pro Tip #2: All covered entities must provide an accounting of all protected health information disclosures that are made for treatment, payment, and healthcare operations during the prior six years upon request. This includes all financial records as they are tied to the healthcare services.

One important caveat for patients: If you are receiving medical care while also paying for your own medical services, you are not required to disclose any protected health information with your health plan.

Patient Authorization

Pro Tip #3: Patient authorization is necessary for covered entities, like healthcare organizations, to obtain an individual's personal health information and billing information. However, it is not required in order for the patient to receive treatment. And as you'll see below, there are some exceptions that should be noted.

A common question many physicians have is: Can I see a patient without getting written authorization? The answer is, yes, you can. However, it's a good idea to update their medical records and make a note of that when or if it happens.

If you're a physician and you refer a patient to another healthcare provider, you must have written authorization from the patient in order to share their health information. But the rule changes in the event of a worker's compensation claim or a directive from OSHA. In these instances, physicians can provide patient information without the need to receive authorization from the patient.

Other circumstances that do not require patient authorization are situations when there's a need to alert law enforcement officials of an imminent danger, either to the patient himself/herself or if the patient is a danger to others.

An example of this would be trying to protect a minor from abuse. If you're a physician who suspects abuse, you are authorized to report it.

Another example: The HIPAA Privacy Rule allows covered healthcare providers to disclose protected health information about students to school nurses, physicians, or other healthcare providers for treatment purposes without requiring authorization of the student or the student's parents or guardians.

For instance, a student's primary care physician can discuss a student's medication or other healthcare needs with a school nurse who will administer medications and provide care to the student while he or she is at school

A Word About Patient Health Information Privacy Rights

For patients, knowing their rights is the first step to protecting them.

How can Patients get Their Health Information?

As noted at the beginning of this lesson, patients can ask to see or get a copy of their medical records and other health information. However, if they want a copy, they may have to put their request in writing and pay for the cost of copying and mailing. In most cases, their copies must be given to them within 30 days.

How can Patients Change Their Health Information?

Patients can ask to change any wrong information in their file or add information if they think something is missing or incomplete. For example, if a patient and his or her hospital agree that the file has the wrong results for a test, the hospital must change it. Even if the hospital believes the test result is correct, patients still have the right to have their disagreement noted in their file. In most cases, the file should be updated within 60 days.

How can Patients Know Who Has Seen Their Health Information?

By law, patients' health information can be used and shared for specific reasons not directly related to their care, like making sure doctors give good care, making sure nursing homes are clean and safe, reporting when the flu is in the patients' area, or reporting as required by state or federal law. In many of these cases, patients can find out who has seen their health information.

Patients have two options:

  1. Learn how their health information is used and shared by their doctor or health insurer.
  2. Let their providers or health insurance companies know if there is information they do not want to share.