Frequently Asked Questions


An authorization is a more customized document that gives permission to use protected health information for specific purposes, which are generally other than treatment, payment, or operations. An authorization is often used to disclose protected health information to a third party specified by the individual. The authorization must state the purpose of each disclosure or use and the individual has the right to revoke it in writing.

Worker's Compensation plans are excluded from the definition of a "health plan." The Privacy Rule is not intended to impede the flow of health information to those who need it to process claims or coordinate care for injured or ill workers under the Worker's Compensation system. The minimum necessary provision requires covered entities to make reasonable efforts to limit uses and disclosures of, as well as requests for, protected health information to the minimum necessary to accomplish the intended purpose.

No consent is necessary for one doctor's office to transfer a patient's medical records to another doctor's office for treatment purposes.

The HIPAA Privacy Rule allows doctors to share your medical information for treatment purposes. This can be done by fax, telephone or other means. Your health care provider is required to put in place reasonable and appropriate safeguards to protect your medical information. For example, your doctor's staff needs to confirm that the fax number they are using is correct.

Yes, as long as the information disclosed is appropriately limited. For example, the sign-in sheet should not include the reason for your visit, since this is private medical information and does not need to be shared with other patients.

Under the Privacy Rule, patients can request that their doctors, health plans and other covered entities take reasonable steps to ensure that their communications with the patient are confidential. For example, a patient could ask a doctor to call his or her office rather than home, and the doctor's office should comply with that request if it can be reasonably accommodated.

The Privacy Rule permits hospitals to continue the practice of providing directory information to the public unless the patient has specifically chosen to opt out.

HIPAA specifically provides that hospitals may continue the practice of disclosing directory information "to members of the clergy," unless the patient has objected to such disclosure.

Under the Privacy Rule, a health care provider may disclose "to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual" the medical information directly relevant to that person's involvement with the patient's care or with payment related to the patient's care.

Under HIPAA, a family member or other individual may act on the patient's behalf "to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information."

No. Disclosure is mandated in only two situations:

  • To the individual patient upon request
  • To the Secretary of the Department of Health and Human Services for use in oversight investigations

The Privacy Rule sets limits on how health plans and covered providers may use individually identifiable health information. To promote the best quality care for patients, the rule does not restrict the ability of doctors, nurses and other providers to share information needed to treat their patients. In other situations, however, personal health information generally may not be used for purposes not related to health care, and covered entities may use or share only the minimum amount of protected information needed for a particular purpose. In addition, patients would have to sign a specific authorization before a covered entity could release their medical information to a life insurer, financial institution, employer, marketing firm or another outside business for purposes not related to their health care.

Patients generally should be able to see and obtain copies of their medical records and request corrections if they identify errors and mistakes. The covered entities may charge patients for the cost of copying and sending the records.

The Privacy Rule sets new restrictions and limits on the use of patient information for marketing purposes. Pharmacies, health plans and other covered entities must first obtain an individual's specific authorization before disclosing their patient information for marketing. At the same time, the rule permits doctors and other covered entities to communicate freely with patients about treatment options and other health-related information, including disease management programs.

The new federal privacy standards do not affect State laws that provide additional privacy protections for patients. The confidentiality protections are cumulative; the Privacy Rule sets a national "floor" of privacy standards that protect all Americans, and any State law providing additional protections continues to apply. When a State law requires a certain disclosure, such as reporting an infectious disease outbreak to the public health authorities, the federal privacy regulations do not preempt the State law.

In limited circumstances, the Privacy Rule permits, but does not require, covered entities to continue certain existing disclosures of health information for specific public responsibilities. These permitted disclosures include: emergency circumstances; identification of the body of a deceased person, or the cause of death; public health needs; research that involves limited data or has been independently approved by an Institutional Review Board; oversight of the health care system; judicial and administrative proceedings; limited law enforcement activities; and activities related to national defense and security. The Privacy Rule generally establishes new safeguards and limits on these disclosures. Where no other law requires disclosure in these situations, covered entities may continue to use their professional judgment to decide whether to make such disclosures based on their own policies and ethical principles.

No. The provisions of the Privacy Rule generally apply equally to private and public sector covered entities. For example, private hospitals and government-run hospitals covered by the Privacy Rule have to comply with the full range of requirements.

Congress provided civil and criminal penalties for covered entities that misuse personal health information. For civil violations of the standards, the Office for Civil Rights may impose monetary penalties of up to $100.00 per violation, up to $25,000 per year, for each requirement or prohibition violated.

Criminal penalties apply for actions such as knowingly obtaining protected health information in violation of the law. Criminal penalties can range up to $50,000 and one year in prison for certain offenses; up to $100,000 and up to five years in prison if the offenses are committed under "false pretenses"; and up to $250,000 and up to ten years in prison if the offenses are committed with the intent to sell, transfer or use protected health information for commercial advantage, personal gain or malicious harm.