The Privacy Rule gives individuals the right to inspect, review, and receive a copy of their medical records and billing records that are held by health plans and health care providers covered by this rule. For example:
- Only you or your personal representative has the right to access your records.
- A health care provider or health plan may send copies of your records to another provider or health plan only as needed for treatment or payment or with your permission.
- The Privacy Rule does not require the health care provider or health plan to share information with other providers or plans.
- If you think the information in your medical or billing record is incorrect, you can request a change, or amendment, to your record. The health care provider or health plan must respond to your request. If it created the information, it must amend inaccurate or incomplete information.
- If the provider or plan does not agree to your request, you have the right to submit a statement of disagreement that the provider or plan must add to your record. See 45 C.F.R. §§ 164.508, 164.524 and 164.526.
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. For example:
- Covered entities must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.
- Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.
- Covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.
- Business associates also must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.
Protected Health Information
Personal health information (PHI), also referred to as protected health information, generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care. For example:
- Information your doctors, nurses, and other health care providers put in your medical record
- Conversations your doctor has about your care or treatment with nurses and others
- Information about you in your health insurer’s computer system
- Billing information about you at your clinic
- Most other health information about you held by those who must follow these laws