Medical Records Privacy: Questions and Answers on the HIPAA Rule

Publication Date: February 2005

Publisher: Library of Congress. Congressional Research Service

Research Area: Health

Abstract:

The HIPAA privacy rule gives patients the right of access to their medical information and prohibits health plans and health care providers from using or disclosing individually identifiable health information without a patient's written authorization except as expressly permitted or required by the rule. Plans and providers are permitted to use and disclose health information for treatment, payment, and other routine health care operations and for various specified national priority activities (e.g., law enforcement, public health, research).

Providers may also share certain information with family members and others, as long as the patient is given the opportunity to object. Health plans and providers must give enrollees and patients a notice explaining their privacy rights and how their information will be used. They are also required to have in place reasonable safeguards to protect the privacy of patient information and, in general, must limit the information used or disclosed to the minimum amount necessary to accomplish the intended purpose of the use or disclosure. Entities that fail to comply with the rule are subject to civil and criminal penalties, but patients do not have the right to sue in federal court for violations of the rule. The privacy rule does not preempt, or override, state laws that are more protective of medical records privacy.