My Health Privacy: Questions and Answers about the new HIPAA rights

What are my rights under the privacy new regulations?

You can inspect, photocopy, and request corrections in your medical records. Medical records include doctors’ notes, x-rays, and lab results. Photocopies of the records must be provided within 30 days of a request.
You can find out who else has seen your medical records. At your request, doctors, hospitals, and health plans must disclose who has seen your medical records.
If you are admitted to a hospital, you have the right to not have your name and health status be made publicly available through the hospital. If you choose to opt out of the hospital’s directory, the hospital will not confirm that you are a patient to outside callers. If you are listed in the directory, the hospital will disclose your general condition to callers who ask for you by name.
Mental health providers must obtain a patient’s voluntary authorization before disclosing notes to health plans. Before the new privacy law, health plans could access psychotherapy notes to justify further treatment.
Your healthcare provider and health plan are not allowed to disclose any identifiable health information to your employer.

Will my doctor or dentist office no longer be able to have a sign-in sheet or call out the names of patient in the waiting room?

No. Sign-in sheets can still be used, as long they do not ask the reason for the visit or display medical information. Any incidental disclosures of information are permitted, such as hearing the names of other patients in the waiting room, or seeing names on a sign-in sheet. The health care provider must have reasonable safeguards in place to protect health information.

Must hospitals and doctor’s offices now have private rooms and soundproof walls to avoid the possibility that a conversation is overheard?

No. While health providers must have in place appropriate safeguards to protect health information and make reasonable efforts to prevent disclosures, facility restructuring is not required. Examples of modifications that may be needed to safeguard health privacy include: use of cubicles, dividers or curtains in large health clinics to separate the areas where health professionals talk to patients; pharmacies asking waiting customers to stand a few feet back from the counter used for patient counseling; and doctors using discretion when talking to a patient who shares a hospital room.

Can I have a friend or family member pick up a prescription for me?

Yes. A pharmacist can use professional judgment and common sense to make sure it is in the patient’s best interest to allow another person to pick up a prescription. If a friend or relative comes to the pharmacy to pick up your prescription, that means they are involved in your care. You do not need to give the pharmacist the names of such persons in advance.

Can I communicate with my doctor by phone or e-mail, and can appointment reminders be mailed to me?

Yes. Health care providers can communicate with their patients at their homes through the mail, by phone, or in some other manner. If your provider phones and you are not at home, messages can be left on answering machines, or with a family member or other person answering the phone if a limited amount of information is disclosed. For example, leaving only a name and number or other information to confirm an appointment, or requesting that the patient call back. Email communication is encouraged, as long as a secure network is used and the messages are encrypted.

You can request that your doctor or health care provider communicate with you in a confidential manner, such as only getting calls at the office and not at home, or have any mail delivered in a closed enveloped and not as a postcard. If such requests are reasonable, your provider must comply.

Can my personal health information be used by marketers?

While the law sets new restrictions on the use of health information for marketing purposes, communications about treatment, disease management, wellness programs and health promotion are not considered marketing.

More specifically, the new law requires that a person’s prior written authorization be obtained in order to use or disclose protected health information for marketing. However, the definition of marketing does not include communications related to health care. Communications that are not considered marketing include those that describe health-related products or services available to health plan members, those made for treatment, those more for case management or care coordination, and those made to recommend alternative therapies, providers or settings of care.