The Health Insurance Portability and Accountability Act is a federal law that protects your privacy. We are required to inform you of your rights under this law. This is a short summary of your rights.
For additional information, please continue to read the Patient Privacy Rights below or you may also visit: https://www.hhs.gov/ocr/privacy/
Privacy rights are important, especially when it comes to healthcare. Unfortunately, protections and requirements for adults, family members, and even treatment providers can be unclear. Below, we have answered some of the most common questions people have about privacy and healthcare.
Much of this information falls under the Federal Health Insurance Portability and Accountability Act, HIPAA. In addition to Federal guidelines, states may have additional requirements and clarifications.
What healthcare information is protected under privacy laws?
Under HIPAA, the following information is considered protected:
Before receiving services, you should be provided a Notice of Privacy Practices. This is a written statement about how your provider uses and shares your information. They are required to receive an acknowledgment that you have seen the notice, but acknowledgement does not necessarily mean that you accept or reject how they use your information. If you do not agree with the terms, you are able to ask questions and discuss specific uses of information with your provider.
Who can access my healthcare information?
You have the right to decide how and with whom your protected health information is shared. Providers must respect your decisions regarding your privacy, and many states require individuals to complete paperwork stating who may or may not see their information. While providers generally follow their clients’ wishes, there are emergency situations when a provider may disclose relevant, protected health information to an outside party, including family members or law enforcement. These special circumstances include times when a provider believes there is an imminent threat of harm to self or others, or where an individual is deemed “incapacitated,” lacking the ability to make one’s health decisions, and sharing information is in the best interest of the client’s care.
Your insurance company also has access to general health information including what treatment was provided (Current Procedural Terminology (CPT) codes), diagnoses (ICD-10 codes), medications, and summaries or discussions needed to justify billing or payment of the submitted services. Your insurance company does not have access to services not submitted to them or that you have paid for in full out of your own pocket.
Can I plan how my information will be shared in an emergency?
Psychiatric Advance Directives are documents in which you list your preferences in case you are determined to lack the ability to make your own decisions during a mental health crisis. Creating this document when your ability to make decisions is not in question gives you an opportunity to impact what happens to you during a mental health crisis. Some things to be considered include:
While doctors ultimately have the power to make decisions, these documents can influence your care and give you a more active role in the case of crisis. Read more about psychiatric advance directives here.
How can I access my healthcare records?
You have the right to see your health records – even if you have not paid for services. Depending on your provider, you may be asked to submit a request in writing. They may also charge a fee for copying and/or mailing your records. Providers are typically required to give access to your records within thirty days of your request.
In terms of therapy, you have a right to see your general health information including dates of services, billing, and diagnoses; however, you may not have access to your therapists’ notes from your sessions together. While laws differ by state, access to psychotherapy notes is granted if your provider records them in your general health information records or gives you access to them. If you want to see your psychotherapy notes, it is often good to start with a conversation with your provider about your feelings and concerns.
What if I believe my health record is incorrect?
If you believe something is missing or incomplete in your health record, you can request that your provider make corrections. If the provider does not agree that your information is inaccurate, you have the right to note in your file that you disagree.
What are my privacy rights with regard to alcohol and/or drug use?
Information on alcohol and/or drug use is unique from other mental health information. You are required to separately provide permission for any alcohol and/or drug use information to be shared. While this is a personal decision, it is useful for providers to share this information, especially if you take medications that may be less effective or harmful with substance use or you have additional medical conditions. It is very hard for providers to treat people without their full record.
If I am hospitalized, what health information can be shared with law enforcement?
Hospitals are able to disclose specific information to law enforcement for the purposes of “locating or identifying a suspect, fugitive, material witness, or missing person.” This information includes admission and discharge dates and times, description of distinguishing characteristics, and name and address, among other general identifying information. Your provider may not share information related to DNA, dental records, or any analysis of bodily fluids.
I feel that my privacy rights have been violated. What can I do?
If you feel that your privacy rights have been violated, you can file a complaint with the US Department of Health and Human Services’ Office of Civil Rights, your provider, or your health insurer. A group, company, or organization is not allowed to discriminate against you for filing a complaint. Click here to learn more information about the complaint process.
My family member/friend refuses to share their healthcare information with me. What can I do?
HIPAA allows individuals to make decisions as to who is allowed to see their protected health information. A provider may listen to you as a family member or friend but cannot provide information about the patient, including whether or not they are in treatment, except in cases where the provider determines there is a serious and imminent threat to the health or safety of the client or others and that you may be able to mitigate this threat, or where the provider determines the client is incapacitated. In both cases, the provider must use clinical judgment and respect any prior decisions of the consumer.
What if I just want to share important information with my family member/friend’s provider?
You are welcome to call and leave a voicemail or email with your family member/friend’s provider giving them whatever information you would like to share. You may or may not hear back from that provider. It is likely that the provider will tell your family member/friend that you contacted them and will ask for permission to speak to you.
If the provider calls you, they may or may not confirm or deny that your family member/friend is seeing them. If your family member/friend has provided permission to share information, the provider will share whatever information was permissible and/or is appropriate for care.
*Providers should read federal and state laws for other legal requirements and follow professional ethical standards as determined by their professional board.
Do I need my client’s permission in writing to discuss their medical information with their family members/friends?
You do not need signed permission from your client to share information with their family members/friends if you are reasonably sure that the patient does not object or has given verbal consent. This can be inferred if your client invites their family member/friend to sit in on therapy or if the client is given a clear opportunity to object to disclosure and they do not.
All information shared must be in the best interest of your client and must be directly related to their care and/or payment. If your client objects to the disclosure, you may not share the information.
If I feel that my client is incapacitated, am I able to discuss their care with their family/friends?
If you feel that your client is incapacitated, you are able to provide protected healthcare information to family and friends if you determine it is in the best interest of the client. Using professional judgment, you may share information directly relevant to the family member or friend involved in care or payment. You may also provide specific information to individuals involved in treatment who are not family members or friends if you are reasonably sure that the patient wants the individual involved in their care. When your client is capable of making decisions for their care, you should ask what information he or she would like to be shared and with whom. Ideally, this would be done using an Advanced Psychiatric Directive.
What do I do when I feel there is a serious threat of injury to my client or someone else?
If you feel your client is a serious and imminent threat to the health and safety of him or herself or to others, you may report to individuals who you believe could help address the threat, including family members and law enforcement. Depending on your state, you may be required or allowed to share an individual’s health information if a serious and imminent threat of physical violence has been communicated. These “Duty to Protect/Warn” laws exist in 45 states.
What are the penalties for violating HIPAA?
There is often confusion and fear among healthcare professionals when it comes to HIPAA violations. Penalties for violations were specified in 2009 and vary based on the circumstances and intent of the provider. For example, an individual who “did not know (and by exercising reasonable diligence would not have known)” that he or she was violating HIPAA has a first-time penalty between $100 and $50,000. In the most severe cases, any provider who has “[committed an offense] with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to ten years”. For more information describing HIPAA violations and enforcement, click here.
Changes to the Terms of this Notice
We can change the terms of this notice, and the changes will apply to all information we have about you. The new notice will be available upon request, in our office, and on our web site.
Other Instructions for Notice