Top 10: Myths and Facts About the HIPAA Privacy Rule

Myth #1 Healthcare providers can share personal health information with employers.

FACT The Privacy Rule absolutely prohibits healthcare providers and plans from disclosing personal health information to employers without a patient’s explicit, written authorization. A valid authorization under the law must include a description of the information to be shared, the name of the person allowed to use or disclose the information, an expiration date, and the signature of the individual.

Myth #2 One doctor’s office cannot send a patient’s medical records to another doctor’s office without that patient’s consent.

FACT No consent is necessary for one doctor’s office to transfer a patient’s medical records to another doctor’s office for treatment purposes. The Privacy Regulation specifically states that a covered entity “is permitted to use or disclose protected health information” for “treatment, payment, or healthcare operations” without patient consent.

Myth #3 The HIPAA Privacy Regulation prohibits or discourages doctor—patient e-mails.

FACT The Privacy Rule allows providers to use alternative means of communication, such as e-mail, with appropriate safeguards. Both the HIPAA Privacy and Security Regulations require providers to use reasonable and appropriate safeguards to “ensure the confidentiality, integrity, and availability” of any health information transmitted electronically, and to “protect against any reasonably anticipated threats” to the security of such information.

Myth #4 Hospitals are prohibited from sharing information with the patient’s family without the patient’s express consent.

FACT Under the Privacy Rule, a healthcare provider may “disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual,” the medical information directly relevant to such person’s involvement with the patient’s care or payment related to the patient’s care.

Myth #5 A patient’s family member can no longer pick up prescriptions for the patient.

FACT A family member or other individual may act on the patient’s behalf “to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information.” The Department of Health and Human Services (HHS) specifically explains that the Rule “allows a pharmacist to dispense filled prescriptions to a person acting on behalf of the patient.”

Myth #6 The Privacy Regulation mandates new disclosures of patient information.

FACT Disclosure is mandated in only two situations: to the individual patient upon request, or to the Secretary of HHS for use in oversight investigations. Disclosure is permitted, not mandated, for other uses under certain limits and standards, such as to carry out treatment, payment, or healthcare operations, or under other applicable laws.

Myth #7 Patients can sue healthcare providers for not complying with the HIPAA Privacy Regulation.

FACT Even if a person is the victim of an egregious violation of the HIPAA Privacy Rule, the law does not give people the right to sue. Instead, individuals must file a written complaint with the Secretary of HHS via the Office for Civil Rights. It is then within the Secretary’s discretion to investigate the complaint. HHS may impose civil penalties ranging from $100 to $25,000, and criminal sanctions ranging from $50,000 to $250,000—with corresponding prison terms—may be enforced by the Department of Justice.

Myth #8 Patients’ medical records can no longer be used for marketing.

FACT Use or disclosure of medical information is explicitly permitted for certain health-related marketing under the HIPAA Privacy Rule. For example, communication about a plan’s health-related products or alternative treatments and services is not considered marketing for the purposes of the Rule—even if the healthcare provider is paid to encourage the patient to use the product or service.

Myth #9 If a patient refuses to sign an acknowledgment stating that he or she received the healthcare provider’s notice of privacy practices, the healthcare provider can, or must, refuse to provide services.

FACT The HIPAA Privacy Rule grants the patient a “right to notice” of privacy practices for protected health information, and requires that providers make a “good faith effort” to get patients to acknowledge they have received the notice. The law does not grant healthcare providers the right to refuse to treat people who do not sign the acknowledgement, nor does it subject the provider to liability if a good faith effort was made.

Myth #10 The HIPAA Privacy Rule imposes many new restrictions on hospitals’ fundraising efforts so that fundraising becomes almost impossible.

FACT A hospital may use, or disclose to its “business associates” or an institutionally related foundation, demographic information and the dates of healthcare provided to an individual “for the purpose of raising funds for its own benefit, without an authorization [from the patient].” Such use or disclosure is not permitted unless disclosed in the notice of privacy practices. Any fundraising materials that the covered entity sends to an individual must include a description of how the individual may opt out of future fundraising communications.