HIPAA Privacy Training - Personal Rights - OSHAcademy free online training

Your Personal Rights Under HIPAA

Learn about your rights at HealthIT.gov.

Most of us believe our medical and other health information is private and should be protected. Most of us also want to know who has access to this private information. The Privacy Rule gives you rights over your health information and sets rules and limits on who can look at and receive your health information.

Protected Information

The following information is always protected for each individual:

  • information your doctors, nurses, and other health care providers put in your medical records
  • conversations your doctor has about your care or treatment with nurses and others
  • information about you in your health insurer’s computer system
  • billing information about you at your clinic
  • most other health information about you held by those who must follow these laws

Covered entities must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly. They must also have procedures in place to limit who can view and access your health information, as well as implement training programs for employees about how to protect your health information.

1. When are conversations your doctor has about your care or treatment with nurses and others protected?

a. Never
b. Always
c. Sometimes
d. Rarely

Individual Rights

You have a right to see your individual health information.

Under HIPAA, you are entitled to more information about and more control over your individual health information.

  1. Access to Information – You can request and receive a copy of your health information and may request the copy in electronic form. The covered entity may charge a reasonable fee for providing the copy either in paper or electronic form.
  2. Amend information – You may ask for your information to be amended to correct errors, but covered entities are only responsible for making changes in the records that they created.
  3. Accounting of disclosures – You may request a list of all the times your information was released improperly.
  4. Notice of Privacy Practices – You have the right to receive a written notice of privacy practices from covered entities that details rights of the individual and duties of the covered entity under HIPAA.

2. Under HIPAA, an individual may request each of the following, EXCEPT _____.

a. written notice of privacy practices from covered entities
b. a list of all times their information was released improperly
c. copies of their health information in electronic form
d. cancellation of any fees for copies of health information

Employers and Health Information in the Workplace

The Privacy Rule controls how a health plan or covered health care provider discloses protected health information (PHI) to an employer, including your manager or supervisor.

Employer Requests

The Privacy Rule does not prevent your supervisor, human resources worker or others from asking you for a doctor’s note or other information about your health if your employer needs the information to administer sick leave, workers’ compensation, wellness programs, or health insurance.

If your employer asks your health care provider directly for information about you, your provider cannot disclose the information without your authorization. Covered health care providers must also have your authorization to disclose this information to your employer, unless other laws require them to disclose it.

Generally, the Privacy Rule applies to disclosures made by your health care provider, not to the questions of your employer.

Employment Records

The Privacy Rule does not protect your employment records, even if the information in those records is health-related. Generally, the Privacy Rule also does not apply to the actions of an employer, including the actions of a manager in your workplace.

If you work for a health plan or covered health care provider:

  • The Privacy Rule does not apply to your employment records.
  • The Rule does protect your medical or health plan records if you are a patient of the provider or a member of the health plan.

3. The HIPAA _____ controls how a health plan or covered health care provider discloses protected health information (PHI) to an employer, including your manager or supervisor.

a. Protection Rule
b. Non-compete Rule
c. Privacy Rule
d. Security Rule

Sharing Health Information

Under HIPAA, your health care provider may share your personal information face-to-face, over the phone, or in writing. A health care provider or health plan may share relevant information if:

  • You give your provider or plan permission to share the information.
  • You are present and do not object to sharing the information.
  • You are not present, and the provider determines, based on professional judgment, that it’s in your best interest.

4. A health care provider or health plan may share relevant information if any of the following apply, EXCEPT _____.

a. you are present and do not object to sharing the information
b. you are not present, but the provider believes you will not object
c. you are not present, but the provider believes it is in your best interest
d. you give the provider permission to share the information

Sharing Information with a Family Member or Friend

Sharing PHI with family and friends.

HIPAA requires most doctors, nurses, hospitals, nursing homes, and other health care providers to protect the privacy of your health information. However, if you don't object, a health care provider or health plan may share relevant information with family members or friends involved in your health care or payment for your health care in certain circumstances.

Examples

  • An emergency room doctor may discuss your treatment in front of your friend if you ask that your friend come into the treatment room.
  • A doctor’s office may discuss your bill with your adult daughter who is with you at your medical appointment and has questions about the charges.
  • A doctor may discuss the drugs you need to take with your health aide who has accompanied you to a medical appointment.
  • A doctor may give information about your mobility limitations to your sister who is driving you home from the hospital.
  • A nurse may discuss your health status with your brother if you give permission or do not object. But, a nurse may NOT discuss your condition with your brother after you have stated you do not want your family to know about your condition.

5. When may a health care provider discuss a patient's health information with a family member, friend, or other person?

a. If the family member signs a non-disclosure agreement (NDA)
b. If the patient is under the age of 18 and does not object
c. If parental permission has been received by the health care provider
d. If the patient gives the provider permission to share information

Incapacitated or Not Present Patient

If you are not present or are incapacitated, a health care provider may share your information with family, friends, or others when the health care provider determines it is in your best interest.

When someone other than a friend or family member is involved, the health care provider must be reasonably sure you asked the person to be involved in your care or payment for care. Again, the health care provider may discuss only the information the person involved needs to know about your care or payment.

Examples

  • A surgeon who did emergency surgery on you may tell your spouse about your condition while you are unconscious.
  • A pharmacist may give a prescription to your friend whom you sent to pick it up.
  • A hospital may discuss your bill with your adult son who calls the hospital with questions about charges to your account.
  • A health care provider may give information regarding your drug dosage to your health aide who calls the provider with questions about the particular prescription.

However, a nurse may not tell your friend about a past medical problem unrelated to your current condition. Also, a health care provider is not required by HIPAA to share your information when you are not present or are incapacitated, and can choose to wait until you have an opportunity to agree to the disclosure.

6. Generally, a health care provider may discuss _____ about the patient’s care or payment.

a. any information
b. need-to-know information
c. information that seems reasonable
d. unclassified information

Disclosing PHI to Law Enforcement

The HIPAA Privacy Rule is balanced to protect an individual’s privacy while allowing important law enforcement functions to continue.

The Rule permits covered entities to disclose protected health information (PHI) to law enforcement officials, without the individual's written authorization, under specific circumstances including, but not limited to:

  • To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena.
  • To respond to a request for PHI about a victim of a crime, and the victim agrees.
  • To report PHI to law enforcement when required by law to do so.
  • To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct.

For a more complete understanding of the conditions and requirements for these disclosures, please review the exact regulatory text at the HHS FAQ Page for this topic.

7. In which situation may a health care provider refuse to disclose protected health information (PHI) to law enforcement individuals?

a. When they request PHI about a medical condition unrelated to a crime
b. When required by law to do so
c. If it is necessary to comply with a court order or court-ordered warrant
d. When the request is for PHI about a victim of a crime, and the victim agrees

How to File a Complaint

An employee, or representative of an employee, who believes he or she has been retaliated against for disclosing HIPAA-protected information when reporting or complaining about a workplace safety or health issue, may file a complaint with OSHA within 30 days of the retaliation.

The complaint should be filed with the OSHA office responsible for enforcement activities in the geographical area where the employee resides or was employed. It also may be filed with any OSHA officer or employee.

For more information, contact your closest OSHA Regional Office.

8. An employee, or representative of an employee, who believes he or she has been retaliated against for disclosing HIPAA-protected information may file a complaint with OSHA _____.

a. at the time the retaliation occurs
b. within 30 days of the retaliation
c. within any reasonable time period
d. after first conferring with the HIPAA administrator

Videos

This first video provides a high-level overview of the HIPAA access rights and introduces the topics of fees, timing and sharing health information with a third party. Length 3:27

Video 2 tells the story of Hannah, who is moving across the country. At her last visit with her current doctor, Hannah asks to have a copy of her records to take with her. The video helps explain the associated fees, forms and the time it may take for Hannah to get a copy of her records. Length 5:14

Video 3 tells the story of Martin, who would like to share the health information in his medical record with a heart health application on his smartphone. The video provides information on the right to provide access to a third party, including a mobile application device. Length 3:16
