Most of us believe our medical and other health information is private and should be protected. Most of us also want to know who has access to this private information. The Privacy Rule gives you rights over your health information and sets rules and limits on who can look at and receive your health information.
The following information is protected for each individual:
Covered entities must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly. They must also have procedures in place to limit who can view and access your health information, as well as implement training programs for employees about how to protect your health information.
Under HIPAA, patients are entitled to more information about and more control over their individual health information.
The Privacy Rule controls how a health plan or covered health care provider discloses protected health information to an employer, including your manager or supervisor.
The Privacy Rule does not prevent your supervisor, human resources worker or others from asking you for a doctor’s note or other information about your health if your employer needs the information to administer sick leave, workers’ compensation, wellness programs, or health insurance.
If your employer asks your health care provider directly for information about you, your provider cannot disclose the information without your authorization. Covered health care providers must also have your authorization to disclose this information to your employer, unless other laws require them to disclose it.
Generally, the Privacy Rule applies to disclosures made by your health care provider, not to the questions of your employer.
The Privacy Rule does not protect your employment records, even if the information in those records is health-related. Generally, the Privacy Rule also does not apply to the actions of an employer, including the actions of a manager in your workplace.
If you work for a health plan or covered health care provider:
Under HIPAA, your health care provider may share your health information with family, friends, or others involved in your care face-to-face, over the phone, or in writing. A health care provider or health plan may share relevant information if:
A health care provider or health plan may also share relevant information if you are not present or cannot give permission, when a health care provider or plan representative believes, based on professional judgment, that sharing the information is in your best interest.
For example, if you had emergency surgery and are still unconscious, your surgeon may tell your spouse about your condition, either in person or by phone, while you are unconscious.
Your doctor may discuss your medications with a caregiver who calls your doctor with a question about the right dosage. However, a doctor may not tell your friend or family member about an unrelated past medical problem.
Even though HIPAA requires health care providers to protect patient privacy, providers are permitted, in most circumstances, to communicate with the patient’s family, friends, or others involved in their care or payment for care.
If the patient is present and has the capacity to make health care decisions, a health care provider may discuss the patient’s health information with a family member, friend, or other person if the patient agrees or, when given the opportunity, does not object. A health care provider also may share information with these persons if, using professional judgment, he or she decides the patient does not object. In either case, the health care provider may share or discuss only the information the person involved needs to know about the patient’s care or payment for care.
If the patient is not present or is incapacitated, a health care provider may share the patient’s information with family, friends, or others as long as the health care provider determines it is in the best interest of the patient.
When someone other than a friend or family member is involved, the health care provider must be reasonably sure the patient asked the person to be involved in his or her care or payment for care. Again, the health care provider may discuss only the information the person involved needs to know about the patient’s care or payment.
However, a nurse may not tell a patient’s friend about a past medical problem unrelated to the patient’s current condition. Also, a health care provider is not required by HIPAA to share a patient’s information when the patient is not present or is incapacitated, and can choose to wait until the patient has an opportunity to agree to the disclosure.
The HIPAA Privacy Rule is balanced to protect an individual's privacy while allowing important law enforcement functions to continue. The Rule permits covered entities to disclose protected health information (PHI) to law enforcement officials, without the individual's written authorization, under specific circumstances including, but not limited to:
An employee, or representative of an employee, who believes he or she has been retaliated against for disclosing HIPAA-protected information in the course of reporting or complaining about a workplace safety or health issue, may file a complaint with OSHA within 30 days of the retaliation.
The complaint should be filed with the OSHA office responsible for enforcement activities in the geographical area where the employee resides or was employed. It also may be filed with any OSHA officer or employee.
For more information, contact your closest OSHA Regional Office.
Before beginning this quiz, we highly recommend you review the module material. This quiz is designed to allow you to self-check your comprehension of the module content, but only focuses on key concepts and ideas.
Read each question carefully. Select the best answer, even if more than one answer seems possible. When done, click on the "Get Quiz Answers" button. If you do not answer all the questions, you will receive an error message.