This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.
Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral. The Security Rule is a Federal law that requires security for health information in electronic form.

HIPAA Right of Access Videos

OCR has teamed up with the HHS Office of the National Coordinator for Health IT to create Your Health Information, Your Rights!, a series of three short, educational videos (in English, with an option for Spanish captions) to help you understand your right under HIPAA to access and receive a copy of your health information.

HIPAA Right of Access Infographic

OCR has teamed up with the HHS Office of the National Coordinator for Health IT to create this one-page fact sheet, with illustrations, that provides an overall summary of your rights under HIPAA:

HIPAA General Fact Sheets

Who Must Follow These Laws

We call the entities that must follow the HIPAA regulations "covered entities." Covered entities include:
In addition, business associates of covered entities must follow parts of the HIPAA regulations. Often, contractors, subcontractors, and other outside persons and companies that are not employees of a covered entity will need to have access to your health information when providing services to the covered entity. We call these entities “business associates.” Examples of business associates include:
Covered entities must have contracts in place with their business associates, ensuring that they use and disclose your health information properly and safeguard it appropriately. Business associates must also have similar contracts with subcontractors. Business associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.

Who Is Not Required to Follow These Laws

Many organizations that have health information about you do not have to follow these laws. Examples of organizations that do not have to follow the Privacy and Security Rules include:
What Information Is Protected
How This Information Is Protected
What Rights Does the Privacy Rule Give Me over My Health Information?

Health insurers and providers who are covered entities must comply with your right to:

You should get to know these important rights, which help you protect your health information. You can ask your provider or health insurer questions about your rights. Learn more about your health information privacy rights.

Who Can Look at and Receive Your Health Information

The Privacy Rule sets rules and limits on who can look at and receive your health information. To make sure that your health information is protected in a way that does not interfere with your health care, your information can be used and shared:
Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorization, your provider generally cannot:
If you use consumer reports to underwrite insurance policies or screen high-risk applicants, you must comply with the Fair Credit Reporting Act (FCRA). The FCRA is designed to protect the privacy of consumer report information — sometimes informally called “credit reports” — and to guarantee that information supplied by consumer reporting agencies (CRAs) is as accurate as possible. Consumer reports may include information about a person’s credit history, medical conditions, driving record, criminal activity, and even their participation in dangerous sports.

Insurer Obligations

You must have a permissible purpose before obtaining a consumer report — generally, that the report will be used in connection with the underwriting of insurance involving the consumer or with the consumer’s permission (§ 604) — and must take certain steps after you take an adverse action based on information in the report.

Getting and Using Medical Information

If you need a consumer report that has medical information, you must get the applicant’s

Adverse Action Notice

When an adverse action is taken — for example, when insurance is denied, rates are increased or a policy is terminated — and the decision is based partly or completely on information in a consumer report, Section 615(a) of the FCRA requires you to provide a notice of the adverse action to the consumer. The notice must include:
Disclosure of this information is important because some consumer reports may have errors. The adverse action notice is required even if information in the consumer report wasn’t the primary reason for the denial, rate increase, or termination. Even if the information in the report played only a small part in the overall decision, the applicant must be notified. While adverse action notices are not required to be in writing, many insurers provide them in writing and keep copies for two years to prove compliance with the FCRA.

Examples

A life insurance company orders a consumer report from the Medical Information Bureau (MIB), a CRA. Information in the MIB report leads to further investigation of the applicant. The application for insurance is rated or declined because of information learned from the investigation, whether the decision was based partly or completely on the information. Section 604(g) of the FCRA requires an insurance company or any other user of medical information to get the consumer’s consent — orally, electronically or in writing — before getting medical information. That means the life insurance company in this situation would have to have obtained the consumer’s consent before getting the consumer report from the MIB. In addition, since the MIB report was part of the basis for the adverse decision in this case, the Section 615(a) adverse action notice described above must be sent to the consumer.

A person with an unfavorable credit history, say, due to a bankruptcy, is denied automobile insurance at standard rates. Although the credit history was considered in the decision, the applicant’s limited driving experience was a more important factor. The applicant is entitled to the Section 615(a) adverse action notice because the credit report played a part — even a small one — in the insurer’s decision to charge a higher premium.

An insurance company orders a consumer report on an existing policyholder to make sure the policyholder continues to qualify for the coverage in the policy. The insurance company learns that the consumer’s credit history has declined since the policy was written originally, and raises the consumer’s premiums. The applicant is entitled to a Section 615(a) adverse action notice, because “adverse action” includes an increase in the charge for existing insurance or another unfavorable change in the terms of existing insurance, such as the amount of coverage or the policy’s terms.

Disposing of Consumer Report Information

When you finish using a consumer report, you must securely dispose of the report and any information you gathered from it. That means burning, pulverizing or shredding paper documents, and disposing of electronic information so that it can't be read or reconstructed. For more information, see Disposing of Consumer Report Information? Rule Tells How.

Other Considerations

If you report information, like a consumer’s insurance claims, to a CRA, you have legal obligations under the FCRA’s Furnisher Rule. Your responsibilities include:
For more information, see Consumer Reports: What Information Furnishers Need to Know.

Non-Compliance

If you don’t comply with the FCRA, you may be sued by the FTC, Consumer Financial Protection Bureau (CFPB), state governments, or in some cases, consumers. The FCRA provides for maximum penalties of $4,367 per violation in the case of lawsuits brought by the FTC. FCRA Sections 616, 617, 621

Your Opportunity to Comment

The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the Ombudsman evaluates the conduct of these activities and rates each agency's responsiveness to small businesses. Small businesses can comment to the Ombudsman without fear of reprisal. To comment, call toll-free 1-888-REGFAIR (1-888-734-3247) or go to www.sba.gov/ombudsman.

The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. To file a complaint or get free information on consumer issues, visit ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. Watch a video, How to Report Fraud at ReportFraud.ftc.gov, to learn more. The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

[Note: Edited January 2022 to reflect Inflation-Adjusted Civil Penalty Maximums.]