Office of Mental Health

Information for Consumers:
Privacy Rule
What Do You Need to Know?

Q: What is the HIPAA Privacy Rule?

A: The HIPAA Privacy Rule is a federal regulation, issued under the Health Insurance Portability and Accountability Act (HIPAA), that protects your health information from inappropriate use or disclosure. Under this rule, a health care provider or health plan cannot pass your personal health information on to other businesses or organizations except with your signed authorization, or where the information is needed for treatment, payment or health care operations.

Q: What does the HIPAA Privacy Rule do and why is it needed?

A: It creates national standards to protect and safeguard patient medical records and other individual health information by

  • giving patients more control over their health information
  • setting boundaries on the use and release of patient health records
  • establishing administrative, physical and technical safeguards to protect the security of health information
  • holding violators accountable, with civil and criminal penalties for those who violate patient privacy rights

Health care providers have a strong tradition of safeguarding patient health information. However, in today's world, the old system of paper records in locked filing cabinets is no longer enough. With information broadly held and transmitted electronically, the Privacy Rule provides strict standards for the protection and confidentiality of health information.

Q: What are the Rights of Consumers?

A: The Privacy Rule establishes basic rights for consumers, including

  • the right to receive a Notice of Privacy Practices from providers and health plans
  • the right to examine and obtain a copy of their own health record, and to request amendment or correction of protected health information that is inaccurate or incomplete
  • the right to receive an accounting of the instances where their protected health information was disclosed, other than disclosures made for treatment, payment or health care operations, or made under the patient's own signed authorization

Q: What does the Privacy Rule require providers and health plans to do?

A: Health plans and providers must

  • notify patients about their privacy rights and how their personal health information may be used
  • adopt and implement procedures in their office, program or facility to protect and safeguard the confidentiality of patient health information and limit disclosure to the minimum necessary
  • train employees so that they understand and follow these privacy procedures

Q: When will providers and health plans have to comply with the HIPAA Privacy Rule?

A: Most providers and health plans must comply with this rule by April 14, 2003. Small health plans have an additional year to comply, until April 14, 2004.

Q: What is Protected Health Information (PHI)?

A: PHI means individually identifiable information relating to the past, present or future physical or mental health condition of an individual, the provision of health care to an individual, or the past, present or future payment for health care provided to an individual. The HIPAA privacy standards cover medical records, health care claims and payments, benefit enrollments and disenrollments, and any other individually identifiable health information held or disclosed by health plans, health care clearinghouses and health care providers that transmit PHI electronically.

Comments or questions about the information on this page can be directed to the Office of the Counsel.