The Health Information Portability and Accountability Act (HIPAA) and other state privacy and security laws create a right to privacy and protect personal health information. These laws help shape an environment where patients are comfortable with the electronic sharing of health information. Ultimately, developing public trust in health care professionals to adhere to privacy and security laws is needed to realize the full benefit of health information technology-enabled health information exchange.
Sharing protected health information electronically
Privacy and security are important health care topics. It is essential health care providers have online access to patient health information while, at the same time, protecting it from privacy violations and security breaches. Achieving the right balance is the key to privacy and security in the electronic health care environment.
We know that patients can be just as concerned about quality of care as they are about the privacy and security of health information. Importantly, HIPAA not only protects health information from misuse, but also enables protected health information (PHI) to be accessed, used, or disclosed when and where it is needed for patient care. For example, in certain treatment cases, health care professionals are permitted to use and disclose PHI without first obtaining an individual’s authorization.
Source: The Office of the National Coordinator for Health Information Technology (ONC), Protecting Your Privacy and Security
HIPAA Permitted Uses and Disclosures of Health Information
For more information, providers can read these Understanding Some of HIPAA's Permitted Uses and Disclosures fact sheets on permitted uses and disclosures.
Health care consumers and professionals' role in protecting health information
Read below to better understand the different roles that health care consumers and professionals play in protecting health information.
The HIPAA Privacy and Security Rules provide individuals with health information privacy rights and safeguard the health information. These rights are important for you to know so you can take charge of protecting your health information and know if your rights are being denied.
Health information rights include, but are not limited to:
- Your right to access your health information.
- Your right to correct or amend your health information.
- Your right to file a complaint.
HIPAA balances the seamless electronic disclosures of your health information with technological safeguards. To make sure that your health information is protected in a way that does not interfere with your health care, information can be used and shared for your treatment and care coordination without waiting for consent.
Your health information cannot be used or shared without written permission unless HIPAA allows it. For example, without authorization, providers cannot:
- Give your information to your employer.
- Use or share your information for marketing or advertising purposes or sell your information.
- Share psychotherapy notes or information related to alcohol and substance abuse treatment that is received at federally supported treatment centers. For guidance about the confidentiality of behavioral health information and the HIPAA Privacy Rule, please see the Substance Abuse and Mental Health Services Administration (SAMHSA) website and this 42 CFR Part 2 FAQ.
Source: ONC, Protecting Your Privacy and Security
The HIPAA Privacy and Security Rules contain detailed requirements regarding both privacy and security.
- The Privacy Rule covers protected health information in any medium.
- The Security Rule covers electronic protected health information.
- The Security Rule also covers instructions for a required security risk assessment.
Importantly, the HIPAA Privacy Rule is not a list of requirements that limit the disclosure of information. HIPAA supports information sharing by:
- Permitting disclosure of PHI to another provider for treatment, billing, or operations without first obtaining an individual’s authorization if a relationship exists (with some special considerations applied).
- Requiring providers to provide individuals with a copy of their health information.
Source: ONC, Protecting Your Privacy and Security
With the introduction of more electronic health information, these rules have been updated to accommodate new situations. Please see the resources below for more information about how to effectively disclose and protect electronic health information.
Additional state and federal privacy and security resources
DHS HIPAA Notices of Privacy. The Wisconsin DHS ForwardHealth Program is committed to protecting the privacy of medical information. These notices describe how medical information may be used and disclosed and how enrollees can get access to this information.
The Health Information Security and Privacy Collaborative (HISPC) was established in June 2006 by RTI International through a contract with the U.S. Department of Health and Human Services. The goal of HISPC is to identify and solve privacy and security barriers to health information exchange (HIE) and create a knowledge base to inform of future HIE activities. It has grown from 34 to 42 U.S. states and territories. Most recently, in 2008, the HISPC divided into seven multistate collaborative, each focused on a specific project designed to develop common, replicable multistate solutions that could help reduce variation in and harmonize privacy and security laws, policies, and practices. Wisconsin participated in the 11-state Interstate Disclosure and Patient Consent Requirements Collaborative (IDPCRC), which documented state law requirements for disclosure of health information for treatment purposes within and across state lines.
Wisconsin's IDPCRC Scenario 1 and 2 Template (PDF) September 2008
Wisconsin's IDPCRC Scenario 3 Template (PDF) September 2008
Wisconsin's Implementation Plan Report (PDF) April 2007
Final HISPC Deliverables for the seven multistate collaborative privacy and security projects completed in Phase III of HISPC. These projects focused on education, state law and consent policy, and organizational policy. June 4, 2009