Order Code RS20500
Updated March 10, 2004
CRS Report for Congress
Received through the CRS Web
Medical Records Privacy: Questions and
Answers on the HIPAA Rule
C. Stephen Redhead
Specialist in Life Sciences
Domestic Social Policy Division
Summary
The HIPAA privacy rule gives patients the right of access to their medical
information and prohibits health plans and health care providers from using or
disclosing individually identifiable health information without a patient’s written
authorization except as expressly permitted or required by the rule. Plans and providers
are permitted to use and disclose health information for treatment, payment, and other
routine health care operations and for various specified national priority activities (e.g.,
law enforcement, public health, research). Providers may also share certain information
with family members and others, as long as the patient is given the opportunity to object.
Health plans and providers must give enrollees and patients a notice explaining their
privacy rights and how their information will be used. They are also required to have
in place reasonable safeguards to protect the privacy of patient information and, in
general, must limit the information used or disclosed to the minimum amount necessary
to accomplish the intended purpose of the use or disclosure. Entities that fail to comply
with the rule are subject to civil and criminal penalties, but patients do not have the right
to sue in federal court for violations of the rule. The privacy rule does not preempt, or
override, state laws that are more protective of medical records privacy.
Introduction
Health plans and health care providers and their business associates are subject to
the federal health information privacy regulation (45 CFR 160, 164). The privacy rule
gives patients the right of access to their medical information and prohibits health plans
and health care providers from using or disclosing individually identifiable information
without a patient’s written authorization except as expressly permitted or required by the
rule. For routine health care operations, including treatment and payment, plans and
providers may use and disclose health information without the individual’s authorization.
In certain other circumstances (e.g., disclosures to family members and friends), the rule
requires plans and providers to give the individual the opportunity to object to the
disclosure. The rule also permits the use and disclosure of health information without the
individual’s permission for various specified activities (e.g., public health oversight, law
Congressional Research Service ˜ The Library of Congress

CRS-2
enforcement) that are not directly connected to the treatment of the individual. For uses
and disclosures that are not permitted by the rule, plans and providers must obtain a
patient’s written authorization. They must also have in place reasonable administrative,
technical, and physical safeguards to protect patient information from intentional or
unintentional uses or disclosures that are in violation of the rule.
The health privacy rule is one of several new standards mandated by the 1996 Health
Insurance Portability and Accountability Act (HIPAA) to support the growth of electronic
record keeping and claims processing in the nation’s health care system. Under HIPAA,
the Secretary of Health and Human Services (HHS) has issued electronic format and data
standards for several routine administrative transactions between plans and providers
(e.g., claims for payment). The Secretary has also issued security standards to safeguard
electronic patient information against unauthorized access, use, and disclosure. Most
plans and providers have until April 21, 2005, to comply with the security standards.
The HIPAA electronic transactions and security standards are intended to improve
the efficiency and effectiveness of health care by facilitating the electronic interchange
of health information. However, the growing use of networked, electronic health
information has raised serious privacy concerns among the public. Patients are worried
about who has access to their health information without their consent. They fear that the
information will be used to deny them employment or insurance. Congress added privacy
standards to HIPAA in an effort to address those concerns by giving patients some control
over the use and disclosure of their medical information. But implementation of the
complex rule has not been without incident. Reports indicate that some providers,
apparently concerned about violating the privacy rule, are refusing to disclose health
information in situations where disclosure is in fact permissible under the rule.
Questions and Answers about the Health Privacy Rule
Who is Covered? As specified under HIPAA, the privacy regulation applies to
three groups of entities: (i) individual and group health plans that provide or pay for
medical care; (ii) health care clearinghouses (i.e., entities that facilitate and process the
flow of information between health care providers and payers); and (iii) health care
providers who transmit health information electronically in a standard format in
connection with one of the HIPAA-specified transactions, or who rely on third-party
billing services to conduct such transactions. The rule, therefore, does not apply directly
to other entities that collect and maintain health information such as life insurers,
researchers, employers (unless they are acting as providers or plans), and public health
officials. However, business associates with whom covered entities share health
information are covered. Business associates include persons who provide legal,
actuarial, accounting, data aggregation, management, administrative, accreditation, or
financial services to or for a covered entity. The rule permits a covered entity to disclose
health information to a business associate or to allow the business associate to create or
receive health information on its behalf, provided both parties sign a written contract that
essentially binds the business associate to the covered entity’s privacy practices.
What Types of Health Information are Covered? The rule covers all
individually identifiable health information that is created or received by a covered entity,
including genetic tests and information about an individual’s family history. It applies to

CRS-3
both paper and electronic records, as well as oral communications. Health information
from which all personal identifiers have been removed is not subject to the rule.
Can Patients Access and Amend their Health Information? Yes, covered
entities must allow patients to inspect or obtain a copy of their health information, except
in certain limited circumstances. Covered entities may charge a reasonable, cost-based
copying fee. Patients may also request amendment or correction of information that is
incorrect or incomplete. Finally, patients have the right to receive a detailed accounting
of certain types of disclosures of their health information made by covered entities during
the past six years. Disclosures for routine health care operations and those made pursuant
to an authorization (see below) are exempt from the accounting requirement.
How May Plans and Providers Use and Disclose Patient Information?
The privacy rule places certain limitations on when and how health plans and health care
providers may use and disclose medical information. Generally, plans and providers may
use and disclose health information for their own treatment, payment, and health care
operations (TPO)
without the individual’s authorization and with few restrictions. A
covered entity may also disclose information for: the treatment and payment activities of
another provider; the payment activities of another health plan; and for certain health care
operations of another covered entity, if each entity has a relationship with the patient. For
example, a physician can mail or fax medical test results or a patient’s medical record to
a specialist who intends to treat the patient, provided that “reasonable safeguards” are
used. Patients may request that covered entities restrict the use and disclosure of their
information for TPO, but covered entities are not required to agree to such a request.
The privacy rule also permits the disclosure of health information without a patient’s
authorization for the following specified national priority activities, consistent with other
applicable laws and regulations. First, disclosures may be made for public health
purposes (e.g., reporting diseases, collecting vital statistics), as required by state and
federal law. Second, health information may be disclosed to public agencies to conduct
health oversight activities such as audits; inspections; civil, criminal, or administrative
proceedings; and other activities necessary for oversight of the health care system. Third,
disclosures may be made to law enforcement officials pursuant to a warrant, subpoena,
or order issued by a judicial officer, or pursuant to a grand jury subpoena. Disclosures for
law enforcement purposes are also permitted pursuant to an administrative subpoena or
summons where a three-part test is met (i.e., the information is relevant, the request is
specific, and non-identifiable information could not reasonably be used). Fourth, health
information may be disclosed in judicial and administrative proceedings if the request
for the information is made through or pursuant to a court order. Fifth, covered entities
may disclose health information to researchers without a patient’s authorization,
provided an Institutional Review Board (IRB) or an equivalent, newly formed “privacy
board” reviews the research protocol and waives the authorization requirement.1
1 All federally funded research that involves human subjects, as well as clinical trials of new
drugs and medical devices (regardless of the source of funding), are governed by a set of federal
regulations called the Common Rule (45 CFR 46, Subpart A). Under the Common Rule,
research proposals must be approved by an IRB, which decides whether or not to require
informed consent based on the level of risk to the research subjects.

CRS-4
Additionally, health information may be disclosed without authorization: (i) to
coroners, medical examiners, and funeral directors; (ii) to workers’ compensation
programs; (iii) to a government authority authorized to receive reports of abuse, neglect,
or domestic violence; (iv) to organizations in order to facilitate organ, eye, and tissue
donation and transplantation; (v) to government agencies for various specialized functions
(e.g., national security and intelligence activities); (vi) to avert a serious threat to health
or safety; (vii) and in other situations as required by law.
For the most part, the privacy rule addresses permissible uses and disclosures. HHS
expects covered entities to rely on their professional judgement in deciding whether to
permit the use or disclosure of health information. Covered entities are required to
disclose information only to the individual who is the subject of the information and to
HHS for enforcement of the rule. For all uses and disclosures of health information that
are not otherwise required or permitted by the rule (e.g., releasing information to financial
institutions that offer mortgages and other types of loans, or selling mailing lists to
marketing companies), covered entities must obtain a patient’s written authorization.
Authorization forms must contain certain specified core elements including a
description of the health information to be used or disclosed and the identity of the
recipient of the information. In general, a covered health care provider may not condition
treatment on receiving a patient’s authorization. Health plans may condition enrollment
or eligibility for benefits on the provision of an authorization prior to an individual’s
enrollment in the plan. Patients may in writing revoke their authorization at any time.
Can Medical Information be Shared with a Patient’s Family or Friends?
There have been numerous accounts of hospitals and other health care facilities refusing
to disclose information about an inpatient to a spouse or relative and citing HIPAA as the
reason for their decision. Such actions are based on a misinterpretation of the privacy
rule, which permits covered entities to disclose information to a family member, relative,
close friend, or other person identified by the individual. Only information that is directly
relevant to such person’s involvement with the individual’s care may be shared. If the
individual is present and able to make health care decisions, the covered entity may
disclose information provided (1) the patient has been given, in advance, the opportunity
to object to any disclosures, or (2) the covered entity, using professional judgment,
reasonably infers that the patient does not object. In an emergency situation or if the
patient is not present, the covered entity may use its professional judgment and experience
with common practice in deciding whether a disclosure is appropriate. HHS has
repeatedly stated that it is not the intent of the rule to impede common health care
practices (e.g., hospitals discussing treatment options with spouses and relatives, and
family members picking up a prescription).
Does the Rule Restrict Parental Involvement and Notification? The
privacy rule does not affect laws that govern when a minor may consent to treatment
without parental involvement. Generally, a parent is deemed to have the rights associated
with a minor’s health information, including the right to authorize disclosure or to request
access to the information. However, if a minor is authorized by law to consent to
treatment and has consented to care (with or without the consent of a parent), the minor
has the rights associated with that information.

CRS-5
Also, the rule does not affect state parental notification laws. It allows covered
entities to disclose a minor’s information to a parent (or provide the parent with access
to such information) if such disclosure is permitted or required by state law. Similarly,
disclosure to (and access by) a parent is prohibited where prohibited by state law. Where
state law is silent or unclear about parental notification, the rule permits a covered entity
to provide or deny access to the parent provided that action is consistent with state law.
Are There Limits on the Amount of Information Disclosed? The rule
requires that whenever a covered entity uses or discloses health information, or requests
such information from another covered entity, it must make a reasonable effort to limit
the information to the minimum amount necessary to accomplish the intended purpose
of the use or disclosure. The minimum necessary standard does not apply to: disclosures
to or requests by a provider for treatment purposes; disclosures made to patients upon
their request; disclosures made to the Secretary to enforce compliance; authorized uses
or disclosures; and uses or disclosures that are required by law.
What about Incidental Disclosures? Incidental uses and disclosures of health
information that occur as a result of a use or disclosure that is otherwise permitted under
the privacy rule are not considered violations of the rule, provided that the covered entity
has met the reasonable safeguards and minimum necessary standards. Examples of
incidental uses and disclosures include patient sign-in sheets, bedside charts, and
confidential conversations that are inadvertently overheard by others.
Are Covered Entities Required to Explain their Privacy Practices to
Patients? Health plans and health care providers must provide patients with a written
notice of their privacy practices. Plans are required to give notice at enrollment.
Providers that have a direct treatment relationship with the patient are required to give
notice at the date of first service delivery and, except in emergency situations, make a
good faith effort to obtain a written acknowledgment from the patient of receipt of the
notice. The notice must include a description of the patient’s rights, the legal duties of
the covered entity, and a description of the types of uses and disclosures of information
that are permitted, including those that do not require an authorization.
Does the Rule Restrict Employers’ Access to Health Information? The
rule permits a group health plan to disclose individually identifiable health information
to an employer that sponsors the plan, provided the information is used only for plan
administration purposes. In order for a group health plan to disclose health information
to a plan sponsor, the plan documents must be amended so that they limit the uses and
disclosures of information by the sponsor to those consistent with the privacy rule. In
addition, an employer must certify to a group health plan that it will not use the
information for employment-related actions (e.g., hiring and promotion decisions). The
employer must agree to establish adequate firewalls, so that only those employees that
need health information to perform functions on behalf of the group health plan have
access to such information.
Can Health Information be Used for Marketing? A covered entity may not
disclose health information to a third party (e.g., pharmaceutical company), in exchange
for direct or indirect remuneration, for the marketing activities of the third party without
first obtaining a patient’s authorization. Similarly, a covered entity may not use or
disclose health information for its own marketing activities without authorization.

CRS-6
However, communications made by a covered entity (or its business associate) to
encourage a patient to purchase or use a health care-related product or service are not
defined as marketing under the rule and, therefore, do not require the patient’s
authorization, even if the covered entity is paid. Such communications include
prescription refill reminders and information about alternative treatments, as well as more
controversial activities paid for by third parties (e.g., communications by pharmacies, paid
for by a drug manufacturer, that recommend patients switch their medication to the
company’s product).
What Must Covered Entities do to Ensure Compliance? Covered entities
must have reasonable administrative, technical, and physical safeguards in place,
commensurate with the size and scope of their business, to protect the privacy of patient
information. These include designating a privacy official, training employees, and
developing a system of sanctions for employees who violate the entity’s policies.
Covered entities are not directly liable for the actions of their business associates. They
may be held liable if they know of a business associate’s pattern of activity or practice in
violation of the contract unless they take reasonable steps to correct the problem and, if
such steps are unsuccessful, terminate the contract or report the problem to HHS.
Does the Rule Preempt State Health Privacy Laws? As mandated by
HIPAA, the rule does not preempt, or override, state laws that are more protective of
patient privacy. Although most states do not have comprehensive health privacy laws,
many states have detailed, stringent standards governing the use and disclosure of health
information related to certain medical conditions, such as mental illness, genetic testing,
and communicable diseases (e.g., HIV/AIDS). These stronger privacy protections will
remain in force. The rule only preempts state laws that are in conflict with its
requirements and that provide less stringent privacy protections. Therefore, it serves as
a federal “floor” of minimum privacy protections.
How Will the Rule be Enforced? Any person who believes a covered entity is
not complying with the privacy rule may file a complaint with HHS’s Office of Civil
Rights (OCR), which is responsible for implementing and enforcing the rule. OCR is
working with covered entities to encourage voluntary compliance. It says that
enforcement of the rule will be reactive and complaint-driven. Under HIPAA, OCR has
the authority to impose civil monetary penalties against covered entities that fail to
comply with the rule, and the Department of Justice may seek criminal penalties for
certain wrongful disclosures of personal health information. The civil fines are $100 per
incident, capped at $25,000 per year for each provision that is violated. The criminal
penalties include fines of up to $250,000 and up to 10 years in prison for disclosing or
obtaining health information with the intent to sell, transfer or use it for commercial
advantage, personal gain, or malicious harm. HIPAA did not provide a private right of
action for individuals to sue for violations of their health information privacy in federal
court. However, nothing in HIPAA prohibits aggrieved individuals from filing a state law
claim against a covered entity for its noncompliance and resulting harm.
Where Can I Obtain More Information? General information on all the
HIPAA standards can be found at [http://aspe.os.dhhs.gov/admnsimp]. Implementation
guidance, answers to frequently asked questions, and other details on complying with the
privacy rule may be found on the OCR Web site at [http://www.hhs.gov/ocr/hipaa].