ABA Family Legal Guide

Health-Care Law

Patients' Rights

Confidentiality and Privacy

How does the privacy rule protect my medical privacy?

Under the rule, you have significant rights to help you understand and control how your health information is used, including the following:

Access to Medical Records

The rule gives you the right to see and obtain copies of your medical records and request corrections if you identify errors and mistakes. Doctors, hospitals, health plans, and other organizations covered by the rule generally should provide access to your records within thirty days, and may charge you for the cost of copying and sending the records.

Notice of Privacy Practices

Doctors, hospitals, and health plans must provide you with a notice containing information on how they may use your personal medical information.

Limits on Use of Personal Medical Information

The rule sets limits on how doctors, hospitals, health plans, and other organizations to which the rule applies may use individually identifiable health information. The rule does not restrict the ability of doctors, nurses, and other providers to share the information needed to treat you. However, your personal health information may not be used for purposes not related to health care.

In addition, you have to sign a specific authorization before a covered entity can release your medical information to a life insurer, a bank, a marketing firm, or another outside business for purposes not related to their health care.

Prohibition on Marketing

The rule sets new restrictions and limits on the use of your information for marketing purposes. Doctors, hospitals, health plans, and pharmacies must obtain your specific authorization before disclosing your health information for marketing purposes. However, the rule does allow communication with patients about treatment options and other health-related information, including disease-management programs.

Stronger State Laws

The federal privacy standards do not affect state laws that provide additional privacy protections for patients, like those covering mental health, HIV infection, and AIDS information. When a state law requires a certain disclosure—such as reporting an infectious disease outbreak to the public health authorities—the federal privacy regulations do not preempt the state law.

Confidential Communications

Under the privacy rule, you can request that your doctor or health plan take reasonable steps to ensure that their communications with you are confidential. For example, you could ask a doctor to call your office rather than home, and the doctor's office should comply with your request if it can be reasonably accommodated.