California Area Office

April - Maintaining Patient Information Privacy

Beverly Miller, MHA, MBA, Acting Area Director
Indian Health Service California Area Office

Most of us feel that our health information is private and should be protected. That is why a federal law known as HIPAA (Health Insurance Portability and Accountability Act of 1996) was put in place.  HIPAA sets rules for health care providers and health insurance companies.  These rules define what information is protected as well as who can look at and receive patient health information. 

One major purpose of HIPAA is to improve the quality of health care by restoring trust in the healthcare system.  Maintaining patient privacy is especially important in Native American communities since past history has left many with decreased trust.  Even a single privacy breach in a small community can have a huge impact on patient trust.

Protected Health Information (PHI) includes any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. There are 18 elements of Protected Health Information.*

More Patient Rights.  The Health Insurance Portability and Accountability Act of 1996 (HIPAA) granted patients specific rights over their health information, including the right to receive a copy of their health information, make sure it is correct, and know who has seen it.  Health care providers must provide patients with a notice of their facility privacy practices.  This notice must also be posted publicly within the healthcare facility and on the organization’s webpage.

Get It. Patients can ask to see or get a copy of their medical record and other health information. (Patients who want an electronic or hard copy of their health record must make a written request and pay for copy and postage costs.)

Check It. Patients have the right to request correction or addition of information contained in their health record.  The patient has a right to have the disagreement noted even if the health care provider believes the information is correct.

Know Who Has Seen It. By law, patient health information can be used and shared for specific reasons not directly related to the patient's care, like making sure doctors give good care, making sure nursing homes are clean and safe, reporting when the flu is in the area, or reporting as required by state or federal law.  It is important to note that HIPAA requires health care providers and insurers to limit PHI disclosed to the “minimum necessary”.

In many of these cases, patients can request information about who has seen their health information.

Limit Who Sees It. Patients can request that their health information not be shared with certain people, groups, or companies. In a clinic setting, the patient can ask their caregiver not to share any of the patient’s medical records with other caregivers.  A patient may also request other restrictions; however, the health care facility does not always have to agree to do what is requested, particularly if it could affect the patient’s care.

Patients can request that the health care provider or pharmacy not disclose information to the patient’s health insurance company about care received or drugs prescribed if the patient pays for the care or drugs in full.

Specify contact methods. A patient can make reasonable requests to be contacted at different places or in a different way. For example, a patient can ask to be called at their office or to have correspondence sent in an envelope instead of a postcard.

Complaints. Patients have the right to file a complaint with their health care provider, health insurer, or the U.S. Department of Health and Human Services if they believe their health information is not being protected or that their rights are being denied.

It is important for all of us (healthcare providers, health insurers, and patients) to work together to ensure that patient privacy is protected.  Are you doing your part?

The 18 elements of PHI:

  1. Names;
  2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  4. Telephone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images; and
  18. Any other unique identifying number, characteristic, or code