HIPAA Notice

Anonymous User
Associate
House Staff
RN (NYSNA)

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Federal privacy regulations to protect personal medical information went into effect on April 14, 2003 and were amended effective September 23, 2013 by the Health Information Technology for Economic and Clinical Health Act (HITECH). These privacy rules set limits on how health plans, pharmacies, hospitals, clinics, nursing homes and other direct-care providers (called covered providers) use individually identifiable health information.

This overview of HIPAA is intended to help you understand your rights and protection of personal information related to your health. Please review it carefully.

Key provisions of these privacy standards include:

  • Limits on Use of Personal Medical Information – The privacy rule sets limits on how covered providers may use your identifiable health information. These limits do not restrict the ability of health care professionals to share any medical information needed for treatment. They do restrict its use for purposes not related to health care. Covered providers may use or share only the minimum amount of protected information needed for a particular purpose. In no case will a covered provider use or disclose your personal medical information which is genetic information for underwriting purposes. You must provide written authorization for the following medical information to be disclosed:
  • Notice of Privacy Practices – Covered providers will provide you with a HIPAA notice advising you of your rights. You may be asked to sign, initial or otherwise acknowledge that you have received this notice. You may also ask to restrict the use or disclosure of your information beyond the practices included in the notice, but the covered providers would not have to agree to the changes.
  • Access To Medical Records – HIPAA gives you the ability to review and obtain copies of your medical records. If your medical records are maintained electronically, you may request access to your electronic medical records, if that format is readily producible. Otherwise, the covered provider must provide the requested information in an electronic format that you can read on your computer (e.g., Word, Excel, etc.)  You may also request corrections if you have identified any errors. Covered providers generally should provide access to your records within 30 days of your request and may charge for the cost of copying and sending the records to you.
    • Personal health information released to a life insurer, a bank, a marketing firm or another outside business for purposes not related to your health care.
    • Disclosures that constitute a sale of your personal medical information. A sale means that the covered entity receives direct or indirect remuneration in exchange for personal medical information. Your authorization is not required if remuneration for personal medical information is required to perform activities or provide service, such as research or for the services provided by the health information exchange.
    • Personal medical information for marketing purposes. For example, your written authorization will be required for the covered provider to share your medical information to promote health care products or services, alternative treatments, or provide appointment or treatment reminders. Your written authorization will not be required for prescription refill reminders, general health and wellness communications or communications about government or government-sponsored programs, such as eligibility for Medicare or Medicaid.
    • Psychotherapy notes if maintained by the plan.
  • Stronger State Laws – The federal privacy standards do not affect state laws that provide additional privacy protections for patients. The confidentiality protections are cumulative; any state law providing additional protections would continue to apply. When a state law requires a certain disclosure – such as reporting an infectious disease outbreak to the public health authorities – the federal privacy regulations would not preempt the state law.
  • Confidential communications – Under the privacy rule, you can request that your doctors, health plans and other covered providers take reasonable steps to ensure that their communications with you are confidential. For example, you could ask your doctor to call you at work rather than home, and the doctor's office should comply with that request if it can be reasonably accommodated.
  • Complaints – You may file a formal complaint regarding Montefiore Medical Center privacy practices to:

Health Plan Privacy Officer
HR – Benefits Office
Montefiore Medical Center
111 East 210th Street
Bronx, NY 10467-2490
Telephone: 1.914.349.8531

Complaints may also be made in writing to the Secretary of the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which is charged with investigating complaints and enforcing the privacy regulation.

If there is a breach of your unsecured personal medical information, you will be notified promptly.

For More Information – You can find additional HIPAA information on the Internet at www.hhs.gov/ocr/hipaa or by calling 1.866.627.7748. If you have questions about your HIPAA rights, you may contact your state insurance department or the U.S. Department of Labor, Employee Benefits Security Administration (EBSA) toll-free at 1.866.444.3272 (for free HIPAA publications ask for publications concerning changes in health care laws). You may also contact the CMS publication hotline at 1.800.633.4227 (ask for Protecting Your Health Insurance Coverage). These publications and other useful information are also available on the Internet at: www.dol.gov/ebsa the DOL’s inter- active Web pages – Health Elaws.