Privacy rights are important, especially when it comes to healthcare. Unfortunately, protections and requirements for adults, minors, family members, and even treatment providers can be unclear. Below, we have answered some of the most common questions people have about privacy and healthcare.
Much of this information falls under the Federal Health Insurance Portability and Accountability Act, often referred to as HIPAA. In addition to Federal guidelines, states may have additional requirements and clarifications.
What healthcare information is protected under privacy laws?
Under HIPAA, the following information is considered protected:
- information your doctors, nurses, and other healthcare providers put in your medical record;
- conversations your doctor has about your care or treatment with nurses and others;
- billing information about you; and
- most other health information about you held by any person providing you physical or mental health treatment.
Before receiving services, you should be provided a Notice of Privacy Practices. This is a written statement about how your provider uses and shares your information. Providers are required to obtain an acknowledgment that you have seen the notice, but acknowledgment does not necessarily mean that you accept or reject how they use your information. If you do not agree with the terms, you are able to ask questions and discuss specific uses of information with your provider.
Who can access my healthcare information?
You have the right to decide how and with whom your protected health information is shared. Providers must respect your decisions regarding your privacy, and many states require individuals to complete paperwork stating who may or may not see their information. While providers generally follow their clients’ wishes, there are emergency situations when a provider may disclose relevant, protected health information to an outside party, including family members or law enforcement. These special circumstances include times when a provider believes there is an imminent threat of harm to self or others, or where an individual is deemed “incapacitated,” lacking the ability to make one’s health decisions, and sharing information is in the best interest of the client’s care.
Your insurance company also has access to general health information, including what treatment was provided (Current Procedural Terminology (CPT) codes), diagnoses (ICD-10 codes), medications, and summaries or discussions needed to justify billing or payment of the submitted services. Your insurance company does not have access to services not submitted to them or that you have paid for in full out of your own pocket.
Can I plan how my information will be shared in an emergency?
Psychiatric Advance Directives are documents in which you list your preferences in case you are determined to lack the ability to make your own decisions during a mental health crisis. Creating this document when your ability to make decisions is not in question gives you an opportunity to impact what happens to you during a mental health crisis. Some things to be considered include:
- types of treatment you want or do not want;
- family members, friends, or treatment providers who should be alerted and/or involved;
- alternatives to hospitalizations; and
- preferred treatment facilities.
While doctors ultimately have the power to make decisions, these documents can influence your care and give you a more active role in the case of crisis. Read more about psychiatric advance directives here.
How can I access my healthcare records?
You have the right to see your health records—even if you have not paid for services. Depending on your provider, you may be asked to submit a request in writing. They may also charge a fee for copying and/or mailing your records. Providers are typically required to give access to your records within thirty days of your request.
In terms of therapy, you have a right to see your general health information including dates of services, billing, and diagnoses; however, you may not have access to your therapists’ notes from your sessions together. While laws differ by state, access to psychotherapy notes is granted if your provider records them in your general health information records or gives you access to them. If you want to see your psychotherapy notes, it is often good to start with a conversation with your provider about your feelings and concerns.
What if I believe my health record is incorrect?
If you believe something is missing or incomplete in your health record, you can request that your provider make corrections. If the provider does not agree that your information is inaccurate, you have the right to note in your file that you disagree.
What are my privacy rights in regards to alcohol and/or drug use?
Information on alcohol and/or drug use is distinct from other mental health information. You are required to separately provide permission for any alcohol and/or drug use information to be shared. While this is a personal decision, it is useful for providers to share this information, especially if you take medications that may be less effective or harmful with substance use or you have additional medical conditions. It is very hard for providers to treat people without their full record.
If I am hospitalized, what health information can be shared with law enforcement?
Hospitals are able to disclose specific information to law enforcement for the purposes of “locating or identifying a suspect, fugitive, material witness, or missing person.” This information includes admission and discharge dates and times, description of distinguishing characteristics, and name and address, among other general identifying information. Your provider may not share information related to DNA, dental records, or any analysis of bodily fluids.
I feel that my privacy rights have been violated. What can I do?
If you feel that your privacy rights have been violated, you can file a complaint with the US Department of Health and Human Services’ Office of Civil Rights, your provider, or your health insurer. A group, company, or organization is not allowed to discriminate against you for filing a complaint. Click here to learn more information about the complaint process.
Can I make my own decisions about my mental health treatment?
In most states, you are considered an adult at 18 and are then able to make healthcare decisions for yourself. If you are under 18, the ability to make decisions about your mental health treatment varies by state. Some states allow a minor to consent to treatment as early as age 12 but may have specific guidelines as to how often or under what circumstances this consent is allowed. Decisions about treatment may be affected by services available, payment options, and insurance policies.
Does my parent/guardian have access to my health records?
Depending on state laws, your parent/legal guardian may have access to all or some of your health records. If a parent/guardian agrees to confidentiality between you and your provider, the treatment provider does not have to grant access to your health records. In states where there is no requirement to share information with a parent/guardian, disclosing information, such as diagnosis, is at the discretion of the provider. Neither you nor your parent/guardian has the right to access your psychotherapy notes. Disclosure of this information is also at the discretion of the provider.
Are my communications with my school counselor private?
Generally, communications with your school counselor are considered private information. In cases where there is a compelling reason to share information and an adult is in a position to help you, a school counselor may choose to disclose this information. While requirements on sharing this information vary by state, most states require reporting on cases of child abuse or neglect.
My family member/friend refuses to share their healthcare information with me. What can I do?
HIPAA allows individuals to make decisions as to who is allowed to see their protected health information. A provider may listen to you as a family member or friend but cannot provide information about the patient, including whether or not they are in treatment. The exceptions are cases where the provider determines there is a serious and imminent threat to the health or safety of the client or others and that you may be able to mitigate this threat, or where the provider determines the client is incapacitated. In both cases, the provider must use clinical judgment and respect any prior decisions of the consumer.
What if I just want to share important information with my family member/friend’s provider?
You are welcome to call and leave a voicemail or email with your family member/friend’s provider giving them whatever information you would like to share. You may or may not hear back from that provider. It is likely that the provider will tell your family member/friend that you contacted them and will ask for permission to speak to you.
If the provider calls you, they may or may not confirm or deny that your family member/friend is seeing them. If your family member/friend has provided permission to share information, the provider will share whatever information was permissible and/or is appropriate for care.
*Providers should read federal and state laws for other legal requirements and follow professional ethical standards as determined by their professional board.
Do I need my client’s permission in writing to discuss their medical information with their family members/friends?
You do not need signed permission from your client to share information with their family members/friends if you are reasonably sure that the patient does not object or has given verbal consent. This can be inferred if your client invites their family member/friend to sit in on therapy or if the client is given a clear opportunity to object to disclosure and they do not.
All information shared must be in the best interest of your client and must be directly related to their care and/or payment. If your client objects to the disclosure, you may not share the information.
If I feel that my client is incapacitated, am I able to discuss their care with their family/friends?
If you feel that your client is incapacitated, you are able to provide protected healthcare information to family and friends if you determine it is in the best interest of the client. Using professional judgment, you may share information directly relevant to the family member or friend involved in care or payment. You may also provide specific information to individuals involved in treatment who are not family members or friends if you are reasonably sure that the patient wants the individual involved in their care. When your client is capable of making decisions for their care, you should ask what information he or she would like to be shared and with whom. Ideally, this would be done using a Psychiatric Advance Directive.
What do I do when I feel there is a serious threat of injury to my client or someone else?
If you feel your client is a serious and imminent threat to the health and safety of himself or herself or to others, you may report to individuals who you believe could help address the threat, including family members and law enforcement. Depending on your state, you may be required or allowed to share an individual’s health information if a serious and imminent threat of physical violence has been communicated. These “Duty to Protect/Warn” laws exist in 45 states.
What are the penalties for violating HIPAA?
There is often confusion and fear among healthcare professionals when it comes to HIPAA violations. Penalties for violations were specified in 2009 and vary based on the circumstances and intent of the provider. For example, an individual who “did not know (and by exercising reasonable diligence would not have known)” that he or she was violating HIPAA has a first-time penalty between $100 and $50,000. In the most severe cases, any provider who has “[committed an offense] with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to ten years”. For more information describing HIPAA violations and enforcement, click here.
In practice, penalties are typically not given as long as the physician or professional determines a disclosure is in the patient’s best interest. According to Leon Rodriguez, former director of the Department of Health and Human Services Office of Civil Rights, as of 2013, only 12 of the 80,000 reported violations had resulted in penalties.
Your Rights Under HIPAA, U.S. Department of Health and Human Services. http://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html
HIPAA Privacy Rule and Sharing Information Related to Mental Health, U.S. Department of Health and Human Services. http://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html
Legal and Ethical FAQ, American School Counselor Association. https://www.schoolcounselor.org/school-counselors-members/legal-ethical/legal-ethical-faq
Confidentiality Laws Tip Sheet, American Academy of Pediatrics. https://www.aap.org/en-us/advocacy-and-policy/aap-health-initiatives/healthy-foster-care-america/Do…
Your Health Information and Privacy Rights, U.S. Department of Health and Human Services Office for Civil Rights. http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/consumers/consumer_rights.pdf
Misreading HIPAA privacy law blocks mental health discussion, American Medical News. http://www.amednews.com/article/20130503/government/130509992/8/