Health Insurance Portability and Accountability Act

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). One component of HIPAA was to streamline the process to exchange information and to make health information more readily accessible to patients.

The HIPAA Privacy Rule went into effect in April 2003 and created a federal standard for protecting the privacy of health information. The Privacy Rule also requires DOH to comply with Florida laws that provide greater protection to patients.

HIPAA and You

The Privacy Rule generally prohibits the use and disclosure of health information without written permission from the patient. The Privacy Rule also gives patients rights to access their medical and billing records, request amendments to those records, and obtain an accounting of disclosures of protected health information. The Department’s Notice of Privacy Practices further describes the use and disclosure of patient medical information and how patients may obtain access to their information.

What does the Privacy Rule require?

The Privacy Rule prohibits the use or disclosure of protected health information (PHI) unless the patient has signed an authorization to disclose PHI.

What is PHI?

PHI is defined as any health information created or received by a health care provider that: (1) identifies an individual; and (2) relates to that individual’s past, present, or future physical or mental health condition or to payment for health care.

Protected health information includes information in any form or medium, from a paper medical record to a conversation between colleagues consulting on the care of a patient.

The Notice of Privacy Practices explains to patients the ways DOH is allowed to use a patient’s protected health information and lists the rights patients have with respect to their health information.

A written document signed by the patient giving permission for a health care provider to disclose PHI to specified individuals and/or entities.

A patient’s authorization to disclose is not required for the following purposes:

Protected health information may also be provided to patient caregivers (for example, family members), but only if the patient expressly agrees or impliedly consents.

Certain disclosures may also be made by a health care provider without patient authorization to accomplish public health activities and other permitted uses as set forth in the Privacy Rule.

HIPAA Questions and Complaints

The following is a list of commonly asked questions that should be directed to the Department of Health and Human Services, Office of Civil Rights at 202-619-0257 or toll free at 877-696-6775.

If you believe your privacy rights have been violated by a DOH employee, you may file a complaint with the Department of Health’s Inspector General at 4052 Bald Cypress Way, BIN A03, Tallahassee, FL 32399-1704, telephone 850-245-4141, or with the Secretary of the U.S. Department of Health and Human Services at 200 Independence Avenue, S.W., Washington, D.C. 20201, telephone 202-619-0257 or toll free 877-696-6775.

The complaint must be in writing, describe the acts or omissions that you believe violate your privacy rights, and be filed within 180 days of when you knew or should have known that the act or omission occurred. The Department of Health will not retaliate against you for filing a complaint.

Forms and Notices

Public Health Activities

HIPAA and Disease Reporting Requirements
HIPAA privacy standards and public health disease reporting.

HIPAA and Poison Control Centers
This letter relates to providing health information to the Poison Control Centers.