FFFHIPAA and Medical Privacy

No. 129; Reviewed July 2019

HIPAA stands for the Health Insurance Portability and Accountability Act. HIPAA is a Federal law that was originally passed by Congress in 1996. One part of HIPAA is the HIPAA Privacy Rule, which regulates who can look at or receive information about your child’s health care. The HIPAA Privacy Rule applies to all forms of health information, including electronic, written, and oral. Some states may have laws that provide even stronger privacy protections than HIPAA. In those situations, the stricter State law generally applies.

What type of information must be kept private?

The HIPAA Privacy Rule applies to any identifiable information about your child’s health, health care, or payment for health care services. The HIPAA Privacy Rule does not apply when the information is used anonymously, in a way that it can’t be connected to a specific person.

Who has to keep medical information private?

“Covered entities” and their “Business Associates” are subject to the HIPAA Privacy Rule. Examples include:

  • Individual health care providers, such as physicians, mental health professionals, dentists, pharmacists, and nurses, provided they transmit information electronically
  • Medical facilities such as hospitals, clinics, and mental health centers
  • Health insurance companies, medical billing companies, and certain government programs that pay for health care, including Medicare and Medicaid

Are there exceptions to HIPAA?

Yes. The HIPAA Privacy Rule does allow release of medical information without separate consent or authorization for the purposes of treatment, payment, or other health care operations. For example:

  • A doctor can talk to the treatment team in an emergency room or hospital about your child’s medical history, diagnosis and previous care.
  • A doctor can provide information about your child’s treatment to your insurance company.
  • A hospital or outpatient clinic can access information about your child’s treatment as part of an ongoing quality monitoring and improvement program.
  • A doctor can share information with other members of your child’s treatment team, like your child’s therapist or primary care provider, in order to coordinate care.

Many entities are not covered by HIPAA. These include your employer, life insurance companies, banks, many state agencies, such as child protective services, most law enforcement agencies, and most schools, school districts and colleges.

Does HIPAA allow parents to see their child’s medical records?

The HIPAA Privacy Rule generally allows a parent to have access to their child’s medical records. There are some exceptions:

  • When the child is the one who consents to care, and the consent of the parent is not required by State law. (Note: The age of consent for mental health treatment varies from state to state.)
  • When the child obtains care at the direction of a court or a person appointed by the court.
  • When the parent agrees that the child and the health care provider may have a confidential relationship.

HIPAA specifically allows health care professionals to share information with family members in the case of an emergency or when there is a risk of serious and imminent harm to a child’s health or safety.

HIPAA gives you the right to get a copy of your child’s medical record. You may have to put your request in writing and pay for the cost of copying and mailing.

If you have questions about HIPAA, or concerns about the confidentiality of your family’s medical record or health information, talk to your doctor or other health care provider.

More information is also available at: www.hhs.gov/hipaa

See also: