HIPAA's Privacy Regulations: Increased Privacy Comes at a Cost

Deeb Salem, MD


September 24, 2003

HIPAA's Key Provisions

Reviewing the key provisions of HIPAA, as summarized by the United States Department of Health and Human Services (HHS), is a useful place to begin an examination of how the regulations work in theory and in practice. The key provisions, found at (, are:


  • Access to medical records. Patients generally should be able to see and obtain copies of their medical records and request corrections if they identify errors and mistakes. Health plans, doctors, hospitals, clinics, nursing homes, and other covered entities generally should provide access to these records within 30 days and may charge patients for the cost of copying and sending the records.

  • Notice of privacy practices. Covered health plans, doctors, and other healthcare providers must provide a notice to their patients as to how they can use personal medical information and about their rights under the new privacy regulation. Doctors, hospitals, and other direct-care providers generally will provide the notice on the patient's first visit following the April 14, 2003 compliance date and upon request. Patients generally will be asked to sign, initial, or otherwise acknowledge that they have received this notice. Health plans generally were required to mail the notice to their enrollees by April 14, 2003, and they will be required to notify enrollees again if the notice changes significantly.

  • Limits on use of personal medical information. The privacy rule sets limits on how health plans and covered providers can use individually identifiable health information. To promote the best quality care for patients, the rule does not restrict the ability of doctors, nurses, and other providers to share information needed to treat their patients. In other situations, however, personal health information generally cannot be used for purposes not related to healthcare, and covered entities can use or share only the minimum amount of protected information needed for a particular purpose. In addition, patients would have to sign a specific authorization before a covered entity could release their medical information to a life insurer, bank, marketing firm, or another outside business for purposes not related to their healthcare.

  • Prohibition on marketing. The final privacy rule sets new restrictions and limits on the use of patient information for marketing purposes. Pharmacies, health plans, and other covered entities must first obtain an individual's specific authorization before disclosing their patient information for marketing. At the same time, the rule permits doctors and other covered entities to communicate freely with patients about treatment options and other health-related information, including disease management programs.

  • Stronger state laws. The new federal privacy standards do not affect state laws that provide additional privacy protections for patients. The confidentiality protections are cumulative; the privacy rule will set a national "floor" of privacy standards that protects all Americans, and any state law providing additional protections would continue to apply. When a state law requires a certain disclosure -- for example, reporting an infectious disease outbreak to public health authorities -- the federal privacy regulations would not preempt the state law.

  • Confidential communications. Under the privacy rule, patients can request that their doctors, health plans, and other covered entities take reasonable steps to ensure that their communications with the patient are confidential. For example, a patient could ask a doctor to call his or her office rather than his or her home, and the doctor's office should comply with that request if it can be reasonably accommodated.

  • Complaints. Consumers can file a formal complaint regarding the privacy practices of a covered health plan or provider. Such complaints can be made directly to the covered provider or health plan or to the Office for Civil Rights, the arm of the Department of Health and Human Services charged with investigating complaints and enforcing the privacy regulation. Information about filing complaints should be included in each covered entity's notice of privacy practices. Consumers can obtain more information about how to file a complaint at or by calling 866-627-7748.
