State and federal health privacy laws give you the right to keep your medical records private and provide other rights with respect to that information.

Federal Law
The federal Health Insurance Portability and Accountability Act (HIPAA) requires providers of health care (including mental health care) to ensure the privacy of patient records and health information and requires the federal Department of Health and Human Services (HHS) to adopt implementing rules. HIPAA and its rules apply to health care providers, health plans and other entities that process health insurance claims; these are referred to as “HIPAA covered entities.” The business associates of these covered entities that receive protected health information (PHI) must also comply with the HIPAA rules.

On March 26, 2013, HHS’ Final Omnibus Rule adopted pursuant to HIPAA and related federal laws goes into effect. This final rule includes the Privacy Rule, the Security Rule and the Breach Notification Rule.

The HIPAA Privacy Rule gives consumers rights over their health information and sets limits on who can look at and receive a consumer’s protected health information (PHI). That Rule applies to all forms of PHI, whether oral, electronic or written.

The HIPAA Security Rule protects PHI that is in electronic form and requires entities covered by HIPAA to maintain reasonable safeguards to ensure that electronic PHI is secure.

The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notice to affected consumers and to HHS in the event of a breach of unsecured PHI.

HIPAA also provides that if a state law grants more privacy protection to a patient, the state law will apply.

Texas Laws
Effective September 1, 2012, the Texas Medical Records Privacy Act provides additional protections to consumers. The Act is broader in scope than HIPAA because it applies not only to health care providers, health plans and other entities that process health insurance claims but also to any individual, business, or organization that obtains, stores, or possesses PHI as well as their agents, employees and contractors if they create, receive, obtain, use or transmit PHI.

Under the Act, these individuals, businesses and organizations must comply with several requirements including mandatory training for employees regarding PHI. In most instances, the Act prohibits covered entities from using or disclosing PHI without first obtaining an individual’s authorization.

Overview of Your Rights under State and Federal Laws
Right of Access to Health Records
State and federal laws give you the right to ask to review and obtain a copy of your health records from most health care providers such as doctors, hospitals, pharmacies and nursing homes, as well as from your health plan. Your provider may have a form you can use to request your records. In a few special cases, such as instances in which your doctor decides that information in the file may endanger you, you may not be able to obtain all of your information.

A provider may charge for the reasonable costs of copying and mailing your records if you request copies and mailing but may not charge a retrieval fee.

Texas law specifies that if the provider is using an electronic health records system capable of fulfilling the request, the records must be provided not later than the 15th business day after the date your provider receives your written request. The records must be provided to you in electronic form unless you have agreed to accept the records in another form.

Right to amend information in your health records
If you believe that information in your medical records is incorrect, you have the right to request that the provider or health plan correct or amend the record and they must respond to your request. If the provider or health plan does not agree to make your requested corrections, they must notify you in writing and tell you why your request was denied. You have the right to submit a statement of disagreement that the provider or plan must add to your record.

Right to know how your personal health information will be used and shared and to limit who gets to see it
Your provider or health plan must give you a notice of their privacy practices that informs you of three things: (1) the uses and disclosures of your PHI which they are permitted to make; (2) other disclosures which require your authorization; and (3) that in the event of a breach of unsecured PHI, you will receive a notice of that breach. This notice of privacy practices will generally be provided on your first visit to a provider or in the mail from your health plan. You can also obtain a copy at any time that you request it.

In general, your health information cannot be used or shared for other purposes including sales calls or advertising, unless you first give your permission by signing a form authorizing such use. The authorization form must tell you who will get your information and what your information will be used for. Generally, this type of authorization is not required if the disclosure of your health information is for the purpose of treatment, payment, health care operations or performing certain insurance or health care maintenance organization functions.

Under certain circumstances, a covered entity may disclose PHI without the authorization of the person who is the subject of the protected information. Those circumstances include, but are not limited to, disclosures made to or in connection with a health oversight agency for audits and investigations, a threat to public safety, and situations involving victims of abuse or neglect. Also, if you are incapacitated or in an emergency, providers sometimes may use or disclose your PHI without your authorization if, in the exercise of medical judgment, they determine it is in your best interests. Your PHI may also be disclosed without your authorization if the disclosure is required by law, including a subpoena or court order.

Right to limit marketing uses of protected health information
In general, your health information cannot be used or shared for marketing communications without your authorization. Certain exceptions apply, including face-to-face communications between a covered entity and an individual.

If your PHI is used or disclosed to send a written marketing communication through the mail, that mailing must include the name and toll-free number of the entity which sent you the marketing communication and an explanation of your right to have your name removed from the sender’s mailing list. In addition, the mailing must be in an envelope which shows only the name and address of the sender and recipient.

OTHER TEXAS LAWS
Other Texas laws also serve to protect from disclosure specific types of medical records and information including certain doctor-patient communications, genetic information, test results for HIV and AIDS, hospital records, pharmacy records, donor records, regulatory records and mental health records.

TO FILE A COMPLAINT
Under the Texas Medical Records Privacy Act, consumers have the right to file a complaint with the state agencies that regulate covered entities as well as with the Texas Attorney General.

If you believe your protected health information has been used or disclosed in violation of HIPAA, you have the right to complain to the federal Office for Civil Rights, which has authority to investigate complaints against HIPAA covered entities and their business associates:

Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F; HHH Bldg.
Washington, D.C. 20201

Region VI – Dallas (Arkansas, Louisiana, New Mexico, Oklahoma, Texas)
Ralph Rouse, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
1301 Young Street, Suite 1169
Dallas, TX 75202
Voice Phone (214) 767-4056
FAX (214) 767-0432
TDD (214) 767-8940

In December 2013, the Texas Attorney General will prepare and file a report of all complaints received by the OAG and state agencies pursuant to the Texas Medical Records Privacy Act. That report will be made available at this webpage. Also, as required by Section 181.154(d) of the Act, the Attorney General adopted a standard Authorization to Disclose Protected Health Information form.

HB 300 Report 2013