Federal and State Privacy Protections and Health Insurance

The HIPAA (the Health Insurance Portability and Accountability Act) is a federal law that helps protect you and your family.

HIPAA (along with other federal laws such as the Affordable Care Act) says that: o Your medical records must be kept private. This includes printed records, computer records, and anything said at your health provider’s office.

Yes. Texas has two laws that seek to protect Texans’ privacy. The Texas Medical Records Privacy Act, and the Texas Identity Theft Enforcement and Protection Act.

First, like HIPAA, Texas law uses broadly defined terms to make the rules applicable to anyone that creates, receives, obtains, maintains, uses, or transmits protected health information. “Covered entities” cannot use personal health information (sometimes called “PHI”) for any reason other than for providing treatment or for securing payment or for insurance purposes. Otherwise, the covered entity must get written permission from the individual before it can release the personal health information.

Texas law also seeks to protect “sensitive personal information” (such as your name when combined with a Social Security number, a driver’s license number (or government ID number), or a credit card or debit card number. Businesses must implement and maintain reasonable procedures to protect the information and prevent unauthorized disclosures.

The term “covered entity” includes insurance companies, Medicare, Medicaid, employers, schools, government agencies, health care providers, and businesses that handle health care information.

HIPAA protects all information that could be used to identify you (i.e., your PHI), including:

• Past, present, or future health
• Health care or treatment
• Payment for your health care

Yes. HIPAA set up new rules to protect your health information. These rules are called “Standards for Privacy of Individually Identifiable Health Information.” They apply to any person or group in the nation who handles your health records (“covered entities”), including:

• Health insurance companies
• Healthcare clearinghouses (like medical billing service companies) that process information they get from other health sources.
• Health care providers

Unless you give your permission, your providers, insurance company, and any other company that handles your information must not share it.

This includes all your health information, whether it is on paper, sent electronically, or spoken.

Yes. Your doctor or health insurance company can share your private health information (PHI) without your permission for:

• Treatment and healthcare
• Payment
• Public health reasons
• Certain kinds of research

For example, your doctor can share your PHI with the hospital where you will have surgery, a specialist who will treat you, or to get paid for your care. But your doctor cannot give your PHI to a life insurance company unless you give specific written permission.

Only the minimum amount of information should be shared when your PHI is shared. Ask your doctor what information was shared and how it will be used.

Yes, but only if you give written permission. Here are some examples:

• You can appoint someone, such as the person who is your power of attorney for health care, to see your records if needed.
• You can allow someone to pick up your prescriptions at the drugstore.
• If you are a parent, you can see your child’s medical records unless your child has consented to care that does not require your permission.

Yes. Texas law says you can see and copy your records. And if you find mistakes, you can ask to have them fixed.

Yes. HIPAA protects information relating to abortion and other sexual and reproductive health care. The federal Privacy Rule does not prevent disclosures that are expressly required by state law. However, the Privacy Rule says that covered entities should disclose only the information relevant to the specific requirements of the state law.

Disclosures that do not meet the “required by law” definition in HIPAA rules or that exceed what is required by state law, do not qualify as permissible disclosures.

The Privacy Rule’s permission to disclose PHI without an individual’s authorization is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.”

Current Texas law prohibits almost all abortion procedures. Texas law also requires physicians to submit reports to the state detailing specific information about abortions that they do perform. However, the physician reports cannot identify the patient by any means. If you would like more 

information on HIPAA and privacy rights surrounding reproductive healthcare, you can visit the federal Health and Human Services website at HIPAA and Reproductive Health.

Be aware that is a rapidly changing area of law. Consult an attorney if you have a need for specific legal advice.

It is a crime to violate your privacy. You can file a complaint with the U. S. Department of Health and Human Services, Office of Civil Rights (OCR) by mail, fax or email. If you need help filing a complaint or have a question about the complaint form, please visit the OCR website at How to File a Civil Rights Complaint | Guidance Portal (hhs.gov) or the OCR toll-free number: 800-368-1019.