Health Insurance Portability and Accountability Act (HIPAA)

HIPAA (the Health Insurance Portability and Accountability Act) is a federal law that helps protect you and your family's private health data and ability to have health Insurance.

HIPAA (along with other federal laws such as the Affordable Care Act) says that:

• Your medical records must be kept private. This includes printed records, computer records, and anything said at your health provider’s office.
• There must be uniform national coding standards for electronically storing and sending health care information.

HIPAA also says that your insurance company:

• May not deny you coverage because of a medical problem you had treated in the past.
• Must not discriminate against you or your family because of your current health.
• Must allow you to renew your health coverage after you lose your job.

Yes. In fact, Texas has two laws that seek to protect Texans’ privacy: The Texas Medical Records Privacy Act, and the Texas Identity Theft Enforcement and Protection Act.

First, like HIPAA, Texas law uses broadly defined terms to make the rules applicable to anyone that creates, receives, obtains, maintains, uses, or transmits protected health information. “Covered entities” cannot use personal health information (sometimes called “PHI”) for any reason other than for providing treatment or for securing payment, or for insurance purposes. Otherwise, the covered entity must get written permission from the individual before it can release personal health information.

Texas law also seeks to protect “sensitive personal information” (such as your name when combined with a Social Security number, a driver’s license number (or government ID number), or a credit card or debit card number. Businesses must implement and maintain reasonable procedures to protect the information, and prevent unauthorized disclosures.

The term “covered entity” includes insurance companies, Medicare, Medicaid, employers, schools, government agencies, healthcare providers, and businesses that handle healthcare information.

HIPAA protects all information that could be used to identify you (i.e., your PHI), including:

• Past, present, or future health
• Health care or treatment
• Payment for your health care.

Yes. HIPAA set up new rules to protect your health information. These rules are called “Standards for Privacy of Individually Identifiable Health Information.” They apply to any person or group in the nation who handles your health records (“covered entities”), including:  

• Health insurance companies 
• Healthcare clearinghouses (like medical billing service companies) that process information they get from other health sources  
• Health care providers 

Unless you give your permission, your providers, insurance company, and any other company that handles your information must not share it.  

This includes all of your health information, whether it is on paper, sent electronically, or spoken.

Yes. Your doctor or health insurance company can share your private health information (PHI) without your permission for:  

• Treatment and healthcare 
• Payment 
• Public health reasons 
• Certain kinds of research 

For example, your doctor can share your PHI with the hospital where you will have surgery, a specialist who will treat you, or in order to get paid for your care. But your doctor cannot give your PHI to a life insurance company unless you give specific written permission.  

When your PHI is shared, only the minimum amount of information should be shared. Ask your doctor what information was shared and how it will be used.

Yes, but only if you give written permission. Here are some examples: 

• You can appoint someone, such as the person who is your power of attorney for health care, to see your records if needed. 

• You can allow someone to pick up your prescriptions at the drug store. 

• If you are a parent, you can see your child’s medical records, unless your child has consented to care that does not require your permission.

Yes. Texas law says you can see and copy your records. And if you find mistakes, you can ask to have them fixed.

It is a crime to violate your privacy. You can file a complaint with the U. S. Department of Health and Human Services, Office of Civil Rights (OCR) by mail, fax, or email.  If you need help filing a complaint or have a question about the complaint form, please visit the OCR website at How to File a Civil Rights Complaint | Guidance Portal (hhs.gov) or the OCR toll-free number: 800-368-1019. 

HIPAA protects information relating to reproductive healthcare. The federal Privacy Rule does not prevent disclosures that are expressly required by state law. However, the Privacy Rule says that covered entities should disclose only the information relevant to the specific requirements of the state law.

Disclosures that do not meet the “required by law” definition in HIPAA rules or that exceed what is required by state law, do not qualify as permissible disclosures.

The Privacy Rule’s permission to disclose PHI without an individual’s authorization is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.”

Current Texas law prohibits almost all abortion procedures. Texas law also requires doctors to submit reports to the state detailing specific information about abortions that they do perform. However, the physician reports cannot identify the patient by any means. If you would like more information on HIPAA and privacy rights surrounding reproductive healthcare, you can visit the federal Health and Human Services website at HIPAA and Reproductive Health | HHS.gov.

This is a rapidly changing area of law. Consult an attorney if you need specific legal advice.

No. HIPAA’s rules limited the insurance company’s ability to limit coverage because of “preexisting conditions.” Those rules were essentially superseded (and improved) by the Affordable Care Act. Under current federal law, unless you purchased your insurance before 2010, the insurance company is prohibited from using a “preexisting condition” to deny coverage. If you have had a condition (like asthma, diabetes, or cancer) the insurance company generally cannot deny coverage, charge you more, or limit benefits based on your preexisting condition.

HIPAA defines “creditable coverage” as any health insurance you had before, including:  

• Group health insurance 
• COBRA (Consolidated Omnibus Budget Reconciliation Act)  
• An individual policy 
• Medicaid or Medicare 

Health insurance companies were required to provide evidence of creditable coverage when an individual requested a certification. However, the Affordable Care Act changed the law such that (unless your insurance plan was purchased before 2014) certificates of creditable coverage are no longer required for new health plans. 

Nevertheless, creditable coverage is still an important issue, particularly for Medicare-eligible individuals getting prescription drug coverage. 

Yes. HIPAA says insurance companies cannot discriminate against you or your family. Your group health plan cannot refuse you or drop your coverage because of your: 

• Physical or mental health 

• Previous health claims 

• Genetic information 

• Disability  

• Particular disease 

Historically, insurance companies could place limits on the dollar amounts they would pay for health coverage for various conditions (e.g., cancer). They cannot do that anymore. Insurance companies cannot set “lifetime” limits or annual limits on what they will spend on coverages for essential health benefits. Further, if the insurance company sets limits for something that is not considered an essential health benefit, then that limit must be applied to the entire group in the coverage plan (not just to you and your family). 

No. Making you pass a physical is discrimination because of your health. 

It depends.

The plan must comply with HIPAA and Affordable Care Act rules designed to prevent illegal discrimination. If the program gives the “reward” (i.e., lower premium) based on the fact that you participate in the program (and not on any results that may follow), then the program is probably okay. But, if the wellness program reward is based on the outcome you achieve from participating in the program, then the program has to comply with rules that ensure the reward is not impermissibly discriminatory. For example, an outcome-based reward must allow an alternative pathway for those that cannot complete the program due to a medical condition.