Concerns around data security have risen rapidly in recent years. According to researchers at Deloitte, 67% of consumers are worried about the safety of their personal information.

Fortunately, the US Government has stringent rules that dictate who is allowed to share medical information and under what conditions the data is processed. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HIPAA Privacy Rule underline these rules.

We created this guide to help you understand what information is shareable under HIPAA and your rights as a patient. Read on to find out what HIPAA is, what information can or can’t be shared under HIPAA, and how to keep your medical information secure using Trustworthy.

Key Takeaways

• HIPAA is a federal law that dictates how medical professionals and their business partners handle and transfer patient information.

• HIPAA allows certain groups to share health information as required for medical treatment, payment for medical treatment, operations, oversight of healthcare, and other disclosures required by law.

• Anyone who breaks the HIPAA Privacy Rule can face a fine of up to $50,000 or one year in jail.     

What Is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law requiring the U.S. Department of Health and Human Services (HSS) to create and publish rules around sharing medical information.      

To meet those requirements, HSS created and published a set of rules in 1999 known as the “HIPAA Privacy Rule.” Several revisions were then made to the HIPAA Privacy Rule before a final draft was approved in 2002.

Dr. Kelvin Fernandez, M.D., a Tutor and Medical Residency Advisor at Ace Med Boards explains:

“HIPAA, at its core, is a federal law ensuring the confidential handling of sensitive patient health information by healthcare entities. It provides strict guidelines on how, when, and to whom medical information can be shared.”

What Information Is Shareable Under HIPAA?

The HIPAA Privacy Rule has strict rules on the types of information that can and can’t be shared, and requires consent from the patient in many circumstances.

However, practitioners say the rules largely depend on the context of the data transfer and who is involved.

Dr. Fernandez explains:

“Information that can be shared under HIPAA mainly includes treatment details, payment information, and healthcare operations data necessary for quality assessment, accreditation, and licensing.”

Generally speaking, HIPAA permits the disclosure and sharing of most "individually identifiable health information" for the purposes of medical treatment, payment for medical treatment, operations, oversight of healthcare, and other disclosures required by law.

Medical information shared for any other reason is likely in violation of HIPAA.

The HIPAA Privacy Rule says identifiable information is anything that relates to:

• A patient’s past, present, or future medical condition

• A patient’s provision of healthcare

• A patient's past, present, or future payment for healthcare provision

  
  

The rules also apply to any form of data, including digital, oral, or paper records.

That being said, there are a couple of exceptions.

If personal identifying information like a name or a phone number is maintained by a healthcare provider outside of a patient’s designated medical record and doesn’t contain health information, that means HIPAA does not protect it.

For example, let’s say your dentist’s office maintains a contacts database to promote its services via email. Because that list is separate from the health records of its patients, the office could technically share the list without breaking the HIPAA Privacy Rule.

Ashley Murry, Chief Clinical Officer at Sana Lake Recovery Centers explains:

“In my clinical field, HIPAA is a law that presents rules and standards relating to the use, management, storage, and sharing of protected health records. Using HIPAA, we have always ensured that our patient’s sensitive information and records are protected, like billing records and health insurance.”

HIPAA dictates that healthcare professionals should get informed consent and permission before sharing patients’ sensitive information.”

In addition to covering what information can be shared under the HIPAA Privacy Rule, the standards also have rules around the data rights of patients.

Samuel Greenes, an insurance broker and CEO of BLUE Insurance explains:

“Rights include obtaining full copies of medical records, restricting certain sharing with insurers or third parties, being notified of any breaches involving your PHI, approving uses beyond care/payment, and complaining to the Department of Health and Human Services regarding perceived violations investigated through audits.

Patients also have the right to request specific transmission or access restrictions.”

What Information Is Not Shareable Under HIPAA?

While HIPAA enables healthcare providers to share a range of patient information, it’s important to note that not all data is shareable under the standards.

“Psychotherapy notes, certain research data, and substance abuse records are examples of information that are generally not shareable under HIPAA, unless with specific consent,” says Dr. Fernandez.

Anyone who knowingly breaks HIPAA Privacy Rule by sharing individually identifiable information about a patient can face a fine of up to $50,000 or one year in jail.      

Who Is Allowed To Share Information Under HIPAA?

Under HIPAA, a patient’s medical information can be shared and accessed by four groups:

• Healthcare providers

• Healthcare plans

• Healthcare clearinghouses

• Business associates

The Privacy Rule applies to every healthcare provider regardless of size. 

However, according to Greenes, access to your medical information should always be limited to the doctors, nurses, technicians, billing staff, or insurance personnel involved in your direct care, administration, or payment of provided services. 

He explains:

“Without explicit written authorization, other parties like family members cannot access Protected Health Information (PHI) except in emergency or incompetent situations with documented good faith justification.”

How to Ensure Your Medical Data Is Secure

While the HIPAA Privacy Rule dictates standards around how health practitioners and their business partners process patient data, it’s important to remember that not all personal data threats stem from external parties.

Ben Michael, an attorney at Michael & Associates explains: 

“These days, there are increasing legal implications of telehealth. The biggest risks are always going to come from the users, including both the patients and the practitioners.”

That’s why patients must ensure they’re protecting their health information by using a safe and secure digital platform like Trustworthy.

Trustworthy is a digital Family Operating System® that gives users one, centralized view of all their important family documents. This might include everything from family IDs and tax returns to medical bills and health treatment records.

When you upload documents onto Trustworthy, you create a digital copy protected by two-factor authentication, hardware keys, and AES 256 bit encryption. Trustworthy even redacts sensitive information on-screen to protect your personal data from prying eyes.

Trustworthy empowers you with the ability to collaborate online and share health information with those you trust. For example, you could grant access to a hospital bill with your financial adviser or treatment information to a new doctor.

Learn more about Trustworthy’s range of features and how it can help you secure your personal information.

Frequently Asked Questions

What describes the sharing of information with other covered entities?

The “sharing of information with other covered entities” is a process included within the HIPAA Privacy Rule that explains how different entities should process, store, and share personal data.

Can protected health information (PHI) be shared with anyone at any time?

Protected Health Information (PHI) can be shared as long as the HIPAA Privacy Rule allows it or the patient gives their authorization to share the information.

What are examples of information not covered by the privacy rule?

Examples of information sharing that would not be allowed under the HIPAA Privacy Rule include anything about research, marketing activity, or psychotherapy notes.