Genetic Privacy and Medical Care
Today you have more reason than ever to care about the privacy of your medical information, including genetic information. Sensitive information about your health will almost certainly end up in data files. Your records may be seen by hundreds of strangers who work in health care and by a host of businesses associated with medical organizations.
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to set a national standard for electronic transfers of health data. At the same time, Congress saw the need to address growing public concern about privacy and security of personal health data. The task of writing rules on privacy eventually fell to the U.S. Department of Health and Human Services (HHS). After several modifications, HHS issued the HIPAA Privacy Rule.
California law sets standards for records held by doctors, hospitals and other health care providers within the state. Most health care providers must follow both the HIPAA Privacy Rule and California law. If a standard is different under the HIPAA Privacy Rule than it is under California law, your health care provider must follow the law that is the most protective of your rights.
HIPAA and Discrimination:
In general, HIPAA does not allow group health plans and group health insurance issuers to establish any rule of eligibility for a person or his/her dependents that discriminates against that person based on any health factor. The term “health factor” includes genetic information.
- You cannot be excluded from or denied enrollment into a group health plan based on your genetic information.
- Your group health plan cannot be cancelled based on your genetic information.
- You cannot be charged premiums higher than others in your group health plan based on your genetic information.
- Your genetic information cannot be used to determine your eligibility for a group health plan, nor can it be viewed as a pre-existing condition (a medical problem or illness you have at the time you enroll in or purchase your health insurance).
HIPAA only applies to group health coverage. It does not apply to individually purchased health insurance, to life insurance, or to employment.
HIPAA, California Law and Privacy:
Longstanding California state laws and federal regulations give you rights to help keep your medical records private. (1) That means that you can set some limits on who sees personal information about your health. You can also set limits on what information they can see. And you can decide when they can see it. You can also review and ask for corrections to your medical records. The following contains general descriptions of your basic rights.
Your right to be told how your doctor will use your personal health information
Most doctors, hospitals, HMOs, and other healthcare organizations must give you a Notice of Privacy Practices. This Notice tells you how personal information about your health will be used. It tells you who will see your information, what your rights are, and where to complain.
Generally, your doctor uses your health information to treat you and to refer you to specialists. Your doctor also uses your information to bill your insurance company. (3)
Your right to set limits on who gets to see your personal health information
Your doctor, insurance company, and other healthcare providers have to ask for your written permission before they can release your personal health information. This is true unless the release is for the purpose of treatment, payment, or healthcare operations. (4)
In the case of sensitive information, your written permission is required in most situations. (5)
Giving your permission
Your written permission is called an “authorization.” It must state what information can be released, to whom, and for what purpose. It must be dated. You have the right to say no without fearing any kind of pressure or retaliation. You have the right to change your mind at any time and take back your written authorization. (6)
You can also ask your doctor or health plan to limit how they use or release your information for treatment, payment, or healthcare operations. But they are not required to agree to your request. (7)
You also have the right to ask your doctor or health plan to contact you only in certain ways or at certain locations. For example, you can ask your doctor to send reminder notices to you at a certain address. Or you can ask to be called only at home rather than at work. (8)
What your employer can see
You can stop your employer from receiving most health information about you. Your doctor, insurance company, and other healthcare providers have to ask for your written permission before they can give your employer health information about you. (9)
You have the right to say no without fearing any pressure or retaliation from your employer. There are some situations in which your employer can receive information about your health. For example, your employer can receive certain information as the sponsor of an employee health plan. Another example is when you are required to pass a drug test for your job. However, your employer is not allowed to request genetic information, including family history (see Genetic Information Nondiscrimination Act).
Your right to be told to whom your personal health information has been given
You have the right to ask most healthcare providers for information on who has received your personal health information.
Accounting of disclosures
This is called an “accounting of disclosures.” It must include the date of the disclosure, the name of the person who received the information, what information was disclosed, and the purpose of the disclosure. It must be given to you within 60 days of the receipt of your request. There are some exceptions for disclosure for treatment, payment, or healthcare operations. (10)
Your right to stop unwanted mail about new drugs or medical services
Most healthcare providers have to ask for your written authorization before they can use or sell your health information for marketing purposes.
Giving your permission
The authorization form they ask you to sign must tell you if they will receive payment for sharing your information. For example, your doctor cannot sell your health information to a drug manufacturing company so that the company can mail you a letter encouraging you to buy a certain drug instead of the one you are using. There are exceptions related to your treatment. For example, your health plan is allowed to send you information about new healthcare services it offers. (11)
Your right to see and ask to correct information about you in your medical records
You may ask to read the information about you in your medical records. Your doctor or health plan must respond to your written request within five working days of receiving it. If they deny your request, they must tell you why. For example, your doctor could refuse if he or she thinks showing you the information may cause harm to you or to someone else. (12)
Copying your records
You may make copies of your personal health information in your medical records. Your doctor or health plan may charge you a reasonable fee for making these copies. (13)
Asking for changes
You may ask your doctor or health plan to change information about you in your medical records if it is not correct or complete. Your doctor or health plan may deny your request. If this happens, you may add a statement to your file explaining the information. (14)
Your right to file a complaint
Most doctors, health plans, hospitals, and other healthcare providers must tell you their process for handling complaints. They must tell you the name of the person to whom you may complain. File your complaint with the doctor, plan or organization first.
If you are an enrollee of a health plan and you have a concern that your health plan violated any state law regarding the privacy or confidentiality of your medical records, you may contact the California Department of Managed Health Care’s HMO Help Center at 1-888-HMO-2219 for assistance.
You also have the right to complain to the federal Office for Civil Rights about possible violations of federal health privacy law. (15)
Office for Civil Rights, Region IX
U.S. Department of Health and Human Services
50 United Nations Plaza, Room 322
San Francisco, CA 94102
Voice Phone (415) 437-8310
Fax (415) 437-8329
TDD (415) 437-8311
You may have remedies under California law
California law also gives you the right to bring suit to recover damages in some cases of violation of state laws on health information privacy. (16)
Additional Resources on Health Information Privacy
- Health Privacy Project
- Privacy Rights Clearinghouse, “Fact Sheet 8A: HIPAA Basics: Medical Privacy”
- Office for Civil Rights, U.S. Department of Health and Human Services
- California Privacy and Security Advisory Board (on Health Information Exchange), information available at California Office of Health Information Integrity
1 The federal authority on health information privacy arises from the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Standards for Privacy of Individually Identifiable Health Information (45 CFR Parts 160 and 164). California has several laws on health information privacy, including the Confidentiality of Medical Records Act (Civil Code § 56 et seq.), the Patient Access to Health Records Act (Health & Safety Code § 123110 et seq.), the Insurance Information and Privacy Protection Act (Insurance Code § 791 et seq.), and the Information Practices Act (Civil Code § 1798 et seq.). Citations for specific rights enumerated in this document are provided below. All the referenced laws may be found on the Privacy Laws page of the California Department of Justice’s Web site.
2 HIPAA regulates only healthcare providers that transmit personal health information electronically. For notice, see HIPAA, 45 CFR §164.520. Also on notice, see California Civil Code § 1798.17, which applies to state agencies.
3 For use and disclosure of health information for treatment, payment, or healthcare operations, see HIPAA, 45 CFR § 164.506, and California Civil Code § 56.10 subdivision (c)(a).
4 For disclosure limits, see HIPAA, 45 CFR § 164.502, and California Civil Code § 56.10.
5 For confidentiality of HIV test results, see California Health & Safety Code §§ 120975-121125. For confidentiality of psychiatric records, see California Civil Code § 56.104. Also see HIPAA, 45 CFR § 164.501, for definition of “psychotherapy notes,” and 45 CFR § 164.508 subdivision (a)(2) for authorization requirements for use or disclosure of psychotherapy notes.
6 For authorization, see HIPAA, 45 CFR § 164.508, and California Civil Code § 56.11.
7 For limits on use and disclosure for treatment, payment or healthcare operations, see HIPAA, 45 CFR § 164.522 subdivision (a).
8 For confidential communications requirements, see HIPAA, 45 CFR § 164.522 subdivision (b).
9 For disclosure to employers, see HIPAA, 45 CFR § 164.512 subdivision (b)(1)(v), and California Civil Code § 56.20.
10 For accounting of disclosures, see HIPAA 45 CFR § 164.528, and California Civil Code §§ 1798.25 and 1798.28.
11 For marketing use, see HIPAA 45 CFR § 164.508 subdivision (a)(3), California Civil Code § 56.10 subdivision (d), California Health & Safety Code section 123148, and California Insurance Code §§ 791.13 subdivision (k) and 791.05.
12 For access to records, see HIPAA, 45 CFR § 164.524, California Health & Safety Code § 123110 subdivision (a), and California Civil Code § 1798.32.
13 For copying records, see HIPAA, 45 CFR § 164.524, California Health & Safety Code § 123110 subdivision (b), and California Civil Code § 1798.33.
14 For amending records, see HIPAA, 45 CFR § 164.526, California Health & Safety Code § 123111, and California Civil Code § 1798.35.
15 For complaints under HIPAA, see 45 CFR § 164.530 subdivision (d). HIPAA complaints must be filed with the Office for Civil Rights within 180 days of the date when the complainant knew or should have known of the violation (45 CFR § 160.306).
16 See California Civil Code § 56.35 on remedies for improper use or disclosure, California Health and Safety Code § 123120 on remedies for violation of access rights, and California Civil Code §§ 1798.45-1798.57 on remedies for violations by state agencies.