Health Insurance Portability and Accountability Act
Contact: Florida Health
DOH’S HIPAA INFORMATION PRIVACY AND SECURITY
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). One component of HIPAA was to streamline the process to exchange information and to make health information more readily accessible to patients.
The HIPAA Privacy Rule went into effect it April 2003 and created a federal standard for protecting the privacy of health information. The Privacy Rule also requires DOH to comply with Florida laws that provide greater protection to patients.
HIPAA and You
The Privacy Rule, generally prohibits the use and disclosure of health information without written permission from the patient. The Privacy Rule also gives patient’s rights to access their medical and billing records, request amendments to those records, and obtain an accounting of disclosure of protected health information. The Department’s Notice of Privacy Practices further describes the use and disclosure of patient medical information and how patients may obtain access to their information.
What does the Privacy Rule require?
The Privacy Rule prohibits the use or disclosure of protected health information or PHI, unless the patient has signed an authorization to disclose PHI.
What is PHI?
PHI is defined as any health information created or received by a health care provider that: (1) identifies and individual; and (2) relates to that individual’s past, present, or future physical or mental health condition or to payment for health care.
Protected health information includes information in any form or medium, from a paper medical record to a conversation between colleagues consulting on the care of a patient.
What is the Notice of Privacy Practices?
The Notice of Privacy Practices explains to patients the ways DOH is allowed to use a patient’s protected health information and lists the rights patients have with respect to their health information.
What is an Authorization to Disclose?
A written document signed by the patient giving permission for a health care provider to disclose PHI to specified individuals and/or entities.
A patient’s authorization to disclose is not required for the following purposes:
- For the treatment of a patient
- For payment of or billing for services
- For health care operations (for example, quality assurance, credentialing, audits, compliance monitoring)
Protected health information may also be provided to patient caregivers (for example family members) but only if the patient expressly agrees or impliedly consents.
Certain disclosure may also be made by a health care provider without patient authorization to accomplish public health activities and other permitted uses as set forth in the Privacy Rule.
HIPAA Questions and Complaints
The following is a list of commonly asked questions that should be directed to the Department of Health and Human Services, Office of Civil Rights at 202-619-0257 or toll free at 877-696-6775
- What is HIPAA and what are my rights?
- How do I file a HIPAA complaint against my health care provider
- What do it do if my doctor will not give me my medical records?
- If I am a health care provider, how do I comply with HIPAA?
If you believe your privacy rights have been violated by a DOH employee, you may file a complaint with the Department of Health’s Inspector General at 4052 Bald Cypress Way, BIN A03/ Tallahassee, FL 32399-1704/ telephone 850-245-4141 or with the Secretary of the U.S. Department of Health and Human Services at 200 Independence Avenue, S.W./ Washington, D.C. 20201/ telephone 202-619-0257 or toll free 877-696-6775.
The complaint must be in writing, describe the acts or omissions that you believe violate your privacy rights, and be filed within 180 days of when you knew or should have known that the act or omission occurred. The Department of Health will not retaliate against you for filing a complaint.
Forms and Notices
Public Health Activities
HIPAA and Disease Reporting Requirements
HIPAA privacy standards and public health disease reporting.
HIPAA and Poison Control Centers
This letter relates to providing health information to the Poison Control Centers.