Managing Your Health Care

Protecting Private Information

Federal Law

A number of federal laws and regulations restrict the ways that health plans, pharmacies, hospitals and other entities can use patients’ personal medical information. The most important of those laws is the Health Insurance Portability and Accountability Act of 1996, known as HIPAA. HIPAA is designed to provide a minimum standard of privacy protection for consumers across the United States, but it does not replace state laws that provide greater privacy protections. Most health care providers were first required to comply with the federal privacy standards in 2003. You may have noticed that your health care provider asks you to sign various notices and consent forms. Here is a summary of some of the key HIPAA provisions:

Access to Medical Records:
Under HIPAA, patients generally have the right to view and obtain copies of their medical records and request corrections if they identify errors and mistakes. Access to these records should be provided within 30 days, but the patient may be charged for the cost of copying and sending the records. The records should be provided in the form requested by the patient if it is readily producible in that form.

Notice of Privacy Practices:
Patients must be provided with a notice about their privacy rights and how their personal medical information may be used.

Limits on Use of Personal Medical Information:
HIPAA sets limits on how health plans and covered providers may use individually identifiable health information. It does not eliminate the sharing of such information, but it restricts the sharing to the minimum necessary to accomplish the intended purpose of the disclosure. Employees must be trained on privacy procedures and each covered entity must designate a privacy officer.

Restrictions on Marketing:
The final privacy rule sets some restrictions and limits on the use of patient information for marketing purposes. Unfortunately, it appears the HIPAA restrictions on marketing are fairly weak and may not curb many unfortunate marketing practices, such as health plans hiring telemarketers to contact patients to sell them more health plan services.

Health Care Identity Theft:
Because of concern about identity theft, Congress enacted the Fair and Accurate Credit Transaction (FACT) Act of 2003, which applies to financial institutions and other entities that accept payments over time. Under FACT, the Federal Trade Commission (FTC) has enacted a “Red Flag Rule” that requires covered entities, which can include health care companies that offer credit or deferred billing, to develop and implement a written identity theft prevention program. If you think that your private health information has been used for identity theft, you should contact the FTC as follows:

Federal Trade Commission
Identity Theft Clearinghouse
600 Pennsylvania Avenue NW
Washington, D.C. 20580
(877) 382-4357 external link icon

The United States Department of Health and Human Services Office for Civil Rights (OCR) has primary jurisdiction to oversee and enforce HIPAA. To obtain further information or to file a complaint regarding the privacy practices of a health plan or provider, contact the OCR as follows:

United States Department of Health & Human Services
Office for Civil Rights, Midwest Region
233 North Michigan Avenue, Suite 240
Chicago, IL 60601-5519
(800) 368-1019 link icon

Medical Information Bureau

MIB Group, Inc. is an organization that compiles a central database of medical information. Approximately 430 insurance firms use the services of the MIB, primarily to obtain information about life insurance and individual health insurance policy applicants. You are entitled to a free medical record disclosure once a year. You can get a copy by calling the Medical Information Bureau toll-free at (866) 692-6901. For other questions or to correct your report, write to:

MIB Group, Inc.
50 Braintree Hill Park, Suite 400
Braintree, MA 02184-8734
(866) 692-6901
www.mib.comexternal link icon

State Law

Minnesota has a number of state laws restricting the use and dissemination of personal health information by participants in the health care system. Some of these laws provide greater privacy protection than that granted under HIPAA. The general rule under Minnesota law is that a health care provider cannot share your health information with a third party unless you have given written consent or there is a law that authorizes the provider to share your information. Minnesota’s health privacy laws are complex, but the law requires providers to give patients notice of when a patient’s health records may be disclosed without the patient’s consent. This notice should be posted in the provider’s place of business or given to you. There are also government resources available to help you address your health privacy concerns. First, the Minnesota Department of Health regulates many health care facilities, such as hospitals and nursing homes, and health maintenance organizations (HMOs), such as Medica, Blue Plus, PreferredOne, and HealthPartners. If you believe that a health care facility or HMO may have violated your privacy rights, you can contact the Department of Health as follows:

Minnesota Department of Health
Managed Care Systems Section
P.O. Box 64882
Saint Paul, MN 55164-0882
(651) 201-5100 or (800) 657-3916 link icon

Second, the Minnesota Department of Commerce regulates certain health plan companies and health insurance companies, such as Blue Cross Blue Shield of Minnesota. If you believe that an insurance company or health plan company may have violated your privacy rights, you can contact the Department of Commerce as follows:

Minnesota Department of Commerce
85 7th Place East, Suite 280
St. Paul, MN 55101
(651) 539-1500 (local)
(800) 657-3602 (Greater MN only) external link icon

Finally, if your health privacy complaint involves an individual health care practitioner, or if you are otherwise unsure which state agency or board to contact about your concerns, you can contact the Attorney General’s Office at (651) 296-3353 (Twin Cities Calling Area) or (800) 657-3787 (Outside the Twin Cities) and we will assist you in identifying the proper regulatory agency.