HIPAA Requirements for Releasing Information

Covered Entities

• HIPAA does not cover all entities (organizations or individuals). For instance, health-care providers such as doctors, dentists, chiropractors and pharmacies must follow HIPAA laws, but only if the written standards cover the ways in which they share information. All insurance companies and plans, including government plans, must follow HIPAA procedures. HIPAA regulations also apply to any entity that processes health information or is a health-care clearinghouse.

Minimum Necessary Standard

• The "Minimum Necessary Standard" regulation in the HIPAA act requires covered entities to limit access and disclosure of protected information to the minimum that is necessary to facilitate treatment. It is up to your health-care provider to decide how much information to disclose. However, if you authorize the transfer of information, your health-care provider is not required to follow the minimum necessary standard regulation.

Authorization to Release Information

• Information the privacy rule does not cover cannot be disclosed--unless the patient signs an authorization form. This form must be written in understandable language. It must detail under what circumstances information can be released, as well as the entities to which/whom it can be released. The authorization must contain an information release expiration date to be valid.

Marketing

• Your private information can be released for marketing purposes when a health-care provider, wishing to inform its patients of new equipment or services, uses its patient list for general mailings. Your private information cannot be used without your authorization when this marketing provides financial gain for the entity providing the information.