When you are seeing a new doctor, one of the many documents you’re given is a HIPAA privacy statement. HIPAA stands for the Health Insurance Portability and Accountability Act, which was enacted in 1996 by President Bill Clinton. While HIPAA governs many aspects of the healthcare industry, the document your doctor provides discusses your rights under the HIPAA Privacy Rule. Since you may not have ever taken the time to read this document, here’s a brief primer on the HIPAA Privacy Rule.
The HIPAA Privacy Rule protects “individually identifiable health information held by covered entities and their business associates.” “Individually identifiable health information” means information that could identify a specific person. For example, if you were to receive an email from an insurance company or hospital with a patient’s full name in the subject line, that would be a potential HIPAA violation because anyone who intercepted that email could easily identify the patient in question.
That’s not to say healthcare facilities and professionals are not allowed to share any health information about a patient. These entities need to be able to share this information internally and with their business associates. Otherwise, doctors couldn’t coordinate a patient’s treatment plan and hospitals couldn’t bill for services. That’s why HIPAA also includes a Security Rule that dictates how to protect patient information. With regard to our example above, the proper way for an insurance company to send you patient-specific information via email is to make sure the content is encrypted.
If you believe your rights under HIPAA have been violated, HIPAA allows you to file a complaint with the health entity you believe committed the breach or with the U.S. Government.