HIPAA Law Summary
HIPAA (Health Insurance Portability and Accountability Act of 1996) is a federal law that protects individuals’ medical records and other personal health information. It establishes rules for the use and disclosure of Protected Health Information (PHI) and grants individuals rights over their own health data.
What HIPAA Can Do
• Protects your private health information (PHI), including diagnoses, treatments, and billing records.
• Gives you rights to access and request corrections to your medical records.
• Requires providers to give a Notice of Privacy Practices.
• Restricts unauthorized sharing of health data, especially for marketing/sales.
• Requires safeguards for electronic health data security.
• Allows filing of complaints with the Office for Civil Rights (OCR) and imposes penalties for violations.
What HIPAA Cannot Do
• Does not apply to all organizations (e.g., schools, employers, social media).
• Does not prevent all sharing — information can be shared in emergencies, for public safety, or under court order.
• Does not guarantee total privacy — sets minimum standards, and breaches may still happen.
• Does not give parents or guardians unlimited access to a child’s records (depends on state laws and situation).
• Does not require written permission for all disclosures — verbal/implied consent is sometimes enough.
Common Myths About HIPAA
Here are some common misconceptions and the realities behind them:
• “HIPAA means no one can ever share my health info without my permission.”
– Not true. Providers can share info for treatment, payment, operations, or in emergencies.
• “HIPAA applies to schools, employers, or family members.”
– Only if they are providing healthcare services or handling PHI under HIPAA rules.
• “Talking about someone’s condition breaks HIPAA.”
– Only covered entities (like doctors) are bound by HIPAA.
• “HIPAA blocks doctors from talking to families.”
– Doctors can share info unless the patient explicitly requests confidentiality.
• “You need written permission for any info sharing.”
– Not always. Written authorization is needed mainly for non-routine or marketing disclosures.
⚖️ HIPAA Misuse in Legal/Custody Cases
HIPAA is sometimes misunderstood or misused in court and custody settings. Court orders can compel the release of health records, and misuse of HIPAA as an excuse to avoid helpful communication (e.g., between a therapist and a parent) is common. Although HIPAA limits access to PHI, it doesn’t block properly issued subpoenas or court-ordered disclosures.
*For Ohio-specific HIPAA compliance details, see OAC Rule 5122-1-03, which requires ODMH to follow HIPAA and ARRA regulations
We use cookies to analyze website traffic and optimize your website experience. By accepting our use of cookies, your data will be aggregated with all other user data.