HIPAA

HIPAA is the Health Insurance Portability and Accountability Act of 2003 (Privacy) and 2005 (Security). This act includes the HIPAA privacy and security rules created to establish national standards to protect individuals’ medical records and other protected health information (PHI).

What Are My Rights Under HIPAA?

A series of short educational videos is available at HealthIT.gov to help individuals better understand their right to see and get their health information and to have that information sent to others of their choosing (including family members, caregivers, or a mobile device application).

You have the right to inspect and obtain a copy of your protected health information.

This means that you may inspect and obtain a copy of protected health information about you that is contained in a designated record set for as long as we maintain your protected health information. A designated record set contains medical and billing records and any other records that we use in making decisions about you. You may request the records be provided in paper or electronic format. You may be charged a fee for the cost of copying, mailing, or supplies associated with your request.

Under federal and state law, however, you may be denied access to inspect or obtain a copy. Depending on the circumstances, the decision to deny access may be reviewable.

Please contact the medical records department at 501-202-1914 if you have any questions about access to your medical record.

You have the right to request a restriction of your protected health information.

This means that you may ask us not to use or disclose any part of your protected health information for the purposes of treatment, payment, or healthcare operations. You may request that any part of your protected health information not be disclosed to family members or friends who may be involved in your care. Your request must state the specific restriction requested and to whom this restriction applies. You may also request restriction of PHI to a health plan with respect to health care for which you have paid for in full out of pocket. The request and payment must occur in writing in advance of the services being provided.

The hospital/physician is not required to agree to the restriction that you request, except in the case of a requested restriction of PHI to a health plan for purposes of payment or healthcare operations with respect to health care for which you have paid for in full out of pocket. If the hospital/physician believes that it is in your best interest to permit use and disclosure of your protected health information, it will not be restricted. With this in mind, please discuss any restriction you wish to request with your physician.

You have the right to request to receive confidential communication from us by alternative means or at an alternative location.

We will accommodate reasonable requests. We may also condition this accommodation by asking you for information as to how payment will be handled or specification of any alternative address or other method of contact. We will not request an explanation from you as to the basis for the request. Please make this request in writing to the privacy contact listed below.

You have the right to request an amendment to your protected health information.

This means that you may request an amendment of protected health information about you in a designated record set for as long as we maintain the information. In certain cases, we may deny your request for an amendment. If we deny your request, you have the right to file a statement of disagreement with us and we may prepare a rebuttal to your statement and will provide you with a copy. Please contact the appropriate medical record department if you have questions about amending your medical record.

You have the right to receive an accounting of certain disclosures we have made, if any, of your protected health information.

This right applies to disclosures made for purposes outside those for treatment, payment, and healthcare operations. You have the right to receive specific information regarding non routine disclosures that occurred after April 14, 2003. We must respond within sixty (60) days. You may request a shorter timeframe. You are entitled to receive one (1) free accounting each year. There will be a fee for any additional accounting requests during the year. The right to receive this information is subject to certain exceptions, restrictions, and limitations.

You have the right to obtain a copy of this notice from us.

Upon request, you may receive an additional paper or electronic copy of this notice from us.

You have the right to file a complaint.

If you believe your privacy rights have been violated by Baptist Health, you may file a complaint with us by contacting the Baptist Health Privacy Officer at 501-202-6776. You may also file a complaint with the Secretary of Health and Human Services. We will not retaliate against you for filing a complaint. We will not require you to waive the right to file a complaint with HHS as a condition to receive treatment from us.

You have the right to receive a notice following a breach of your unsecured PHI.

This notice will be provided by mail or through the media.

Those required to comply with these standards set by Congress include health plans, healthcare clearinghouses and healthcare providers who conduct certain financial and administrative transactions electronically. These entities (collectively called “covered entities”) are bound by the standards even if they contract with others (called “business associates”) to perform some of their essential functions. In compliance with these regulations, Baptist Health:

Provides information to patients about their privacy rights and how their information can be used.
Has privacy/security policies and procedures for its practice or hospital.
Trains employees so that they understand the policies and procedures.
Employs a Privacy Officer and a Chief Information Security Officer to be responsible for seeing that the policies and procedures are adopted and followed.
Secures patient records containing PHI so that the records are not readily available to those who do not need them.

The American Recovery and Reinvestment Act of 2009 contains a set of provisions known as the Health Information Technology for Economic and Clinical Health Act (HITECH Act). This Act modifies the existing HIPAA privacy and security requirements by providing for the following:

Increases civil monetary penalties for HIPAA violations.
Requires business associates to comply with the HIPAA Security Rules.
Defines what constitutes a breach and the notification requirements for certain breaches to be reported to patients, the media and the Office of Civil Rights.
Imposes restrictions on certain types of disclosures (e.g. sale, marketing of PHI).

To report a privacy/security violation or to request additional information, please contact the Privacy Office at (501) 202-6776 or email Compliance@baptist-health.org.

Notice of Privacy Practices (PDF)
AVISO DE PRÁCTICAS DE PRIVACIDAD (PDF)

HIPAA FAQs

The Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of and requests for PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary standard is intended to make covered entities evaluate and enhance protections as needed to prevent unnecessary or inappropriate access to PHI. It is intended to reflect and be consistent with, not override, professional judgment and standards.

The Privacy Rule is not intended to prohibit providers from talking to other providers and to their patients. We would consider the following practices to be permissible, if reasonable precautions are taken to minimize the chance of inadvertent disclosures to others who may be nearby (such as using lowered voices, talking apart):

Healthcare staff may orally coordinate services at hospital nursing stations.
Nurses or other healthcare professionals may discuss a patient’s condition over the phone with the patient, a provider or a family member.
A healthcare professional may discuss lab test results with a patient or other provider in a joint treatment area.
Healthcare professionals may discuss a patient’s condition during training rounds in an academic or training institution.

The Privacy Rule provides for “conducting training programs in which students, trainees or practitioners in areas of healthcare learn under supervision to practice or improve their skills as healthcare providers.” Baptist Health’s policies and procedures will continue to permit medical trainees access to patients’ medical information, including entire medical records.

Yes. The Privacy Rule allows this communication to occur, as long as the patient has been informed of this use and disclosure, and does not object. The Privacy Rule provides that a hospital or other covered healthcare provider may maintain in a directory the following information about that individual:

the individual’s name;
location in the facility;
health condition expressed in general terms; and
religious affiliation. The facility may disclose this directory information to members of the clergy. For example, a hospital may disclose the names of Methodist patients to a Methodist minister unless a patient has restricted such disclosure.

Yes. Covered entities such as physician offices may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The Privacy Rule explicitly permits certain “incidental disclosures” that occur as a by-product of an otherwise permitted disclosure.

For additional information or questions, please contact Dana Williams, Privacy Officer, at (501) 202-6776.

Find Care Near You

Explore Our Services

Explore Our Resources

Get to Know Us