HIPAA Q&A

What is the Privacy Rule?  

The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patient's rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections.

How do I obtain my medical records?        

If you reside locally, Release of Information Authorization/Request forms may be obtained at any of the Santa Barbara County Mental Health Clinics where staff is available to assist with the completion of the forms. 

If you are unable to make your request in person, Release of Information Authorization/Request forms may be obtained by calling the Medical Records Department at (805) 681-5328.  Incomplete information may delay processing.  Before submitting your request, it is important to review the form for completion, including:

1. Personal identifying information of client, including full name, date of birth and Social Security Number (the last four digits are acceptable) 

2. Name, address and phone number of the individual or organization to which you want the records released 

3. What the information will be used for 

4. Description of Requested Information 

5. Time period for the information requested 

6. Initials where required 

7. Signature and date 

How do I amend my medical records?

Please contact the Medical Records Department at (805) 681-5328.

Where may I learn more about HIPAA?

You can learn more at http://www.hhs.gov/hipaa/

Where may I get a Release of Information form?

Please contact the Medical Records Department at (805) 681-5328.

How does "consent" differ from "authorization"?

Consent refers to instances in which the privacy rule does not require a covered entity/health care provider to obtain consent for uses and disclosures of protected health information, such as for treatment, payment and healthcare operations. 

Authorization is required by the Privacy Rule for uses and disclosures of protected health information (PHI) not otherwise allowed by the Rule. 

Who has the right to view my medical records without my permission/authorization?

In some situations, PHI disclosures may be made without the patient's authorization, but they require an opportunity for the patient to verbally agree or object. 

These situations include: 

  • Disclosures to the patient's next-of-kin or to another person (designated by the patient) involved in the patient's health care  
  • Notification of a family member (or the patient's personal representative) of the patient's location, general condition or death 
  • Disaster relief situations. 
Authorization in an emergency: 

If the patient is incapacitated or in cases of an emergency, EMS responders, in the exercise of professional judgment, may determine whether disclosure of PHI is in the patient's best interests. 

This provision of the Privacy Rule allows responders to inform relatives or others involved in a patient's care that a patient has suffered an affliction and to provide updates on the patient's progress and prognosis. 

When Authorization Is NOT Required 

For certain uses and disclosures, an authorization or opportunity to agree or object, is not required: 

  1. Required by law 
  2. Public health activities (injury/disease control/prevention) 
  3. Victims of abuse, neglect, or domestic violence 
  4. Health oversight activities (DHS, regional EMS council) 
  5. Judicial and administrative proceedings 
  6. Law enforcement purposes
  7. Decedents 
  8. Cadaver donation of organs, eyes, or tissues 
  9. Research purposes 
  10. To avert a serious threat to health or safety 
  11. Specialized Government Functions 
  12. To comply with workers compensation law 

How may I file a HIPAA-related complaint?