The 411 on HIPAA

Updated: Sep 15, 2023

By Martine G. Brousse

"The Medical Bill Whisperer... and insurance stuff too"

Patient Advocate, Certified Mediator


view the YouTube video:

August 16, 2023

You’ve heard the term everywhere: at the Dr’s office and hospital, on the millions of forms you’ve been asked to fill out, on insurance notices and websites.

But what is HIPAA exactly?

Who must abide?

What should you know?

A. HIPAA is a wide-reaching federal law

Established in 1996, the Health Insurance Portability and Accountability Act regulates the use and disclosure of individuals’ health information and gives patients rights to control their medical records.

The law aims to balance:

· the right of individuals to their privacy and

· allowing a certain flow of information between entities in order to provide high quality health care and promote wellness

B. What does “personal health information” include?

· Your demographic data (name, address, date of birth, Social Security number, etc.)

· Your present or future medical condition and your past medical history

· Any clinical detail relating to your health whether held verbally, electronically or on paper (that call to your Dr is confidential, as are the online reports you find on your portal and notes in your chart)

· Your financial information including insurance coverage

C. Who must abide?

In a nutshell, any entity having access to individuals’ personal health information or medical records must abide. This includes:

· Commercial health, dental, vision, and Rx insurers

· Medicare, Medicaid, Medicare Advantage plans, Medicare gap or supplemental plans and any other plans acting as administrators for the Medicare or Medicaid systems

· Long-term care insurers

· Every health care provider, whether an individual or a facility

· Billing services, clearinghouses (the go-betweens for electronic claim transmissions), third-party employer administrators, collection agencies

· “Business associates”: legal, accounting, consulting, management, administrative, advocacy, HR, financial services and other individuals or businesses with potential access to, use of or disclosure of your personal health information. (Examples would be your accountant paying medical bills, or your patient advocate fighting your insurance.)

· You! … if you hold information regarding another person’s medical data, especially other family members’.

D. The Key

The consent form, also called PHI (“Protected Health Information”) or AOR for Medicare (“Assignment of Representation”), is the key to controlling (some of) the transmission of your health information.

Insurers and hospitals have their own forms, available online or on demand, while most offices will accept a generic alternative.

1. Everyone will ask you for one:

· Every medical provider at your first visit (which includes your consent to be treated)

· Every medical provider or facility you may need records from, for whatever reason (for your own files, to share with another practitioner, to file an appeal, etc.)

· Your insurance company when you apply so they can get your medical records when adjudicating claims or reviewing an authorization request

· Every medical provider needing medical records from another medical provider

· Every medical provider asked to send your records to an external person (advocate, family member, power of attorney, etc)

· Your insurance company if you want a family member, friend or advocate to discuss your claims, eligibility or policy with them

· Every entity that may need access to medical records for a legitimate reason (a new insurance you applied for, your attorney for a legal case, the State if you file an appeal there etc)

2. A separate and specific consent will be needed for:

· Mental health records

· Behavioral health records

· “Sensitive” info:

o Genetic data

o Abuse and Assaults

o Pregnancy

o Sexual health

o HIV/AIDS status

3. Minors age 12-18:

· While you, the parent or guardian, generally have automatic control over and access to your teen’s medical information, you can and likely will lose both over “sensitive” data and mental health or behavioral health records once he/she turns 12. Sorry.

· Your teen will need to sign a special consent allowing you access to their health information and medical records. Best of luck!

· Your insurance portal will likely require your teen’s written approval to display their claims after age 12, as well as other info such as messages or Explanations of Benefits (how the insurance has processed sensitive claims).

E. Exceptions to the need for a consent

There are some instances where HIPAA will not apply:

· Public health purposes: your Covid-related treatment was reported to Federal and State health agencies without your consent, as is other similar data

· Notification of kin: if you are unconscious or mentally incapacitated, the medical provider has the right to share your personal health info with a designated Power of Attorney, family member or next of kin, especially if decisions must be taken

· Directories: hospitals and insurance companies (especially) have the right to compile lists of demographic and other data within their own system

· Mandatory reporting: in case of suspected abuse, or threat of self-harm or harm to others, a medical provider is not only obligated to report it, but does not require your consent to do so

· Deceased patients: a family member, advocate or POA can access medical and/or billing records without a consent that obviously cannot be signed

· Workers’ Comp cases: not sure why, it makes little sense in my book, but WKC cases are not covered under HIPAA. This could mean that your employer or their attorney has direct access to your medical files.

· Legal matters: if ordered by the Court, or by subpoena, your medical records must be produced without your consent.

F. Do consider:

You retain the right to:

· Restrict access to your medical data (certain family members, an abusive spouse, your parents if you are over 12, etc.)

· Rescind a previous consent (someone no longer involved in your care, an advocate who has finished the job, your ex-spouse, etc.)

As a rule, it is a good idea to:

· File consents for the person(s) who will help you through an upcoming treatment, hospitalization or other health ordeal ahead of time

· Review once or twice a year who has access to your information and records, and think of cancelling their consent if no longer in your best interest.

Martine Brousse was a long-time Billing Manager for Physicians before switching to the side of patients in 2013. The move has allowed her to apply her deep expertise and vast experience of the intricacies of resolving all types of medical bill and claim payment issues in ways that directly and positively impact her clients' finances.

(424) 999 4705 - F (424) 226 1330

@martine brousse 2023

@ the medical bill whisperer 2023

HIPAA basics