By law, The clinic must keep protected health information private. The federal government defines protected health information as any information, whether oral, electronic or paper, which is created or received by Clinics and relates to a patient’s health care or payment for the provision of health care. This includes the results of tests and notes written by doctors and nurses, as well as your name, address and telephone number. Clinics will follow the rules of its privacy notice currently in effect.
How Clinics fulfill these duties
• Clinics make every effort to maintain the confidentiality of medical information.
• Clinics take necessary precautions against inappropriate use or disclosure of medical information.
A word about federal and state law
Federal and state laws require Clinics to protect your medical information, and federal law requires Clinics to describe to you how we handle that information. When state and federal privacy laws differ, and state law is more protective of your information or provides you with greater access to your information, then state law will override federal law.
Part I Treatment, payment and health-care operations
This section describes the most common uses of protected health information. These apply to virtually all Clinic patients. There are three common ways Clinics will use medical information. They include treatment, billing and health-care operations. Clinics may also release information, where appropriate.
“Protected health information”means any information, whether oral, electronic or paper, which is created or received by Clinics and relates to a patient’s health care or payment for the provision of health care. This includes not only the results of tests and notes written by doctors and nurses, but also certain demographic information (such as your name, address and telephone number) that is related to your health records.
Clinics will use and disclose protected health information to provide, coordinate or manage your care. This includes communication and consultation between health-care providers—doctors, nurses, technicians and other members of your medical team. For example, following orthopedic surgery, your doctor may refer you for rehabilitation. Information will be shared to ensure continuity of care.
Clinics use protected health information to create bills and collect from insurance companies, Medicare and other payers. This includes providing information such as dates of service, symptoms and diagnosis to your insurance company to show that Clinics provided medical services to you.
Clinics use protected health information for internal activities to monitor and improve patient care, license staff to care for patients, prepare for state and federal regulatory reviews, manage health-care operations and improve health-care services. Here are some examples:
• To reduce the infection rate after a surgery, it would be necessary to look at medical records to determine the rate of infections that occurred.
• To be licensed to do a certain procedure, a doctor may be required to show that he or she has successfully completed a number of procedures under the supervision of another physician.
• A Federal Drug Administration inspector may review patient records in a laboratory to ensure that accurate and complete records are maintained for patient safety.
At times, the clinic accesses information, such as name, address and general medical condition, to contact you to:
• Provide appointment reminders
• Provide information about treatment alternatives or other information that may be of interest to you
• Disclose health-related benefits or services that may be of interest to you Philanthropy
Clinics may contact you to raise funds to sustain the Clinics mission. When conducting fundraising activities, Clinics may access only your basic demographic information (such as name and address) and the dates you were treated at The clinic. You may receive letters or other publications asking you to consider making a tax-deductible contribution to The clinic.
Medical research is vital to the advancement of medical science. Federal regulations permit use of protected health information in medical research, with either your authorization or when the research study at Clinics are reviewed and approved by an Institutional Review Board before any medical research study begins. In some situations, limited information may be used before approval of the research study to allow a researcher to determine whether enough patients exist to make a study scientifically valid.
Part II Other potential external disclosures
This section outlines less common circumstances that apply to some patients. Federal and/or state law requires or permits Clinics to provide protected health information outside the organization in the following situations:
To avert a serious threat of harm
Clinics use and disclose protected health information to alert those able to lessen or prevent the threat of a serious threat to the health or safety of a patient, another person or the public.
Organ and tissue donation
If Clinic professionals determine that a patient might be a candidate for organ or tissue donation, Clinics may release protected health information to organizations that handle organ procurement, or organ, eye, tissue donation banks, or other health-care organizations as needed to make organ or tissue donation and transplantation possible.
Military and veterans
Under federal regulations, if a patient is a member of the United States Armed Forces, The clinic is permitted to release protected health information as required by military authorities. Clinics also may release protected health information about foreign military personnel to the appropriate foreign military authority. When the military organization is sponsoring the medical evaluation, the patient’s medical information is shared with both the patient and the sponsoring organization. Patients being evaluated on behalf of the military are aware of these arrangements.
If you are seen for a workers’ compensation claim, federal rules permit the release of information related to your claim, as permitted or required by state law.
Public health purposes
Clinics may disclose protected health information for public health purposes. The following are some examples of releases that are allowed for public health purposes:
• To prevent or control disease or injury
• To report births and deaths
• To report maltreatment of a child or vulnerable adult
• To report to the federal government adverse reactions to medication or safety problems with FDA-regulated products
• To notify people of product recalls
• To notify a person exposed to certain types of disease or those at risk for contracting or spreading a disease
• To report vital statistics
Media relations activities
Clinics may share extremely limited information about patients who are seen as a result of an incident documented in a public record. In these cases, if the media contacts The clinic with a patient’s name, Mayo Clinic may provide the patient’s condition in general terms (such as “fair”).
Health oversight activities
Clinics must disclose protected health information to health-care oversight agencies, where required by law. Oversight activities can include licensure, accreditation, audits and investigations. It is standard practice for regulatory agencies such as the Joint Commission on Accreditation of Healthcare Organizations to review a sample of medical records to assure the quality of care provided.
Clinics must disclose protected health information in response to a valid court or administrative order.
Law enforcement activities
Clinics may disclose protected health information to law enforcement officials:
• In response to a court order or valid warrant
• To identify a suspect, fugitive or missing person
• About the victim of a crime under certain limited circumstance
• About a death believed to be a result of criminal conduct
• About a crime committed on Clinic premises
• In emergency circumstances when necessary to maintain safety and security of Clinic personnel and patients
Coroners, medical examiners and funeral directors
Clinics may release protected health information to a coroner or medical examiner when necessary to identify the deceased or determine the cause of death, or as otherwise authorized by law. Release of information to a funeral director may occur when necessary to handle arrangements after death.
National security activities
Clinics may release protected health information to authorized federal officials for intelligence, counterintelligence or other national security activities authorized by law. Clinics may disclose protected health information to authorized federal officials so they may provide protection to the President or other authorized individuals.
Part III Patients’ rights with respect to protected health Information
Right to inspect and copy
You have the right to inspect and to request a copy of information maintained in The clinic’s records about you. This includes medical and billing records maintained and used by Clinics to make decisions about your care. In certain situations, where providing access may be detrimental to your health, The clinic is permitted by state and federal law to withhold access.
To obtain or inspect a copy of your medical information, submit a written request to the Office of Patient Affairs at The clinic. Clinics may charge a reasonable, cost-based fee to cover the expense of providing the copies.
Most patients have full access to inspect and receive a copy of the full medical record. On rare occasions, Clinics may deny a request to inspect and receive a copy of some information in the medical record. This may occur if, in the professional judgment of your physician, the information could cause a threat to you or others. In these cases, Mayo Clinic may supply the information to an appropriate third party who may then release the information to the patient.
If you are denied access to information, you may request a review of the denial. Another licensed health-care professional who was not involved in the original decision within Clinics will independently review both the original request and denial. Clinics will comply with the outcome of the independent review.
Right to a list of certain disclosures
You can ask The clinic for a list of where The clinic has shared your protected health information. This list would provide you with a summary of all disclosures The clinic has made that you would not otherwise expect or already know about. The list would not include any of the following disclosures:
• for treatment, payment and health-care operations
• made directly to you (the patient)
• that you have specifically authorized
• provided from facility directories
• made for national security or intelligence purposes
• made to correctional institutions or law enforcement having custody of
• that took place before April 14, 2003
Right to request restrictions
You can ask The clinic to restrict the use or disclosure of protected health information about you.Your request must be in writing and submitted to the Office of Patient Affairs at The clinic.
The clinic will carefully consider all requests. However, because of the integrated nature of The clinic’s medical record, The clinic is not generally able to honor most requests, nor is The clinic legally required to do so.
Right to request alternate methods of communication
You have a right to request that The clinic communicate with you in various ways (such as a letter or phone) or at a certain location. For example, you may ask that contact occur only at home or only at your place of business. In this situation, you may submit a written request to the Office of Patient Affairs at The clinic specifying the communication method or alternate location being requested.
The clinic will accommodate reasonable requests. However, if the request could result in The clinic not being able to collect for services, The clinic reserves the right to require you to provide additional information about how payment for services will be handled.
Except as described above or specifically required or permitted by law, The clinic will not use or disclose your protected information without a specific authorization from you. At times, The clinic may ask you to provide a specific written permission to allow The clinic to use or disclose medical information about you.
• An authorization is your signed, written permission to release medical information.You may be asked to sign the same authorization form periodically as required by state or federal law.
• An authorization may be revoked in writing at any time. Written revocation of authorization must be submitted to the Office of Patient Affairs at The clinic.
- Smith, Hugh; Notice of privacy practices; Mayo Clinic Bulletin; 2001.
The article above contains foundational information. Articles below contain optional updates.
Reflection Exercise #3
The preceding section contained information about the effect of HIPAA on clinics’ privacy practices. Write three case study examples
regarding how you might use the content of this section in your practice.
Ethics CEUs QUESTION 7
Under what conditions can a clinic deny access to a person’s personal health information?
Record the letter of the correct answer the