
FAQ 348 Why would HIPAA Privacy Rule require covered entities to turn over anybody's personal health information as part of a government enforcement process?

This is guidance related to the disclosure of protected health information as part of a government enforcement process

Final

Issued by: Office for Civil Rights (OCR)

Why would HIPAA Privacy Rule require covered entities to turn over anybody's personal health information as part of a government enforcement process?

Answer:

An important ingredient in ensuring compliance with the Privacy Rule is the Department of Health and Human Services’ (HHS) responsibility to investigate complaints that the Rule has been violated and to follow up on other information regarding noncompliance. At times, this responsibility entails seeing personal health information, such as when an individual indicates to the Department that they believe a covered entity has not properly handled their medical records.

What information would be needed depends on the circumstances and the alleged violations. The Privacy Rule limits HHS Office for Civil Rights’ (OCR) access to information that is “pertinent to ascertaining compliance.” In some cases, no personal health information may be needed. For instance, OCR would need to review only a business contract to determine whether a health plan included appropriate language to protect privacy when it hired an outside company to help process claims.

Examples of investigations that may require OCR to have access to protected health information include:

  • Allegations that a covered entity refused to note a request for correction in a patient’s medical record, or did not provide complete access to a patient’s medical records to that patient.
  • Allegations that a covered entity used health information for marketing purposes without first obtaining the individuals’ authorization when required by the Rule. OCR may need to review information in the marketing department that contains personal health information, to determine whether a violation has occurred.


DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.