What responsibility does my health care provider have to keep my information confidential?

Your health information includes records and communications with your care provider about the services, tests, diagnoses, and treatment that you receive. Various state and federal laws protect the privacy of your health information. One of these laws is the federal Health Insurance Portability and Accountability Act (HIPAA). HIPAA allows your care provider to share your health information without your written permission for a purpose directly related to your health care, like treating your condition, or paying your health care bill. Your care provider may also share information without your permission for things like making sure doctors give good care, making sure health care facilities are clean and safe, or reporting when the flu is in your area. In other cases not directly related to your care, your health care provider must get your written permission to share your health information. For example, HIPAA requires your care provider to get your written permission to give your health information to your employer, or to share it for things like marketing and advertising.

Some types of health information get additional protection under federal and state laws that are stricter than HIPAA. These laws require your care provider to get your written consent to share the following types of health information, even though it is for a purpose directly related to your care:
  • Behavioral and mental health services that are provided by the Michigan Department of Community Health (MDCH), a Community Mental Health Service Provider, or an entity under contract with the MDCH or a Community Mental Health Service Provider. 
  • Referrals and/or treatment for a substance use disorder. 
  • Information about communicable diseases and infections, such as sexually transmitted diseases, and Human Immunodeficiency Virus (HIV Infection, Acquired Immune Deficiency Syndrome, or AIDS Related Complex).

Care providers who get certain types of federal funding must follow additional laws that provide the highest level of protection for information about services for domestic violence, sexual assault, or stalking. These care providers must get your written consent before disclosing any personally identifying information or individual information about you. The only exceptions to this very strict requirement are cases where a law or court order requires the provider to disclose the information. These exceptions may include reporting child abuse or neglect, or obeying a subpoena to provide information in a legal case.

If you have questions about your care provider's duty to protect your health information, ask your provider.