OLR Report 2016-R-0050 describes the laws that limit the circumstances in which health care providers may release a patient's personal health information. Personal health information is protected by both federal and state laws. The federal Health Insurance Portability and Accountability Act (HIPAA) provides the minimum level of protection, while state laws may provide additional protection.
HIPAA's privacy rule establishes national standards to protect patients' medical records and other personal health information (45 C.F.R. §§ 160, 164(A), (E)). The privacy rule limits covered entities' disclosure of patients' personal health information without the patients' authorization and gives patients a right to obtain, examine, and copy their medical records and request corrections.
HIPAA's security rule applies the protections of the privacy rule to electronic personal health information and requires that appropriate administrative, physical, and technical safeguards be put into place to maintain the confidentiality, integrity, and security of electronic health information (45 C.F.R. §§ 160, 164(A), (C)).
Several Connecticut laws also address the privacy and disclosure of patients' personal health information. These include laws that (1) establish a bill of rights that assures confidential treatment of patients' personal and medical records and (2) prohibit the sale of personal health information. Connecticut law allows the disclosure of personal health information to certain state agencies. For example, Department of Mental Health and Addiction Services (DMHAS) contractors must disclose personal health information to the commissioner in certain circumstances.
For more information, read the full report here.