HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. This law requires certain entities that provide or pay for health care (like hospitals, insurance companies, and government health plans like MassHealth) to all use the same way to share health information. HIPAA also requires these health entities to set up protections for the security and privacy of certain health information.
Under HIPAA, the U.S. Department of Health and Human Services issued a new regulation, known as the Privacy Rule. This rule went into effect on April 14, 2003. The Privacy Rule limits how MassHealth and other covered entities may use and share your protected health information (PHI). It also gives you certain rights with your PHI.
PHI is any information that:
- has to do with the physical or mental health of an individual, providing health care to an individual, or paying for health care for an individual; and
- identifies the individual, or can be used to identify the individual.
You have the right* to:
- see and get a copy of your PHI;
- ask MassHealth to change your PHI if you think it is wrong or missing information;
- ask MassHealth to limit the use or sharing of your PHI;
- ask MassHealth to get in touch with you in some other way, if reaching you at the address or telephone number that we have on file for you would put you in danger;
- get a list, with certain exceptions, of when and with whom MassHealth has shared your PHI; and
- get a paper copy of our Notice of Privacy Practices at any time.
*These rights may not apply in certain situations.
For information on how to access your PHI, visit the MassHealth personal records request page.
MassHealth can use or share your PHI for certain purposes without your permission, like activities for running the MassHealth program or paying your health care providers for services that you get. There are also times when MassHealth is required by law to release your information. MassHealth does not need your permission to do this.
If you want MassHealth to share your information with someone, you may give MassHealth verbal permission to share your information over the telephone, once you verify your identity. However, you and that person must be together during the call. In this case, your permission will be good only for that call. MassHealth will not be able to share your information with that same person on other calls unless you and that person are together for the call and you give your verbal permission again.
If you want MassHealth to share your information with someone whenever they call without needing you to be present, MassHealth needs to have your permission in writing. You must fill out a MassHealth Permission to Share Information Form (PSI).
The Privacy Rule does not affect your choice of doctor and will not change your MassHealth benefits.
MassHealth takes your privacy very seriously. If you feel that MassHealth has violated your privacy rights, contact MassHealth's Privacy and Security Office in writing at the following address.
MassHealth Privacy Office
One Ashburton Place, Room 1109
Boston, MA 02108
Privacy.Officer@mass.gov