
    About HIPAA

    What is HIPAA?

    The Health Insurance Portability and Accountability Act (HIPAA) became effective on July 1, 1997. Initially, the primary goal of HIPAA was to protect an insured person's insurability. Before this law, if an insured person lost insurance coverage for some reason, such as changing jobs, they could be required to prove their insurability before obtaining new coverage. For most people this wasn't a problem; however, for people with chronic health problems or whose health deteriorated while they were covered, it was a serious problem. Such people lived in constant fear of losing their jobs and thereby losing their health insurance. As a result of HIPAA, if a person has been insured for the most recent 12 months, a new insurance company cannot refuse to cover the person or impose a waiting period before providing coverage. HIPAA also offered federal protections to those with pre-existing conditions for the first time. 

    It soon became evident that successful HIPAA implementation would require a major upgrade to communications between health care providers, insurance plans and employers. Many security, privacy, and confidentiality issues would also have to be addressed as technology and the means of sharing health information evolved. So, the law was written to include those kinds of mandates, with significant penalties for non-compliance, including monetary fines and criminal penalties such as prison time for serious, intentional privacy or security violations.

    Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act as part of the American Recovery and Reinvestment Act (ARRA) of 2009, which made several significant modifications to HIPAA. On January 25, 2013, the US Department of Health and Human Services (HHS) published the Omnibus Final Rule, which implemented changes to HIPAA pursuant to the HITECH Act and the Genetic Information Nondiscrimination Act (GINA) of 2008. The Omnibus Final Rule also made additional changes to the HIPAA regulations. The Omnibus Final Rule became effective on March 26, 2013, and its compliance date was September 23, 2013.

    The most well-known aspects of HIPAA now are those created to ensure privacy and security in patients' health information. The information below concerns the aspects of HIPAA designed to protect health information. 

    Who is HIPAA for?
    HIPAA is for you. It protects your health information that is kept by providers (doctors, clinics, hospitals, etc.), health plans (insurance companies, Medicaid), and a type of entity called a health care clearinghouse, which is often a business that does medical billing for providers so that they can submit proper claims to insurers. These are called Covered Entities. Your protected health information (PHI) is health information that is kept or created by a Covered Entity and can be used to identify you individually.   

    Who does HIPAA apply to?
    HIPAA only applies to Covered Entities and their contractors, which are called Business Associates. When a Covered Entity hires a Business Associate to perform work which would give them access to your PHI, they must sign an agreement called a Business Associate Agreement (BAA). HIPAA requires the BAA to hold the contractor to the same standards as the Covered Entity regarding protection of your health information. Also, the contractor, or Business Associate, can only have access to the parts of your PHI that they need to do their jobs. So, for example, if a Covered Entity hires a Business Associate for the sole purpose of calling patients to remind them of their appointments, the Business Associate would only have access to the information they need to do that. In this case, that would usually be just your name, phone number, provider and appointment time.

    What does HIPAA do?

    HIPAA requires Covered Entities and Business Associates to keep your Protected Health Information private and secure. 

    The Privacy Rule
    HIPAA requires Covered Entities and Business Associates not to disclose your PHI except in well-defined, limited circumstances. A Covered Entity must disclose your PHI to you or to a third party that you authorize to receive it. Other HIPAA-permitted disclosures include when your health providers need to discuss your health information with each other for treatment purposes or when your provider submits a claim to your insurance company. Sometimes, your health information must be disclosed because it is required by law or because it is the subject of a court order or subpoena. 

    The Privacy Rule also requires that Covered Entities keep any paper records private, to avoid unauthorized disclosure. This usually means that paper records are kept in a secure location such as a locked cabinet.

    A full explanation of HIPAA-authorized disclosures is available here: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html 

    The Security Rule
    The HIPAA Security Rule requires Covered Entities to keep your Protected Health Information secure. This means that electronic PHI (ePHI) should be stored only on encrypted, password-protected devices. Exchange of your ePHI should only occur over networks with appropriate security safeguards (encryption, etc.) in place.

    How Can I Report a HIPAA violation?
    If you believe PHI was disclosed in violation of HIPAA or if you believe that PHI has not been kept private and secure as required by HIPAA, you can file a complaint in ONE of the following ways: 

    1. Contact the Privacy Officer for the Covered Entity. All Covered Entities are required by HIPAA to appoint a person as the Privacy Officer. Their name and contact information should be posted on the Covered Entity's website and should be made available to you if you ask them for the information. The information is required to be part of the "Notice of Privacy Practices" that all patients receive.
    2. File a Complaint with HHS

    You can file a complaint directly with the United States Department of Health and Human Services (HHS), Office of Civil Rights (OCR): https://www.hhs.gov/hipaa/filing-a-complaint/index.html

    Maryland Department of Health
    Office of Internal Controls and Audit Compliance
    Lauren Boyce
    Chief Privacy Officer
    201 W. Preston Street
    Baltimore, MD 21201
    410-767-5411 office 
    410-333-7194 fax