Protected health information

Patient privacy is a top priority at Kaiser Permanente. Any information about a patient is confidential regardless of the medium upon which it is stored. Contracted providers must have documented policies and procedures for safeguarding patient privacy.

Policies and procedures should address such aspects as:

• Disclosure of health information
• Elements of a valid authorization to release health information
• Access and correction/amendment to medical records
• Handling of specially protected information such as drug and alcohol abuse, mental health, sexually transmitted diseases, reproductive care, and HIV/AIDS
• Proper disposal of confidential waste for all types of media
• Confidentiality and security training
• A confidentiality and security attestation signed by all employees

See Member rights for more information about patient access to medical records.

When providing services in Kaiser Permanente facilities, we require that you handle protected health information in a manner consistent with the Kaiser Permanente Notice of Privacy Practices . This notice applies only to services provided at a Kaiser Permanente facility. For services provided at a non-Kaiser Permanente facility, you may not rely upon Kaiser Permanente's notice to satisfy your own privacy notice obligations under the Health Insurance Portability and Accountability (HIPAA) Act.

To protect our patients, we strive to:

• Limit the use of protected health information to the minimum necessary for the intended purpose.
• Provide our employees with confidentiality and security awareness training.
• Control access to information based on the principle of legitimate business need-to-know.

All information identifying our patients is confidential, regardless of the medium upon which it is stored. Only authorized individuals with a legitimate business need-to-know may access health care information that identifies patients. Individuals using health information that identifies patients must observe appropriate confidentiality and security safeguards.

You may not disclose health information to third parties without prior authorization by the patient or the patient's legally recognized representative, except as provided by law.