
How HIPAA Protects Patient Privacy

HIPAA is a federal law that protects your child’s private health information.

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a federal law in the United States that helps make sure a patient’s medical records are safe and private. It covers all forms of health information.

HIPAA limits who can view and receive this information.

Health information protected by HIPAA

HIPAA protects health information in electronic, oral (spoken) or written forms. This is called protected health information (PHI) and includes: 

  • Information that a patient’s health care providers put in their medical record, such as their age, race, sex, physical or mental health, care, treatment, and services
  • Conversations providers have about a patient’s care or treatment
  • Details about a patient in St. Jude computer systems
  • Billing information about a patient

How health information is protected

St. Jude takes steps to protect a patient’s health information. These actions include:

  • Storing paper information in locked cabinets and rooms with locked doors
  • Securely storing and transmitting electronic health information  
  • Placing limits on who can see patient information
  • Limiting the information employees can view about patients to only what is needed for the employees to do their jobs
  • Training staff on how to protect patient information
  • Talking about health information only in private areas

Who can see health information

Patient information cannot be used or shared without the patient’s or legal guardian’s written permission unless the law allows it. The patient can grant written permission about who can be involved in their care and view their records. For example, without written permission, health care providers often cannot share patient information with:

  • An employer
  • St. Jude staff who are not involved in the patient’s care

HIPAA does allow patient information to be used and shared without written permission to:

  • Set up treatment and care
  • Pay doctors and hospitals for health care
  • Carry out St. Jude internal business operations
  • Share with a patient’s family, relatives, friends, or others you name who are involved with your child’s health care or health care bills, unless you say no

Patient rights under HIPAA

Patients and their legal guardians have the right to:

  • See and get a copy of the patient’s health records, except in a few cases
  • Have corrections made to a patient’s health information
  • Ask that a patient’s information not be given out, except in some cases
  • Get a Notice of Privacy Practices that tells how a patient’s health information may be used and shared
  • Decide whether to allow a patient’s health information to be used or shared for some purposes, such as for fundraising
  • Get a report called an “accounting” that tells a patient or a guardian when and why health information was shared
  • Get private information in a different way or location, rather than at a home address

If a patient or a legal guardian believes the patient’s rights are being denied or their health information is not being protected, they may file a complaint. To file a complaint, do 1 of the following:

Office for Civil Rights 
U.S. Department of Health and Human Services 
Atlanta Federal Center 
Suite 16T70 
61 Forsyth St., S.W. 
Atlanta, GA 30303-8909

(404) 562-7886 (phone)
(404) 562-7881 (fax)
(404) 331-2867 (TDD)
www.hhs.gov/ocr/hipaa

How to keep health information private

To protect health information, visit Patient Registration, located on the 1st floor of the Patient Care Center near the main lobby. Ask for a Privacy Restriction Form, then:

  • Fill out the form.
  • List who can access a patient’s health information and who should not receive it.
  • Sign the form and turn it in.

A patient’s information may be given out, even if they or their guardian say no, in these cases:

  • In an emergency, St. Jude may share a patient’s health information with their family members or other people.
  • If the law requires it or if HIPAA allows it
  • If St. Jude is legally required to share a child’s health information with a parent. St. Jude may have to share information with a parent even if:
    • That parent does not have custody of the child
    • The patient or primary caregiver does not want the information shared

If you believe that sharing this information would put your child in danger, please tell a member of the St. Jude clinical staff.
