
What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule protects patient privacy while enabling the flow of health information.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established national standards for the security and privacy of protected health information (PHI). HHS issued the HIPAA Privacy Rule and the HIPAA Security Rule to ensure that PHI would remain protected and secure while enabling the flow of health information.

With a thorough understanding of the HIPAA Privacy Rule and its key components, summarized below, HIPAA-covered entities and their business associates can ensure compliance and align themselves with best practices for preserving patient privacy. It is important to note that while this guide addresses the core tenets of the HIPAA Privacy Rule, it is not exhaustive.

PURPOSE, SCOPE OF THE HIPAA PRIVACY RULE

“A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being,” the HHS website states.

“The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.”

The rule also contains provisions that give patients the right to obtain copies of their health records and to ask a covered entity to transmit electronic PHI (ePHI) to a third party.

HIPAA-covered entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a HIPAA standard transaction. Business associates that create, receive, maintain, or transmit PHI on a covered entity’s behalf are not themselves covered entities, but they are directly liable for the provisions that apply to them. Both covered entities and business associates are subject to compliance and could face penalties for noncompliance.

The HIPAA Privacy Rule protects “individually identifiable health information,” which the rule refers to as PHI. Specifically, HHS explains that the rule protects information, including demographic data, relating to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual

The rule excludes de-identified health information, meaning information that meets the rule’s de-identification standard (either by removing the specified identifiers or through an expert determination that the risk of re-identification is very small) so that it no longer identifies an individual. It also excludes “employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act,” HHS explained.

A core tenet of the HIPAA Privacy Rule is the “minimum necessary” requirement, which limits uses, disclosures, and requests of PHI so that a covered entity does not share more information than the intended purpose requires.

“A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request,” HHS notes.

In the sections below, we will dive into the permitted and authorized uses and disclosures of PHI. To limit the sharing and dissemination of PHI, covered entities may disclose PHI only under the permitted uses and disclosures set out in the HIPAA Privacy Rule, or with the patient’s written authorization.

PERMITTED VS. AUTHORIZED PHI USES AND DISCLOSURES

There are six circumstances in which a covered entity may disclose PHI without the patient’s authorization.

“Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make,” HHS states.

The first permitted disclosure allows covered entities to disclose PHI to the individual that the information is about.

Secondly, a covered entity may use and disclose PHI for its own treatment, payment, and healthcare operations. For example, providers can consult with other providers and coordinate care accordingly. Covered entities, particularly health plans, are allowed to obtain premiums and determine coverage for payment purposes using PHI. In addition, covered entities can disclose or use PHI for operational activities such as quality assessments, competency assurance activities, and business administration.

The third permitted use and disclosure rule is referred to as “uses and disclosures with opportunity to agree or object.”

“Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object,” HHS explains.

“Where the individual is incapacitated, in an emergency situation, or not available, covered entities generally may make such uses and disclosures, if in the exercise of their professional judgment, the use or disclosure is determined to be in the best interests of the individual.”

For example, a healthcare facility may maintain a patient directory and disclose a patient’s location in the facility and general condition to people who ask for the patient by name, unless the patient has objected.

The fourth situation involves incidental uses and disclosures. The HIPAA Privacy Rule permits “certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure.”

The fifth circumstance in which covered entities may disclose or use PHI is for public interest and benefit activities. For example, covered entities may disclose information to government authorities if they find evidence of abuse, domestic violence, or neglect. This provision also permits the use and disclosure of PHI for law enforcement purposes, research, threats to health and safety, and workers’ compensation compliance.

The sixth and final permitted circumstance allows covered entities to disclose a limited data set, from which direct identifiers have been removed, to be used for research, public health purposes, or healthcare operations, as long as the recipient enters into a data use agreement with the covered entity.

Outside of those six circumstances, covered entities must obtain the individual’s written authorization for any use or disclosure of PHI.

“Examples of disclosures that would require an individual’s authorization include disclosures to a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, or disclosures to a pharmaceutical firm for their own marketing purposes,” HHS explains.

PATIENT RIGHTS UNDER THE HIPAA PRIVACY RULE

Along with protecting patients from improper PHI use or disclosure, the HIPAA Privacy Rule gives patients certain rights when it comes to accessing their own health information.

“The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more ‘designated record sets’ maintained by or for the covered entity,” HHS states on its website.

“This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice.”

Covered entities must provide patients with copies of their PHI upon request in a timely manner and, if a fee is charged, for a reasonable, cost-based fee. The Privacy Rule requires entities to act on a request for access within 30 calendar days, with one extension of up to 30 additional days permitted if the entity notifies the individual in writing of the reason for the delay.

There are very limited circumstances under which a covered entity can deny a request for PHI. For example, a covered entity can deny a request if the information requested is not part of a designated record set that the entity maintains, or if a licensed healthcare professional determines that providing the information is reasonably likely to endanger the life or physical safety of the individual or another person. HHS provides detailed answers to commonly asked questions surrounding patient right of access rules on its website.

Since HIPAA was enacted more than 25 years ago, additional rules and initiatives have continued to advocate for patient access rights. The passing of the HITECH Act in 2009 and the 21st Century Cures Act (signed into law in 2016) contributed to an increased focus on patients’ rights to health information.

In 2019, HHS’s Office for Civil Rights (OCR) launched the HIPAA Right of Access Initiative to enforce individuals’ right to obtain their health records in a timely manner and at a reasonable cost, as outlined in the HIPAA Privacy Rule. Since then, OCR has resolved 25 enforcement actions relating to patient health record access.
