Broadly speaking, the HIPAA privacy rules provide that entities covered by HIPAA must restrict the use or disclosure of Protected Health Information (PHI), provide access and notice rights to individuals, and adopt certain administrative safeguards.
Protected Health Information
PHI is all individually identifiable health information not exempted by HIPAA. See PHI for a detailed discussion of what information constitutes PHI.
The HIPAA privacy rules apply to all covered entities. A covered entity includes:
- a health care provider that conducts certain transactions in electronic form (called here a “covered health care provider”),
- a health care clearinghouse, or
- a health plan.
See this chart from HHS for flowcharts to decide if an entity is a covered entity.
Covered entities may also be required to ensure that other entities performing functions for them comply with HIPAA privacy rules. Thus, a business associate of a covered entity or the plan sponsor of a group health plan (e.g., an employer) may need to obey HIPAA privacy rules. See business associate.
Privacy Rule Substantive Requirements
Use and Disclosure
The general rule is that a covered entity may not use or disclose protected health information, except as permitted or required by HIPAA regulations.
Permitted uses and disclosures
A covered entity is permitted to use or disclose protected health information as follows:
- To the individual;
- For treatment, payment, or health care operations, as permitted by and in compliance with the regulations (see § 164.506);
- Incident to a use or disclosure otherwise permitted or required by the regulations, provided that the covered entity has disclosed the minimum necessary and used reasonable safeguards (as defined by the regulations);
- With respect to psychotherapy notes or information to be used for marketing, pursuant to and in compliance with a valid authorization under special rules in the regulations (see §164.508);
- Pursuant to an agreement under, or as otherwise permitted by, §164.510; and
- To maintain facility directories and communicate with relatives and close friends as permitted by the regulations (provided the individual has been given the opportunity to object).
Required Uses and Disclosures
A covered entity is required to disclose protected health information:
- To an individual, when requested under, and required by §164.524 or §164.528 of the regulations; and
- When required by the government to investigate the covered entity's compliance with HIPAA.
Individual Access and Notices
The HIPAA privacy rule gives individuals broad rights to inspect and amend their PHI, as well as to obtain an accounting of disclosures and to request additional restrictions on the use or disclosure of their PHI.
HIPAA requires that an individual receive a notice that describes the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to PHI.
The HIPAA regulations include detailed specifications as to the content that must appear in a HIPAA privacy notice. See § 164.520(b).
A health plan must provide the notice:
- At the time of enrollment, to individuals who are new enrollees; and
- Within 60 days of a material revision to the notice, to individuals then covered by the plan.
In addition, no less frequently than once every three years, the health plan must notify individuals then covered by the plan of the availability of the notice and how to obtain the notice.
The notice does not need to be provided to dependents. The notice requirements are satisfied if notice is provided to the named insured of a policy.
Special rules apply to health providers and electronic notices.
A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.
A covered entity must designate a contact person or office who is responsible for receiving complaints and who is able to provide further information about matters covered by the HIPAA privacy notice.
A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information, as necessary and appropriate for the members of the workforce to carry out their function within the covered entity.
A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.
A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of HIPAA.
A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of HIPAA by the covered entity or its business associate.
Refraining from intimidating or retaliatory acts
A covered entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any right established by HIPAA.
Waiver of rights
A covered entity may not require individuals to waive their rights under HIPAA as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.
Policies and procedures
A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of HIPAA. Policies must be updated as the law changes.
A covered entity must maintain the policies and procedures provided for above in written or electronic form. If a communication is required by HIPAA to be in writing, the covered entity must maintain such writing, or an electronic copy, as documentation. If an action, activity, or designation is required by HIPAA to be documented, the covered entity must maintain a written or electronic record of such action, activity, or designation.
A covered entity must retain the documentation required for six years from the date of its creation or the date when it last was in effect, whichever is later.
Special Rules for Fully Insured Group Health Plans
Group health plans that are fully insured are exempt from many of the above administrative safeguard requirements if they do not generate PHI beyond enrollment information and summary health information.
Health Information Technology for Economic and Clinical Health (HITECH): HIPAA Breaches
The Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA), requires health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach in the security of their health information. Notice of a breach must also be given to the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals are reported to the HHS Secretary on an annual basis. The breach notification regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.
Definition of Unsecured PHI
A breach of HIPAA security can only occur as to unsecured PHI. This is PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary through published guidance. The interim final rule specifies encryption and destruction technology as the only “safe harbor” methods for rendering PHI secure.
Definition of Breach
A breach occurs when there is an unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of that information. The incident must create a significant risk of financial, reputational or other harm to the individual (or individuals, if a group is affected).
Timing of HIPAA Breach Notification
Notifications of a breach must be made without unreasonable delay and not later than 60 days after discovery of the breach.
Reporting a HIPAA Breach to HHS
A HIPAA breach may be reported online.
Preambles are located at 65 Fed Reg 82461 and 67 Fed Reg 53181.
- Interim Final Regulations on HITECH Breach Notification Requirements
- Interim Final Regulations on HIPAA Violation Enforcement and Penalties
See also HIPAA security for a discussion of security standards that apply to PHI.
- HHS Proposed Rule Fine-Tunes HITECH and HIPAA Requirements (BNA's Health Law Reporter)