HIPAA Privacy Summary


  • The Standards for Privacy of Individually Identifiable Health Information (“Privacy
    Rule”) establishes, for the first time, a set of national standards for the protection of
    certain health information. The U.S. Department of Health and Human Services
    (“HHS”) issued the Privacy Rule to implement the requirement of the Health
    Insurance Portability and Accountability Act of 1996 (“HIPAA”). 1 The Privacy Rule
    standards address the use and disclosure of individuals’ health information—called
    “protected health information” by organizations subject to the Privacy Rule — called
    “covered entities,” as well as standards for individuals’ privacy rights to understand
    and control how their health information is used. Within HHS, the Office for Civil
    Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule
    with respect to voluntary compliance activities and civil money penalties.
    A major goal of the Privacy Rule is to assure that individuals’ health information is
    properly protected while allowing the flow of health information needed to provide
    and promote high quality health care and to protect the public’s health and well being.
    The Rule strikes a balance that permits important uses of information, while
    protecting the privacy of people who seek care and healing. Given that the health
    care marketplace is diverse, the Rule is designed to be flexible and comprehensive to
    cover the variety of uses and disclosures that need to be addressed.
    This is a summary of key elements of the Privacy Rule and not a complete or
    comprehensive guide to compliance. Entities regulated by the Rule are obligated to
    comply with all of its applicable requirements and should not rely on this summary as
    a source of legal information or advice. To make it easier for entities to review the
    complete requirements of the Rule, provisions of the Rule referenced in this summary
    are cited in notes at the end of this document. To view the entire Rule, and for other
    additional helpful information about how it applies, see the OCR website:
    http://www.hhs.gov/ocr/hipaa. In the event of a conflict between this summary
    and the Rule, the Rule governs.
    Links to the OCR Guidance Document are provided throughout this paper. Provisions
    of the Rule referenced in this summary are cited in end-notes at the end of this
    document. To review the entire Rule itself, and for other additional helpful
    information about how it applies, see the OCR website:
    Statutory &
    The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public
    Law 104-191, was enacted on August 21, 1996. Sections 261 through 264 of HIPAA
    require the Secretary of HHS to publicize standards for the electronic exchange,
    privacy and security of health information. Collectively these are known as the
    Administrative Simplification provisions.
    HIPAA required the Secretary to issue privacy regulations governing individually
    identifiable health information, if Congress did not enact privacy legislation within
    OCR Privacy Rule Summary 2 Last Revised 05/03
    three years of the passage of HIPAA. Because Congress did not enact privacy
    legislation, HHS developed a proposed rule and released it for public comment on
    November 3, 1999. The Department received over 52,000 public comments. The
    final regulation, the Privacy Rule, was published December 28, 2000.2
    In March 2002, the Department proposed and released for public comment
    modifications to the Privacy Rule. The Department received over 11,000 comments.
    The final modifications were published in final form on August 14, 2002.3 A text
    combining the final regulation and the modifications can be found at 45 CFR Part
    160 and Part 164, Subparts A and E on the OCR website:
    Who is
    Covered by the
    Privacy Rule
    The Privacy Rule, as well as all the Administrative Simplification rules, apply to
    health plans, health care clearinghouses, and to any health care provider who
    transmits health information in electronic form in connection with transactions for
    which the Secretary of HHS has adopted standards under HIPAA (the “covered
    entities”). For help in determining whether you are covered, use the decision tool at:
    Health Plans. Individual and group plans that provide or pay the cost of medical
    care are covered entities.4 Health plans include health, dental, vision, and
    prescription drug insurers, health maintenance organizations (“HMOs”), Medicare,
    Medicaid, Medicare+Choice and Medicare supplement insurers, and long-term care
    insurers (excluding nursing home fixed-indemnity policies). Health plans also
    include employer-sponsored group health plans, government and church-sponsored
    health plans, and multi-employer health plans. There are exceptions—a group health
    plan with less than 50 participants that is administered solely by the employer that
    established and maintains the plan is not a covered entity. Two types of government
     funded programs are not health plans: (1) those whose principal purpose is not
    providing or paying the cost of health care, such as the food stamps program; and (2)
    those programs whose principal activity is directly providing health care, such as a
    community health center,5 or the making of grants to fund the direct provision of
    health care. Certain types of insurance entities are also not health plans, including
    entities providing only workers’ compensation, automobile insurance, and property
    and casualty insurance.
    Health Care Providers.   Every health care provider, regardless of size, who
    electronically transmits health information in connection with certain transactions, is
    a covered entity. These transactions include claims, benefit eligibility inquiries,
    referral authorization requests, or other transactions for which HHS has established
    standards under the HIPAA Transactions Rule.6 Using electronic technology, such as
    email, does not mean a health care provider is a covered entity; the transmission must
    be in connection with a standard transaction. The Privacy Rule covers a health care
    provider whether it electronically transmits these transactions directly or uses a
    billing service or other third party to do so on its behalf. Health care providers
    include all “providers of services” (e.g., institutional providers such as hospitals) and
    “providers of medical or health services” (e.g., non-institutional providers such as
    physicians, dentists and other practitioners) as defined by Medicare, and any other                                                                                                                                                                                                   person or organization that furnishes, bills, or is paid for health care.
  • Health Care Clearinghouses. Health care clearinghouses are entities that process
    nonstandard information they receive from another entity into a standard (i.e.,
    standard format or data content), or vice versa. 7 In most instances, health care
    clearinghouses will receive individually identifiable health information only when
    they are providing these processing services to a health plan or health care provider as
    a business associate. In such instances, only certain provisions of the Privacy Rule are
    applicable to the health care clearinghouse’s uses and disclosures of protected health
    information.8 Health care clearinghouses include billing services, repricing
    companies, community health management information systems, and value-added
    networks and switches if these entities perform clearinghouse functions.
    Business Associate Defined. In general, a business associate is a person or
    organization, other than a member of a covered entity’s workforce, that performs
    certain functions or activities on behalf of, or provides certain services to, a covered
    entity that involve the use or disclosure of individually identifiable health
    information. Business associate functions or activities on behalf of a covered entity
    include claims processing, data analysis, utilization review, and billing.9 Business
    associate services to a covered entity are limited to legal, actuarial, accounting,
    consulting, data aggregation, management, administrative, accreditation, or financial
    services. However, persons or organizations are not considered business associates if
    their functions or services do not involve the use or disclosure of protected health
    information, and where any access to protected health information by such persons
    would be incidental, if at all. A covered entity can be the business associate of
    another covered entity.
    Business Associate Contract. When a covered entity uses a contractor or other nonworkforce
    member to perform “business associate” services or activities, the Rule
    requires that the covered entity include certain protections for the information in a
    business associate agreement (in certain circumstances governmental entities may use
    alternative means to achieve the same protections). In the business associate contract,
    a covered entity must impose specified written safeguards on the individually
    identifiable health information used or disclosed by its business associates.10
    Moreover, a covered entity may not contractually authorize its business associate to
    make any use or disclosure of protected health information that would violate the
    Rule. Covered entities that have an existing written contract or agreement with
    business associates prior to October 15, 2002, which is not renewed or modified prior
    to April 14, 2003, are permitted to continue to operate under that contract until they
    renew the contract or April 14, 2004, whichever is first.11 Sample business associate
    contract language is available on the OCR website at:
    http://www.hhs.gov/ocr/hipaa/contractprov.html. Also see OCR “Business
    Associate” Guidance.
    Information is
    Protected Health Information. The Privacy Rule protects all “individually
    identifiable health information” held or transmitted by a covered entity or its business
    associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule
    calls this information “protected health information (PHI).”12
    “Individually identifiable health information” is information, including demographic
    data, that relates to:
    • the individual’s past, present or future physical or mental health or
    • the provision of health care to the individual, or
    • the past, present, or future payment for the provision of health care to the
    and that identifies the individual or for which there is a reasonable basis to believe
    can be used to identify the individual.13 Individually identifiable health information
    includes many common identifiers (e.g., name, address, birth date, Social Security
    The Privacy Rule excludes from protected health information employment records
    that a covered entity maintains in its capacity as an employer and education and
    certain other records subject to, or defined in, the Family Educational Rights and
    Privacy Act, 20 U.S.C. §1232g.
    De-Identified Health Information. There are no restrictions on the use or
    disclosure of de-identified health information.14 De-identified health information
    neither identifies nor provides a reasonable basis to identify an individual. There are
    two ways to de-identify information; either: 1) a formal determination by a qualified
    statistician; or 2) the removal of specified identifiers of the individual and of the
    individual’s relatives, household members, and employers is required, and is
    adequate only if the covered entity has no actual knowledge that the remaining
    information could be used to identify the individual.15
    Principle for
    Uses and
    Basic Principle. A major purpose of the Privacy Rule is to define and limit the
    circumstances in which an individual’s protected heath information may be used or
    disclosed by covered entities. A covered entity may not use or disclose protected
    health information, except either: (1) as the Privacy Rule permits or requires; or (2) as
    the individual who is the subject of the information (or the individual’s personal
    representative) authorizes in writing.16
    Required Disclosures. A covered entity must disclose protected health information
    in only two situations: (a) to individuals (or their personal representatives)
    specifically when they request access to, or an accounting of disclosures of, their
    protected health information; and (b) to HHS when it is undertaking a compliance
    investigation or review or enforcement action.17 See OCR “Government Access”
    Permitted Uses
    and Disclosures
    Permitted Uses and Disclosures. A covered entity is permitted, but not required, to
    use and disclose protected health information, without an individual’s authorization,
    for the following purposes or situations: (1) To the Individual (unless required for
    access or accounting of disclosures); (2) Treatment, Payment, and Health Care
    Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise
    permitted use and disclosure; (5) Public Interest and Benefit Activities; and(6)                                                                                                                                                                                                   Limited Data Set for the purposes of research, public health or health care
    operations.18 Covered entities may rely on professional ethics and best judgments in
    deciding which of these permissive uses and disclosures to make.
    (1) To the Individual. A covered entity may disclose protected health information to
    the individual who is the subject of the information.
    (2) Treatment, Payment, Health Care Operations. A covered entity may use and
    disclose protected health information for its own treatment, payment, and health care
    operations activities.19 A covered entity also may disclose protected health
    information for the treatment activities of any health care provider, the payment
    activities of another covered entity and of any health care provider, or the health care
    operations of another covered entity involving either quality or competency assurance
    activities or fraud and abuse detection and compliance activities, if both covered
    entities have or had a relationship with the individual and the protected health
    information pertains to the relationship. See OCR “Treatment, Payment, Health Care
    Operations” Guidance.
    Treatment is the provision, coordination, or management of health care and
    related services for an individual by one or more health care providers,
    including consultation between providers regarding a patient and referral of a
    patient by one provider to another.20
    Payment encompasses activities of a health plan to obtain premiums,
    determine or fulfill responsibilities for coverage and provision of benefits,
    and furnish or obtain reimbursement for health care delivered to an
    individual21 and activities of a health care provider to obtain payment or be
    reimbursed for the provision of health care to an individual.
    Health care operations are any of the following activities: (a) quality
    assessment and improvement activities, including case management and care
    coordination; (b) competency assurance activities, including provider or
    health plan performance evaluation, credentialing, and accreditation; (c)
    conducting or arranging for medical reviews, audits, or legal services,
    including fraud and abuse detection and compliance programs; (d) specified
    insurance functions, such as underwriting, risk rating, and reinsuring risk; (e)
    business planning, development, management, and administration; and (f)
    business management and general administrative activities of the entity,
    including but not limited to: de-identifying protected health information,
    creating a limited data set, and certain fundraising for the benefit of the
    covered entity.22
    Most uses and disclosures of psychotherapy notes for treatment, payment, and health
    care operations purposes require an authorization as described below.23
    Obtaining “consent” (written permission from individuals to use and disclose their
    protected health information for treatment, payment, and health care operations) is
    optional under the Privacy Rule for all covered entities.24 The content of a consent
    form, and the process for obtaining consent, are at the discretion of the covered entity
    electing to seek consent.(3) Uses and Disclosures with Opportunity to Agree or Object. Informal
    permission may be obtained by asking the individual outright, or by circumstances
    that clearly give the individual the opportunity to agree, acquiesce, or object. Where
    the individual is incapacitated, in an emergency situation, or not available, covered
    entities generally may make such uses and disclosures, if in the exercise of their
    professional judgment, the use or disclosure is determined to be in the best interests
    of the individual.
    Facility Directories. It is a common practice in many health care facilities,
    such as hospitals, to maintain a directory of patient contact information. A
    covered health care provider may rely on an individual’s informal permission
    to list in its facility directory the individual’s name, general condition,
    religious affiliation, and location in the provider’s facility.25 The provider
    may then disclose the individual’s condition and location in the facility to
    anyone asking for the individual by name, and also may disclose religious
    affiliation to clergy. Members of the clergy are not required to ask for the
    individual by name when inquiring about patient religious affiliation.
    For Notification and Other Purposes. A covered entity also may rely on an
    individual’s informal permission to disclose to the individual’s family,
    relatives, or friends, or to other persons whom the individual identifies,
    protected health information directly relevant to that person’s involvement in
    the individual’s care or payment for care. 26 This provision, for example,
    allows a pharmacist to dispense filled prescriptions to a person acting on
    behalf of the patient. Similarly, a covered entity may rely on an individual’s
    informal permission to use or disclose protected health information for the
    purpose of notifying (including identifying or locating) family members,
    personal representatives, or others responsible for the individual’s care of the
    individual’s location, general condition, or death. In addition, protected
    health information may be disclosed for notification purposes to public or
    private entities authorized by law or charter to assist in disaster relief efforts.
    (4) Incidental Use and Disclosure. The Privacy Rule does not require that every
    risk of an incidental use or disclosure of protected health information be eliminated.
    A use or disclosure of this information that occurs as a result of, or as “incident to,”
    an otherwise permitted use or disclosure is permitted as long as the covered entity has
    adopted reasonable safeguards as required by the Privacy Rule, and the information
    being shared was limited to the “minimum necessary,” as required by the Privacy
    Rule.27 See OCR “Incidental Uses and Disclosures” Guidance.
    (5) Public Interest and Benefit Activities. The Privacy Rule permits use and
    disclosure of protected health information, without an individual’s authorization or
    permission, for 12 national priority purposes.28 These disclosures are permitted,
    although not required, by the Rule in recognition of the important uses made of health
    information outside of the health care context. Specific conditions or limitations
    apply to each public interest purpose, striking the balance between the individual
    privacy interest and the public interest need for this information.
    Required by Law. Covered entities may use and disclose protected health
    information without individual authorization as required by law (including by
    statute, regulation, or court orders).29
    Public Health Activities. Covered entities may disclose protected health
    information to: (1) public health authorities authorized by law to collect or
    receive such information for preventing or controlling disease, injury, or
    disability and to public health or other government authorities authorized to
    receive reports of child abuse and neglect; (2) entities subject to FDA
    regulation regarding FDA regulated products or activities for purposes such
    as adverse event reporting, tracking of products, product recalls, and postmarketing
    surveillance; (3) individuals who may have contracted or been
    exposed to a communicable disease when notification is authorized by law;
    and (4) employers, regarding employees, when requested by employers, for
    information concerning a work-related illness or injury or workplace related
    medical surveillance, because such information is needed by the employer to
    comply with the Occupational Safety and Health Administration (OHSA),
    the Mine Safety and Health Administration (MHSA), or similar state law.30
    See OCR “Public Health” Guidance; CDC Public Health and HIPAA
    Victims of Abuse, Neglect or Domestic Violence. In certain circumstances,
    covered entities may disclose protected health information to appropriate
    government authorities regarding victims of abuse, neglect, or domestic
    Health Oversight Activities. Covered entities may disclose protected health
    information to health oversight agencies (as defined in the Rule) for purposes
    of legally authorized health oversight activities, such as audits and
    investigations necessary for oversight of the health care system and
    government benefit programs.32
    Judicial and Administrative Proceedings. Covered entities may disclose
    protected health information in a judicial or administrative proceeding if the
    request for the information is through an order from a court or administrative
    tribunal. Such information may also be disclosed in response to a subpoena
    or other lawful process if certain assurances regarding notice to the individual
    or a protective order are provided.33
    Law Enforcement Purposes. Covered entities may disclose protected health
    information to law enforcement officials for law enforcement purposes under
    the following six circumstances, and subject to specified conditions: (1) as
    required by law (including court orders, court-ordered warrants, subpoenas)
    and administrative requests; (2) to identify or locate a suspect, fugitive,
    material witness, or missing person; (3) in response to a law enforcement
    official’s request for information about a victim or suspected victim of a
    crime; (4) to alert law enforcement of a person’s death, if the covered entity
    suspects that criminal activity caused the death; (5) when a covered entity
    believes that protected health information is evidence of a crime that
    occurred on its premises; and (6) by a covered health care provider in a
    medical emergency not occurring on its premises, when necessary to inform
    law enforcement about the commission and nature of a crime, the location of
    the crime or crime victims, and the perpetrator of the crime.34Decedents.
  • Covered entities may disclose protected health information to
    funeral directors as needed, and to coroners or medical examiners to identify
    a deceased person, determine the cause of death, and perform other functions
    authorized by law.35
    Cadaveric Organ, Eye, or Tissue Donation. Covered entities may use or
    disclose protected health information to facilitate the donation and
    transplantation of cadaveric organs, eyes, and tissue.36
    Research. “Research” is any systematic investigation designed to develop or
    contribute to generalizable knowledge.37 The Privacy Rule permits a covered
    entity to use and disclose protected health information for research purposes,
    without an individual’s authorization, provided the covered entity obtains
    either: (1) documentation that an alteration or waiver of individuals’
    authorization for the use or disclosure of protected health information about
    them for research purposes has been approved by an Institutional Review
    Board or Privacy Board; (2) representations from the researcher that the use
    or disclosure of the protected health information is solely to prepare a
    research protocol or for similar purpose preparatory to research, that the
    researcher will not remove any protected health information from the covered
    entity, and that protected health information for which access is sought is
    necessary for the research; or (3) representations from the researcher that the
    use or disclosure sought is solely for research on the protected health
    information of decedents, that the protected health information sought is
    necessary for the research, and, at the request of the covered entity,
    documentation of the death of the individuals about whom information is
    sought.38 A covered entity also may use or disclose, without an individuals’
    authorization, a limited data set of protected health information for research
    purposes (see discussion below).39 See OCR “Research” Guidance; NIH
    Protecting PHI in Research.
    Serious Threat to Health or Safety. Covered entities may disclose protected
    health information that they believe is necessary to prevent or lessen a serious
    and imminent threat to a person or the public, when such disclosure is made
    to someone they believe can prevent or lessen the threat (including the target
    of the threat). Covered entities may also disclose to law enforcement if the
    information is needed to identify or apprehend an escapee or violent
    Essential Government Functions. An authorization is not required to use or
    disclose protected health information for certain essential government
    functions. Such functions include: assuring proper execution of a military
    mission, conducting intelligence and national security activities that are
    authorized by law, providing protective services to the President, making
    medical suitability determinations for U.S. State Department employees,
    protecting the health and safety of inmates or employees in a correctional
    institution, and determining eligibility for or conducting enrollment in certain
    government benefit programs.41Workers’ Compensation. Covered entities may disclose
    protected health information as authorized by, and to comply with, workers’ compensation
    laws and other similar programs providing benefits for work-related injuries
    or illnesses.42 See OCR “Workers’ Compensation” Guidance.
    (6) Limited Data Set. A limited data set is protected health information from which
    certain specified direct identifiers of individuals and their relatives, household
    members, and employers have been removed.43 A limited data set may be used and
    disclosed for research, health care operations, and public health purposes, provided
    the recipient enters into a data use agreement promising specified safeguards for the
    protected health information within the limited data set.
    Uses and
    Authorization. A covered entity must obtain the individual’s written authorization
    for any use or disclosure of protected health information that is not for treatment,
    payment or health care operations or otherwise permitted or required by the Privacy
    Rule.44 A covered entity may not condition treatment, payment, enrollment, or
    benefits eligibility on an individual granting an authorization, except in limited
    An authorization must be written in specific terms. It may allow use and disclosure
    of protected health information by the covered entity seeking the authorization, or by
    a third party. Examples of disclosures that would require an individual’s
    authorization include disclosures to a life insurer for coverage purposes, disclosures
    to an employer of the results of a pre-employment physical or lab test, or disclosures
    to a pharmaceutical firm for their own marketing purposes.
    All authorizations must be in plain language, and contain specific information
    regarding the information to be disclosed or used, the person(s) disclosing and
    receiving the information, expiration, right to revoke in writing, and other data. The
    Privacy Rule contains transition provisions applicable to authorizations and other
    express legal permissions obtained prior to April 14, 2003. 46
    Psychotherapy Notes47. A covered entity must obtain an individual’s authorization
    to use or disclose psychotherapy notes with the following exceptions48:
    • The covered entity who originated the notes may use them for treatment.
    • A covered entity may use or disclose, without an individual’s authorization,
    the psychotherapy notes, for its own training, and to defend itself in legal
    proceedings brought by the individual, for HHS to investigate or determine
    the covered entity’s compliance with the Privacy Rules, to avert a serious and
    imminent threat to public health or safety, to a health oversight agency for
    lawful oversight of the originator of the psychotherapy notes, for the lawful
    activities of a coroner or medical examiner or as required by law.
    Marketing. Marketing is any communication about a product or service that
    encourages recipients to purchase or use the product or service.49 The Privacy Rule
    carves out the following health-related activities from this definition of marketing:
    • Communications to describe health-related products or services, or payment for making
    the communication; them, provided by or included in a benefit plan of the covered entity
    • Communications about participating providers in a provider or health plan
    network, replacement of or enhancements to a health plan, and health-related
    products or services available only to a health plan’s enrollees that add value
    to, but are not part of, the benefits plan;
    • Communications for treatment of the individual; and
    • Communications for case management or care coordination for the
    individual, or to direct or recommend alternative treatments, therapies,
    health care providers, or care settings to the individual.
    Marketing also is an arrangement between a covered entity and any other entity
    whereby the covered entity discloses protected health information, in exchange for
    direct or indirect remuneration, for the other entity to communicate about its own
    products or services encouraging the use or purchase of those products or services.
    A covered entity must obtain an authorization to use or disclose protected health
    information for marketing, except for face-to-face marketing communications
    between a covered entity and an individual, and for a covered entity’s provision of
    promotional gifts of nominal value. No authorization is needed, however, to make a
    communication that falls within one of the exceptions to the marketing definition.
    An authorization for marketing that involves the covered entity’s receipt of direct or
    indirect remuneration from a third party must reveal that fact. See OCR “Marketing”
    Limiting Uses
    and Disclosures
    to the
    Minimum Necessary. A central aspect of the Privacy Rule is the principle of
    “minimum necessary” use and disclosure. A covered entity must make reasonable
    efforts to use, disclose, and request only the minimum amount of protected health
    information needed to accomplish the intended purpose of the use, disclosure, or
    request.50 A covered entity must develop and implement policies and procedures to
    reasonably limit uses and disclosures to the minimum necessary. When the minimum
    necessary standard applies to a use or disclosure, a covered entity may not use,
    disclose, or request the entire medical record for a particular purpose, unless it can
    specifically justify the whole record as the amount reasonably needed for the purpose.
    See OCR “Minimum Necessary” Guidance.
    The minimum necessary requirement is not imposed in any of the following
    circumstances: (a) disclosure to or a request by a health care provider for treatment;
    (b) disclosure to an individual who is the subject of the information, or the
    individual’s personal representative; (c) use or disclosure made pursuant to an
    authorization; (d) disclosure to HHS for complaint investigation, compliance review
    or enforcement; (e) use or disclosure that is required by law; or (f) use or disclosure
    required for compliance with the HIPAA Transactions Rule or other HIPAA
    Administrative Simplification Rules.
    Access and Uses. For internal uses, a covered entity must develop and implement
    policies and procedures that restrict access and uses of protected health information
    based on the specific roles of the members of their workforce. These policies and
    procedures must identify the persons, or classes of persons, in the workforce who
    need access to protected health information to carry out their duties, the categories of                                                                                                                                                                               protected health information to which access is needed, and any conditions under
    which they need the information to do their jobs.
    Disclosures and Requests for Disclosures. Covered entities must establish and
    implement policies and procedures (which may be standard protocols) for routine,
    recurring disclosures, or requests for disclosures, that limits the protected health
    information disclosed to that which is the minimum amount reasonably necessary to
    achieve the purpose of the disclosure. Individual review of each disclosure is not
    required. For non-routine, non-recurring disclosures, or requests for disclosures that
    it makes, covered entities must develop criteria designed to limit disclosures to the
    information reasonably necessary to accomplish the purpose of the disclosure and
    review each of these requests individually in accordance with the established criteria.
    Reasonable Reliance. If another covered entity makes a request for protected health
    information, a covered entity may rely, if reasonable under the circumstances, on the
    request as complying with this minimum necessary standard. Similarly, a covered
    entity may rely upon requests as being the minimum necessary protected health
    information from: (a) a public official, (b) a professional (such as an attorney or
    accountant) who is the covered entity’s business associate, seeking the information to
    provide services to or for the covered entity; or (c) a researcher who provides the
    documentation or representation required by the Privacy Rule for research.
    Notice and
    Privacy Practices Notice. Each covered entity, with certain exceptions, must
    provide a notice of its privacy practices.51 The Privacy Rule requires that the notice
    contain certain elements. The notice must describe the ways in which the covered
    entity may use and disclose protected health information. The notice must state the
    covered entity’s duties to protect privacy, provide a notice of privacy practices, and
    abide by the terms of the current notice. The notice must describe individuals’ rights,
    including the right to complain to HHS and to the covered entity if they believe their
    privacy rights have been violated. The notice must include a point of contact for
    further information and for making complaints to the covered entity. Covered entities
    must act in accordance with their notices. The Rule also contains specific
    distribution requirements for direct treatment providers, all other health care
    providers, and health plans. See OCR “Notice” Guidance.
    Notice Distribution. A covered health care provider with a direct treatment
    relationship with individuals must deliver a privacy practices notice to
    patients starting April 14, 2003 as follows:
    o Not later than the first service encounter by personal delivery (for
    patient visits), by automatic and contemporaneous electronic
    response (for electronic service delivery), and by prompt mailing (for
    telephonic service delivery);
    o By posting the notice at each service delivery site in a clear and
    prominent place where people seeking service may reasonably be
    expected to be able to read the notice; and
    o In emergency treatment situations, the provider must furnish its
    notice as soon as practicable after the emergency abates.Covered entities,
  • whether direct treatment providers or indirect treatment
    providers (such as laboratories) or health plans must supply notice to anyone
    on request.52 A covered entity must also make its notice electronically
    available on any web site it maintains for customer service or benefits
    The covered entities in an organized health care arrangement may use a joint
    privacy practices notice, as long as each agrees to abide by the notice content
    with respect to the protected health information created or received in
    connection with participation in the arrangement.53 Distribution of a joint
    notice by any covered entity participating in the organized health care
    arrangement at the first point that an OHCA member has an obligation to
    provide notice satisfies the distribution obligation of the other participants in
    the organized health care arrangement.
    A health plan must distribute its privacy practices notice to each of its
    enrollees by its Privacy Rule compliance date. Thereafter, the health plan
    must give its notice to each new enrollee at enrollment, and send a reminder
    to every enrollee at least once every three years that the notice is available
    upon request. A health plan satisfies its distribution obligation by furnishing
    the notice to the “named insured,” that is, the subscriber for coverage that
    also applies to spouses and dependents.
    Acknowledgement of Notice Receipt. A covered health care provider with
    a direct treatment relationship with individuals must make a good faith effort
    to obtain written acknowledgement from patients of receipt of the privacy
    practices notice.54 The Privacy Rule does not prescribe any particular content
    for the acknowledgement. The provider must document the reason for any
    failure to obtain the patient’s written acknowledgement. The provider is
    relieved of the need to request acknowledgement in an emergency treatment
    Access. Except in certain circumstances, individuals have the right to review and
    obtain a copy of their protected health information in a covered entity’s designated
    record set.55 The “designated record set” is that group of records maintained by or
    for a covered entity that is used, in whole or part, to make decisions about
    individuals, or that is a provider’s medical and billing records about individuals or a
    health plan’s enrollment, payment, claims adjudication, and case or medical
    management record systems.56 The Rule excepts from the right of access the
    following protected health information: psychotherapy notes, information compiled
    for legal proceedings, laboratory results to which the Clinical Laboratory
    Improvement Act (CLIA) prohibits access, or information held by certain research
    laboratories. For information included within the right of access, covered entities
    may deny an individual access in certain specified situations, such as when a health
    care professional believes access could cause harm to the individual or another. In
    such situations, the individual must be given the right to have such denials reviewed
    by a licensed health care professional for a second opinion.57 Covered entities may
    impose reasonable, cost-based fees for the cost of copying and postage.
    Amendment. The Rule gives individuals the right to have covered entities amend
    their protected health information in a designated record set when that information is
  • inaccurate or incomplete. 58 If a covered entity accepts an amendment request, it must
    make reasonable efforts to provide the amendment to persons that the individual has
    identified as needing it, and to persons that the covered entity knows might rely on
    the information to the individual’s detriment.59 If the request is denied, covered
    entities must provide the individual with a written denial and allow the individual to
    submit a statement of disagreement for inclusion in the record. The Rule specifies
    processes for requesting and responding to a request for amendment. A covered
    entity must amend protected health information in its designated record set upon
    receipt of notice to amend from another covered entity.
    Disclosure Accounting. Individuals have a right to an accounting of the disclosures
    of their protected health information by a covered entity or the covered entity’s
    business associates.60 The maximum disclosure accounting period is the six years
    immediately preceding the accounting request, except a covered entity is not
    obligated to account for any disclosure made before its Privacy Rule compliance date.
    The Privacy Rule does not require accounting for disclosures: (a) for treatment,
    payment, or health care operations; (b) to the individual or the individual’s personal
    representative; (c) for notification of or to persons involved in an individual’s health
    care or payment for health care, for disaster relief, or for facility directories; (d)
    pursuant to an authorization; (e) of a limited data set; (f) for national security or
    intelligence purposes; (g) to correctional institutions or law enforcement officials for
    certain purposes regarding inmates or individuals in lawful custody; or (h) incident to
    otherwise permitted or required uses or disclosures. Accounting for disclosures to
    health oversight agencies and law enforcement officials must be temporarily
    suspended on their written representation that an accounting would likely impede
    their activities.
    Restriction Request. Individuals have the right to request that a covered entity
    restrict use or disclosure of protected health information for treatment, payment or
    health care operations, disclosure to persons involved in the individual’s health care
    or payment for health care, or disclosure to notify family members or others about the
    individual’s general condition, location, or death.61 A covered entity is under no
    obligation to agree to requests for restrictions. A covered entity that does agree must
    comply with the agreed restrictions, except for purposes of treating the individual in a
    medical emergency.62
    Confidential Communications Requirements. Health plans and covered health
    care providers must permit individuals to request an alternative means or location for
    receiving communications of protected health information by means other than those
    that the covered entity typically employs.63 For example, an individual may request
    that the provider communicate with the individual through a designated address or
    phone number. Similarly, an individual may request that the provider send
    communications in a closed envelope rather than a post card.
    Health plans must accommodate reasonable requests if the individual indicates that
    the disclosure of all or part of the protected health information could endanger the
    individual. The health plan may not question the individual’s statement of
    endangerment. Any covered entity may condition compliance with a confidential
    communication request on the individual specifying an alternative address or method
    of contact and explaining how any payment will be handled.Administrative
    HHS recognizes that covered entities range from the smallest provider to the largest,
    multi-state health plan. Therefore the flexibility and scalability of the Rule are
    intended to allow covered entities to analyze their own needs and implement
    solutions appropriate for their own environment. What is appropriate for a particular
    covered entity will depend on the nature of the covered entity’s business, as well as
    the covered entity’s size and resources.
    Privacy Policies and Procedures. A covered entity must develop and implement
    written privacy policies and procedures that are consistent with the Privacy Rule.64
    Privacy Personnel. A covered entity must designate a privacy official responsible
    for developing and implementing its privacy policies and procedures, and a contact
    person or contact office responsible for receiving complaints and providing
    individuals with information on the covered entity’s privacy practices.65
    Workforce Training and Management. Workforce members include employees,
    volunteers, trainees, and may also include other persons whose conduct is under the
    direct control of the entity (whether or not they are paid by the entity).66 A covered
    entity must train all workforce members on its privacy policies and procedures, as
    necessary and appropriate for them to carry out their functions.67 A covered entity
    must have and apply appropriate sanctions against workforce members who violate
    its privacy policies and procedures or the Privacy Rule.68
    Mitigation. A covered entity must mitigate, to the extent practicable, any harmful
    effect it learns was caused by use or disclosure of protected health information by its
    workforce or its business associates in violation of its privacy policies and procedures
    or the Privacy Rule.69
    Data Safeguards. A covered entity must maintain reasonable and appropriate
    administrative, technical, and physical safeguards to prevent intentional or
    unintentional use or disclosure of protected health information in violation of the
    Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise
    permitted or required use or disclosure.70 For example, such safeguards might
    include shredding documents containing protected health information before
    discarding them, securing medical records with lock and key or pass code, and
    limiting access to keys or pass codes. See OCR “Incidental Uses and Disclosures”
    Complaints. A covered entity must have procedures for individuals to complain
    about its compliance with its privacy policies and procedures and the Privacy Rule.71
    The covered entity must explain those procedures in its privacy practices notice.72
    Among other things, the covered entity must identify to whom individuals can submit
    complaints to at the covered entity and advise that complaints also can be submitted
    to the Secretary of HHS.
    Retaliation and Waiver. A covered entity may not retaliate against a person for
    exercising rights provided by the Privacy Rule, for assisting in an investigation by
    HHS or another appropriate authority, or for opposing an act or practice that the
    person believes in good faith violates the Privacy Rule.73 A covered entity may not
  • require an individual to waive any right under the Privacy Rule as a condition for
    obtaining treatment, payment, and enrollment or benefits eligibility.74
    Documentation and Record Retention. A covered entity must maintain, until six
    years after the later of the date of their creation or last effective date, its privacy
    policies and procedures, its privacy practices notices, disposition of complaints, and
    other actions, activities, and designations that the Privacy Rule requires to be
    Fully-Insured Group Health Plan Exception. The only administrative obligations
    with which a fully-insured group health plan that has no more than enrollment data
    and summary health information is required to comply are the (1) ban on retaliatory
    acts and waiver of individual rights, and (2) documentation requirements with respect
    to plan documents if such documents are amended to provide for the disclosure of
    protected health information to the plan sponsor by a health insurance issuer or HMO
    that services the group health plan.76
    The Rule contains provisions that address a variety of organizational issues that may
    affect the operation of the privacy protections.
    Hybrid Entity. The Privacy Rule permits a covered entity that is a single legal entity
    and that conducts both covered and non-covered functions to elect to be a “hybrid
    entity.”77 (The activities that make a person or organization a covered entity are its
    “covered functions.”78) To be a hybrid entity, the covered entity must designate in
    writing its operations that perform covered functions as one or more “health care
    components.” After making this designation, most of the requirements of the Privacy
    Rule will apply only to the health care components. A covered entity that does not
    make this designation is subject in its entirety to the Privacy Rule.
    Affiliated Covered Entity. Legally separate covered entities that are affiliated by
    common ownership or control may designate themselves (including their health care
    components) as a single covered entity for Privacy Rule compliance.79 The
    designation must be in writing. An affiliated covered entity that performs multiple
    covered functions must operate its different covered functions in compliance with the
    Privacy Rule provisions applicable to those covered functions.
    Organized Health Care Arrangement. The Privacy Rule identifies relationships in
    which participating covered entities share protected health information to manage and
    benefit their common enterprise as “organized health care arrangements.”80 Covered
    entities in an organized health care arrangement can share protected health
    information with each other for the arrangement’s joint health care operations.81
    Covered Entities With Multiple Covered Functions. A covered entity that
    performs multiple covered functions must operate its different covered functions in
    compliance with the Privacy Rule provisions applicable to those covered functions.82
    The covered entity may not use or disclose the protected health information of an
    individual who receives services from one covered function (e.g., health care
    provider) for another covered function (e.g., health plan) if the individual is not
    involved with the other function.
  • Group Health Plan disclosures to Plan Sponsors. A group health plan and the
    health insurer or HMO offered by the plan may disclose the following protected
    health information to the “plan sponsor”—the employer, union, or other employee
    organization that sponsors and maintains the group health plan83:
    • Enrollment or disenrollment information with respect to the group health
    plan or a health insurer or HMO offered by the plan.
    • If requested by the plan sponsor, summary health information for the plan
    sponsor to use to obtain premium bids for providing health insurance
    coverage through the group health plan, or to modify, amend, or terminate
    the group health plan. “Summary health information” is information that
    summarizes claims history, claims expenses, or types of claims experience of
    the individuals for whom the plan sponsor has provided health benefits
    through the group health plan, and that is stripped of all individual identifiers
    other than five digit zip code (though it need not qualify as de-identified
    protected health information).
    • Protected health information of the group health plan’s enrollees for the plan
    sponsor to perform plan administration functions. The plan must receive
    certification from the plan sponsor that the group health plan document has
    been amended to impose restrictions on the plan sponsor’s use and disclosure
    of the protected health information. These restrictions must include the
    representation that the plan sponsor will not use or disclose the protected
    health information for any employment-related action or decision or in
    connection with any other benefit plan.
    and Minors
    Personal Representatives. The Privacy Rule requires a covered entity to treat a
    “personal representative” the same as the individual, with respect to uses and
    disclosures of the individual’s protected health information, as well as the
    individual’s rights under the Rule.84 A personal representative is a person legally
    authorized to make health care decisions on an individual’s behalf or to act for a
    deceased individual or the estate. The Privacy Rule permits an exception when a
    covered entity has a reasonable belief that the personal representative may be abusing
    or neglecting the individual, or that treating the person as the personal representative
    could otherwise endanger the individual.
    Special case: Minors. In most cases, parents are the personal representatives for
    their minor children. Therefore, in most cases, parents can exercise individual rights,
    such as access to the medical record, on behalf of their minor children. In certain
    exceptional cases, the parent is not considered the personal representative. In these
    situations, the Privacy Rule defers to State and other law to determine the rights of
    parents to access and control the protected health information of their minor children.
    If State and other law is silent concerning parental access to the minor’s protected
    health information, a covered entity has discretion to provide or deny a parent access
    to the minor’s health information, provided the decision is made by a licensed health
    care professional in the exercise of professional judgment. See OCR “Personal
    Representatives” Guidance.State Law
    Preemption. In general, State laws that are contrary to the Privacy Rule are
    preempted by the federal requirements, which means that the federal requirements
    will apply.85 “Contrary” means that it would be impossible for a covered entity to
    comply with both the State and federal requirements, or that the provision of State
    law is an obstacle to accomplishing the full purposes and objectives of the
    Administrative Simplification provisions of HIPAA.86 The Privacy Rule provides
    exceptions to the general rule of federal preemption for contrary State laws that (1)
    relate to the privacy of individually identifiable health information and provide
    greater privacy protections or privacy rights with respect to such information, (2)
    provide for the reporting of disease or injury, child abuse, birth, or death, or for
    public health surveillance, investigation, or intervention, or (3) require certain health
    plan reporting, such as for management or financial audits.
    Exception Determination. In addition, preemption of a contrary State law will not
    occur if HHS determines, in response to a request from a State or other entity or
    person, that the State law:
    • Is necessary to prevent fraud and abuse related to the provision of or payment
    for health care,
    • Is necessary to ensure appropriate State regulation of insurance and health
    plans to the extent expressly authorized by statute or regulation,
    • Is necessary for State reporting on health care delivery or costs,
    • Is necessary for purposes of serving a compelling public health, safety, or
    welfare need, and, if a Privacy Rule provision is at issue, if the Secretary
    determines that the intrusion into privacy is warranted when balanced against
    the need to be served; or
    • Has as its principal purpose the regulation of the manufacture, registration,
    distribution, dispensing, or other control of any controlled substances (as
    defined in 21 U.S.C. 802), or that is deemed a controlled substance by State
    and Penalties
    Compliance. Consistent with the principles for achieving compliance provided in
    the Rule, HHS will seek the cooperation of covered entities and may provide
    technical assistance to help them comply voluntarily with the Rule.87 The Rule
    provides processes for persons to file complaints with HHS, describes the
    responsibilities of covered entities to provide records and compliance reports and to
    cooperate with, and permit access to information for, investigations and compliance
    Civil Money Penalties. HHS may impose civil money penalties on a covered entity
    of $100 per failure to comply with a Privacy Rule requirement.88 That penalty may
    not exceed $25,000 per year for multiple violations of the identical Privacy Rule
    requirement in a calendar year. HHS may not impose a civil money penalty under
    specific circumstances, such as when a violation is due to reasonable cause and did
    not involve willful neglect and the covered entity corrected the violation within 30
    days of when it knew or should have known of the violation.
  • Criminal Penalties. A person who knowingly obtains or discloses individually
    identifiable health information in violation of HIPAA faces a fine of $50,000 and up
    to one-year imprisonment.89 The criminal penalties increase to $100,000 and up to
    five years imprisonment if the wrongful conduct involves false pretenses, and to
    $250,000 and up to ten years imprisonment if the wrongful conduct involves the
    intent to sell, transfer, or use individually identifiable health information for
    commercial advantage, personal gain, or malicious harm. Criminal sanctions will be
    enforced by the Department of Justice.
    Compliance Schedule. All covered entities, except “small health plans,” must be
    compliant with the Privacy Rule by April 14, 2003.90 Small health plans, however,
    have until April 14, 2004 to comply.
    Small Health Plans. A health plan with annual receipts of not more than $5 million
    is a small health plan.91 Health plans that file certain federal tax returns and report
    receipts on those returns should use the guidance provided by the Small Business
    Administration at 13 Code of Federal Regulations (CFR) 121.104 to calculate annual
    receipts. Health plans that do not report receipts to the Internal Revenue Service
    (IRS), for example, group health plans regulated by the Employee Retirement Income
    Security Act 1974 (ERISA) that are exempt from filing income tax returns, should
    use proxy measures to determine their annual receipts.92
    See What constitutes a small health plan?
    Copies of the
    Rule & Related
    The entire Privacy Rule, as well as guidance and additional materials, may be found  
  • on our website, http://www.hhs.gov/ocr/hipaa.