HIPAA PRIVACY RULE: MECHANISMS FOR PERSONAL HEALTH INFORMATION PROTECTION

June 23, 2025

The Privacy Rule is one of the core rules of HIPAA which governs the conditions, timing, and circumstances under which protected health information (PHI) may be used or disclosed. It establishes standards that grant patients rights over their health data, enhancing their control over its use and disclosure. The rule restricts the use or sharing of patient information without prior patient authorization. It also ensures that patients or their representatives can access copies of their health records and request corrections to inaccuracies. This can be considered the most essential rule of HIPAA and a basis for the remaining rules.

Scope

The Privacy Rule applies directly to covered entities, such as health plans, healthcare clearinghouses, and healthcare providers, and focuses on safeguarding individually identifiable health information.

This information, known as PHI, includes data that (a) identifies an individual (or could reasonably be used to do so) and (b) pertains to (i) the individual’s past, present, or future physical or mental health or condition; (ii) the healthcare services provided to the individual; or (iii) the past, present, or future payment for those services.[1]

PHI encompasses any such information, in any format or medium, that is held or transmitted by a covered entity or its business associate. Common identifiers like names, addresses, birthdates, and Social Security Numbers are considered PHI when linked to an individual.

The Privacy Rule does not apply to health information that has been properly de-identified according to the Privacy Rule’s standards, nor does it cover health information in employment records held by a covered entity acting as an employer or education records protected under the Family Educational Rights and Privacy Act.[2]

Uses and Disclosures

  • General rule

Under the Privacy Rule, a covered entity may only use or disclose PHI as allowed or required by the Privacy Rule, or with written authorization from the individual or their personal representative.[3]

  • Required disclosures

A covered entity must disclose PHI in two cases: (1) when individuals or their representatives request access to or an accounting of their PHI disclosures, and (2) to the HHS during compliance investigations, reviews, or enforcement actions.[4]

  • Permitted uses and disclosures

A covered entity may, but is not obligated to, use or disclose PHI without an individual’s authorization in these cases:[5]

  • to the individual who is the subject of the information;
  • for treatment, payment, or health care operations;
  • when the individual has the opportunity to agree or object. Informal permission can be obtained by directly asking the person or through situations that clearly allow them to agree, consent, or object;
  • as part of an otherwise permitted use or disclosure. A covered entity may use or disclose PHI as a result of, or “incident to,” an otherwise allowed use or disclosure, provided the entity has implemented reasonable safeguards as mandated by the Privacy Rule and restricts the shared information to the “minimum necessary”;[6]
  • for public interest or benefit activities, such as when required by law or for public health activities, etc.; and
  • as a limited data set for research, public health, or health care operations.

Covered entities can use professional ethics and best judgment to decide when to make these optional disclosures.

  • Authorized Uses and Disclosures

A covered entity must secure written authorization from an individual for any use or disclosure of PHI that is not for treatment, payment, or health care operations, or otherwise permitted or required by the Privacy Rule.[7] A covered entity cannot make treatment, payment, enrollment, or eligibility for benefits contingent on an individual providing this authorization, except in specific cases.[8]

The authorization must be detailed and specific. It may permit the covered entity seeking it, or a third party, to use or disclose the PHI. All authorizations must be in plain language, and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data.

Minimization

A core element of the Privacy Rule is the “minimum necessary” principle regarding use and disclosure. A covered entity must strive to use, disclose, or request only the smallest amount of PHI necessary to achieve the intended purpose.[9] It must establish and follow policies and procedures to ensure that uses and disclosures are limited to this minimum necessary standard. When this standard applies, a covered entity cannot use, disclose, or request a complete medical record for a specific purpose unless it can clearly justify that the entire record is reasonably required for that purpose.

The minimum necessary standard does not apply in these situations: (a) disclosures to or requests by a health care provider for treatment purposes; (b) disclosures to the individual whose information is involved or their personal representative; (c) uses or disclosures authorized by the individual; (d) disclosures to the HHS for investigations, compliance reviews, or enforcement actions; (e) uses or disclosures mandated by law; or (f) uses or disclosures needed to comply with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules.[10]

Rights of Patients

  • Right to Notice[11]

Unless exempted, every covered entity must provide a notice of its privacy practices, as required by the Privacy Rule, which includes specific elements. The notice must outline how the covered entity may use and disclose PHI and detail its obligations to safeguard privacy, provide the notice, and follow its current terms. It must also inform individuals of their rights, such as the ability to file complaints with the HHS or the covered entity if they believe their privacy rights have been violated. Additionally, the notice must provide a contact point for further information and for submitting complaints to the covered entity. Covered entities are required to comply with their notices. The Privacy Rule also sets specific distribution requirements for direct treatment providers, other health care providers, and health plans.

  • Right to Access[12]

Unless specific exceptions apply, individuals have the right to inspect and obtain a copy of their PHI in a covered entity’s designated record set, which includes records used to make decisions about the individual, such as a provider’s medical and billing records or a health plan’s enrollment, payment, claims, or case management records. Exceptions to this right include psychotherapy notes, information prepared for legal proceedings, lab results restricted by the Clinical Laboratory Improvement Act (CLIA), and data held by certain research labs. A covered entity may deny access in certain cases, like when a health professional believes it could harm the individual or others, but the individual can request a review of the denial by another licensed health professional. Reasonable, cost-based fees for copying and postage may be charged.

  • Right to Amend[13]

Individuals can request corrections to inaccurate or incomplete PHI in a designated record set. If the covered entity approves the amendment, it must reasonably attempt to share the corrected information with relevant persons identified by the individual or those who might rely on the inaccurate data to the individual’s detriment. If the request is denied, the entity must provide a written explanation and allow the individual to submit a statement of disagreement to be included in the record.

  • Right to an Accounting of Disclosures[14]

Individuals are entitled to an accounting of disclosures of their PHI by a covered entity or its business associates, covering the six years prior to the request, excluding disclosures before the Privacy Rule compliance date. No accounting is required for disclosures related to treatment, payment, or health care operations; to the individual or their representative; for notifications, disaster relief, or facility directories; pursuant to an authorization; of limited data sets; for national security or intelligence; to correctional or law enforcement officials for specific purposes; or incidental to permitted uses.

  • Right to Restrict[15]

Individuals may request restrictions on the use or disclosure of their PHI for treatment, payment, or health care operations, or to individuals involved in their care, payment, or notifications about their condition, location, or death. Covered entities are not required to agree to these requests but must adhere to any restrictions they accept, except in medical emergencies where the PHI is needed for treatment.

  • Right to Confidential Communications[16]

Covered health care providers and health plans must allow individuals to request alternative methods or locations for receiving PHI communications, such as a specific address or phone number, or a sealed envelope instead of a postcard. Health plans must comply with reasonable requests if the individual states that standard disclosures could endanger them, without questioning the claim. Covered entities may require individuals to provide an alternative contact method and explain payment arrangements as a condition for honoring such requests.

Administrative Requirements

The HIPAA Privacy Rule allows covered entities, ranging from small providers to large health plans, to tailor compliance based on their size, resources, and business nature, ensuring flexibility and scalability.

Key Requirements:

  • Privacy Policies and Procedures: Covered entities must create and implement written privacy policies aligned with the Privacy Rule.[17]
  • Privacy Personnel: Entities must appoint a privacy official to oversee policy implementation and a contact person/office to handle complaints and provide privacy practice information.[18]
  • Workforce Training and Management: All workforce members (employees, volunteers, trainees, etc.) must be trained on privacy policies, and entities must enforce sanctions for violations.[19]
  • Mitigation: Entities must address and minimize harm from any improper use or disclosure of PHI by their workforce or business associates.[20]
  • Data Safeguards: Reasonable administrative, technical, and physical measures (e.g., shredding documents, securing records) must be in place to prevent unauthorized PHI use or disclosure and limit incidental disclosures.[21]
  • Complaints: Entities must establish complaint procedures, detailed in their privacy practices notice, identifying where complaints can be filed (internally and with HHS).[22]
  • Retaliation and Waiver: Entities cannot retaliate against individuals exercising Privacy Rule rights or require waiver of these rights for treatment, payment, or benefits.[23]
  • Documentation and Retention: Privacy policies, notices, complaint resolutions, and other required records must be retained for six years from creation or last effective date.[24]
  • Fully-Insured Group Health Plan Exception: Fully insured group health plans with only limited access to PHI need only comply with the non-retaliation and non-waiver rules, and with the documentation requirements if plan documents are amended to allow PHI disclosure to the plan sponsor.[25]

[1] 45 C.F.R. § 160.103.

[2] Willkie Compliance, ‘Scope of the HIPAA Privacy Rule’ <https://complianceconcourse.willkie.com/resources/privacy-and-cybersecurity-us-scope-of-the-hipaa-privacy-rule/>.

[3] 45 C.F.R. § 164.502(a).

[4] 45 C.F.R. § 164.502(a)(2).

[5] 45 C.F.R. § 164.502(a)(1).

[6] 45 C.F.R. § 164.502(a)(1)(iii).

[7] 45 C.F.R. § 164.508.

[8] 45 C.F.R. § 164.508(b)(4).

[9] 45 C.F.R. §§ 164.502(b) and 164.514(d).

[10] Kirsten Peremore, ‘Exceptions to the Minimum Necessary Standard’ (Paubox, 02 October 2023) <https://www.paubox.com/blog/exceptions-to-the-minimum-necessary-standard>.

[11] 45 C.F.R. § 164.520.

[12] 45 C.F.R. § 164.524.

[13] 45 C.F.R. § 164.526.

[14] 45 C.F.R. § 164.528.

[15] 45 C.F.R. § 164.522(a).

[16] 45 C.F.R. § 164.522(b).

[17] 45 C.F.R. § 164.530(i).

[18] 45 C.F.R. § 164.530(a).

[19] 45 C.F.R. § 160.103.

[20] 45 C.F.R. § 164.530(f).

[21] 45 C.F.R. § 164.530(c).

[22] 45 C.F.R. § 164.530(d).

[23] 45 C.F.R. § 164.530(g).

[24] 45 C.F.R. § 164.530(j).

[25] 45 C.F.R. § 164.530(k).
