HIPAA Privacy Rule

The HIPAA Privacy Rule is a federal floor of privacy standards that protect individual’s health information and other identifying information by limiting the permissible uses and disclosure of such information by “covered entities” and “business associates” without an individual’s authorization. The Rule also gives individuals the right to request copies of their information and request corrections when omissions or errors exist.

This guide to the HIPAA Privacy Rule explains why it exists, who it applies to, what it protects, and how to maintain compliance. It should be used in conjunction with our free easy-to-use HIPAA Privacy Rule Checklist PDF which can be ordered by using any form on this page.

What is the Privacy Rule in the Context of HIPAA?

In the context of HIPAA, the Privacy Rule is a subpart of the Administrative Simplifications Regulations (45 CFR Parts 160,162, and 164). However, the protections provided by the Privacy Rule to individually identifiable health information apply to other subparts of the Administrative Simplification Regulations and how the standards within those subparts are applied.

For this reason, it is important for entities that are not usually required to comply with the HIPAA Privacy Rule (i.e., data storage services and vendors of personal health devices) to understand what the Rule protects and how. It can also be useful for those whose information is protected by the Privacy Rule to understand how the Rule works to prevent misconceptions.

HIPAA Privacy Rule Fact Sheet

• The Privacy Rule was published in 2002. It is one of three sets of standards that evolved from HIPAA.
• It stipulates permissible uses and disclosures of Protected Health Information and individuals´ rights
• Most health plans, health care clearinghouses, and healthcare providers are required to comply with the Privacy Rule.
• Business Associates may also be required to comply with the Privacy Rule depending on the service being provided.
• The Privacy Rule defines Protected Health Information to include identifiers maintained in the same designated record set.
• All patients and plan members must be given a Notice of Privacy Practices on the first encounter or as soon as reasonable.
• The Notice of Privacy Practices must explain what Protected Health Information may be disclosed, to whom, and why.
• The Notice of Privacy Practices must also explain an individual´s right to access, amend, or transfer their Protected Health Information.
• If organizations violate the HIPAA Rules, individuals have the right to complain to the organization or HHS´ Office for Civil Rights.
• The Office for Civil Rights has the authority to impose corrective action plans or financial penalties on noncompliant organizations.

Who Falls Under the HIPAA Privacy Rule

Before discussing what information is protected by the HIPAA Privacy Rule and how the HIPAA Privacy Standards ensure individuals´ rights, it is important to understand who the HIPAA Rules apply to because some organizations are not required to comply with every HIPAA Rule or every part of every HIPAA Rule. It is also the case that exceptions can exist to the applicability of each Rule.

Generally, health plans, health care clearinghouses, and healthcare providers that conduct electronic transactions listed in the Administrative Requirements are required to comply with the Privacy Rule, the Security Rule, and the Breach Notification Rule that was introduced as part of the HITECH Act in 2009. Collectively, these organizations are referred to as “Covered Entities”.

Additionally, Business Associates are required to comply with the Security Rule and Breach Notification Rule, and – depending on the nature of the service provided for or on behalf of a Covered Entity – any relevant standards of the Administrative Requirements and HIPAA Privacy Rule. Some of the exceptions mentioned above include:

• Health care providers that bill clients directly are not Covered Entities.
• Neither are insurance issuers who offer health insurance as a secondary benefit.
• Neither are health plans for certain types of benefits that are offered separately.
• The HIPAA Rules may apply to employers who self-administer a group health plan.
• But not to employment records containing individually identifiable health information.
• Prescription drug card sponsors are only required to comply with the HIPAA Privacy Rule.
• Vendors of personal health devices may be required to comply with the Breach Notification Rule depending on the devices´ capabilities.

To further complicate who the HIPAA Rules apply to, some organizations can be hybrid entities when some of their activities are covered by HIPAA, while others are not; or temporarily subject to the HIPAA Rules – for example, when a healthcare provider who does not qualify as a Covered Entity provides a service for or on behalf of a Covered Entity as a Business Associate. In such cases, the healthcare provider has to comply with the HIPAA Rules for as long as they are providing the service.

Why Does the HIPAA Privacy Rule Exist?

With the advent of digital technologies, storing, accessing, and sharing health data became effortless. While this technological leap forward made healthcare more streamlined and personalized, it also introduced the risk of improper use and exploitation of sensitive health data. This led to the introduction of the HIPAA Privacy Rule.

The HIPAA Privacy Rule is part of the HIPAA Administrative Simplification Regulations – regulations developed following the passage of the Health Insurance Portability and Accountability Act which had the objective of “encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information”.

To achieve this objective, the Secretary of Health and Human Services was instructed to promulgate Rules that would standardize transactions between healthcare providers and health plans (the Administrative Requirements), and that would ensure the integrity and confidentiality of health information, protect it from reasonably anticipated threats, and prevent unauthorized uses and disclosures (the Security Rule).

Additionally, the Secretary was instructed to make recommendations “with respect to the privacy of certain health information”. At a minimum, the recommendations had to include:

• The rights that an individual who is a subject of individually identifiable health information should have.
• The procedures that should be established for the exercise of such rights.
• The uses and disclosures of such information that should be authorized or required.

The instruction adds that, if Congress does not pass legislation to protect the privacy of individually identifiable health information within three years of the passage of HIPAA, the Secretary shall promulgate a further Rule addressing the minimum recommendations. Congress did not pass privacy legislation within three years and a proposed HIPAA Privacy Rule was published in 1999. After years of addressing stakeholders´ comments, the HIPPA Final Privacy Rule was published in 2002.

What Information is Protected by the HIPAA Privacy Rule?

Any individually identifiable health information relating to an individual´s past, present, or future physical or mental condition, treatment for the condition, or payment for the treatment is protected by the HIPAA Privacy Rule, along with individually identifiable non-health information maintained in the same “designated record set”.

Information maintained in a designated record set is known as Protected Health Information (PHI), even though elements of the set may not contain health information.

This definition of what information is protected by the HIPAA Privacy Rule can cause confusion because some sources claim that all information relating to an individual is protected – and that is not always the case. Individually identifiable health information and any other information that identifies – or that could be used to identify – the subject of the health information (known as an “identifier”) is protected only while it is maintained in a designated record set.

Whenever identifiers are maintained separately from individually identifiable health information, they are no longer Protected Health Information and the protections of the HIPAA Privacy Rule no longer apply. As an example, if a designated record set includes a patient´s diagnosis, their home telephone number, the name of their partner, and their healthcare payment details, all four elements of information are protected while they are maintained in the same designated record set.

However, if a separate record set is created containing a copy of the home telephone number and partner´s name (perhaps to provide the partner with an update on the patient´s health), these elements are not protected by the HIPAA Privacy Rule because there is no health information included in the record set. It is important to be aware that in such circumstances, although the HIPAA Rules do not apply, state privacy and security rules may.

How is Information Protected by the HIPAA Privacy Regulations?

The HIPAA Privacy Regulations – or “standards” – protect information by stipulating when uses and disclosures or Protected Health Information are required, permitted, or subject to an individual´s authorization. There are only two occasions when uses and disclosures are required – when an individual exercises their access rights and when access is required by HHS´ Office for Civil Rights for an investigation or compliance review. Both of these events are discussed in greater detail later.

Permissible uses and disclosures include those necessary to carry out treatment, payment, or health care operations, those required by law or for public health activities, and those necessary to avert a serious threat to health or safety. However, among the disclosures permitted by HIPAA, there are some that are required by state laws – for example, disclosures to report abuse, neglect, or domestic abuse. Some “permissible” disclosures may also be “required” during emergency incidents.

Other than the uses and disclosures required or permitted by the HIPAA Privacy Regulations – and some for which the individual should be given an opportunity to object when feasible – all other uses and disclosures of Protected Health Information are prohibited unless they are authorized by the individual who is the subject of the Protected Health Information or their personal representative. Such uses and disclosures include uses for marketing and disclosures of psychotherapy notes.

Authorizations have to be written in clear language and explain to the individual what Protected Health Information is being used or disclosed, who to, and what for. If the Covered Entity is receiving a remuneration for the use or disclosure, this has to be included in the authorization, as does a warning that the Covered Entity may have no control over further disclosures of the Protected Health Information if – for example – it is published on a social media platform.

How do the HIPAA Privacy Standards Ensure Individuals´ Rights?

The HIPAA Privacy Standards ensure individuals´ rights by first requiring covered health plans and healthcare providers to give a Notice of Privacy Practices to new patients or plan members on the “first encounter” whenever possible or as soon as reasonable afterwards.

The Notice must describe the ways in which the Covered Entity may use or disclose Protected Health Information and describe how individuals can exercise their rights to access copies of their Protected Health Information.

The right to access copies of Protected Health Information is the “required” disclosure mentioned above, but it is important for individuals to understand they are only able to access information maintained in a designated record set.

It is also important to understand that complying with an access request may take some time when multiple designated record sets are maintained per individual, or when Protected Health Information is in the possession of a Business Associate.

Once an individual has received a copy of their Protected Health Information the HIPAA Privacy Standards allows individuals to request corrections to the information if it is inaccurate or incomplete.

Individuals can also request information is transferred to another provider, or that specific information is withheld from certain organizations. For example, if a patient has paid for treatment privately, they have the right to request this information is withheld from their insurer.

Additionally, individuals have the right to request an accounting of disclosures. This document should contain a list of the times when Protected Health Information has been disclosed for reasons other than those permitted by the HIPAA Privacy Regulations or authorized by the individual themselves. Individuals have the right to query any entry on the accounting of disclosures and, if not satisfied with the response, make a complaint about their privacy rights being violated.

Who Enforces HIPAA Privacy Rules?

The Department of Health and Human Services’ Office for Civil Rights (OCR) is the enforcer of the HIPAA Privacy Rule. Noncompliance could lead to civil and criminal penalties, highlighting the importance of rigorous adherence.

What Happens if You Violate HIPAA Privacy Regulations?

The violation of privacy rights is one of the leading reasons for complaints to HHS´ Office for Civil Rights; and when a complaint is received by the agency, it has to be reviewed and investigated if it appears there has been a violation of HIPAA regulations.

When HHS´ Office for Civil Rights conducts an investigation, a Covered Entity must disclose whatever Protected Health Information is necessary – as mentioned previously in the section explaining how information is protected.

Most violations of HIPAA regulations are resolved by technical assistance or a corrective action plan. This means that the Covered Entity or Business Associate may have to develop and implement new policies and procedures to resolve the issue responsible for the violation of the HIPAA regulations. The organization may then have to train its workforce on the new policies and procedures and – depending on the scale of the violation(s) – undergo a period of compliance monitoring.

In cases where there has been a willful neglect of the HIPAA regulations, HHS´ Office for Civil Rights has the authority to impose civil monetary penalties on noncompliant organizations. Historically, financial settlements and civil monetary penalties have been reserved for the worst offenders following large-scale data breaches. However, in recent years, the agency has pursued a campaign to address violations of the HIPAA regulations that deny individuals their Privacy Rule rights.

As well as organizations being penalized for non-compliance, members of the workforce can be sanctioned as well. The degree of sanction will depend on the nature of the violation and the content of the organization´s sanctions policy. However, in the worst cases of knowing and wrongful disclosures for personal gain, cases can be referred to the Department of Justice – who can pursue custodial sentences of up to ten years and fines of up to $250,000.

HIPAA Privacy Rule Compliance Overview

To ensure HIPAA compliance the information in this article should be used in conjunction with our free easy-to-use HIPAA Privacy Rule Checklist PDF which can be ordered by using any form on this page.

Compliance with the HIPAA Privacy Rule necessitates organizational actions and technical precautions. Organizationally, covered entities and business associates must formulate and enforce privacy policies and procedures in line with the Privacy Rule.

A privacy official should be appointed to oversee the development and implementation of these policies. Regular training sessions must be held to familiarize workforce members with these guidelines.

Covered entities must also inform individuals about their privacy rights and the potential use of their information. A notice of privacy practices should be readily available for anyone requesting it.

Breaches of unsecured PHI must be reported to the individuals affected, the Secretary of Health and Human Services, and in certain circumstances, to the media.

Technically, covered entities and business associates must establish safeguards to deter unauthorized PHI access. This includes physical measures like alarm systems and locks, technical measures like access controls and encryption, and administrative measures like security management processes and designated security personnel.

For instances where PHI needs to be shared, covered entities should create contracts ensuring that business associates will protect the information. These contracts, known as Business Associate Agreements (BAAs), are a critical part of HIPAA compliance.

HIPAA Privacy Rule FAQs

What are the eighteen identifiers that determine whether health information should be protected?

There is sometimes a misconception that the eighteen “HIPAA identifiers” listed under §164.514 of the Privacy Rule are Protected Health Information at all times. This is not the case. These identifiers relate to the information that must be removed from a designated record set before any remaining health or payment information is considered de-identified under the safe harbor method.

As explained above, any identifier that is maintained in a designated record set along with health or payment information is protected while it is maintained in the same designated record set. However, when maintained in a database that does not contain health or payment information, identifiers are not protected by HIPAA – although state privacy and security laws may apply.

It is important to be aware that the list of eighteen HIPAA identifiers was compiled more than twenty years ago and has not been updated to reflect changes in how individuals can be identified. For example, if details of a patient´s emotional support animal are maintained in a designated record set, and the patient could be identified by the emotional support animal, these details also need to be removed from a designated record set before any remaining health information is de-identified.

What is the difference between health information, individually identifiable health information, and Protected Health Information?

In the context of the Privacy Rule, health (or payment) information does not include any information about who a health condition, treatment for the condition, or payment for the treatment relates to. “The patient has a broken leg” or “the patient’s treatment is being paid by Medicare” is health information for the purposes of complying with the HIPAA Privacy Rule.

As soon as any element of information is combined with health or payment information that could identify – or be used to identify – an individual, it becomes individually identifiable health information. If the identifying information is maintained by a Covered Entity or Business Associate in the same designated record set as the health information, it is Protected Health Information.

Within HIPAA, how does security differ from privacy?

The HIPAA Privacy Rule and the HIPAA Security Rule both have the same objectives with regards to protecting the confidentiality, integrity, and availability of Protected Health Information. The difference between them is that the Security Rule only applies to electronic Protected Health Information, while the Privacy Rule applies to Protected Health Information in any format.

Who enforces the HIPAA Privacy Rule?

Externally, the HIPAA Privacy Rule is enforced by the U.S. Department of Health and Human Services´ Office for Civil Rights (OCR). OCR officers are most often made aware of Privacy Rule violations via public complaints, HIPAA audits, and Covered Entities complying with their obligation to notify OCR of data breaches. OCR also enforces the HIPAA Security Rule and Breach Notification Rule.

Internally, the HIPAA Privacy Rule is enforced by a Privacy Officer. The Privacy Officer has the responsibility of conducting risk assessments, developing policies and procedures to reduce risks to a reasonable level, training members of the workforce on the policies and procedures, and enforcing the HIPAA sanctions policy for violations of the organization’s policies and procedures.

Are there specific technologies that are HIPAA compliant?

No technology is HIPAA-compliant because it is how the technology is configured and used that determines compliance, not the capabilities of the technology itself. However, if a technology is implemented that has access to Protected Health Information, a Business Associate Agreement may have to be in place with the vendor for the technology to be HIPAA compliant.

What is the Minimum Necessary Standard?

The Minimum Necessary standard stipulates that uses and disclosures of Protected Health Information must be limited to the minimum necessary to accomplish the intended purpose of the use or disclosure. The standard applies to most uses and disclosures, but there are exceptions to this standard it is important to be aware of in order to avoid unnecessary complaints.

In what circumstances can an individual object to disclosures of Protected Health Information?

These generally relate to disclosing information via a facility directory or notifying an individual’s family when (for example) an individual is admitted to hospital. Individuals can consent to limited information being disclosed in these circumstances or – if the individual is incapable of providing consent – Covered Entities can determine whether the disclosure is in the best interests of the individual. The information that can be disclosed in such circumstances is listed in §164.510.

What is the difference between individual consent and individual authorization?

For any other uses or disclosures of Protected Health Information other than those required or permitted by the Privacy Rule, an individual has to give their consent or authorization. Consent – which can be verbal – is only allowed for the uses and disclosures included in §164.510. All other uses and disclosures require a written authorization signed by the individual.

What happens if you disclose Protected Health Information without an authorization?

If you disclose Protected Health Information impermissibly, it is a violation of HIPAA. The consequences of any HIPAA violation depend on various factors such as the nature of the violation, the harm to the individual, the organization´s sanctions policy, and the previous compliance history of both the person responsible for the violation and the organization they work for.

The impermissible disclosure of Protected Health Information may qualify as a data breach – in which case both the individual and HHS´ Office of Civil Rights need to be notified of the event. If the disclosure does not qualify as a data breach, the individual can still complain to HHS´ Office for Civil Rights, who may decide to investigate the organization depending on its compliance history.

What are the 3 Rules of HIPAA?

The three Rules of HIPAA that Covered Entities are required to comply with are the Privacy Rule, the Security Rule, and the Breach Notification Rule which was introduced via the HITECH Act of 2009. There are two other Rules associated with HIPAA – the Enforcement Rule, which describes the process for compliance investigations, and the Omnibus Final Rule which, in 2013, updated the Privacy Rule and Security Rule with other measures introduce by the HITECH Act.

What is the purpose of the Privacy Rule?

The purpose of the Privacy Rule is to set a federal floor of privacy protections for individuals´ individually identifiable health information. The Privacy Rule also gives individuals an opportunity to better control how their health information is used and disclosed, to take a more active role in their healthcare, and choose the best healthcare provider for their requirements.

Who is not covered by the HIPAA Privacy Rule?

Any organization that does not qualify as a Covered Entity or that does not provide a service for or on behalf of a Covered Entity as a Business Associate is not covered by the HIPAA Privacy Rule. It is important to be aware that Business Associates are only required to comply with the Privacy Rule “where provided”, and this is usually established in a Business Associate Agreement. Additionally, some Business Associates may not be covered by the HIPAA Privacy Rule depending on the service provided and only required to comply with the Security and Breach Notification Rules.

When does the Privacy Rule not apply to health information?

The Privacy Rule does not apply to health information in a number of circumstances. These include when an organization is not a Covered Entity or Business Associate, when the health information belongs to a student and is covered by FERPA, when other – more stringent – Rules than HIPAA apply, and when an individual has authorized a use or disclosure which may be subject to further uses and disclosures that a Covered Entity has no control over (i.e., when it is published on social media).

Why is the Privacy Rule important?

Research suggests when patients believe their health information is protected, they are more willing to discuss intimate details with healthcare providers. With more information, healthcare providers can make more accurate diagnoses and prescribe more effective courses of treatment, leading to better patient outcomes, higher morale in the workplace, and increased hospital satisfaction scores.

What are HIPAA Rules and why are they different?

The HIPAA Rules are the standards within the Administrative Simplification Regulations that govern how Covered Entities must protect the privacy of Protected Health Information, how electronic Protected Health Information should be safeguarded to ensure its confidentiality, integrity, and availability, and how Covered Entities should respond in the event of an impermissible use or disclosure or a data breach.

The reason they may be considered “different” is that they are a baseline of privacy and security standards. In many states, more stringent privacy and/or security standards – or regulations providing individuals with greater access rights – preempt parts or all of HIPAA. Some states also have privacy and security standards that cross borders – protecting the individually identifiable health information of state residents wherever they are in the United States.