HIPAA Privacy Guidelines
The HIPAA privacy guidelines were first introduced in 2002 with the aim of protecting the privacy of patient health information without obstructing the flow of information required to provide treatment and to give patients more control over their health information. The guidelines defined what data should be considered Protected Health Information (PHI), who should be allowed access to it, when it could be disclosed, and for what purposes.
The HIPAA privacy guidelines apply to covered entities, their business associates, and any subcontractors with whom PHI is shared. Covered entities are generally health plans, healthcare clearinghouses, and healthcare providers, while business associates and subcontractors can range in their activities from accountants and auditors to website designers and website hosting companies.
What is Protected Health Information?
The HIPAA privacy guidelines define PHI as any “individually identifiable health information” and any non-health information maintained with the health information that could reveal a patient’s identity. This definition covers not only information such as name, address, ZIP code, or telephone number (when maintained with health information in the same data set), but also any information that could be used to identify a patient and that relates to:
- the past, present or future physical or mental condition of a patient,
- the provision of any treatment or healthcare service to a patient, or
- the past, present, or future payment for treatment or healthcare services to a patient.
Consequently, car registration numbers, health plan coverage, and even examples of a patient’s handwriting can be PHI. Importantly, PHI can be in image and video format as well as recorded in written or electronic format.
Therefore, if a medical professional took a photograph of a patient’s eczema in order to collaborate on the patient’s condition with colleagues, and the identity of the patient could be determined by a distinguishing feature, the photograph would be considered PHI under the HIPAA privacy guidelines.
PHI: Who, When and for What?
There are three types of uses and disclosures – those that are required, those that are permitted, and those which require patient authorization – notwithstanding that a patient has the right to object to any permitted use or disclosure of their PHI and restrict who it is shared with. Additionally, patients can ensure their wishes have been adhered to by requesting an “accounting of disclosures” at any time.
The required uses and disclosures are when a patient requests access to their PHI (to check its accuracy, request that errors and omissions are corrected, and/or transfer the PHI to another provider), and when HHS’ Office for Civil Rights conducts an audit, an investigation into a complaint or a reported HIPAA compliance violation, or a compliance review. All other uses and disclosures are either permitted, but not required, or require patient authorization.
The permitted uses generally fall into two categories: “treatment, payment, and healthcare operations” (where healthcare operations include quality assessments, business planning, internal compliance reviews, etc.) and “public interest and benefit activities” such as alerting authorities to child abuse, health agencies to communicable diseases, and law enforcement agencies to unusual or unexplained injuries. Other permitted uses and disclosures (e.g., disclosing injuries in the completion of a workers’ comp claim) may be subject to state laws.
Strictly speaking, disclosing a patient´s PHI for directory or notification purposes is a permitted disclosure – although whenever possible, the patient should be given the opportunity to agree or object to these disclosures. Disclosures such as those to a life insurer for coverage purposes or to a prospective employer require the written authorization of the patient. Covered entities are not allowed to condition treatment, payment, or eligibility to benefits on whether or not a patient signs an authorization.
Fines for the Unauthorized Disclosure of PHI
Since 2005, covered entities have been liable for HIPAA violations and unauthorized disclosures of PHI. In 2009, a Breach Notification Rule was introduced that made it a requirement to notify individuals and HHS’ Office for Civil Rights when a breach of unsecured PHI occurs; and, in 2013, compliance and notification requirements were extended to business associates, who can be fined for violations of the Privacy and Breach Notification Rules as well as violations of the Security Rule.
Importantly, the Breach Notification Rule reversed the “burden of proof”. Whereas previously covered entities and business associates did not have to report breaches of unsecured PHI unless there was a significant risk of harm to an individual’s reputation or finances, the revised criteria made the failure to report a breach of unsecured PHI an offence unless it could be proven and documented that a low risk of harm existed.
With regard to fines for the unauthorized disclosure of PHI, these were increased significantly in 2009 from “up to $100” per violation with an annual maximum penalty of $25,000 to “up to $50,000” per violation (depending on the level of culpability) with an annual maximum penalty of $1.5 million. In recent years, the minimum and maximum financial penalties for the unauthorized disclosure of PHI have been increased to account for inflation, and the limits for 2024 are:
| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|---|---|---|---|---|
| Tier 1 | Lack of Knowledge | $137 | $34,464 | $34,464 |
| Tier 2 | Reasonable Cause | $1,379 | $68,928 | $137,886 |
| Tier 3 | Willful Neglect – Corrected | $13,785 | $68,928 | $344,638 |
| Tier 4 | Willful Neglect – Not Corrected within 30 days | $68,928 | $68,928 | $2,067,813 |
Further Details about the HIPAA Privacy Guidelines
If you would like further details about the HIPAA privacy guidelines, and potential solutions for safeguarding the integrity of PHI, you are invited to download and read our “HIPAA Compliance Guide”. The guide elaborates on the requirements of the HIPAA Privacy Rule and the HIPAA Security Rule, and provides information about the seven elements of an effective compliance program.
HIPAA Privacy Guidelines FAQs
What data should be considered Protected Health Information?
Any information that relates to an individual’s health condition, treatment for the condition, or payment for treatment should be considered Protected Health Information. In addition, any information that could be used to identify the subject of the Protected Health Information assumes the same protections when it is maintained in the same “designated record set”.
Are car registration numbers protected health information?
Car registration numbers by themselves are not protected, but they become protected if they are included in a designated data set that includes health data and that, with that health data, could be used to identify an individual. Note: in this case, not only would the written version of the car registration be protected, but also any images of the car bearing the registration number.
If a medical professional took a photo of a patient’s condition to collaborate with colleagues, wouldn’t that count as a permitted disclosure?
Yes, it would. However, the image still counts as an identifier from which it would be possible to identify an individual, and therefore the image should be classed as PHI. Furthermore, if the image is shared with a colleague who is not a member of the same covered entity’s workforce (e.g., a doctor in a different hospital), it may be necessary to sign a Business Associate Agreement before the image is shared, to ensure the image remains protected while in another entity’s possession.
What is an accounting of disclosures?
Individuals have the right to know who their PHI has been shared with and why. Therefore, the Privacy Rule requires covered entities to maintain a record of disclosures made during the previous six years. However, not all disclosures have to be accounted for. For example, permitted disclosures for treatment, payment, and health care operations do not have to be included in the accounting, nor do disclosures that an individual has authorized or disclosures to law enforcement agencies. Further information about the accounting of disclosures can be found in §164.528.
Why are some fines for the unauthorized disclosure of PHI higher than the annual penalty limit?
The annual penalty limit is “per violation”. Consequently, if a covered entity or business associate has failed to comply with multiple HIPAA standards (e.g., failure to train, failure to conduct a risk assessment, failure to implement safeguards, etc.), multiple fines could be imposed by HHS’ Office for Civil Rights. However, this is a rare occurrence that only affects the worst offenders. Most investigations into violations of the HIPAA privacy guidelines result in smaller financial penalties, technical assistance, and/or corrective action plans.
What are the HIPAA guidelines?
In the context of this article, the HIPAA guidelines are the Privacy, Security, Enforcement, and Breach Notification Rules published by the Department of Health and Human Services as a consequence of the passage of HIPAA. The HIPAA guidelines can also be referred to as provisions, standards, or regulations, and are sometimes referred to as safeguards due to the inclusion of Administrative, Physical, and Technical Safeguards in the Security Rule.