How the HIPAA Privacy Guidelines Protect Patient Confidentiality

The HIPAA privacy guidelines were first introduced in 2002 with the aim of protecting the privacy of patient health information without obstructing the flow of information required to provide treatment. The guidelines defined what data should be considered Protected Health Information (PHI), who should be allowed access to it, when it could be disclosed, and for what purposes.

The HIPAA privacy guidelines apply to covered entities, their business associates, and any subcontractors with whom PHI is shared. Covered entities are generally health plans, healthcare clearinghouses, and healthcare providers, while business associates and subcontractors can range in their activities from accountants and auditors to website designers and website hosting companies.

What is Protected Health Information?

The HIPAA privacy guidelines define PHI as any “individually identifiable health information” that individually or together could reveal a patient's identity. Not only does this definition cover such information as name, address, ZIP code, or telephone number (when maintained with health data in the same data set), but also any information that could relate to:

  • the past, present or future physical or mental condition of a patient,
  • the provision of any treatment or healthcare service to a patient, or
  • the past, present, or future payment for treatment or healthcare services to a patient.

Consequently, car registration numbers, health plan coverage, and even examples of a patient's handwriting can be PHI – importantly, PHI can be in image and video format as well as when recorded in written or electronic format.

Therefore, if a medical professional took a photograph of a patient's eczema in order to collaborate on the patient's condition with colleagues – and the identity of the patient could be determined by a distinguishing feature – the photograph would be considered to be PHI by the HIPAA privacy guidelines.

PHI: Who, When and for What?

There are three types of uses and disclosures – those that are required, those that are permitted, and those which require patient authorization – notwithstanding that a patient has the right to object to any permitted use or disclosure of their PHI and restrict who it is shared with. Additionally, patients can ensure their wishes have been adhered to by requesting an “accounting of disclosures” at any time.

The required uses and disclosures are when a patient requests access to their PHI (to check its accuracy, request errors and omissions are corrected, and/or transfer the PHI to another provider), and when HHS' Office for Civil Rights conducts an audit, an investigation into a complaint or a reported HIPAA violation, or a compliance review. All other uses and disclosures are permitted, but not required, or require patient authorization.

The permitted uses generally fall into two categories – “treatment, payment, and healthcare operations” (where healthcare operations include quality assessments, business planning, internal compliance reviews, etc.) and “public interest and benefit activities” such as alerting authorities to child abuse, health agencies to communicable diseases, and law enforcement agencies to unusual or unexplained injuries. Other permitted uses and disclosures (e.g., disclosing injuries in the completion of a workers' comp claim) may be subject to state laws.

Strictly speaking, disclosing a patient's PHI for directory or notification purposes is a permitted disclosure – although whenever possible, the patient should be given the opportunity to agree or object to these disclosures. Disclosures such as those to a life insurer for coverage purposes or to a prospective employer require the written authorization of the patient. Covered entities are not allowed to condition treatment, payment, or eligibility for benefits on whether or not a patient signs an authorization.

Fines for the Unauthorized Disclosure of PHI

Since 2005, covered entities have been liable for HIPAA violations and unauthorized disclosures of PHI. In 2009, a Breach Notification Rule was introduced that made it a requirement to notify individuals and HHS' Office for Civil Rights when a breach of unsecured PHI occurs; and, in 2013, compliance and notification requirements were extended to business associates – who can be fined for violations of the Privacy and Breach Notification Rules as well as violations of the Security Rule.

Importantly, the Breach Notification Rule reversed the “burden of proof”. Whereas previously, covered entities and business associates did not have to report breaches of unsecured PHI unless there was a significant risk of harm to an individual's reputation or finances, the revised criteria now made the failure to report a breach of unsecured PHI an offence unless it could be proven and documented that a low risk of harm existed.

With regard to fines for the unauthorized disclosure of PHI, these were increased significantly in 2009 from “up to $100” per violation with an annual maximum penalty of $25,000 to “up to $50,000” per violation (depending on the level of culpability) up to an annual maximum penalty of $1.5 million. In recent years, the minimum and maximum financial penalties for the unauthorized disclosure of PHI have increased to account for inflation, and the limits for 2022 are:

Penalty Tier | Level of Culpability                        | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit
Tier 1       | Lack of Knowledge                           | $127                          | $63,973                       | $1,919,173
Tier 2       | Reasonable Cause                            | $1,280                        | $63,973                       | $1,919,173
Tier 3       | Willful Neglect – Corrected                 | $12,794                       | $63,973                       | $1,919,173
Tier 4       | Willful Neglect – Not Corrected within 30 days | $63,973                    | $1,919,173                    | $1,919,173

Further Details about the HIPAA Privacy Guidelines

If you would like further details about the HIPAA privacy guidelines, and potential solutions for safeguarding the integrity of PHI, you are invited to download and read our “HIPAA Compliance Guide”. Our guide elaborates on the requirements of the HIPAA privacy guidelines and the HIPAA Security Rule as well as providing information about secure messaging solutions – communication platforms for keeping PHI secure in transit.

The information about secure messaging solutions is supported by case studies from healthcare organizations that have implemented secure communication platforms to comply with the HIPAA privacy guidelines. These case studies demonstrate how secure messaging solutions are cost-effective mechanisms that help to streamline workflows and increase productivity within a healthcare environment.

HIPAA Privacy Guidelines FAQs

What data should be considered Protected Health Information?

HHS has not published any guidance as to what specific data should be – or should not be – considered Protected Health Information. However, many covered entities use the eighteen identifiers listed in the “Safe Harbor” method of de-identifying PHI as a guide. The eighteen identifiers are:

  • Names (including names of family members, household members, and employers)
  • All geographic subdivisions smaller than a state
  • All elements of dates (except year) that are directly related to an individual
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) addresses
  • Biometric identifiers, including finger and voice prints
  • Full-face photographs and any comparable images
  • Any other unique identifying number, characteristic, or code

Are car registration numbers protected health information?

Car registration numbers by themselves are not protected, but they become protected if they are included in a designated data set that includes health data and that, with that health data, could be used to identify an individual. Note: in this case, not only would the written version of the car registration be protected, but also any images of the car bearing the registration number.

If a medical professional took a photo of a patient's condition to collaborate with colleagues, wouldn't that count as a permitted disclosure?

Yes, it would. However, the image still counts as an identifier from which it would be possible to identify an individual and therefore the image should be classed as PHI. Furthermore, if the image is shared with a colleague who is not a member of the same covered entity's workforce (e.g., a doctor in a different hospital), it may be necessary to sign a Business Associate Agreement before the image is shared to ensure the image remains protected while in another entity's possession.

What is an accounting of disclosures?

Individuals have the right to know who their PHI has been shared with and why. Therefore, the Privacy Rule requires covered entities to maintain a record of disclosures made during the previous six years. However, not all disclosures have to be accounted for. For example, permitted disclosures for treatment, payment, and health care operations do not have to be included in the accounting, nor do disclosures that an individual has authorized or disclosures to law enforcement agencies. Further information about accounting of disclosures can be found in §164.528.

Why are some fines for the unauthorized disclosure of PHI higher than the annual penalty limit?

The annual penalty limit is “per violation”. Consequently, if a covered entity or business associate has failed to comply with multiple HIPAA standards (e.g., failure to train, failure to conduct a risk assessment, failure to implement safeguards, etc.), multiple fines could be imposed by HHS' Office for Civil Rights. However, this is a rare occurrence that only impacts the worst offenders. Most investigations into violations of the HIPAA privacy guidelines result in smaller financial penalties, technical assistance, and/or corrective action plans.