The HIPAA Privacy Rules: An Overview of the Basics

(This information is subject to frequent updates and modifications)

Health Insurance Portability and Accountability Act (HIPAA)

Federal legislation enacted in 1996 to improve the efficiency and effectiveness of electronic information transfers used in the provision, management, and financing of health care in the U.S.

This legislation impacts anyone and everyone involved in clinical activities by virtue of new, strict rules for handling health information.

What is in the law?

  • Privacy rules
  • Security rules
  • Civil and criminal penalties

What is the goal of HIPAA legislation?

  • To protect health information
  • Ensure confidentiality and accuracy
  • Establish use and disclosure procedures
  • Ensure proper handling of data
  • Implement audit controls

Privacy and HIPAA

PRIVACY refers to WHAT is protected health information about an individual and the determination of who is permitted to use, disclose, or access the information. (This presentation addresses the privacy provisions of the regulations.)

SECURITY refers to HOW information is safeguarded --- ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and accidental or intentional destruction or loss. Security is also regulated under HIPAA.

A future presentation will address the security provisions of the regulations.

Health Information is defined in section 1171 of the Act

It includes:

ANY INFORMATION, whether oral or recorded in any form or medium, that

- is CREATED OR RECEIVED by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, and

- relates to the past, present, or future PHYSICAL or MENTAL HEALTH or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and

Examples of Health Information

  • Paper records and reports
  • Electronic records
  • Spoken communications
  • Patient radiographs
  • Patient photographs

HIPAA regulates how health care providers must deal with PROTECTED HEALTH INFORMATION (PHI)

What is PHI?

PHI is health information (defined as any information gathered by a health care provider, including non-health related data) that contains data that may be used to directly or indirectly identify the patient.

What data elements make health information Protected Health Information?

- Name
- Names of relatives
- Address
- Names of employers
- E-mail address
- Fax number
- Telephone number
- Birth date
- Finger or voice prints
- Photographic images/X-rays
- Social security number
- Internet address
- Vehicle/device serial number
- Medical record number
- Health plan number
- Account number
- Certificate/license number
- Web URL
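The list above is easier to apply when it is turned into a check that can be run over a record. The following is an added example written for this overview, not code from the original presentation: it flags which of the listed identifier categories appear in a record (both as named fields and as values embedded in free text), decides whether the record is therefore PHI, and produces a de-identified copy. The field names, the regular expressions and the sample record are all constructed assumptions for the example.

```python
import re

# Identifier categories from the list above, keyed by the field names this
# example assumes a record uses (the field names are constructed, not from the page).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "relative_names", "address", "employer", "email", "fax",
    "phone", "birth_date", "biometric", "photo", "ssn", "ip_address",
    "device_serial", "mrn", "health_plan_id", "account_number",
    "license_number", "url",
}

# Identifiers that tend to hide inside free-text notes. Constructed patterns,
# intentionally simple; a production scrubber would need far more coverage.
FREE_TEXT_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def find_identifiers(record):
    """Return the set of identifier categories present in the record."""
    found = set()
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS and value not in (None, ""):
            found.add(field)
        if isinstance(value, str):
            for category, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    found.add(category)
    return found


def is_phi(record):
    """Health information becomes PHI once any identifier is present."""
    return bool(find_identifiers(record))


def redact(record):
    """Return a de-identified copy: direct identifier fields are dropped and
    identifiers embedded in free text are replaced with a marker."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if isinstance(value, str):
            for category, pattern in FREE_TEXT_PATTERNS.items():
                value = pattern.sub(f"[REDACTED {category}]", value)
        out[field] = value
    return out


# Constructed sample record; every value here is made up for the example.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "birth_date": "1970-04-02",
    "mrn": "MRN-0001",
    "diagnosis": "Essential hypertension",
    "notes": "Patient can be reached at jane.doe@example.org or 555-123-4567 before 5pm.",
}

# Health information with no identifiers is not PHI under the definition above.
DEIDENTIFIED_EXAMPLE = {"diagnosis": "Essential hypertension", "age_band": "50-59"}

if __name__ == "__main__":
    print("identifiers found:", sorted(find_identifiers(SAMPLE_RECORD)))
    print("is PHI:", is_phi(SAMPLE_RECORD))
    print("redacted:", redact(SAMPLE_RECORD))
```

Running the block shows that the sample record is PHI because of its name, birth date, record number and the e-mail address and phone number buried in the notes, while the redacted copy no longer trips any check. The point for a practitioner is the free-text case: clinical notes are where identifiers leak past field-level controls.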

HIPAA applies to any PHI, regardless of the data format

- a patient's chart and medical record
- database or computer stored files
- email
- images or x-rays
- conversations
- word documents
- PDA stored information
- student logs
- academic curriculum
- laptop files
- personal databases of clinical material
- personal clinical experience logs

Bottom line: virtually all of the information routinely used in the clinical setting is PHI and must be properly handled and protected.

What does the Privacy Rule MEAN?

1. It limits the Use and Disclosure of PHI

Use: defined as the employment, application, utilization, examination, or analysis of information WITHIN an entity that holds the information.

Disclosure: defined as the release of PHI that is not related to treatment, payment, or health operations.

2. It establishes Individual (Patient) rights to control access and use of PHI, including the:

  • right to inspect or copy PHI
  • right to amend incorrect information
  • right to receive an accounting of all disclosures made for reasons other than payment, treatment, or health care operations

3. It balances health information protection and individual rights against public health and safety needs.

4. It defines specific administrative requirements:

  • a privacy officer
  • patient notice of the privacy policy
  • training for ALL employees
  • sanctions for policy violations
  • documented Policies and Procedures for handling and protecting PHI

Privacy Regulation Requirements

Effective 4/14/03, YOU MUST...

  1. Clearly communicate information practices and honor privacy promises (e.g., the PRIVACY NOTICE)
  2. Get detailed patient authorization for each non-routine (research) use and disclosure
  3. Limit information use and disclosure to the MINIMUM NECESSARY
  4. Require business partners (by contract the BUSINESS ASSOCIATE AGREEMENT) to protect health information and hold them accountable
  5. Be able to provide an accounting of non-routine disclosures
  6. Adopt comprehensive privacy policies and procedures and train every employee
  7. Appoint a privacy officer
  8. Use effective controls (physical and technical) to avoid privacy breaches
  9. Impose discipline for breaches of privacy and mitigate any resulting harm
  10. Document what was done to protect patient privacy

Privacy Notice

This document must:

  • inform the patient of his/her rights
  • disclose the organization's privacy practices
  • explain the organization's responsibilities under the law
  • inform the patient about all the uses and disclosures of PHI required and allowed by law
  • outline the process for the patient to gain access to their medical record and to request amendments to this information
  • list the contact person within the practice who will receive complaints and/or be available for questions

Minimum Necessary

The minimum necessary standard refers to the concept that PHI should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. As an example, the receptionist does not require access to the patient's entire medical record, but perhaps only the name, current address, and insurance information.

This concept does not apply to (and does not limit) disclosures by a health care provider for treatment purposes, disclosures to the patient, and disclosures made pursuant to the patient's authorization.
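The receptionist example and the treatment exception above map naturally onto a role-based filter. The following is an added example for this overview, not code from the original presentation: a record is reduced to the fields a role is permitted to see, roles that the text says are not limited by minimum necessary (the treating provider and the patient) receive the whole record, an unknown role is refused, and every decision is written to an in-memory audit trail in the spirit of the "implement audit controls" goal. The role names, the field names and the policy table are constructed assumptions for the example; the receptionist's field set follows the text's own illustration.

```python
from datetime import datetime, timezone

# Role-to-field policy. Roles and field names are constructed for this example;
# the receptionist entry mirrors the illustration in the text above.
ROLE_POLICY = {
    "receptionist": {"name", "address", "insurance"},
    "billing": {"name", "insurance", "account_number"},
}

# Roles the text says minimum necessary does not limit: treatment and the patient.
UNRESTRICTED_ROLES = {"treating_provider", "patient"}

# In-memory audit trail; a real system would write to an append-only store.
AUDIT_LOG = []


class AccessDenied(Exception):
    """Raised when a role has no policy entry at all."""


def _audit(role, purpose, granted, withheld, denied=False):
    AUDIT_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "role": role,
        "purpose": purpose,
        "denied": denied,
        "fields": sorted(granted),
        "withheld": sorted(withheld),
    })


def minimum_necessary_view(record, role, purpose):
    """Return only the fields of `record` that `role` needs, logging the decision."""
    if role in UNRESTRICTED_ROLES:
        allowed = set(record)
    elif role in ROLE_POLICY:
        allowed = ROLE_POLICY[role]
    else:
        # No policy means no access: deny by default and record the attempt.
        _audit(role, purpose, set(), set(record), denied=True)
        raise AccessDenied(f"no minimum-necessary policy for role {role!r}")

    view = {field: value for field, value in record.items() if field in allowed}
    _audit(role, purpose, set(view), set(record) - allowed)
    return view


# Constructed sample record; every value is made up for the example.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "address": "1 Example Street",
    "insurance": "ExamplePlan 12345",
    "account_number": "ACCT-9",
    "diagnosis": "Essential hypertension",
    "medications": ["lisinopril"],
}

if __name__ == "__main__":
    print(minimum_necessary_view(SAMPLE_RECORD, "receptionist", "check-in"))
    print(minimum_necessary_view(SAMPLE_RECORD, "treating_provider", "treatment"))
    print(AUDIT_LOG[-1])
```

The audit entry records not only what was shown but what was withheld, which is what a privacy officer needs when answering a complaint or reviewing whether a role's policy is still appropriate.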

Access to see or hear patient information

Not everyone needs to see or hear PHI. Before you look at or listen to health information, ask yourself, "Do I need to know this to do my job or provide high quality care?" If the answer is no, don't look or listen. If the answer is yes, look or listen only to the information you need and protect the confidentiality of that information.

Patients must be given a copy of the PRIVACY NOTICE and it must be documented that it was received

You must undergo specific HIPAA training and this training must be documented

Access to clinical records for research will become more cumbersome

Everyone must be much more attuned to the inadvertent disclosure of PHI: do not talk about patients in the hallways, elevators, and cafeteria; only access PHI when necessary and then only to the extent necessary to do your job (the minimum necessary concept).

Dispose of PHI properly

  • place patient information in secure containers
  • shred the documents
  • erase/destroy diskettes
  • avoid improper disclosure

Avoid improper disclosures

  • verify FAX numbers and email addresses
  • do not leave detailed phone messages
  • turn computer screens away from passersby
  • use a screen saver

Guard against improper access

  • log off when finished
  • change your password often
  • do not share your password
  • password protect access to your PDA

The Privacy Rule DOES NOT mean that you...

  • cannot discuss patient care with colleagues
  • cannot talk to patients in public areas
  • cannot use sign-in sheets in the clinic
  • cannot use patient-based material for teaching, presentations, and projects
  • cannot do clinical research

Frequently Asked Questions

Can Health Care Providers (HCPs) use sign-in sheets or call out the names of patients in the waiting room? YES

Can HCPs place medical charts at the bedside or outside exam rooms? YES

Does a HCP need a patient's written authorization to send a copy of the medical record to a specialist or other HCP who will provide treatment? NO

Can a physician's office FAX patient medical info to another MD's office? YES (but the recipient fax should be in a secure location)

Does the Privacy Rule and minimum necessary concept prohibit trainees from accessing PHI in the course of their training? NO

Can a researcher abstract data from 30 charts for a review article? ONLY AFTER approval from the IRB and Individual Authorizations by the patients or a waiver from the institutional privacy

Individual Authorizations, signed by the patients, are required for the use and disclosure of PHI for any purpose other than treatment, payment, or health care operations or as otherwise excepted by law.

Access to PHI for research purposes will require individual authorization by the patient or a Waiver, granted by the institutional privacy board.

Situations in which PHI may be released without Individual Authorization or Waiver

  • Reporting a communicable disease
  • FDA required reporting of information about medical devices that break or malfunction
  • Child abuse and neglect reporting laws
  • Criminal investigations
  • Court order
  • Suspicious deaths or injuries (e.g. gunshot wound)
  • Cause of death to a coroner or funeral director

Consequences of Noncompliance that may be levied by the Office for Civil Rights

  • Criminal Penalties
    • Fines up to $250,000
    • Prison time up to 10 years
  • Civil Penalties
    • $100 for each violation
    • Maximum of $25,000 per year per incidence

Penalties may apply to the individual violator and/or to the organization or its officers.

Consequences of Noncompliance that may be levied by the Institution or Practice

  • Verbal warning
  • Written warning
  • Suspension
  • Termination of employment

If you have questions about HIPAA, contact the Privacy Officer or send an email to

If you suspect an institution is not complying with HIPAA, a complaint can be filed with the Office for Civil Rights. A complaint must be filed within 180 days of the date the complainant knew about the possible violation of the law.

Useful Links