FAQs on ALL Privacy Rule Topics
General Overview of the HIPAA Privacy Rule
- What is the HIPAA Privacy Rule? The HIPAA Privacy Rule establishes national standards to protect patients’ medical records and other protected health information (PHI). It applies to health plans, healthcare clearinghouses, and healthcare providers who conduct healthcare transactions electronically.
- Who must comply with the Privacy Rule? Covered entities, including healthcare providers, health plans, and healthcare clearinghouses, must comply. Business associates, who handle PHI on behalf of covered entities, are also required to comply under Business Associate Agreements (BAAs).
- What information is protected under the Privacy Rule? The Privacy Rule protects “individually identifiable health information” or PHI, which includes information that can identify an individual and relates to their health condition, healthcare provision, or payment for healthcare.
Uses and Disclosures of PHI
- When can PHI be used or disclosed without patient authorization? PHI can be used or disclosed without patient authorization for treatment, payment, and healthcare operations. It can also be shared in situations required by law, for public health activities, law enforcement purposes, and to prevent a serious threat to health or safety.
- What are examples of when PHI may require patient authorization for disclosure? Patient authorization is typically required for the use of PHI for marketing purposes, sale of PHI, or most uses of psychotherapy notes.
- How can a patient give authorization to use their PHI? A written authorization must be obtained, clearly stating what information will be used or disclosed, who will receive it, and for what purpose. The authorization must be specific to the situation.
Patient Rights
- What are a patient’s rights under the Privacy Rule?
  - Right to Access: Patients have the right to access and obtain a copy of their PHI.
  - Right to Amend: Patients can request corrections or amendments to their health records.
  - Right to an Accounting of Disclosures: Patients can request a list of disclosures of their PHI.
  - Right to Restrict Disclosures: Patients can request limitations on the use or disclosure of their information.
  - Right to Confidential Communications: Patients can request communications through alternative means or at alternative locations.
- How can a patient request access to their medical records? Patients must submit a written request to their healthcare provider or health plan. Providers have 30 days to respond, with a possible one-time extension of 30 days.
- Can a provider deny a patient access to their PHI? In certain cases, such as when access might endanger the life or safety of the patient or another person, access can be denied. If denied, patients have the right to request a review of the decision.
Business Associates
- What is a Business Associate? A Business Associate is any person or entity that performs activities on behalf of a covered entity involving the use or disclosure of PHI. Examples include billing companies, cloud storage providers, or legal consultants.
- What is required in a Business Associate Agreement (BAA)? A BAA outlines the responsibilities of the Business Associate regarding the use, disclosure, and protection of PHI, and specifies safeguards to ensure the PHI remains secure.
- What happens if a Business Associate violates HIPAA? Business Associates are directly liable for HIPAA violations and may be subject to civil and criminal penalties.
Security and Safeguards
- What safeguards must be in place to protect PHI? Covered entities and Business Associates must implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of PHI. This includes things like secure storage, encryption, and restricted access to PHI.
- Can healthcare providers send PHI through email or other electronic means? Yes, PHI can be sent via email or electronically as long as appropriate safeguards are in place, such as encryption, to ensure that the information is protected from unauthorized access.
Minimum Necessary Rule
- What is the Minimum Necessary Rule? The Minimum Necessary Rule requires covered entities and Business Associates to limit the use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose, except for certain exceptions like treatment purposes.
- When does the Minimum Necessary Rule not apply? The Minimum Necessary Rule does not apply in cases of disclosure to the individual, for treatment purposes, or when required by law.
Research and PHI
- Can PHI be used for research without patient authorization? PHI can be used for research without authorization if a waiver is obtained from an Institutional Review Board (IRB) or Privacy Board, or if the data is de-identified.
- What is de-identified health information? De-identified information is health data that has had all personally identifiable information removed, such as names, dates, or geographic identifiers. Once de-identified, the data is no longer subject to HIPAA regulations.
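As an added illustration (not part of the original FAQ), the following Python example removes the three identifier categories the FAQ names, names, dates and geographic identifiers, from a constructed record and then checks the free-text fields for identifiers that a field-based drop alone would miss. The field names, regular expressions and sample record are assumptions for this example; the full regulatory identifier list is longer than the three categories shown here.

```python
import re

# Constructed sample record for this example (not real patient data).
RECORD = {
    "patient_name": "Jane Example",
    "date_of_birth": "1984-03-17",
    "zip_code": "02139",
    "city": "Cambridge",
    "diagnosis_code": "E11.9",
    "clinical_notes": "Seen 11/02/2023 for follow-up; lives near 02139. HbA1c 7.2%.",
}

# Fields holding the identifier categories the FAQ names (names, dates,
# geographic identifiers). Field names are assumed, not a HIPAA-defined schema.
IDENTIFIER_FIELDS = {"patient_name", "date_of_birth", "zip_code", "city"}

# Patterns for identifiers that can hide inside free text (assumed formats).
DATE_RE = re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})\b")
ZIP_RE = re.compile(r"\b\d{5}(?:-\d{4})?\b")


def find_residual_identifiers(record):
    """Return (field, kind) pairs for identifiers still present in string values."""
    hits = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        if DATE_RE.search(value):
            hits.append((field, "date"))
        if ZIP_RE.search(value):
            hits.append((field, "zip"))
    return hits


def de_identify(record):
    """Drop identifier fields, redact dates/ZIPs in remaining text, fail closed."""
    cleaned = {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}
    for field, value in list(cleaned.items()):
        if isinstance(value, str):
            value = DATE_RE.sub("[DATE]", value)
            value = ZIP_RE.sub("[ZIP]", value)
            cleaned[field] = value
    # Refuse to release a record that still carries a detectable identifier.
    if find_residual_identifiers(cleaned):
        raise ValueError("record still contains identifiers")
    return cleaned
```

The residual check matters because the FAQ's "no longer subject to HIPAA" outcome only holds if identifiers are actually gone, including those embedded in notes rather than in labelled fields.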
Public Health and Law Enforcement
- When can PHI be disclosed for public health purposes? PHI can be disclosed without patient authorization for public health activities, such as controlling disease outbreaks, reporting adverse events to the FDA, or preventing or controlling injury or disability.
- Can PHI be disclosed to law enforcement? Yes, PHI can be disclosed to law enforcement in certain circumstances, such as in response to a court order or subpoena, or to identify a suspect or victim, among other permitted disclosures.
Parents and Minors
- What rights do parents have to their child’s medical records? In general, parents or guardians have the right to access their minor child’s medical records, except in situations where the law allows the minor to obtain certain medical care without parental consent, such as reproductive health services.
- Can a minor access their own medical records? In some cases, minors can access their medical records when they have consented to their treatment or when a court has granted them the rights of an adult.
Marketing and Fundraising
- Can healthcare providers use PHI for marketing purposes? PHI cannot be used for marketing without patient authorization, except for limited cases such as providing information about health-related services offered by the provider.
- Can PHI be used for fundraising activities? Yes, but only limited PHI can be used for fundraising, such as demographic information and dates of care, and patients must be given an opportunity to opt out of receiving fundraising communications.
Breach Notification
- What constitutes a breach of PHI? A breach is any unauthorized access, use, or disclosure of PHI that compromises the security or privacy of the information. Exceptions include unintentional access by employees acting in good faith within the scope of their authority.
- What must happen if a breach occurs? If a breach occurs, covered entities must notify the affected individuals and the Department of Health and Human Services (HHS), and, if the breach involves more than 500 individuals, the media as well.
HIPAA Violations and Penalties
- What are the penalties for HIPAA violations? HIPAA violations can result in civil penalties ranging from $100 to $50,000 per violation, with an annual maximum of $1.5 million. Criminal penalties, including imprisonment, apply for willful violations.
- How does HHS enforce the Privacy Rule? The HHS Office for Civil Rights (OCR) investigates complaints, performs compliance reviews, and may impose civil and criminal penalties for non-compliance with the Privacy Rule.