As a general matter, the HIPAA Privacy Rule requires covered entities to maintain appropriate safeguards to protect the privacy of protected health information (PHI), sets limits and conditions on the uses and disclosures that may be made of PHI, and gives patients certain rights over their health information. As covered entities develop strategies and plans to comply with HIPAA, they must keep the following top of mind:
- Proper Uses and Disclosures of PHI. The general principle of the Privacy Rule is that a covered entity may not use or disclose PHI, except (1) when required by the Privacy Rule (e.g., to the individual or to HHS as a part of an investigation or enforcement action); (2) when permitted, but not required, for certain enumerated purposes or situations (e.g., for treatment, payment, or healthcare operations); or (3) upon the written authorization of the individual, provided that the authorization is written in plain language and includes specific terms about the use or disclosure. Covered entities may disclose information to service providers or vendors only pursuant to a business associate agreement.1
- Data Minimization. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish its intended purpose. In other words, a covered entity may not use, disclose, or request the entire medical record, unless it can specifically justify the whole record as the amount reasonably needed for the purpose. There are six circumstances, such as disclosures to a healthcare provider for treatment, to which the minimum necessary requirement does not apply. A covered entity must also develop and implement policies and procedures to reasonably limit uses, disclosures, and requests for disclosures to the minimum necessary, as well as to limit internal access and uses to only those roles, duties, and conditions for which PHI is needed.2
- Notice and Other Individual Rights. Each covered entity, subject to certain exceptions, must provide a notice of its privacy practices, and must act in accordance with its notice. The Privacy Rule requires the notice to contain certain elements, such as the ways in which the covered entity may use and disclose PHI, information regarding individuals’ rights, and the contact information individuals can use to obtain further information or lodge complaints. The Privacy Rule also contains specific distribution requirements for certain healthcare providers and health plans. Additionally, except in certain circumstances, individuals have the right to: (a) review and obtain a copy of their PHI; (b) have covered entities amend their PHI when inaccurate or incomplete; (c) have an accounting of the disclosures of their PHI by a covered entity or its business associates; (d) request that a covered entity restrict certain uses or disclosures of PHI; and (e) request an alternative means or location for receiving communications of PHI.3
- Administrative Requirements. HHS recognizes that covered entities vary in size and resources, and the Privacy Rule is intended to be flexible and scalable. However, there are several administrative elements that every covered entity is required to include in its privacy program, including, among others, (a) privacy policies and procedures consistent with the Privacy Rule; (b) a designated privacy official responsible for developing and implementing these privacy policies and procedures; (c) appropriate employee privacy training; (d) reasonable and appropriate safeguards to prevent impermissible uses or disclosures of PHI; (e) complaint procedures; and (f) all required documentation and records for the previous six years.4
1 45 CFR § 164.502(a).
3 Id. §§ 164.500-534.
4 Id. § 164.530.