The HIPAA Privacy Rule

Issued by HHS under HIPAA of 1996, the HIPAA privacy rule is a set of federal standards that creates privacy protections for individuals' PHI maintained or transmitted in any form or medium. Most healthcare providers and other designated "covered entities" (e.g., health plans, hospitals, nursing facilities, physicians, healthcare providers that conduct certain healthcare transactions electronically and their business associates, healthcare clearinghouses) must comply with the rule's provisions. The rule gives individuals certain privacy rights, including the right to know the covered entities' privacy practices, to examine and obtain a copy of their health records, and to request corrections. The HIPAA omnibus final rule of 2013 added new provisions that apply to psychotherapy notes, research, marketing, and the sale of PHI. These are further discussed in Special Considerations for Uses and Disclosures of PHIelsewhere in this guidance article.

PHI is defined broadly as "individually identifiable health information," whether oral or recorded in any form or medium, including electronic, that relates to the individual's past, present, or future physical or mental health or condition, the provision of healthcare to the individual, or the past, present, or future payment for the provision of healthcare to the individual. Further, the information identifies the individual or there is a reasonable basis to believe it can be used to identify the individual (45 CFR § 160.103). A covered entity must obtain an individual's valid HIPAA authorization to use or disclose PHI for purposes other than treatment, payment, or healthcare operations, except for specific purposes otherwise established by the rule.

Covered entities must limit use, disclosure, and requests for PHI to the "minimum necessary" to accomplish the intended purpose of the use, disclosure, or request. However, the rule does not apply to providers who use, disclose, or request PHI for treatment purposes. Nor does it apply to disclosures and uses required by law or to comply with the HIPAA administration simplification provisions, or to disclosures made pursuant to a HIPAA written authorization.

The covered entity's workforce is broadly defined to include employees, volunteers, trainees, and other persons whose conduct in working for a covered entity or business associate is under the direct control of the covered entity or business associate. The workforce must be trained to comply with the covered entity's HIPAA privacy policy, and covered entities must develop and implement a workforce policy that provides for sanctions for noncompliance (45 CFR § 164.530).

Covered entities are required to designate a HIPAA privacy officer...