The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy of individually identifiable health information. Learn more by clicking on the links to the below.
What does the Privacy Rule require?
The Privacy Rule prohibits the use or disclosure of “protected health information,” or PHI, unless the patient has signed a specific authorization. PHI is defined in the Privacy Rule as any health information created or received by a health care provider that: (1) identifies an individual; and (2) relates to that individual’s past, present, or future physical or mental health condition or to payment for health care. Protected health information includes information in any form or medium, from a paper medical record to a fax authorization or referral to a conversation between colleagues consulting on the care of a patient.
An authorization is not required for the following, provided the patient has acknowledged receipt of a Notice of Privacy Practices:
- To treat the patient
- To get paid for services
- To conduct health care operations (for example, quality assurance, credentialing, audits, compliance monitoring)
- Patient information also can be given to patient caregivers (for example, family members), but only if the patient expressly or impliedly consents.
- Certain disclosures also can be made by a health care provider without patient authorization to accomplish public policy objectives (for example, to report child or elder abuse).
Any other disclosure (such as for research, fundraising or marketing) may only be made if the patient specifically authorizes the disclosure in writing. An authorization is a customized document that requests permission from the patient to use protected health information for specific purposes and for a specific time period.
As a general rule, even if a disclosure is permitted under the Privacy Rule, it must be limited to the minimum amount of information necessary.
The HIPAA Privacy Rule also gives patients expanded rights to access their medical and billing records, request amendments to those records and obtain an accounting of disclosures of protected health information.
HIPAA Privacy Education Completion Reports
**Updated as of October 3, 2021**
USC HIPAA Guidance
Interested in learning more about the HIPAA Privacy Rule? Try these resources:
What is a Business Associate?
Notice of Privacy Practices- Why it is important
Minimum Security Standards for Electronic PHI
HIPAA Privacy rule and Sharing information related to Mental Health- Guidance from US Department of Health and Human Services, February 20th, 2014
When Federal Privacy Rules and Fundraising Desires Meet- An advisory on the use of Protected Health Information in Fundraising Communications