HIPS Series > Federal and State Privacy Requirements

How to take this course

Hyperlinks to supplemental content are provided, should you wish to read more about a particular topic.  This extra material is optional.  It is not covered on the associated course quiz.  The supplemental content will usually be presented in a new browser window, which you may close at any time.

For the recommended reading sequence for these materials, see the HIPS Series Overview.

Approximate reading time for this course is 24 minutes (exclusive of linked content). The quiz for this course is here.

•  •  •  •  •

1. Why are you here?

We know your time is valuable.  We want you to understand why you have been directed to spend time reading these materials.

Privacy protections for health information are required by federal laws such as HIPAA, and by most states' statutes as well.  Private organizations that certify health care facilities, like JCAHO, also require privacy protections.  And almost all health professions organizations have provisions about privacy in their codes of ethics.

As part of these protections, it is required that health care organizations provide basic training in privacy laws and regulations to their workers.  That's why you are here. 

2. What's in it for you?

Unfortunately, even an overview of health privacy protections in the US can be a bit complex.  Do not despair.  We provide you with a lot of information in this and subsequent courses in the privacy series, but we do not expect that you will remember every detail.  Retaining the main points will be enough.

If at times it seems a bit abstract -- and, truth to tell, more than a bit boring -- remember that we are also discussing your privacy rights when you are a patient.  Everyone, sooner or later, is a patient in a health care facility somewhere.  Being knowledgeable will help assure that you receive all the privacy protections to which you (or someone you care about) are entitled.

Health information systems are more efficiently networked together every day.  Consequently, the privacy of each person's health information depends on more people every day.  People just like you.  The time-honored Golden Rule applies here:  Try to give the health information under your control the same respect for privacy that you'd like for your own.

3. "Privacy" vs. "security"

This course provides an introduction to federal and state privacy requirements.  Privacy has many common meanings -- here it refers to the rules about who can access health information, and under what circumstances.  (For more on the definitions of privacy, click here.)

In addition to this introductory course, you may also need to take privacy courses that are specific to the kinds of work you do, such as clinical care, fundraising, marketing, research or participation in a training program.  Many of the limitations on use and disclosure of health data depend on the purpose of your access.

You will probably need to take some information security courses as well.  Those describe techniques for safe use of information systems and devices.   Without good information security practices, the privacy rules are just empty promises.  (For more on the definitions of security, click here.)

4. Privacy law protections

You probably have already heard or read about HIPAA, the law that provides federal (national) protections for health information.  HIPAA's regulations cover the health information of nearly every person who receives care in a US health care facility.

States have long had laws and regulations addressing the privacy of health information.  HIPAA's regulations add a floor (minimum level) of safeguards to existing state laws.  State health privacy protections that are more stringent than HIPAA's remain in effect.

Why were HIPAA's protections needed?  Because not all states have had adequate health privacy protections in their laws.  And even those with good laws sometimes did a bad job of enforcing them.

5. Promoting an electronic world

Health care in the US is the most technologically advanced on the planet.  (That's why it's also the most expensive.)  So it may surprise you to learn that the US health sector has been relatively slow to adopt electronic record-keeping. 

It's true, however.  Paper records are still common.  The computer-based records systems in use are typically un-standardized, and so have trouble "talking" to each other.  Not efficient.  And, in many cases, not very secure either.

HIPAA aims to remedy these problems.  It has four parts -- called "Rules" -- that set standards for health information.  

Two of the four Rules are focused on technical specifications:  the Transactions and Code Sets (TCS) Rule mandates standard formats and coding for health data; the Identifier (ID) Rule sets standards for unique identifiers for health plans, employers and health practitioners.  (The statute also called for a unique patient identifier, but Congress has barred work on one, and no patient identifier standard has been adopted.)

We won't cover the TCS and ID rules in this series, but instead concentrate on the other two, which focus on privacy and security. (If you want to know more about the TCS and ID rules, follow the links above.)

6. Protecting an electronic world

Increased use of standardized electronic information may make things more efficient, but it also is cause for more privacy worries.  Computers allow faster, easier access to health records -- but both for good purposes and bad ones.  So there is a need for stricter privacy rules governing use and disclosure. 

The stakes for information security are raised too.  Losing a batch of paper records doesn't compare to the risks if a computer or network is compromised.  Thousands of persons' health information can be put at risk by a single electronic breach.

That's why HIPAA includes the set of national privacy regulations we are discussing in this series -- called, collectively, the Privacy Rule.  And why it also has a set of regulations devoted to security issues -- a.k.a., the Security Rule.   (The latter Rule is discussed in the security series courses.)

7. Who is covered by HIPAA?

Almost every organization that provides or pays for health services, or exchanges health data of any kind, is within the reach of HIPAA. 

Health care providers (physicians, nurses, allied health practitioners); health care facilities (hospitals, clinics); health plans (HMOs, insurers); and health information clearinghouses are what HIPAA calls covered entities.

HIPAA extends rights to every patient whose information is collected, used or disclosed by such covered entities.  It imposes duties on covered entities -- and, by extension, on all persons who work in or for covered entities -- in order to secure those rights.

HIPAA reaches even to the business associates of health institutions -- that is, to companies that handle health data on a covered entity's behalf.

8. What is covered by HIPAA?

Under HIPAA, any health information held or transmitted by a covered entity that is, or reasonably could be, linked to an individual is protected health information -- in HIPAA-speak, simply "PHI."  

HIPAA defines PHI very broadly:  It is anything related to the "past, present or future physical or mental health condition" of a person.  Only de-identified health information is excluded -- where every explicit identifier of a person has been removed, as well as data that could potentially establish a link via statistical techniques.

HIPAA's privacy provisions apply to protected health information in "any form or medium."  That means everything containing PHI: paper records as well as electronic ones, faxes, emails, exchanges in telephone conversations, and even just talking face-to-face. 

If it's health data, and it's identifiable, it's covered.

9. Notification of privacy practices

HIPAA's most visible change comes from its requirement that patients be given a Notice of Privacy Practices.  This Notice must describe, in general terms, how the covered entity will protect health information.  And it must clearly specify the patient's rights under the law -- both federal HIPAA rights and any stricter state protections.

A copy of the Notice of Privacy Practices must be provided the first time a patient sees a direct treatment provider -- that is, any provider that directly interacts with the patient -- and at any time thereafter when the patient requests one.  When the Notice changes, the revised Notice must be made available to patients as well.

Health plans and insurers must also provide periodic Notices to their customers. 

(If you have received services from a health care provider in the last few years, you'll usually have been given a Notice as part of the registration process.  Take a look at it the next time you're stuck in a waiting room.  It covers the same territory as this course, although not always in particularly clear language.)

10. Acknowledgement of Notice

Direct treatment providers must make a good faith effort to obtain an acknowledgement -- by the patient's signature -- confirming that a copy of the Privacy Notice was received. 

The signature does not affirm that the patient understands what is in the Notice, or even that he/she has read it, just receipt of it.  In emergency situations, getting an acknowledgement can be deferred.

In addition to affirming that a patient has been made aware of his or her rights, this step is designed to provide an opportunity for discussion of patients' privacy questions and concerns.  Covered entities are obligated to have an adequate number of persons around who are knowledgeable enough to provide answers.

11. Patients' general rights

Patients have a set of specific rights with respect to their health records, which are listed in the following sections.  Beyond those, patients have a general right to appropriate privacy and security practices by any covered entity that uses or stores health information about them.

If patients believe that their privacy rights have been violated, they may file a complaint with the facility's privacy official -- a new position that HIPAA requires.  (Every covered entity, even the smallest clinic, must have someone designated to fill this role.) 

If unsatisfied with a local response, patients can also take their complaints to the federal agency charged with administering HIPAA: the US Department of Health and Human Services' Office for Civil Rights.  Usually there will also be a state-level agency to which privacy complaints may be directed.

12. Records rights: access, amendment

HIPAA's specific protections with respect to patients'  health records include:

  • A right to gain access to and obtain a copy of all one's health records (with some exceptions, such as psychotherapy notes).
     
  • A right to request corrections of errors found in those records -- or, alternatively, to include a statement of disagreement if the institution believes the information is correct (called the "right of amendment").

Such rights of access and amendment had existed in many if not most states, but are now national.  (Unfortunately, in many if not most states where such rights existed, patients were not well informed about them.)

13. Records rights: disclosure accounting

Patients' records rights also include:

  • A right to receive an accounting of disclosures of one's health information -- that is, a list of the persons and institutions to whom/which it has been disclosed, and for what purpose.

This right is considerably less expansive than it might first appear.  Disclosures for the very broad categories of treatment, payment and health care operations do not need to be part of the accounting.  (More on that below.)  Neither do disclosures that the patient has specifically authorized.

It should be noted that many states have also mandated some form of disclosure accounting, and many of those do not provide the same broad exceptions as HIPAA.   As with the other records rights, it is important to learn the rules that apply to the jurisdiction in which your organization operates if you have any responsibilities for preparing a disclosure accounting.

14. Records rights: limits on communications

Patients' records rights also include:

  • A right to request additional restrictions on how the covered entity uses or discloses health information the patient considers sensitive.
     
  • A right to request confidential communications -- that is, that communications about one's health information be made by an alternative means or at an alternative location (for example, to a different address or telephone number).

What is sensitive?  Whatever the individual patient considers so. 

Note that the first of these is only a right to ask.  Covered entities are not required to honor requests for additional restrictions/protections -- though they must abide by any extra provisions to which they agree.

By contrast, covered entities are bound to honor "reasonable requests" for confidential communications.

15. Records rights: limits on "additional" uses

Finally, patients' records rights include:

  • A right to have one's specific, written authorization obtained -- and the right to refuse it -- before health information is used or disclosed for "additional" purposes such as fundraising, marketing and research.

Note that not all fundraising, marketing and research requires authorization -- but much of it does.  The particular constraints on such additional uses are discussed extensively in the privacy series courses for fundraisers, marketers and researchers.  If you do those things, you need to take those courses.

16. HIPAA's information categories

It may help to clarify HIPAA's protections if you also understand that it divides up health information uses and disclosures into three major categories: 

(1) Those that can occur without any specific permission from the patient.

(2) Those that are allowed (or prohibited) simply on the basis of an oral assent (or refusal).

(3) Those that require specific, written permission.

Each of these is discussed in the following sections.

17. Permission-less uses and disclosures

The first category is the largest one.  HIPAA requires no permission from the patient to use or disclose information for "basic" functions, including treatment, payment, and a broad range of other core health care operations.

Neither does HIPAA require specific permission for a broad range of activities required by law, including

Be aware, however, that many states' laws do require explicit consent from the patient for some of these types of use or disclosure.   (As noted above, such "more restrictive" state laws remain in force.)   Where required by state law, the consent for information use or disclosure is often paired with the consent to be treated, and will include such details.

As noted repeatedly above, it is important to understand the particular rules for the jurisdiction in which your organization operates.

18. By-permission uses and disclosures

Even if you're not a data expert, you probably would have recognized that the vast majority of uses and disclosures fall into the first category.

The second category is a much smaller one:  Inclusion or exclusion from facility directories, and uses and disclosures to friends and family members involved in a person's care, can be permitted or limited based on oral agreement. 

Many organizations will still choose to get the patient to sign something about this.  But HIPAA requires only that the patient be asked orally.

Finally, in the third category, HIPAA does require that patients sign a specific authorization before information can be used or disclosed for some kinds of research, marketing and fundraising.

Health care institutions cannot condition treatment or payment for health care services on receiving a patient's authorization for things in this third category.

19. Who controls information decisions?

For those circumstances where the patient does retain control, HIPAA's general rule is a simple one:  If a person has a right to make a health care decision, then he/she has a right to control information associated with that decision.

Minor children and those who are incompetent may have their health information decisions made by a personal representative.  Typically that will be a parent in the case of a child.  (But be advised that states' rules for minors can be particularly complex.  Consult with a local expert if you have questions about a minor's health information rights.)

As you have just read, however, the patient remains in control of relatively few information uses and disclosures once they have entered the health care system.  What about all the areas where no consent or authorization from the patient is required? 

It's the covered entity's responsibility to have policies in place that comply with HIPAA's rules.  And, of course, to follow them.  A patient's most important protection is responsible, safe use of health information by the health care professionals who have access to it.  That was true before HIPAA and remains so now.

20. Isn't some information special?

Although the HIPAA restrictions on health information access depend primarily on the purposes for that access, the kind of information itself can also be relevant.

Beyond any information for which the patient makes a special confidentiality request, HIPAA currently extends extra protection to one kind of information: psychotherapy notes.  Separate authorization for release is required, and patients' access to this kind of information may sometimes be restricted.

By contrast, states' laws commonly extend special protection to many types of information -- e.g., data related to mental health, AIDS/HIV, STDs, genetic tests, and substance abuse.  In such cases, separate authorization is usually required.

The complexities and variability of state law preclude any summary here.   (Once again, you will need to consult a local expert for the details in your jurisdiction.)

21. Covered entities' obligations

The privacy obligations of covered entities are, unsurprisingly, a mirror of patients' rights. 

Privacy Notices must be created and distributed.  Direct treatment providers must attempt to obtain a signed acknowledgment of receipt of the Notice.

One or more privacy officials must be appointed to answer questions, handle complaints and administer all the paperwork associated with access, correction, accounting, etc. 

Most critically, privacy (and security) policies that reflect federal and state laws must be put in place.  The organization's workers must be trained on those policies and procedures.  As noted, that's one reason you're here.

22. Health care workers' obligations

If you work in a covered entity -- or are, as a health care provider, one yourself -- you have personal obligations under the law. 

The big three are these:

  • Use or disclose protected health information (PHI) only for work-related purposes.
     
  • Limit uses and disclosures of PHI to the minimum necessary to achieve the work purposes.
     
  • Otherwise exercise reasonable and appropriate caution, to protect all the PHI under your control.

Let's look at these three in a bit more depth before concluding the course....

23. Work-related purposes

This isn't really difficult conceptually, but it does seem to be a rule that many health care workers find difficult to follow at all times.

Use or disclosure of health information must be reasonably related to a legitimate work task.  That means, for example, that you cannot access health information to satisfy your curiosity about a colleague or about that famous patient who just checked in.

It's worth remembering that HIPAA provides severe sanctions for deliberate misuse of health information, particularly where there is an intent to harm others or achieve personal financial gain. States' statutes also commonly provide for penalties. 

Loss of one's job at the health facility is also very likely, even if the breach was simply to satisfy one's curiosity.

24. Minimum necessary

This is also just what it sounds like:  Uses and disclosures of health information should be what's reasonably required to get the job done under the circumstances, and no more.

Does this minimum necessary requirement mean you have to be perfect, and always get exactly the minimum every time?  No.  It means you need always to be careful, and exercise reasonable restraint.  Perfection isn't possible, and neither HIPAA nor state statutes expect perfection. 

It's understood that accidents happen -- or, to use HIPAA-speak, incidental uses and disclosures happen.  That's OK as long as the incidental disclosure was a by-product of an otherwise permitted use, you applied the minimum necessary standard, and reasonable safeguards were in place -- not if it was intentional, or the result of a failure to exercise reasonable caution.

25. Reasonable caution

That last point is worth stating one more time:  Reasonable caution is required when you access health information.  Clear negligence will not be excused by the law.  (And did we mention it can result in loss of employment?)

We know you're not stupid, of course.  But you will look stupid if you don't take the time to learn the privacy and security policies that apply to the job(s) you do.  You cannot follow rules that you do not know. 

As noted at the outset, federal and state privacy laws provide different restrictions depending on the purpose of your access.  That's why we have additional role-based privacy courses.

26. What to do if you find a problem

Fixing a privacy problem can be as simple as gently reminding a colleague about the rules.  If that doesn't do it, most supervisors are eager to fix problems, and will welcome your report. 

Alternatively, you can contact your organization's privacy official directly -- with a problem report, a complaint, or just a question.  But remember this:  You are obligated to report privacy problems that you cannot fix yourself.

HIPAA forbids intimidation or retaliation against both patients and workers for reporting a problem or filing a complaint.  However, if you lack confidence in your organization's ability or inclination to prevent harm to you, report your concerns anonymously -- either to your local privacy official or to the government.

27. If you remember nothing else

Here are the key points: 

(1) HIPAA provides a set of national "information rights" to all patients: access, amendment, disclosure accounting, restrictions requests, confidential communications and access to local and federal "complaint" resources. It also requires a Notice about those rights.

(2) HIPAA imposes a parallel set of "information duties" on covered entities and the persons who work in/for them; everyone who handles health information is obligated to understand the specific rules that apply to their setting, and follow them in daily practice.

(3) Three basic rules will take you a long way:  use or disclose health information only for legitimate, work-related purposes; limit those uses and disclosures to the minimum necessary to achieve those purposes; and exercise reasonable caution, at all times, to protect the health information under your control.

For some of you, the basics presented here will be enough.  But, as noted at the outset, if you're engaged in clinical care, research, fundraising, marketing or a training program that uses health information, you need to go on to the privacy courses covering those activities.

•  •  •  •  •

Help us make this course better -- take the online course evaluation. The quiz for this course is here.

•  •  •  •  •


   © 2002-2006 Contributing authors and University of Miami School of Medicine