to supplemental content are provided, should you wish
to read more about a particular topic. This
extra material is optional. It is not covered on
the associated course quiz. The supplemental content
will usually be presented in a new browser window, which you
may close at any time.
For the recommended reading sequence for these materials,
see the HIPS Series Overview.
Approximate reading time for this course is 24 minutes (exclusive
of linked content). The quiz for this course is here.
1. Why are you here?
We know your time is valuable. We want you to understand
why you have been directed to spend time reading these materials.
Privacy protections for health information are required by
federal laws such as HIPAA,
and by most states' statutes as well. Private organizations
that certify health care facilities, like JCAHO,
also require privacy protections. And almost all health
professions organizations have provisions about privacy in
As part of these protections, it is required
that health care organizations provide basic training in privacy laws
and regulations to their workers. That's why
you are here.
2. What's in it for you?
Unfortunately, even an overview of health privacy protections
in the US can be a bit complex. Do not despair.
We provide you with a lot of information in this and
subsequent courses in the privacy series, but we do not expect
that you will remember every detail. Retaining
the main points will be enough.
If at times it seems a bit abstract -- and, truth to
tell, more than a bit boring -- remember that we are
also discussing your privacy rights when
you are a patient. Everyone, sooner or later, is a patient
in a health care facility somewhere. Being knowledgeable
will help assure that you receive all the privacy protections to
which you (or someone you care about) are entitled.
Health information systems are more efficiently networked
together every day. Consequently, the privacy of each
person's health information depends on more people every day.
People just like you. The time-honored Golden
Rule applies here: Try to give the health information
under your control the same respect for privacy that you'd
like for your own.
3. "Privacy" vs. "security"
This course provides an introduction to federal and state
privacy requirements. Privacy has many
common meanings -- here it refers to the rules about
who can access health information, and under what circumstances.
(For more on the definitions of privacy, click here.)
In addition to this introductory course, you may also need
to take privacy courses that are specific to the kinds of
work you do, such as clinical care, fundraising, marketing,
research or participation in a training program. Many
of the limitations on use and disclosure of health data depend
on the purpose
of your access.
You will probably need to take some information security
courses as well. Those describe techniques for safe
use of information systems and devices. Without
good information security practices, the privacy rules are
just empty promises. (For more on the definitions of
security, click here.)
4. Privacy law protections
You probably have already heard or read about HIPAA,
the law that provides federal (national) protections
for health information. HIPAA's regulations cover every
person who receives care in a US health care facility.
States have long had laws and regulations addressing
the privacy of health information. HIPAA's regulations
add a floor (minimum level) of safeguards to existing state
laws. State health privacy protections that are more
stringent than HIPAA's remain in effect.
Why were HIPAA's protections needed? Because
not all states have had adequate health privacy protections
in their laws. And even those with good laws sometimes
did a bad job of enforcing them.
5. Promoting an electronic world
Health care in the US is the most technologically advanced
on the planet. (That's why it's also the most expensive.)
So it may surprise you to learn that the US health sector
has been relatively slow to adopt electronic record-keeping.
It's true, however. Paper records are still common.
The computer-based records systems in use are typically un-standardized,
and so have trouble "talking" to each other. Not efficient.
And, in many cases, not very secure either.
HIPAA aims to remedy these problems. It has four
parts -- called "Rules" -- that set standards
for health information.
Two of the four Rules are focused on technical specifications:
the Transactions and Code Sets (TCS) Rule mandates standard formats
and coding for health data; the Identifier
(ID) Rule sets standards for unique identifiers
for health plans, employers, health practitioners and patients.
We won't cover the TCS and ID rules in this series,
but instead concentrate on the other two, which focus on privacy
and security. (If you want to know more about the TCS and
ID rules, follow the links above.)
6. Protecting an electronic world
Increased use of standardized electronic information may
make things more efficient, but it also is cause for more
privacy worries. Computers allow faster, easier access
to health records -- but both for good purposes and
bad ones. So there is a need for stricter privacy rules
governing use and disclosure.
The stakes for information security are raised too.
Losing a batch of paper records doesn't compare to the risks
if a computer or network is compromised. Thousands of
persons' health information can be put at risk by a single
compromise.
That's why HIPAA includes the set of national privacy regulations
we are discussing in this series -- called,
collectively, the Privacy
Rule. And why it also has a set of regulations devoted
to security issues -- a.k.a., the Security
Rule. (The latter Rule is discussed in the
security series courses.)
7. Who is covered by HIPAA?
Almost every organization that provides or pays for health
services, or exchanges health data of any kind, is within
the reach of HIPAA.
Health care providers (physicians, nurses, allied health
practitioners); health care facilities (hospitals, clinics);
health plans (HMOs, insurers); and health information clearinghouses
are what HIPAA calls covered entities.
HIPAA extends rights to every patient whose information is
collected, used or disclosed by such covered entities.
It imposes duties on covered entities -- and, by extension,
persons who work in or for covered entities -- in
order to secure those rights.
HIPAA reaches even to the business
associates of health institutions -- that is, to
companies that handle health data on a covered entity's behalf.
8. What is covered by HIPAA?
Under HIPAA, any information that is, or reasonably could
be, linked to an individual is protected
health information -- in HIPAA-speak, simply "PHI."
HIPAA defines PHI very broadly: It is anything related
to the "past, present or future physical or mental health
condition" of a person. Only de-identified
health information is excluded -- where every explicit
identifier of a person has been removed, as well as data that
could potentially establish a link via statistical techniques.
HIPAA's privacy provisions apply to protected health information
in "any form or medium." That means everything
containing PHI: paper records as well as electronic ones,
faxes, emails, exchanges in telephone conversations, and even
just talking face-to-face.
If it's health data, and it's identifiable, it's covered.
9. Notification of privacy practices
HIPAA's most visible change comes from its requirement that
patients be given a Notice
of Privacy Practices. This Notice must describe,
in general terms, how the covered entity will protect health
information. And it must clearly specify the patient's
rights under the law -- both federal HIPAA rights and any
stricter state protections.
A copy of the Notice of Privacy Practices must be provided
the first time a patient sees a direct
treatment provider -- that is, any provider that directly
interacts with the patient -- and any time thereafter when
requested by the patient or when the Notice changes.
Health plans and insurers must also provide periodic Notices
to their customers.
(If you have received services from a health care provider
in the last few years, you'll usually have been given a
Notice as part of the registration process. Take a look
at it the next time you're stuck in a waiting room.
It covers the same territory as this course, although not
always in particularly clear language.)
10. Acknowledgement of Notice
Direct treatment providers must make a good faith effort
to obtain an acknowledgement
-- by the patient's signature -- confirming that a copy
of the Privacy Notice was received.
The signature does not affirm that the patient understands
what is in the Notice, or even that he/she has read it, just
receipt of it. In emergency situations, getting an acknowledgement
can be deferred.
In addition to affirming that a patient has been made aware
of his or her rights, this step is designed to provide an
opportunity for discussion of patients' privacy questions
and concerns. Covered entities are obligated to have
an adequate number of persons around who are knowledgeable
enough to provide answers.
11. Patients' general rights
Patients have a set of specific rights with respect to their
health records, which are listed in the following sections.
Beyond those, patients have a general right to appropriate
privacy and security practices by any covered entity that
uses or stores health information about them.
If patients believe that their privacy rights have been violated,
they may file a complaint with the facility's privacy
official -- a new position that HIPAA requires.
(Every covered entity, even the smallest clinic, must
have someone designated to fill this role.)
If unsatisfied with a local response, patients can also take
their complaints to the federal agency charged with administering
HIPAA: the US Department of Health and Human Services' Office
for Civil Rights. Usually there will also be a state-level
agency to which privacy complaints may be directed.
12. Records rights: access, amendment
HIPAA's specific protections with respect to patients'
health records include:
- A right to gain
access to and obtain a copy of all one's health records
(with some exceptions, such as psychotherapy notes).
- A right to request
corrections of errors found in those records --
or, alternatively, to include a statement of disagreement
if the institution believes the information is correct
(called the "right of amendment").
Such rights of access and amendment had existed in many
if not most states, but are now national. (Unfortunately,
in many if not most states where such rights existed, patients
were not well informed about them.)
13. Records rights: disclosure accounting
Patients' records rights also include:
- A right to receive
an accounting of how one's health information has
been used -- that is, a list of the persons and institutions
to whom/which it has been disclosed.
This right is considerably less expansive than it might first
appear. Disclosures for the very broad categories of treatment,
payment and health care operations do not need to be part of the accounting.
(More on that below.) Neither do disclosures that the
patient has specifically authorized.
It should be noted that many states have also mandated
some form of disclosure accounting, and many of those do not
provide the same broad exceptions as HIPAA. As
with the other records rights, it is important to learn the
rules that apply to the jurisdiction in which your organization
operates if you have any responsibilities for preparing an
accounting.
14. Records rights: limits on communications
Patients' records rights also include:
- A right to request additional restrictions on the use or
disclosure of information the patient regards as sensitive.
- A right to request confidential communications -- for example,
that the provider contact the patient only by a particular
means or at a particular location.
What is sensitive? Whatever the individual patient considers
sensitive.
Note that the first of these is only a right to ask.
Covered entities are not required to honor requests for additional
restrictions/protections -- though they must abide by any
extra provisions to which they agree.
By contrast, covered entities are bound to honor "reasonable
requests" for confidential communications.
15. Records rights: limits on "additional" uses
Finally, patients' records rights include:
- A right to decide, by written authorization, whether one's
health information may be used or disclosed for "additional"
purposes such as fundraising, marketing and research.
Note that not all fundraising, marketing and research requires
authorization -- but much of it does. The particular
constraints on such additional uses are discussed extensively
in the privacy series courses for fundraisers, marketers
and researchers. If you do those things, you need to
take those courses.
16. HIPAA's information categories
It may help to clarify HIPAA's protections if you also understand
that it divides up health information uses and disclosures
into three major categories:
(1) Those that can occur without any specific permission
from the patient.
(2) Those that are allowed (or prohibited) simply on the
basis of an oral assent (or refusal).
(3) Those that require specific, written permission.
Each of these is discussed in the sections that follow.
17. Permission-less uses and disclosures
The first category is the largest one. HIPAA requires
no permission from the patient to use or disclose information
for "basic" functions, including treatment, payment,
and a broad range of other core health care operations.
Neither does HIPAA require specific permission for a broad
range of activities required by law.
Be aware, however, that many states' laws do
require explicit consent from the patient for some of
these types of use or disclosure. (As noted above,
such "more restrictive" state laws remain in force.)
Where required by state law, the consent for information use
or disclosure is often paired with the consent to be
treated, and will include such details.
As noted repeatedly above, it is important to understand
the particular rules for the jurisdiction in which your organization
operates.
18. By-permission uses and disclosures
Even if you're not a data expert, you probably would have
recognized that the vast majority of uses and disclosures
fall into the first category.
The second category is a much smaller one: Inclusion
or exclusion from facility
directories, and uses and disclosures to friends and family
members involved in a person's care, can be permitted or limited
based on oral agreement.
Many organizations will still choose to get the patient to
sign something about this. But HIPAA requires only
that the patient be asked orally.
Finally, in the third category, HIPAA does require that patients
sign a specific authorization before information can be used
or disclosed for some kinds of research, fundraising and marketing.
Health care institutions cannot condition treatment or payment
for health care services on receiving a patient's authorization
for things in this third category.
19. Who controls information decisions?
For those circumstances where the patient does retain control,
HIPAA's general rule is a simple one: If a person has
a right to make a health care decision, then he/she has a
right to control information associated with that decision.
Minor children and those who are incompetent may have their
health information decisions made by a personal
representative. Typically that will be a parent
in the case of a child. (But be advised that states'
rules for minors can be particularly complex. Consult
with a local expert if you have questions about a minor's
health information rights.)
As you have just read, however, the patient remains in control of
relatively few information uses and disclosures once
they have entered the health care system. What about
all the areas where no consent or authorization from
the patient is required?
It's the covered entity's responsibility to have policies
in place that comply with HIPAA's rules. And, of course,
to follow them. A patient's most important protection
is responsible, safe use of health information by the health
care professionals who have access to it. That was true
before HIPAA and remains so now.
20. Isn't some information special?
Although the HIPAA restrictions on health information access
depend primarily on the purposes for that access, the kind
of information itself can also be relevant.
Beyond any information for which the patient makes a special
confidentiality request, HIPAA currently extends extra protection
to one kind of information: psychotherapy
notes. Separate authorization for release is required,
and patients' access to this kind of information may sometimes
be restricted.
By contrast, states' laws commonly extend special protection
to many types of information -- e.g., data related to mental
health, AIDS/HIV, STDs, genetic tests, and substance abuse.
In such cases, separate authorization is usually required.
The complexities and variability of state law preclude any
summary here. (Once again, you will need to consult
a local expert for the details in your jurisdiction.)
21. Covered entities' obligations
The privacy obligations of covered entities are, unsurprisingly,
a mirror of patients' rights.
Privacy Notices must be created and distributed. Direct
treatment providers must attempt to obtain a signed acknowledgment
of receipt of the Notice.
One or more privacy officials must be appointed to answer
questions, handle complaints and administer all the paperwork
associated with access, correction, accounting, etc.
Most critically, privacy (and security) policies that reflect
federal and state laws must be put in place. The organization's
workers must be trained on those policies and procedures.
As noted, that's one reason you're here.
22. Health care workers' obligations
If you work in a covered entity -- or are, as a health
care provider, one yourself -- you have personal obligations
under the law.
The big three are these:
- Use or disclose protected health information (PHI) only
for work-related purposes.
- Limit uses and disclosures of PHI to the minimum necessary
to achieve the work purposes.
- Otherwise exercise reasonable and appropriate caution,
to protect all the PHI under your control.
Let's look at these three in a bit more depth before concluding.
23. Work-related purposes
This isn't really difficult conceptually, but it does seem
to be a rule that many health care workers find difficult
to follow at all times.
Use or disclosure of health information must be reasonably
related to a legitimate work task. That means, for example,
that you cannot access health information to satisfy your
curiosity about a colleague or about that famous patient who
just checked in.
It's worth remembering that HIPAA provides severe
sanctions for deliberate misuse of health information,
particularly where there is an intent to harm others or achieve
personal financial gain. States' statutes also commonly provide
penalties for such misuse.
Loss of one's job at the health facility is also very likely,
even if the breach was simply to satisfy one's curiosity.
24. Minimum necessary
This is also just what it sounds like: Uses and disclosures
of health information should be what's reasonably required
to get the job done under the circumstances, and no more.
Does this minimum
necessary requirement mean you have to be perfect, and
always get exactly the minimum every time? No.
It means you need always to be careful, and exercise reasonable
restraint. Perfection isn't possible, and neither HIPAA
nor state statutes expect perfection.
It's understood that accidents happen -- or, to use
HIPAA's term, "incidental" uses and disclosures happen. That's OK as long as
it wasn't intentional, or a result of failure to exercise
reasonable caution.
25. Reasonable caution
That last point is worth stating one more time: Reasonable
caution is required when you access health information.
Clear negligence will not be excused by the law. (And
did we mention it can result in loss of employment?)
We know you're not stupid, of course. But you will
look stupid if you don't take the time to learn the privacy
and security policies that apply to the job(s) you do.
You cannot follow rules that you do not know.
As noted at the outset, federal and state privacy laws
provide different restrictions depending on the purpose of
your access. That's why we have additional role-based
courses.
26. What to do if you find a problem
Fixing a privacy problem can be as simple as gently reminding
a colleague about the rules. If that doesn't do it,
most supervisors are eager to fix problems, and will welcome
your report.
Alternatively, you can contact your organization's privacy
official directly -- with a problem report, a complaint,
or just a question. But remember this: You
are obligated to report privacy problems that you cannot fix
yourself.
HIPAA forbids intimidation
or retaliation against both patients and workers for reporting
a problem or filing a complaint. However, if you lack
confidence in your organization's ability or inclination to
prevent harm to you, report your concerns anonymously --
either to your local privacy official or to the government.
27. If you remember nothing else
Here are the key points:
(1) HIPAA provides a set of national "information rights"
to all patients: access, amendment, disclosure accounting,
restrictions requests, confidential communications and access
to local and federal "complaint" resources. It also requires
a Notice about those rights.
(2) HIPAA imposes a parallel set of "information duties" on
covered entities and the persons who work in/for them; everyone
who handles health information is obligated to understand
the specific rules that apply to their setting, and follow
them in daily practice.
(3) Three basic rules will take you a long way: use
or disclose health information only for legitimate, work-related
purposes; limit those uses and disclosures to the minimum
necessary to achieve those purposes; and exercise reasonable
caution, at all times, to protect the health information under
your control.
For some of you, the basics presented here will be enough.
But, as noted at the outset, if you're engaged in clinical
care, research, fundraising, marketing or a training program
that uses health information, you need to go on to the privacy
courses covering those activities.