The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that standardizes the electronic exchange of administrative and financial data related to health care (HIPAA, 1996). To achieve its primary purpose, administrative simplification of electronic health care transactions, Congress authorized the U.S. Department of Health and Human Services (DHHS) to write standards to protect the privacy of individually identifiable health information, so-called protected health information (PHI).
The standards are found in the U.S. Code of Federal Regulations (CFR) and collectively are called the Standards for Privacy of Individually Identifiable Health Information, in short, the "Privacy Rule." DHHS explained that whereas "[p]rivacy is a fundamental right…[i]ndividuals' right to privacy in information about themselves is not absolute" (Federal Register, 2000, p. 82464). As a result, HIPAA's Privacy Rule balances patients' desire for medical privacy with the legitimate needs of health care providers, employers, researchers, public health officials, and law enforcement officials.
The purpose of this article is to aid clinicians by answering questions about the Privacy Rule requirements and describing when clinicians should obtain authorizations and/or maintain an accounting of disclosures. Clinicians should receive HIPAA education from their employers, and should consult with their institution's Privacy Officer if they have specific questions.
To understand the law as it applies to communication among health care providers, it is important to understand how HIPAA defines "covered entity," "health care provider," and "health care."
First, HIPAA applies only to "covered entities." With few exceptions, you are a covered entity if you are (or are employed by) a health plan, a health care clearinghouse, or a health care provider that transmits any health information electronically. Second, you are a "health care provider" if you provide health services, or you are "any other person or organization who furnishes, bills, or is paid for health care in the normal course of business." Third, "health care" means "care, services, or supplies related to the health of an individual" and includes "preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body" (45 CFR 160.103).
In short, if you are (or are employed by) a covered entity, HIPAA's Privacy Rule applies to you.
Protected Health Information
The Privacy Rule is intended to prevent covered health care providers from using or disclosing health information without patients' authorization or other legal authority. Under HIPAA's Privacy Rule, individually identifiable health information is PHI that is transmitted or maintained in any form or medium. Individually identifiable health information is PHI whether you create it or receive it (45 CFR 164.501). PHI is information about an individual, including demographic information, that relates to the individual's past, present, or future health or condition, the care provided, or the payment history of the individual (45 CFR 160.103).
Individual identifiers are: names; geographic identifiers smaller than a state (e.g., street address, city, zip code); dates related to an individual (e.g., birth date, admission date); telephone numbers; fax numbers; e-mail addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers, serial numbers, license plates; device identifiers and serial numbers; Web universal resource locators (URLs); Internet protocol (IP) address numbers; biometric identifiers, including fingerprints and voiceprints; full-face photographic images; or any other unique identifying number, characteristic, or code (45 CFR 164.514[b]).
HIPAA is a federal law that applies to both private and public "covered entities." HIPAA supersedes state law governing privacy of individually identifiable health information (45 CFR 160.203), with the following exception: if state law is more stringent than HIPAA, then practitioners must observe the more stringent state law standard, in addition to the HIPAA rules (45 CFR 160.203[b]).
The Minimum Necessary Standard
The law stipulates that communications should adhere to the "minimum necessary" standard. This means simply that communication by you about a patient, whether within your employment setting or with outside consultants, should be "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request" (45 CFR 164.502[b]).
The minimum necessary requirement does not apply to all uses/disclosures of PHI. For example, it is permissible to use or disclose PHI if the use or disclosure is: for treatment, payment, and health care operations purposes; made to the individual patient; done with the patient's authorization; made to DHHS; required by law; or required for compliance purposes (45 CFR 164.502[b], 164.502[a], 164.508, 164.512[a]). The sidebar above addresses typical questions that arise in clinical practice.
Even though the minimum necessary rule does not apply if the use or disclosure of PHI pertains to treatment, payment, and health care operations, when in doubt, follow the minimum necessary rule. Lastly, if all identifiers are removed, the information no longer qualifies as PHI, and therefore PHI restrictions do not apply (45 CFR 164.514[a]).
Notice and Permitted Disclosures
The Privacy Rule requires that all patients receive a standard Notice of Privacy Practices that must include "the types of uses and disclosures that the covered entity is permitted…to make for each of the following purposes: treatment, payment, and health care operations" (45 CFR 164.520[b][ii][A]). Importantly, as a health care provider, you are explicitly permitted to use or disclose PHI for "treatment, payment, or health care operations" (45 CFR 164.502[a]). When the use or disclosure is for treatment, the health care provider may, but is not required to, obtain consent (authorization) for each disclosure (45 CFR 164.506[b]).
Authorizations for Disclosures Outside a Covered Entity
When PHI is disclosed (released) to organizations outside of a "covered entity," health care providers must adhere to the Privacy Rule's requirements regarding authorizations, disclosures, and accounting for disclosures. As a covered entity, a health care provider need not obtain patients' authorization for disclosures of PHI for treatment purposes, or when disclosures are authorized by law for public health or law enforcement purposes. However, an accounting of such disclosures may be required, depending on the situation.
An authorization, a disclosure, and an accounting for disclosures are interrelated in the Privacy Rule, and the Privacy Rule specifies different requirements for each of these functions in different situations. In other words, if you release or disclose PHI, orally or in writing, to someone outside your covered entity, you may need to obtain authorization and account for these disclosures, depending on what you disclose, to whom, and why. The Table (see Authorizations and Accounting for Disclosures [PDF format]) outlines common types of disclosures to illustrate when patient authorization (consent) is required, and whether the covered entity must account for the disclosure.
At first glance, HIPAA appears to be a complicated and daunting set of rules for both clinicians and researchers.
Understanding HIPAA requires an appreciation of Congress's intent, namely, to streamline the administration of health care in the age of electronic technology, while protecting patients' legitimate privacy interests.