Privacy Rule Overview

The HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164; Subpart E is the Privacy Rule proper, Part 160 and Subpart A carry the definitions and general provisions) establishes national standards for protecting individually identifiable health information. It applies to PHI in any form or medium: paper, electronic, or oral.

Privacy Rule Effective Dates

Compliance required: April 14, 2003 (most covered entities; small health plans had until April 14, 2004)
Amended by: HITECH Act (2009) and the HIPAA Omnibus Final Rule (2013)
Applies to: Covered Entities (health plans, healthcare clearinghouses, and providers that transmit standard transactions electronically) and Business Associates, who are bound contractually through BAAs and, since the Omnibus Rule, directly liable for the provisions that apply to them

What is PHI?

Protected Health Information (PHI) is individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or medium. It includes:

  • Information created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse
  • Information that relates to an individual's past, present, or future physical or mental health condition, the provision of healthcare to the individual, or payment for that healthcare
  • Information that identifies the individual, or for which there is a reasonable basis to believe it could be used to identify them

PHI excludes employment records a covered entity holds in its role as an employer, education records covered by FERPA, and information about a person who has been deceased for more than 50 years.

The 18 Identifiers

These are the identifiers listed in the Safe Harbor de-identification method (45 CFR 164.514(b)(2)). Health information carrying any of them (about the individual or about the individual's relatives, employers, or household members) is identifiable, and all 18 must be removed before data can be treated as de-identified:

  1. Names
  2. Geographic subdivisions smaller than a state (street address, city, county, ZIP code), except the first three digits of a ZIP code when that three-digit area contains more than 20,000 people
  3. All elements of dates (except year) directly related to an individual (birth, admission, discharge, death), plus any age over 89 and any date element indicating such an age (these may be aggregated into a single "90 or older" category)
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers, including finger and voice prints
  17. Full-face photographs and any comparable images
  18. Any other unique identifying number, characteristic, or code

Removing the 18 identifiers is only half of Safe Harbor: the covered entity must also have no actual knowledge that the remaining information could be used, alone or with other data, to identify the individual. The alternative method is Expert Determination, in which a qualified expert documents that the risk of re-identification is very small.
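As an added example (not part of the original page), the following Python script applies the Safe Harbor rules above to a flat record: direct identifiers are dropped, dates are reduced to the year, ages over 89 are collapsed into a "90+" category, ZIP codes are truncated to three digits (or zeroed for low-population prefixes), and free-text fields are scanned for identifiers that the field list alone would miss. The field names, the category mapping and the sample record are assumptions chosen for illustration; the low-population ZIP prefix set is the one published in HHS de-identification guidance and should be checked against current guidance before use.

```python
from __future__ import annotations

import re
from datetime import date

# Three-digit ZIP prefixes that HHS guidance (based on the 2000 census)
# lists as covering 20,000 or fewer people; Safe Harbor requires these to
# become 000. Confirm this set against current HHS guidance before use.
LOW_POP_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                "823", "830", "831", "878", "879", "884", "890", "893"}

# Assumed field names for direct identifiers; these are removed outright.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "member_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "fingerprint", "photo",
}

# Assumed date fields; only the year survives.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

# Identifier patterns that commonly leak into free-text fields such as notes.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
]


def safe_harbor_zip(zip_code: str) -> str:
    """Keep only the first three digits; low-population prefixes become 000."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(zip3) < 3 or zip3 in LOW_POP_ZIP3 else zip3


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def redact_free_text(text: str) -> str:
    """Replace SSN, phone, e-mail and date patterns in free text with labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of a flat record."""
    over_89 = "dob" in record and age_on(record["dob"], as_of) > 89
    out: dict = {}
    for name, value in record.items():
        if name in DIRECT_IDENTIFIERS:
            continue
        if name in DATE_FIELDS:
            # Year only; a birth year that would reveal an age over 89 is dropped too.
            if not (name == "dob" and over_89):
                out[name] = value.year
        elif name == "zip":
            out[name] = safe_harbor_zip(value)
        elif isinstance(value, str):
            out[name] = redact_free_text(value)
        else:
            out[name] = value
    if "dob" in record:
        # Ages over 89 are aggregated into a single category.
        out["age"] = "90+" if over_89 else str(age_on(record["dob"], as_of))
    return out


# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "mrn": "MRN-0042",
    "email": "jane@example.com",
    "dob": date(1931, 5, 2),
    "admit_date": date(2024, 3, 14),
    "zip": "03601",
    "diagnosis": "E11.9",
    "notes": "Call 555-123-4567 or jane@example.com; follow-up 3/21/2024.",
}
AS_OF = date(2024, 3, 14)


def deidentify_sample() -> dict:
    return deidentify(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    for key, value in deidentify_sample().items():
        print(f"{key}: {value}")
```

Regex redaction of free text is a floor, not a guarantee: names, addresses and facility-specific identifiers in narrative notes will not match these patterns, which is why the "no actual knowledge" condition of Safe Harbor still has to be satisfied separately.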

The Minimum Necessary Standard

One of the Privacy Rule's core principles is that you should only use, disclose, or request the minimum amount of PHI needed to accomplish the intended purpose.

When Minimum Necessary Applies

  • Disclosures to other covered entities for payment or healthcare operations
  • Requests for PHI from other covered entities
  • Uses of PHI within the organization
  • Disclosures to business associates

Exceptions (Minimum Necessary Doesn't Apply)

  • Disclosures to or requests by healthcare providers for treatment
  • Disclosures to the individual who is the subject of the PHI
  • Uses or disclosures authorized by the individual
  • Disclosures to HHS for compliance investigations, reviews, or enforcement
  • Uses or disclosures required by law
  • Uses or disclosures required for HIPAA compliance

Implementing Minimum Necessary

Organizations must implement policies and procedures that:

  • Identify the persons or classes of persons in the workforce who need access to PHI to carry out their duties
  • Define the categories of PHI each role needs, and the conditions under which that access is appropriate
  • For routine, recurring disclosures and requests, apply standard protocols that limit PHI to what is reasonably necessary for the purpose
  • For non-routine disclosures and requests, review each one on a case-by-case basis against documented criteria
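One way to encode those steps as policy, added here as an example that is not from the page: each role maps to the PHI categories it needs and the purposes it may act for, each request is filtered down to the allowed fields, a treating provider's request for treatment is exempted as the standard requires, and withheld fields are recorded so over-broad requests can be audited. The roles, categories, field names and sample record are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed classification of each record field into a PHI category.
FIELD_CATEGORY = {
    "name": "demographics",
    "dob": "demographics",
    "address": "demographics",
    "diagnosis": "clinical",
    "medications": "clinical",
    "insurance_id": "payment",
    "claim_amount": "payment",
}

# Assumed role policy: the PHI categories each workforce class needs for
# its routine work (the "persons or classes" and "categories of PHI" steps).
ROLE_CATEGORIES = {
    "billing_clerk": {"demographics", "payment"},
    "quality_analyst": {"clinical"},
    "treating_clinician": {"demographics", "clinical", "payment"},
}

# Purposes each role may act for at all (the "conditions" step).
ROLE_PURPOSES = {
    "billing_clerk": {"payment"},
    "quality_analyst": {"operations"},
    "treating_clinician": {"treatment"},
}


@dataclass(frozen=True)
class Request:
    role: str
    purpose: str            # "treatment", "payment" or "operations"
    fields: frozenset[str]  # fields the requester asked for


@dataclass
class Decision:
    released: dict = field(default_factory=dict)
    withheld: list[str] = field(default_factory=list)  # kept for the audit log
    exempt: bool = False    # True when the treatment exception applied


def minimum_necessary(record: dict, req: Request) -> Decision:
    """Filter `record` down to what the requesting role needs for its purpose."""
    if req.purpose not in ROLE_PURPOSES.get(req.role, set()):
        # Role is not permitted to act for this purpose at all: release nothing.
        return Decision(withheld=sorted(req.fields))

    # Exception: a provider's request for treatment is not subject to minimum
    # necessary, so every requested field that exists is released.
    if req.purpose == "treatment" and req.role == "treating_clinician":
        wanted = sorted(req.fields)
        released = {f: record[f] for f in wanted if f in record}
        return Decision(released, [f for f in wanted if f not in record], exempt=True)

    allowed = ROLE_CATEGORIES[req.role]
    decision = Decision()
    for f in sorted(req.fields):
        if f in record and FIELD_CATEGORY.get(f) in allowed:
            decision.released[f] = record[f]
        else:
            decision.withheld.append(f)
    return decision


# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1980-01-01",
    "diagnosis": "E11.9",
    "medications": ["metformin"],
    "insurance_id": "PLAN-123",
    "claim_amount": 240.0,
}


def billing_example() -> Decision:
    """A billing clerk asks for more than payment needs; the medication list is withheld."""
    req = Request("billing_clerk", "payment",
                  frozenset({"name", "insurance_id", "claim_amount", "medications"}))
    return minimum_necessary(SAMPLE_RECORD, req)


def treatment_example() -> Decision:
    """A treating clinician's request for treatment: the exception applies."""
    req = Request("treating_clinician", "treatment", frozenset(SAMPLE_RECORD))
    return minimum_necessary(SAMPLE_RECORD, req)


def wrong_purpose_example() -> Decision:
    """A quality analyst requesting for payment purposes gets nothing."""
    req = Request("quality_analyst", "payment", frozenset({"diagnosis"}))
    return minimum_necessary(SAMPLE_RECORD, req)


if __name__ == "__main__":
    for label, decision in (("billing", billing_example()),
                            ("treatment", treatment_example()),
                            ("wrong purpose", wrong_purpose_example())):
        print(label, "released:", sorted(decision.released),
              "withheld:", decision.withheld, "exempt:", decision.exempt)
```

The `withheld` list is the useful output for a security team: a role that repeatedly requests fields outside its categories is either mis-provisioned or probing, and either way the policy table, not the requester, should be the thing that changes.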

Uses and Disclosures of PHI

The Privacy Rule distinguishes between "uses" (sharing, applying, examining, or analyzing PHI within the entity that holds it) and "disclosures" (releasing, transferring, or otherwise making PHI available to anyone outside that entity).

Permitted Uses and Disclosures (No Authorization Required)

Treatment, Payment, and Healthcare Operations (TPO)

The most common permitted uses:

  • Treatment: Providing, coordinating, or managing healthcare
  • Payment: Billing, claims, collections, eligibility verification
  • Healthcare Operations: Quality assessment, training, business planning, credentialing

Other Permitted Disclosures

  Category                  Description
  To the Individual         Individuals have a right to their own PHI
  Required by Law           Statutes, regulations, or court orders that compel the disclosure
  Public Health             Reporting diseases, injuries, births, deaths, and adverse events to public health authorities
  Health Oversight          Audits, investigations, inspections, licensure, and disciplinary actions
  Judicial/Administrative   Court orders, or subpoenas and discovery requests with satisfactory assurances to the individual
  Law Enforcement           Under specific, limited circumstances (e.g., a court order, identifying or locating a suspect or missing person, victims of a crime)
  Deceased Persons          To coroners, medical examiners, and funeral directors
  Organ Donation            For organ, eye, or tissue procurement, banking, or transplantation
  Research                  With an IRB or Privacy Board waiver of authorization, or under the other research provisions (limited data sets, reviews preparatory to research, decedents)
  Serious Threat            To prevent or lessen a serious and imminent threat to health or safety
  Workers' Comp             As required by workers' compensation laws

Most of these disclosures remain subject to the minimum necessary standard and to the specific conditions set out for each category in 45 CFR 164.512.

When Authorization is Required

For uses and disclosures not covered by TPO or other permitted categories, you must obtain the individual's written authorization.

Authorization Always Required For

  • Marketing communications (with exceptions)
  • Sale of PHI
  • Most uses of psychotherapy notes
  • Uses not otherwise permitted by the Privacy Rule

Valid Authorization Must Include

  • Description of the PHI to be used or disclosed
  • Name of the person or entity authorized to make the use or disclosure
  • Name of the person or entity to whom the disclosure may be made
  • Purpose of the use or disclosure ("at the request of the individual" is sufficient when the individual initiates it)
  • Expiration date or event
  • Individual's signature and date (and, if signed by a personal representative, a description of their authority)
  • Statement of the right to revoke in writing, and how to do so
  • Statement of whether treatment, payment, enrollment, or eligibility may be conditioned on signing (generally it may not)
  • Statement that information disclosed under the authorization may be re-disclosed by the recipient and may no longer be protected by the Privacy Rule

Individual (Patient) Rights

The Privacy Rule grants individuals several rights regarding their PHI:

Right to Access

  • Individuals can inspect and obtain copies of their PHI in a designated record set (excludes psychotherapy notes and information compiled for litigation)
  • Must respond within 30 days (one 30-day extension allowed, with written notice of the reason)
  • Must provide in the form and format requested if readily producible, including electronic copies of ePHI
  • Can charge only a reasonable, cost-based fee (labor for copying, supplies, postage); no charge for searching or retrieving the record
  • Very limited grounds for denial; some denials are reviewable by a licensed healthcare professional

Right to Amendment

  • Individuals can request amendments to their records
  • Must respond within 60 days (one 30-day extension allowed)
  • Can deny if the record is accurate and complete, was not created by the covered entity, or is not part of the designated record set
  • If denied, must allow the individual to file a statement of disagreement and link the request, the denial, and any statement to the record

Right to Accounting of Disclosures

  • Individuals can request a list of disclosures made
  • Excludes TPO, disclosures to the individual, disclosures made under an authorization, and some other categories
  • Covers the 6 years prior to the request
  • Must respond within 60 days (one 30-day extension allowed); the first accounting in any 12-month period is free

Right to Request Restrictions

  • Individuals can request restrictions on uses and disclosures
  • Covered entity is not required to agree, with one exception: it must honor a request not to disclose to a health plan information about an item or service the individual (or someone on their behalf) has paid for in full out of pocket, unless the disclosure is required by law
  • If it does agree, it must comply with the restriction

Right to Confidential Communications

  • Individuals can request to receive communications by alternative means or at alternative locations
  • Healthcare providers must accommodate reasonable requests; health plans must do so when the individual states that disclosure could endanger them
  • Example: Send mail to a work address instead of a home address

Right to Receive Notice

  • Individuals must receive the covered entity's Notice of Privacy Practices
  • Individuals must be notified of breaches of unsecured PHI (this duty comes from the separate Breach Notification Rule added by HITECH, not from the Privacy Rule itself)

Notice of Privacy Practices (NPP)

Covered entities must provide individuals with a Notice of Privacy Practices that explains how their PHI may be used and their rights.

NPP Must Include

  • How PHI may be used and disclosed
  • Individual's rights under the Privacy Rule
  • Covered entity's duties to protect PHI
  • How to file complaints with the covered entity or HHS
  • Contact information for more information
  • Effective date

Distribution Requirements

  • Health Plans: At enrollment, within 60 days of a material revision, and upon request; must remind members at least every 3 years that the notice is available
  • Healthcare Providers: At first service delivery (or as soon as practicable in an emergency) and upon request; must make a good faith effort to obtain written acknowledgment of receipt and document any failure to obtain it
  • All: Must post the notice prominently at the service site and on any website the entity maintains, and make it available on request

The Privacy Rule is fundamentally about giving individuals control over their health information while enabling necessary healthcare activities. Understanding uses, disclosures, and patient rights is essential for compliance.