HIPAA Privacy Standard Background
This topic provides a basic reference to the Privacy Standard provisions that HIPAA Guard addresses. It assumes the user is familiar with the HIPAA provisions that are applicable to his or her job. This section does not provide legal guidance or advice. For details or questions, refer directly to the Standard, or consult a legal professional. The relevant sections of the standard are indicated in parentheses below.
Use and Disclosure Requiring Authorization (164.508)
- A covered entity may not use or disclose protected health information without a valid authorization, except where otherwise permitted for treatment, payment and operations (refer to Standard 164.506 and 164.508).
- A valid authorization must contain the following core elements:
  - A description of the information to be used or disclosed,
  - The identification of the person authorized to make the use or disclosure,
  - The identification of the person or class of persons to whom the covered entity may make the use or disclosure,
  - A description of the purpose of the use or disclosure,
  - An expiration date or event that relates to the individual or purpose of the use or disclosure, and
  - The signature of the individual (or individual's representative) and date.
- A valid authorization must contain the following required statements:
  - The individual's right to revoke the authorization in writing, including exceptions to the right to revoke and a description of how to revoke,
  - The ability or inability of the covered entity to condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization,
  - The potential for disclosed information to be subject to redisclosure by the recipient and no longer be protected by the regulations of the Privacy Standard, and
  - If the authorization is for marketing purposes and the marketing involves direct or indirect remuneration to the covered entity, that such remuneration is involved.
- If the covered entity seeks an authorization from an individual (as opposed to the individual initiating the authorization), the covered entity must provide the individual with a copy of the signed authorization.
Use and Disclosure for Treatment, Payment or Operations (164.506), and Notice of Privacy Practices (164.520)
The following text outlines the general content and procedures provided by the HIPAA Privacy Standard with regard to Consents, Privacy Notices and documenting the patient's Acknowledgement of having been given a Privacy Notice.
- A covered entity may use and disclose information for treatment, payment or health care operations, except with respect to certain specific types of content or purposes (psychotherapy notes or marketing; refer to Standard 164.508(a)(2) and (3)). Specifically, a covered entity may:
  - Use or disclose protected health information for its own treatment, payment or health care operations,
  - Disclose protected health information for treatment activities of another health care provider,
  - Disclose protected health information to another covered entity or a health care provider for the payment activities of the entity that receives the information, and
  - Disclose protected health information to another covered entity for health care operations activities of the entity that receives the information.
- A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment or health care operations.
- Obtaining a consent is not effective to permit use or disclosure of protected health information for purposes that require an authorization.
- An individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, the individual's rights and the covered entity's legal duties with respect to protected health information.
- A covered entity must make this notice available on request to any person, and to the individual under certain specific circumstances (refer to Standard 164.520). In particular, a covered entity who is a health care provider with a direct treatment relationship must:
  - Provide the notice no later than the date of the first service delivery, have the notice available for individuals to take with them, and post the notice in a prominent place;
  - Make a good faith effort to obtain a written acknowledgment of receipt of the notice, and if a receipt is not obtained, document its good faith efforts to obtain such acknowledgment and the reason why the acknowledgment was not obtained; and
  - In an emergency treatment situation, provide the notice as soon as reasonably practicable.
Right to Request Restriction on Uses and Disclosures (164.522)
- A covered entity must permit an individual to request that the entity restrict uses and disclosures of protected health information to carry out treatment, payment or health care operations, and uses and disclosures that require an individual be provided with the opportunity to object (refer to Standard 164.510).
- The covered entity is not required to agree to a requested restriction.
- If the covered entity agrees to a requested restriction, it may not use or disclose protected health information in violation of the agreed upon restriction, except in the event that the restricted information is required for treatment of the individual in the event of an emergency.
- If such an emergency forces disclosure of restricted information, the covered entity must request that the health care provider to whom the information was disclosed not further use or disclose the restricted information.
- The covered entity may terminate its agreement to a restriction, if:
  - Requested or agreed to by the individual in writing,
  - The individual orally agrees to termination and the oral agreement is documented, or
  - The covered entity informs the individual that it is terminating the agreement.
- When a restriction is terminated by the covered entity of its own accord, such termination is effective only with respect to protected health information created or received after it has informed the individual of the termination.
- When a covered entity agrees to a restriction, it must document that restriction.
Right to Access to Protected Health Information (164.524)
- Except under specific circumstances (refer to the Standard), an individual has a right of access to inspect and obtain a copy of protected health information about that individual, for as long as the protected health information is maintained in the entity's designated record set. The covered entity may require the individual to submit such a request in writing, provided the covered entity informs the individual of this requirement.
- The covered entity may deny an individual's request for access under certain specific circumstances (refer to the Standard). Certain denials can be made without recourse for review, and certain denials can be made for which the individual has the right to request a review (refer to the Standard). If access is denied on grounds for which an individual has a right to review, the individual has a right to have the denial reviewed by a licensed health care professional designated by the covered entity to act as a reviewing official.
- The covered entity must act upon an individual's request for access no later than 30 days after receipt of such a request (or 60 days if the information is not maintained on site). If unable to take action within that time period, the covered entity may extend the time period by 30 days, provided it informs the individual of the reasons for the delay in writing within the original time period.
- If the covered entity accepts the request for access:
  - The covered entity must provide the access requested by the individual, including inspection or obtaining a copy, or both.
  - The covered entity must provide the access in the form and format requested by the individual, if readily producible. Otherwise, the two may agree on a workable form and format. If agreed by the individual, the covered entity may provide a summary or explanation for a fee. If the individual requests a copy of the protected health information, the covered entity may charge a reasonable, cost-based fee for copying and/or postage.
- If the covered entity denies the access request, in whole or in part:
  - The covered entity must provide access to any other information after excluding the information for which the covered entity has grounds for denial.
  - The covered entity must provide the individual with a timely, written denial, including:
    - the basis for the denial,
    - the individual's right to have the information reviewed, if applicable, and how to exercise those rights, and
    - the procedure by which the individual may complain to the covered entity.
- If the covered entity does not maintain the requested information subject to the individual's request, the covered entity must inform the individual where to direct the request if it knows where that information is maintained.
- If the individual has requested a review of a denial based on reviewable grounds, the covered entity must promptly refer this request to the designated reviewing official, and after such review, must promptly provide written notice to the individual of the determination of the reviewing official, and take the appropriate action to carry out that determination.
- The covered entity must document the designated record sets that are subject to access, and the title of the person who receives and processes the access request.
Right to Amend Records (164.526)
- An individual has the right to request a covered entity to amend protected health information or other records about that individual, for as long as the protected health information is maintained in the entity's designated record set. The covered entity may require the individual to submit such a request in writing, and to provide a reason for the request, provided the entity informs the individual of this requirement.
- The covered entity may deny an individual's request for amendment under certain specific circumstances (refer to the Standard).
- The covered entity must act upon an individual's request no later than 60 days after receipt of such a request. If unable to take action within that time period, the covered entity may extend the time period by 30 days, provided it informs the individual of the reasons for the delay in writing within the original time period.
- If the covered entity accepts the request for amendment:
  - The covered entity must make the appropriate amendment to the protected health information or record(s) subject to the request, at the minimum by appending or linking the amendment to the affected record(s).
  - The covered entity must inform the individual in a timely manner that the amendment is accepted and obtain the individual's identification of and agreement to notify relevant persons with whom this amendment needs to be shared.
  - The covered entity must make reasonable efforts to inform and provide a notice of amendment to those persons identified by the individual, as well as anyone else whom the covered entity knows possesses the protected health information subject to the amendment.
- If the covered entity denies the amendment request, in whole or in part:
  - The covered entity must provide the individual with a timely, written denial, including:
    i. the basis for the denial,
    ii. the individual's right to submit a written statement disagreeing with the denial, and how to file such a statement,
    iii. a statement that the individual may request that a copy of the amendment request and its denial be included with any future disclosures of the information subject to the amendment request, and
    iv. the procedure by which the individual may complain to the covered entity.
  - The covered entity must permit the individual to submit a written statement disagreeing with the denial.
  - The covered entity may prepare a written rebuttal statement. If the covered entity does so, it must provide a copy of the rebuttal to the individual who submitted the statement of disagreement.
  - The covered entity must, at a minimum, append or link to the appropriate record(s) the individual's request for amendment, denial of the request, statement of disagreement (if any), and rebuttal statement (if any).
  - If a statement of disagreement has been made, the covered entity must provide all of this information with any future disclosures of the protected health information to which the disagreement relates.
  - If a statement of disagreement has not been made, but the individual has so requested, the covered entity must provide all of the information about the amendment request and its denial with any future disclosures.
- If the covered entity receives a notice of amendment from another covered entity, the covered entity must amend the protected health information in its own record(s), in the same manner as if it had accepted the amendment request directly from the individual.
- The covered entity must document the amendment request and the title of the person who receives and processes the amendment request.
Right to An Accounting of Disclosures of Protected Health Information (164.528)
- An individual has a right to receive an accounting of the disclosures made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures:
  - To carry out treatment, payment and health care operations,
  - To the individuals about themselves,
  - Of specifically permitted information as specified in 164.502,
  - Pursuant to an authorization,
  - For the facility's directory,
  - For national security,
  - To correctional institutions or law enforcement officials,
  - As part of a limited data set (containing de-identified information) as specified in 164.514(e), or
  - That occurred prior to the compliance date (April 2003).
- The covered entity must act on the individual's request for an accounting no later than 60 days after receipt of such a request. If unable to provide the accounting within that time frame, the covered entity may extend the time frame by no more than 30 days, provided it provides the individual with a written statement of the reasons for the delay and the date by which it will comply.
- The first accounting within a twelve-month period must be provided without charge. The covered entity may charge a reasonable, cost-based fee for subsequent accountings within the same twelve-month period.
- Certain restrictions apply to the process of providing an individual with an accounting of disclosures to law enforcement officials and health oversight organizations (refer to Standard 164.528(a)(2)).
- The accounting of disclosures to an individual must include for each disclosure:
  - The date of the disclosure,
  - The name of the person or entity who received the protected health information, and the address if known,
  - A brief description of the protected health information disclosed, and
  - A brief description of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or else a copy of a written request for that disclosure.
- In the event of multiple disclosures to the same entity for the same purpose, or disclosures of information about multiple individuals for research purposes, certain other types of information may be required (refer to Standard 164.528(d)(3) and (4)).
- Some disclosures require the covered entity to provide the individual with an opportunity to agree or object in advance (refer to Standard 164.510).
- Some disclosures do not require prior authorization or the opportunity to agree or object (refer to Standard 164.512).
- Certain restrictions apply with respect to the "minimum necessary" rule for information allowed and the "limited data set" rule for disclosure of de-identified data (refer to Standard 164.514).