HIPAA Privacy Rules

The purpose of the HIPAA Privacy Rules is to protect the confidentiality of patient healthcare and payment data in order to prevent abuse and fraud. Published by the Department of Health and Human Services as the “Standards for Privacy of Individually Identifiable Health Information”, the HIPAA Privacy Rules stipulate the permissible uses and disclosures of protected health information (“PHI”) and give individuals rights over their HIPAA PHI.

All health plans (with the exception of some employer health plans) and healthcare clearinghouses are required to comply with the HIPAA Privacy Rules, as are most healthcare providers and any Business Associates with whom PHI is shared. Failure to comply with the HIPAA Privacy Rules can incur significant civil monetary penalties – even if no unauthorized disclosure of PHI has occurred – and criminal penalties if the violation is knowing, under false pretenses, or for personal gain.

What Information is Covered by the HIPAA Privacy Rules?

Before discussing how the HIPAA Privacy Rules safeguard Protected Health Information (PHI), it is important to understand what information is covered by the HIPAA Privacy Rules to ensure Covered Entities (health plans, healthcare clearinghouses, and qualifying healthcare providers) and Business Associates protect the right information and avoid protecting information unnecessarily.

The Department of Health & Human Services (HHS) defines HIPAA PHI as individually identifiable health information that relates to:

  • An individual’s past, present, or future physical or mental health or condition,
  • The provision of health care to the individual, or
  • The past, present, or future payment for the provision of health care to the individual.

The HHS does not define which elements of individually identifiable health information should be protected (e.g., name, address, date of birth, etc.), and many compliance experts rely on the safe harbor standard for the de-identification of PHI (§164.514) to determine the eighteen elements (or “identifiers”) that should be protected from impermissible uses and disclosures. A list of the eighteen identifiers is included in the FAQs section at the end of this article.

It is important to note that the HIPAA Privacy Rules not only cover information relating to an individual, but also information that could identify a relative, employer, or household member when the identifiers are maintained in the same record set. Therefore, PHI might not only consist of the name, address, and date of birth of a patient, but also the telephone number of their employer or the license plate number of a partner’s car if the data is maintained in the same record set.

It is also important to note that, although other health information might not be considered protected under HIPAA, this is only the case when it is isolated from any other protected health information. For example, a data set of vital signs by itself does not constitute PHI. However, if the vital signs data set includes names, identifying numbers, or images that could reasonably identify an individual, the entire data set is considered PHI and must be protected.

How the HIPAA Privacy Rules Safeguard PHI

The HIPAA Privacy Rules specify the required and permissible circumstances when PHI can be disclosed to a third party without the authorization of the individual to whom the information relates. There are only two circumstances in which the disclosure of PHI is required – when requested by a patient or their personal representative, or when requested by a representative of HHS who is undertaking an audit, compliance investigation, or enforcement action.

By contrast, there are many circumstances in which the use or disclosure of PHI is permitted – but not required – by the HIPAA Privacy Rules. These include disclosures for treatment, payment, or health care operations, disclosures for public health or benefit activities (e.g., law enforcement, reports of neglect or abuse, health oversight activities, etc.), disclosures to comply with workers’ compensation laws, and disclosures in response to a subpoena or other lawful process.

All other uses and disclosures of PHI must be consented to by the patient – either through informal permission for uses such as inclusion in a hospital directory or formal written authorization if PHI is disclosed to (for example) an employer, a pharmaceutical company, or a marketing firm. If a patient or their legal representative is unable to provide their consent, a Covered Entity can use professional judgement to determine whether the disclosure is in the patient’s best interests.

Additionally, the Privacy Rule’s Administrative Requirements (§164.530) require Covered Entities to “reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of [the HIPAA Privacy Rules]”. The Administrative Requirements do not offer any guidance on how Covered Entities should “reasonably safeguard” PHI other than implementing “appropriate administrative, technical, and physical safeguards to protect the privacy of PHI”.

Individuals’ Rights over HIPAA PHI

HIPAA gives individuals the right to request copies of PHI maintained by Covered Entities and (importantly) Business Associates, to correct erroneous entries in their medical or insurance records, and to restrict who has access to their PHI beyond the required disclosures to HHS representatives. Individuals also have the right to transfer their PHI to another provider and to request an “accounting of disclosures” – which should contain not only details of who PHI has been shared with, but why.

The failure to comply with individuals’ rights (often referred to as patients’ rights) is one of the leading causes of complaints to the HHS’ Office for Civil Rights; and although the complaints are simple to resolve, the Office for Civil Rights has started imposing civil monetary penalties on healthcare providers who do not comply with this particular area of the HIPAA Privacy Rules. In 2021, more than a dozen HIPAA settlements related to violations of individuals’ rights – the largest settlement being for $200,000.

Compliance with the HIPAA Privacy Rules is Not HIPAA Compliance

Compliance with the HIPAA Privacy Rules alone does not make a Covered Entity or Business Associate HIPAA compliant. Covered Entities and Business Associates also have to comply with the HIPAA Security and Breach Notification Rules in order to comply with HIPAA.

The HIPAA Security Rules are a subset of the HIPAA Privacy Rules and have been developed to safeguard PHI when it is created, used, stored, or transmitted electronically. The Rules stipulate administrative, physical, and technical safeguards must be put in place to protect electronic PHI (ePHI) when in transit and at rest.

The Breach Notification Rules require Covered Entities to report breaches of unsecured ePHI to the individual(s) whose PHI has been exposed (or potentially exposed) and to the HHS’ Office for Civil Rights. In certain circumstances, it is also necessary to inform the local media of the data breach. The failure to report a breach in a timely manner can attract sanctions for HIPAA violations.

It is also important for Covered Entities to comply with the Rules relating to Business Associate Agreements. These contracts must – among other things – establish the permitted uses and disclosures of PHI by the Business Associate, require the Business Associate to implement appropriate safeguards to prevent unauthorized uses and disclosures of PHI, and require the Business Associate to report any uses or disclosures not provided for by the contract.

Possible Enforcement Actions for Breaches of HIPAA

It was mentioned above that the failure to comply with the HIPAA Privacy Rules can incur civil and criminal penalties. Although the HHS’ Office for Civil Rights prefers to resolve violations of HIPAA with technical assistance and corrective action plans, there are many examples of Covered Entities agreeing to multi-million dollar civil settlements and of employees being sentenced to prison for knowingly taking PHI under false pretenses or for personal gain.

When civil monetary penalties are imposed, the amount of the penalty depends on the level of culpability:

  • Tier 1: A violation that a Covered Entity or Business Associate was unaware of and that could not reasonably have been avoided even had an appropriate amount of care been taken.
  • Tier 2: A violation that a Covered Entity or Business Associate should have been aware of but could not have avoided even with a reasonable amount of care.
  • Tier 3: A violation suffered as a direct result of “willful neglect”, where the Covered Entity or Business Associate has made an attempt to correct the violation.
  • Tier 4: A violation of HIPAA law attributable to willful neglect, where no attempt has been made by the Covered Entity or Business Associate to correct the violation.

Minimum and maximum penalties for each Tier were originally determined by the “General Penalty for Failure to Comply with Requirements and Standards” provision included in the original text of HIPAA. However, the amount of the penalty (up to $100 per violation, to a maximum of $25,000 per year) was not a sufficient deterrent to non-compliant organizations, so the minimum and maximum penalties were increased significantly by the HITECH Act of 2009 and have since been adjusted for inflation. The 2024 minimum and maximum penalties for breaches of the HIPAA Privacy Rules are:

  Penalty Tier   Level of Culpability                           Min. Penalty per Violation   Max. Penalty per Violation   Annual Penalty Limit
  Tier 1         Lack of Knowledge                              $137                         $34,464                      $34,464
  Tier 2         Reasonable Cause                               $1,379                       $68,928                      $137,886
  Tier 3         Willful Neglect                                $13,785                      $68,928                      $344,638
  Tier 4         Willful Neglect not Corrected within 30 days   $68,928                      $68,928                      $2,067,813

In addition to the civil monetary penalties that can be imposed by the HHS’ Office for Civil Rights, State Attorneys General also have the authority to pursue enforcement action for breaches of the HIPAA Privacy Rules when the breach impacts a resident of the state. With regard to criminal proceedings, these are pursued by the Department of Justice if there is evidence to suggest PHI was “knowingly” disclosed without authorization, under false pretenses, or for personal gain.

Why Additional Training on the HIPAA Privacy Rules is Important

The HIPAA Privacy Rule requires Covered Entities to “train all members of the workforce on the policies and procedures in respect to PHI […] as necessary and appropriate for the members of the workforce to carry out their functions with the Covered Entity”. No training requirements other than the implementation of a security and awareness training program exist for Business Associates.

Often, complying with the minimum requirement to train members of the workforce on just the policies and procedures relevant to their functions is insufficient to prevent violations of the HIPAA Privacy Rules, because of the many ways in which personnel (maintenance teams, environmental services teams, marketing teams, etc.) can encounter PHI outside their usual functions.

Additional training on the HIPAA Privacy Rules can therefore prevent inadvertent and avoidable violations of HIPAA attributable to a lack of knowledge – especially for employees of Business Associates who may have to respond to requests by individuals for copies of their PHI or requests to amend erroneous information in their insurance or medical records.

Because Covered Entities and Business Associates differ in what they do and how they do it, there is no “one-size-fits-all” training on the HIPAA Privacy Rules. However, on our HIPAA training requirements page, we have suggested several training modules that are appropriate for members of the workforce to better understand the HIPAA Privacy Rules and how to comply with them.

HIPAA Privacy Rules FAQs

Which healthcare providers are not required to comply with the HIPAA Privacy Rules?

Although most healthcare providers do qualify as Covered Entities, those who do not transmit transactions electronically are usually exempt from complying with the HIPAA Privacy Rules, as are educational institutions that only provide healthcare services to students (as these records are protected by FERPA) and some employers that administer their own self-funded health plans.

Why might penalties be imposed if no unauthorized disclosure of PHI has occurred?

The HIPAA Privacy Rules not only safeguard the privacy of PHI, but they also give individuals rights over their HIPAA PHI. If a Covered Entity fails to comply with (for example) a request for a copy of an individual’s HIPAA PHI, the Covered Entity is in violation of the HIPAA Privacy Rules and could be fined if the violation is considered serious by the HHS’ Office for Civil Rights.

What are the eighteen identifiers that should be protected from impermissible uses and disclosures?

As mentioned above, the eighteen identifiers generally regarded to require protection from impermissible uses and disclosures are taken from the “safe harbor” method of de-identification. This list is not sanctioned by HHS, and Covered Entities are advised to consider whether all individually identifiable health information should be protected from impermissible uses and disclosures. The eighteen “safe harbor” identifiers are:

  1. Names
  2. All geographic subdivisions smaller than a State
  3. All elements of dates (except year) for dates directly related to an individual
  4. Telephone numbers
  5. Fax numbers
  6. Electronic mail (email) addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code

Why did a Covered Entity get fined $200,000 following a right of access complaint?

In some cases, the HHS’ Office for Civil Rights may impose significantly higher fines if the Covered Entity has a history of non-compliance. In this case, the Covered Entity – Arizona-based Banner Health – had previously experienced a cyber-attack exposing the unsecured ePHI of 3.7 million patients. An investigation into the breach identified non-compliance with multiple Security Rule standards.

When have employees been sentenced to prison for violating the HIPAA Privacy Rules?

The most recent occasion was in 2020, when a former medical clinic worker from Florida used her authorized access to healthcare systems to steal patients’ PHI and sell it to identity thieves for cash. The former employee was apprehended during an undercover operation, charged with aggravated identity theft and wire fraud, and sentenced to 48 months in federal prison.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]