January 25, 2017

Navigating the Regulatory Environment for Doctors Part 4 – HIPAA Privacy

In our recent posts we have looked at several regulatory systems that affect doctors: the disciplinary process, regulations related to the handling of prescription drugs, and OSHA regulations.  In the next three posts, we will look at a regulatory framework that has had a major impact on medical and dental practices, both in Arizona and throughout the country, over the last ten years: the Health Insurance Portability and Accountability Act (HIPAA).  We will explain some of the most important components of HIPAA and walk you through the rules you must comply with to protect your patients’ privacy.

HIPAA is a constant source of concern and discussion in the realm of dental and medical practice management.  As technology continues to evolve and the security of sensitive information becomes more and more critical, an understanding of your duties under HIPAA is vital to protect your patients’ information.

Four HIPAA rules are particularly important to healthcare professionals: the Privacy Rule,[1] the Security Rule,[2] the Breach Notification Rule,[3] and the Enforcement Rule.[4]  In this first post we will take a look at the most prominent and significant of these rules: the Privacy Rule.

The Privacy Rule

One of the main goals of HIPAA when it was initially enacted was to provide assurances to individuals that their personal health care information would be kept private.  Therefore, the Privacy Rule, which sets the national standards for the protection of individuals’ medical records and other personal health information, is one of the most important and one of the most rigorously enforced.  The Privacy Rule requires dentists, physicians, and other healthcare practice owners to establish appropriate safeguards to protect the privacy of their patients’ personal health information, and sets limits and conditions on how that information may be used or disclosed without patient authorization.  It also provides patients with specific rights over their health information.

Covered Entities and Protected Health Information

Health care providers who electronically transmit health information in connection with standard transactions[5] are “covered entities” under HIPAA.  Within covered entities, the Privacy Rule protects all individually identifiable health information held or transferred by the entity.  “Protected Health Information” (PHI) is individually identifiable health information, including demographic data, that relates to:

  • The individual’s past, present, or future physical or mental health condition;
  • The provision of health care to the individual; or,
  • The past, present, or future payment for the provision of health care to the individual.

In order for such information to be individually identifiable, it must either identify the individual or there must be a reasonable basis to believe it can be used to identify the individual.[6]


One of the fundamental principles of the Privacy Rule is that PHI may not be used or disclosed except as, (1) the Privacy Rule either permits or requires; or, (2) as the person who is the subject of the information (or their representative) authorizes in writing.[7]

There are only two situations in which a health care provider is required to disclose PHI: (1) to an individual when they request access to their own PHI; and, (2) to the Department of Health and Human Services (HHS) when it is undertaking a compliance investigation.[8]  The HIPAA Privacy Rule permits you to use and disclose PHI for the following purposes without an individual’s authorization:

  1. To the individual;
  2. For treatment, payment, and health care operations;
  3. Uses and disclosures with opportunity to agree or object by the individual;
  4. Incident to an otherwise permitted use and disclosure;
  5. For public interest and benefit activities;
  6. Providing a limited data set for the purposes of research, public health, or health care operations.[9]

For any other purpose, you must obtain a patient’s written authorization.  You cannot condition treatment or payment on a patient granting an authorization. The authorization must be in plain language and contain specific information regarding the information to be disclosed, the persons disclosing and receiving the information, expiration of the authorization, and the right to revoke in writing.[10]

Minimum Necessary

With any use or disclosure of PHI under HIPAA, one of the bedrock principles of the Privacy Rule is the concept of “minimum necessary.”  As the phrase suggests, you must make reasonable efforts to disclose only as much information as is necessary to accomplish the intended purpose.[11]  In conjunction with this principle, you are required to develop and implement policies to limit uses and disclosures to the minimum necessary.

However, the “minimum necessary” principle does not apply when it involves:

  1. Disclosure to or a request by a health care provider for treatment;
  2. Disclosure to the person who is the subject of the information, or their representative;
  3. Use or disclosure made pursuant to an authorization;
  4. Disclosure to HHS for complaint investigations;
  5. Use or disclosure as required by law (for example, pursuant to a subpoena); or,
  6. Use or disclosure required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules.

In the same vein, you are also required to create policies and procedures that limit access to PHI based on the specific roles of your staff.  You should identify the persons on your staff who need access to PHI, the categories of PHI they need access to, and the conditions under which they need access to it.

Notice of Privacy

Another extremely important provision of the Privacy Rule is the notice provision.  If you have a direct treatment relationship with a patient, you are required to provide notice of your privacy practices no later than your first service encounter by personal delivery (for patient visits), by automatic and contemporaneous electronic response (for electronic service), or by prompt mailing (for telephonic service).  You must also supply notice to anyone upon request.[12]

Additional Regulations

This post covers the main topics of the Privacy Rule and is designed to give you an overview of the basic principles and most important requirements you and your practice must comply with.  However, in order to ensure that you are fully compliant with HIPAA’s Privacy Rule, we recommend that you review the rule in its entirety.  The Department of Health and Human Services provides a helpful guide to HIPAA’s requirements for professionals under the Privacy Rule.

If you have any questions regarding whether you are in compliance with HIPAA, you should consult with an experienced healthcare attorney because, as we will address in a later post, the consequences of violating HIPAA’s privacy rules can be substantial.

[1] 45 C.F.R. Part 160; Part 164(A)-(E)

[2] 45 C.F.R. Part 160(C)-(E)

[3] 45 C.F.R. Part 160; 45 C.F.R. Part 164(A) & (C)

[4] 45 C.F.R. §§ 164.400-414

[5] This includes healthcare eligibility benefit inquiry and response, health care claim status request and response, health care services review, health care claim payment/advice, health care claims, payroll deducted and other group premium payment for insurance products, and benefit enrollment and maintenance.  45 C.F.R. §§ 160.102, 160.103; 45 C.F.R. Part 162.

[6] Name, address, birth date, and Social Security Number are common identifiers.

[7] 45 C.F.R. § 164.502(a)

[8] 45 C.F.R. § 164.502(a)(2)

[9] 45 C.F.R. § 164.502(a)(1)

[10] 45 C.F.R. § 164.532

[11] 45 C.F.R. §§ 164.502(b) and 164.514(d).

[12] 45 C.F.R. § 164.520(c)