HIPAA Privacy Rule Requirements
The HIPAA Privacy Rule establishes standards for protecting the privacy of Protected Health Information (PHI). While the Security Rule focuses on electronic safeguards, the Privacy Rule governs how PHI can be used and disclosed, and establishes patient rights.
For technology companies operating as business associates, understanding the Privacy Rule helps you handle PHI appropriately and meet your contractual obligations.
Key Takeaways
| Aspect | Details |
|---|---|
| Purpose | Establish standards for PHI use, disclosure, and patient rights |
| Applies to | All forms of PHI (paper, electronic, oral) |
| Core principle | Minimum necessary: use only the PHI needed |
| Patient rights | Access, amendment, accounting of disclosures, restrictions |
| Business associates | Must use PHI only as permitted by BAA |
Quick Answer: The Privacy Rule defines when and how PHI can be used or shared. For business associates, the key requirements are: only use PHI as permitted by your Business Associate Agreement, apply the minimum necessary standard, help covered entities respond to patient rights requests, and report unauthorized uses or disclosures.
Privacy Rule Overview
The Privacy Rule establishes:
- When PHI can be used and disclosed
- Patient rights regarding their PHI
- Administrative requirements for covered entities
- Requirements for business associates
What PHI Does the Privacy Rule Cover?
The Privacy Rule protects PHI in any form:
- Paper records
- Electronic records (also covered by Security Rule)
- Oral communications
The Security Rule specifically addresses electronic PHI (ePHI), while the Privacy Rule covers all PHI regardless of format.
Permitted Uses and Disclosures
The Privacy Rule defines when PHI can be used (internal operations) or disclosed (shared externally).
Uses and Disclosures Without Authorization
PHI can be used or disclosed without patient authorization for:
| Purpose | Description |
|---|---|
| Treatment | Providing, coordinating, or managing healthcare |
| Payment | Billing, claims management, collection activities |
| Healthcare Operations | Quality assessment, training, business management |
| As required by law | Court orders, law enforcement, public health reporting |
| Public health activities | Disease prevention, FDA reporting |
| Abuse, neglect, domestic violence | Reporting to appropriate authorities |
| Health oversight activities | Audits, investigations, inspections |
| Judicial and administrative proceedings | Court orders, subpoenas |
| Law enforcement purposes | Specific law enforcement requests |
| Research | With appropriate approvals or waivers |
| Serious threat to health or safety | Preventing or lessening serious threats |
| Essential government functions | Military, national security, protective services |
| Workers' compensation | As authorized by workers' compensation laws |
Uses and Disclosures Requiring Authorization
Patient authorization is required for:
- Marketing communications
- Sale of PHI
- Psychotherapy notes (with exceptions)
- Any other use or disclosure not listed above
The Minimum Necessary Standard
A core Privacy Rule principle: use or disclose only the minimum PHI necessary to accomplish the intended purpose.
This means:
- Limit PHI access to workforce members who need it
- Develop policies identifying who needs access to what
- Limit PHI in requests to what's necessary
- Limit PHI in disclosures to what's requested and needed
Exceptions to minimum necessary:
- Disclosures to healthcare providers for treatment
- Disclosures to the individual
- Uses or disclosures authorized by the individual
- Disclosures required by law
- Disclosures to HHS for compliance investigations
What This Means for Business Associates
As a business associate, you:
- Can only use PHI as permitted by your BAA
- Must apply minimum necessary to your operations
- Cannot use PHI for purposes beyond the BAA scope
- Must return or destroy PHI when the BAA terminates (if feasible)
Patient Rights Under the Privacy Rule
The Privacy Rule establishes six patient rights. Covered entities must honor these rights, and business associates may need to support covered entities in responding.
1. Right to Access
Patients have the right to access and obtain copies of their PHI.
| Requirement | Details |
|---|---|
| Timeline | 30 days (one 30-day extension permitted) |
| Format | Electronic copy if maintained electronically and patient requests it |
| Fees | Limited to cost of copying (labor, supplies, postage) |
| Denials | Limited circumstances; must provide written denial and appeal process |
Business associate implications:
- May need to provide PHI to covered entity to fulfill access requests
- Should have processes to respond to access requests quickly
- Consider APIs or export features for covered entities
2. Right to Amendment
Patients can request amendments to their PHI.
| Requirement | Details |
|---|---|
| Timeline | 60 days (one 30-day extension permitted) |
| Denial permitted | If PHI is accurate/complete, not created by you, or not accessible to patient |
| If denied | Must allow patient to submit statement of disagreement |
Business associate implications:
- May need to amend PHI at covered entity's direction
- Maintain audit trails of amendments
- Propagate amendments to those who received the original
3. Right to Accounting of Disclosures
Patients can request an accounting of disclosures of their PHI.
| Requirement | Details |
|---|---|
| Period | Disclosures in the 6 years prior to request |
| Exceptions | Treatment, payment, healthcare operations, and others |
| Contents | Date, recipient, description, purpose |
Business associate implications:
- Track disclosures you make (outside treatment, payment, operations)
- Provide disclosure information to covered entity upon request
- Maintain records for 6 years
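As an added example (not from the page or any product it describes), a minimal disclosure log in Python that records the four fields the page lists and answers an accounting request: it omits treatment, payment and healthcare-operations disclosures and limits results to the 6 years before the request date. Patient ids, recipients and purposes are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

# Purposes the page lists as exempt from accounting: treatment, payment and
# healthcare operations (TPO). Every other disclosure must be tracked.
TPO_PURPOSES = {"treatment", "payment", "healthcare operations"}

@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str      # who received the PHI
    description: str    # what PHI was disclosed
    purpose: str        # why it was disclosed

def six_years_before(d: date) -> date:
    """Start of the accounting window: 6 years prior to the request date."""
    try:
        return d.replace(year=d.year - 6)
    except ValueError:  # 29 Feb request, and the year 6 back is not a leap year
        return d.replace(year=d.year - 6, day=28)

class DisclosureLog:
    """Append-only record a business associate keeps for accounting requests."""
    def __init__(self) -> None:
        self._entries: list[Disclosure] = []

    def record(self, d: Disclosure) -> None:
        self._entries.append(d)

    def accounting(self, patient_id: str, requested_on: date) -> list[dict]:
        """Non-TPO disclosures for one patient in the 6 years before the request."""
        start = six_years_before(requested_on)
        return [{"date": d.disclosed_on.isoformat(), "recipient": d.recipient,
                 "description": d.description, "purpose": d.purpose}
                for d in self._entries
                if d.patient_id == patient_id
                and start <= d.disclosed_on <= requested_on
                and d.purpose.lower() not in TPO_PURPOSES]

def demo() -> list[dict]:
    """Constructed sample: three disclosures for one hypothetical patient."""
    log = DisclosureLog()
    log.record(Disclosure("p-001", date(2023, 5, 2), "Example Clinic",
                          "visit summary", "treatment"))             # TPO: exempt
    log.record(Disclosure("p-001", date(2022, 1, 10), "State health dept",
                          "lab result", "public health reporting"))  # must be listed
    log.record(Disclosure("p-001", date(2017, 3, 1), "County court",
                          "billing record", "subpoena"))             # outside 6 years
    return log.accounting("p-001", date(2024, 6, 1))
```

The log is append-only on purpose: entries are never edited or deleted, so the 6-year retention the page requires is a matter of not purging rather than of recovering lost data.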
4. Right to Request Restrictions
Patients can request restrictions on uses and disclosures.
| Requirement | Details |
|---|---|
| Covered entity obligation | Not required to agree (with one exception) |
| Exception | Must agree to restrict disclosures to health plan for services paid out-of-pocket in full |
| If agreed | Must honor the restriction |
Business associate implications:
- Honor restrictions communicated by covered entity
- Implement mechanisms to flag restricted PHI
5. Right to Confidential Communications
Patients can request communications through alternative means or at alternative locations.
| Requirement | Details |
|---|---|
| Example | Send appointment reminders to work email instead of home |
| Covered entity obligation | Must accommodate reasonable requests |
Business associate implications:
- Support communication preferences in your platform
- Allow covered entities to configure communication channels
6. Right to Receive Breach Notification
Patients have the right to be notified of breaches affecting their PHI.
| Requirement | Details |
|---|---|
| Timeline | Within 60 days of breach discovery |
| Contents | Description of the breach, types of PHI involved, steps patients can take to protect themselves, and what you are doing in response |
| Format | First-class mail (or email if patient agreed) |
Business associate implications:
- Report breaches to covered entity promptly
- Provide information needed for notification
- Potentially assist with notification logistics
Business Associate Privacy Requirements
As a business associate, the Privacy Rule requires you to:
1. Use PHI Only as Permitted by BAA
Your Business Associate Agreement defines how you can use PHI. Typical permitted uses include:
- Performing services specified in the underlying service agreement
- Proper management and administration of your organization
- Fulfilling legal responsibilities
- Providing data aggregation services (if specified)
2. Implement Appropriate Safeguards
You must implement safeguards to prevent uses or disclosures not permitted by your BAA. This includes:
- Technical safeguards (access controls, encryption)
- Administrative safeguards (policies, training)
- Physical safeguards (facility security)
The Security Rule provides detailed requirements for ePHI.
3. Report Unauthorized Uses or Disclosures
You must report to the covered entity:
- Any use or disclosure not permitted by the BAA
- Any security incident (successful or unsuccessful attacks)
- Any breach of unsecured PHI
4. Ensure Subcontractors Comply
If you use subcontractors who access PHI:
- Obtain BAAs with each subcontractor
- Ensure subcontractors implement appropriate safeguards
- You remain responsible for subcontractor compliance
5. Make PHI Available for Patient Rights
Support covered entities in fulfilling patient rights:
- Provide PHI for access requests
- Amend PHI as directed
- Provide disclosure accounting information
6. Return or Destroy PHI at Termination
When the BAA ends:
- Return PHI to covered entity, or
- Destroy PHI, or
- If neither is feasible, retain with continued protections
Privacy Rule vs Security Rule
| Aspect | Privacy Rule | Security Rule |
|---|---|---|
| Scope | All PHI (paper, electronic, oral) | Electronic PHI only |
| Focus | How PHI can be used and disclosed | How ePHI must be protected |
| Patient rights | Establishes patient rights | Does not address patient rights |
| Safeguards | Requires "appropriate" safeguards | Specifies administrative, physical, technical safeguards |
| Flexibility | Provides flexibility in implementation | More detailed specifications |
Both rules apply to ePHI. The Privacy Rule governs use and disclosure; the Security Rule governs protection.
Common Privacy Rule Scenarios
Scenario 1: Customer Requests Feature Using PHI
Question: A healthcare customer asks you to use PHI in your platform to build a new analytics feature.
Privacy Rule answer: Check your BAA. You can only use PHI for purposes permitted by the BAA. If analytics is not covered:
- Amend the BAA to include the new use, or
- Obtain patient authorizations, or
- De-identify the data (remove all 18 identifiers)
Scenario 2: Subcontractor Needs PHI Access
Question: You want to use a third-party tool that would process PHI.
Privacy Rule answer: You must:
- Execute a BAA with the subcontractor
- Ensure they implement appropriate safeguards
- Limit their access to minimum necessary
Scenario 3: Law Enforcement Request
Question: Law enforcement requests PHI about a specific patient.
Privacy Rule answer: You should not respond directly. Refer the request to the covered entity, who can evaluate whether disclosure is permitted. Document the request.
Scenario 4: Employee Accesses PHI Inappropriately
Question: An employee accessed PHI without a legitimate work reason.
Privacy Rule answer: This is an unauthorized access:
- Investigate the scope
- Determine if it's a reportable breach
- Report to covered entity
- Apply sanctions per your sanction policy
Implementing Privacy Rule Requirements
Step 1: Map Your PHI
Document:
- What PHI you receive
- How it flows through your systems
- Who has access
- What you do with it
- How long you retain it
Step 2: Review Your BAA
Ensure your BAA clearly defines:
- Permitted uses and disclosures
- Your obligations
- Subcontractor requirements
- Breach notification requirements
- Termination procedures
Step 3: Implement Minimum Necessary
- Implement role-based access control
- Limit access to workforce members who need it
- Log and monitor PHI access
- Conduct regular access reviews
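An added example, not from the page or Bastion, of what Step 3 can look like in code: a Python read function that enforces a per-role field allowlist (minimum necessary), logs every attempt including the fields it withheld, and a review helper that summarises that log for periodic access reviews. The roles, field names and sample record are assumptions.

```python
from datetime import datetime, timezone

# Minimum-necessary policy: each role sees only the PHI fields its job needs.
# Roles and fields are assumed for a hypothetical business-associate platform.
ROLE_FIELDS = {
    "billing":   {"patient_id", "name", "insurance_id", "charges"},
    "clinician": {"patient_id", "name", "dob", "diagnosis", "medications"},
    "support":   {"patient_id", "name"},
}

ACCESS_LOG: list[dict] = []   # append-only audit trail of PHI access attempts

def read_phi(user: str, role: str, record: dict, requested: set[str]) -> dict:
    """Return only the requested fields the role may see. Every attempt is
    logged with the fields withheld, so reviews can spot over-requesting."""
    allowed = ROLE_FIELDS.get(role, set())
    granted, withheld = requested & allowed, requested - allowed
    ACCESS_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(), "user": user, "role": role,
        "patient_id": record.get("patient_id"),
        "granted": sorted(granted), "withheld": sorted(withheld),
    })
    if not granted:   # unknown role, or nothing in the request is permitted
        raise PermissionError(f"{user} ({role}) may not read {sorted(requested)}")
    return {k: record[k] for k in granted if k in record}

def access_review(log: list[dict]) -> dict:
    """Per-user summary for periodic access reviews: which fields were read,
    which patients were touched, and how often a request exceeded the role."""
    summary: dict = {}
    for e in log:
        s = summary.setdefault(e["user"],
                               {"fields": set(), "patients": set(), "over_requests": 0})
        s["fields"].update(e["granted"])
        s["patients"].add(e["patient_id"])
        s["over_requests"] += 1 if e["withheld"] else 0
    return summary

def demo() -> tuple[dict, dict]:
    """Constructed sample record read under two roles; returns the billing
    user's view and the access-review summary."""
    record = {"patient_id": "p-001", "name": "Sample Patient", "dob": "1980-01-01",
              "diagnosis": "example", "insurance_id": "INS-123", "charges": 120.0}
    ACCESS_LOG.clear()
    billing_view = read_phi("alice", "billing", record, {"name", "charges", "diagnosis"})
    read_phi("carol", "clinician", record, {"name", "diagnosis"})
    return billing_view, access_review(ACCESS_LOG)
```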
Step 4: Support Patient Rights
Build capabilities to support covered entities:
- Data export functionality
- Amendment tracking
- Disclosure logging
- Access request workflows
Step 5: Train Your Workforce
Ensure all workforce members understand:
- What PHI is
- Permitted and prohibited uses
- Minimum necessary principle
- How to handle PHI appropriately
- How to report concerns
Privacy Rule Checklist for Business Associates
- BAA in place with all covered entities
- PHI use limited to BAA-permitted purposes
- Minimum necessary implemented
- Subcontractor BAAs in place
- Unauthorized disclosure reporting process
- Breach notification process
- Patient rights support capabilities
- Workforce training completed
- PHI return/destruction process for BAA termination
- Documentation maintained
How Bastion Helps
Bastion helps technology companies meet Privacy Rule requirements:
- BAA review and development: Ensure your agreements include required provisions
- Privacy program development: Policies and procedures for PHI handling
- Minimum necessary implementation: Access control and data handling guidance
- Workforce training: Privacy awareness training for your team
- Patient rights support: Guidance on supporting covered entity obligations