The HIPAA Privacy Rule – What is Often Confusing About Some of the Requirements?
A great deal of attention is given to protecting electronic health records. The HIPAA Security Rule defines all the administrative, technical and physical safeguards that must be in place in order to be compliant. But what about paper documents containing protected health information (PHI), the verbal conversations that necessarily take place in a healthcare practice, and marketing?
These topics are all covered in the HIPAA Privacy Rule. The rule clearly defines the “what” of protected health information in terms of health care providers’ responsibilities when it comes to patient privacy. Although the Privacy Rule includes what is covered in terms of electronic transfers of PHI, the rule is also very extensive about the handling of PHI in general. Let me address a couple of important sections of the Privacy Rule where many providers struggle to understand what is and is not required.
When it comes to uses and disclosures of protected health information, in general, a health care provider does not need patient authorization to:
- Use or disclose PHI for treatment, payment or health care operations.
- Use or disclose PHI for the treatment activities of another health care provider.
- Disclose PHI to another covered entity or health care provider for the payment of the entity that receives the information.
- Disclose PHI to another covered entity for health care operations activities of the entity that receives the information, if both entities have a relationship with the individual and the disclosure is for the purpose of conducting quality assessment and improvement activities, reviewing the competence or qualifications of health care professionals or for fraud and abuse detection or compliance.
However, the health care provider must still provide the patient with its Notice of Privacy Practices (NPP) and make a good faith effort to obtain written acknowledgement that the patient received the NPP.
A health care practice must always be aware of the minimum necessary standard. The standard, a key protection of the HIPAA Privacy Rule, is derived from confidentiality codes and practices in common use today. It is based on sound, current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires health care providers to evaluate their practices and enhance safeguards, as needed, to limit unnecessary or inappropriate access to and disclosure of protected health information. The Privacy Rule’s requirements for the minimum necessary standard are designed to be sufficiently flexible to accommodate the various circumstances of any covered entity.
Another confusing area of the HIPAA Privacy Rule concerns marketing. The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is “marketing,” then the communication can occur only if the health care provider first obtains an individual’s authorization.
The Privacy Rule exceptions to the definition of marketing fall into three categories:
- A communication is not “marketing” if it is made to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about:
  - The entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and
  - Health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits.
  This exception to the marketing definition permits communications about a health care provider’s own products or services.
- A communication is not “marketing” if it is made for treatment of the individual.
- A communication is not “marketing” if it is made for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers or settings of care to the individual.
For a detailed summary of the HIPAA Privacy Rule, here is a link to the HHS Office for Civil Rights Privacy Brief.