In this Issue
From the Chair
Congratulations
Guide to Terms
Ober|Kaler in Print
OIG Activity
Ober|Kaler Prompts OIG Response to Medical Malpractice Insurance Crisis
Temporary Okay for Local Transportation Programs
OIG Advisory Opinions
CMS Developments
CMS Clamps Down on Outlier Payments
Long Term Care
Ergonomics Guidelines for Nursing Homes
Nursing Home Arbitration Agreements
Criminalization of Nursing Home Abuse and Neglect
Compliance
OIG Issues Ambulance Compliance Guidance
Privacy
Interpreting the Privacy Rule for Your Organization
Organized Health Care Arrangements Under HIPAA
Reimbursement
Proposed Appeals Procedures
Revised Incident-to Carriers Manual
Self-Referral
"Set-in-advance" Definition Delayed
Recent Settlements Resolve Self-referral Allegations
FCA Claim
FCA Claim Based on Kickbacks is Rejected
Antitrust
Teaming Up Against Managed Care: Antitrust Considerations
Employment
When Duty Calls
Interpreting the Privacy Rule for Your Organization
The HIPAA Privacy Standards went into effect April 14, 2003. As that date loomed ever closer, many larger health care companies had their HIPAA Privacy Standards implementation plans well under way. However, some companies, even with the effective date upon them, are just gearing up for compliance, with a long road ahead of them. This article is intended as a HIPAA Privacy Standards primer principally for health care providers, but with applicability to health plans and health care clearinghouses.
Protected Health Information (PHI)
The term "PHI," or "protected health information," is the foundation of the HIPAA Privacy Standards. PHI is defined very broadly under the HIPAA Privacy Standards as "individually identifiable health information" that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. "Individually identifiable health information" includes information created or received by a health care provider, health plan, employer, or health care clearinghouse which relates to (1) the past, present, or future physical or mental health or condition of an individual; (2) the provision of health care to an individual; or (3) the past, present, or future payment for the provision of health care to an individual.
Individually identifiable health information either identifies the individual or there is a reasonable basis to believe that the information can be used to identify the individual. In plain terms, individually identifiable health information is medical or payment information that includes any number of patient identifiers, such as name, address, social security number, patient ID number, or medical record number.
PHI includes health information that is kept, received, or sent in any form. The definition of PHI is designed to encompass all individually identifiable health information transmitted or maintained by a covered entity, regardless of form. The only exceptions pertain to certain educational, employment, and postsecondary school records.
The HIPAA privacy standards establish a national threshold of privacy protection for PHI, including new rights for individuals and new obligations for health care providers and third parties like consultants who assist health care providers in the provision of health care or in the management of their operations. The details of these new rights and obligations are discussed below.
Business Associates
The HIPAA Privacy Rule contains guidelines governing what a covered entity can and cannot do with PHI, both in its internal uses of PHI and in its disclosures of PHI to third parties. One element of these guidelines addresses disclosing PHI to "business associates," third parties who access a covered entity's PHI in order to perform a "function or activity" on the covered entity's behalf.
The HIPAA Privacy Rule applies only to covered entities, i.e., health plans, health care clearinghouses, and certain health care providers. However, health care providers and health plans typically require assistance from a variety of contractors and other businesses to conduct their health care activities. In allowing covered entities to disclose PHI to these business associates, the Privacy Rule conditions such disclosures on the covered entity obtaining, by written agreement, satisfactory assurances that the business associate will use the PHI only for the purposes for which it is engaged by the covered entity, safeguard the PHI from misuse, and help the covered entity comply with the covered entity's duties to provide individuals access to their health information. The HIPAA Privacy Rule contains specifications for these and other required assurances.
A business associate is an entity with which a health care provider contracts to perform functions on behalf of the provider and which, during the course of performing those functions, uses, discloses, creates, or obtains PHI maintained by the health care provider.
- Members of the health care provider's, health plan's, or other covered entity's workforce, including not only W-2 employees, but contractual employees and volunteers as well, are not business associates under the Privacy Rule.
- A health care provider, health plan, or other covered entity can also be a business associate to another covered entity.
- The rule includes exceptions. For example, the business associate requirements do not apply to situations in which PHI is disclosed to health care providers for treatment purposes, such as information exchanges between a hospital and physicians with admitting privileges.
The Privacy Rule gives examples of services or functions that, if provided by an entity other than the health care provider, would likely give rise to a business associate relationship, including claims processing or administration; data analysis, processing, or administration; utilization review; quality assurance; billing; benefit management; management; accreditation; and financial or legal services. A covered entity may be providing these services (acting as a business associate of another covered entity) or engaging a third party to perform these services (using the services of a business associate).
The HIPAA Privacy Standards require that certain provisions be included in an agreement with a business associate. The business associate agreement must state the purposes for which the business associate may use and disclose PHI, and must indicate generally the reasons and types of persons to whom the business associate may make further disclosures. "For example, attorneys often need to provide information to potential witnesses, opposing counsel, and others in the course of their representation of a client. The business associate agreement pursuant to which PHI is provided to a covered entity's attorney may include a general statement permitting the attorney to disclose PHI to these types of people, within the scope of the attorney's representation of the covered entity." Standards for Privacy of Individual Identifiable Health Information, 65 Fed. Reg. 82,462, 82,505 (Dec. 28, 2000) (to be codified at 45 C.F.R. pts. 160 and 164).
The deadline for having written business associate agreements in place was originally April 14, 2002, but the Privacy Rule was amended in August 2002 to allow a transition period for certain business associate arrangements that were established, in writing, before October 15, 2002. Such written arrangements may have up to an additional year to become compliant. Covered entities should review the contracts they have in place with business associates to determine when the contracts must be modified for compliance with HIPAA's business associate agreement provisions.
A health care provider, health plan, or other covered entity is not liable for a business associate's privacy violations. Covered entities are not required to actively monitor or oversee the means by which their business associates implement safeguards or the business associate's compliance with the agreement. However, as discussed above, the covered entity must obtain assurances in the business associate agreement that the business associate will safeguard PHI. Only if the covered entity fails to obtain such assurances would it be considered to be out of compliance with the rule's requirements.
Limiting the Use or Disclosure of PHI to the Minimum Necessary
The "minimum necessary" standard under the HIPAA Privacy Rule requires that, when using or disclosing PHI or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit the amount of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
In general, the minimum necessary standard applies to all uses or disclosures of PHI or any request for PHI from another covered entity. However, there are a number of important exceptions. The minimum necessary standard need not be applied to:
- Disclosures to, or requests by, a health care provider for treatment purposes.
- Disclosures made to the individual whose PHI is at issue.
- Uses or disclosures made pursuant to a written authorization by the individual permitting the use or disclosure.
- Disclosures made to HHS related to HIPAA compliance and enforcement.
- Uses and disclosures required by law.
Covered entities would be well-advised to develop policies and procedures that ensure consistent determinations about the minimum amount of PHI necessary for any particular use or disclosure. For example, standard protocols, policies, and procedures for specific routine or recurring requests or disclosures would establish the minimum necessary PHI to be disclosed or requested to achieve the purpose of those disclosures or requests. Such protocols would allow routine disclosures and requests to be made without case-by-case reviews.
Additional policies and procedures for nonroutine disclosures would establish criteria to limit the disclosure of PHI to the information reasonably necessary to accomplish the purpose for which the disclosure is sought. Nonroutine disclosures would be reviewed on an individual basis in accordance with established criteria.
With respect to certain parties that request PHI, covered entities may rely on the judgment of these parties as to the minimum amount of information that is needed. For example, a covered entity will be permitted to reasonably rely on the requesting party's judgment when:
- The covered entity is making disclosures to a public health official authorized by law to collect or receive information for the purpose of preventing or controlling disease, injury, or disability if the official represents that the information requested is the minimum necessary;
- The information is requested by another covered entity;
- The information is requested by a professional (such as an attorney or an accountant) who is a member of the covered entity's work force or is a business associate of the covered entity for the purpose of providing professional services, if the professional represents that the information requested is the minimum necessary for the stated purpose(s).
The rules for requesting information from other covered entities mirror the rules for using PHI or for providing PHI to third parties. Requests for PHI from other covered entities must be limited to that which is reasonably necessary to accomplish the purpose for which the request is made. With that in mind, a covered entity's policies and procedures establishing "minimum necessary" standards should also address requests for PHI from other covered entities, including routine, recurring, and nonroutine requests.
Covered entities will not be subject to the minimum necessary standards when they are requesting PHI in their role as a health care provider — when the disclosure is for treatment purposes. For most other purposes, however, a covered entity generally will not be able to use, disclose, or request an entire medical record, except when the entire medical record is specifically justified as the amount reasonably necessary to accomplish the purpose of the use, disclosure, or request.
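The minimum necessary rules above (the exempt categories, routine protocols that avoid case-by-case review, nonroutine requests routed to individual review, reasonable reliance on certain requesters, and the special status of entire-record requests) can be expressed as a small disclosure policy engine. The following is an added example written for this article, not code from Ober|Kaler or from HHS; the purpose names, field names and the routine-protocol table are constructed assumptions that a covered entity would replace with its own documented protocols.

```python
"""Added example: applying the HIPAA "minimum necessary" standard to a
disclosure request. Purpose names, field names and the routine-protocol table
below are constructed for illustration, not taken from the Privacy Rule."""
from dataclasses import dataclass

# Purposes the article lists as exempt from the minimum necessary standard.
MINIMUM_NECESSARY_EXEMPT = {
    "treatment",        # disclosures to, or requests by, a provider for treatment
    "to_individual",    # disclosures to the individual whose PHI is at issue
    "authorized",       # uses/disclosures under the individual's written authorization
    "hhs_compliance",   # disclosures to HHS for compliance and enforcement
    "required_by_law",
}

# Constructed routine-disclosure protocols: purpose -> fields that may be
# released without a case-by-case review (the entity's documented standard).
ROUTINE_PROTOCOLS = {
    "billing": {"name", "patient_id", "dates_of_service", "procedure_codes", "insurer_id"},
    "appointment_reminder": {"name", "phone", "appointment_time"},
}

# Every field held in the constructed record; used to spot entire-record requests.
FULL_RECORD = {
    "name", "patient_id", "dates_of_service", "procedure_codes", "insurer_id",
    "phone", "appointment_time", "diagnosis", "clinical_notes", "ssn",
}


@dataclass
class Decision:
    allowed_fields: set   # fields that may be released now
    needs_review: bool    # True when a nonroutine request must be reviewed individually
    reason: str


def evaluate_disclosure(purpose, requested_fields, rely_on_requester=False):
    """Decide which requested fields may be disclosed for `purpose`.

    rely_on_requester models the article's "reasonable reliance" cases: the request
    comes from another covered entity, from a public health official who represents
    that it is the minimum necessary, or from a workforce professional / business
    associate who makes the same representation.
    """
    requested = set(requested_fields)

    if purpose in MINIMUM_NECESSARY_EXEMPT:
        return Decision(requested, False, "minimum necessary standard does not apply")

    if purpose in ROUTINE_PROTOCOLS:
        # Routine request: release only what the protocol allows, no review needed.
        return Decision(requested & ROUTINE_PROTOCOLS[purpose], False, "routine protocol applied")

    if rely_on_requester:
        return Decision(requested, False, "reasonable reliance on requester's representation")

    # Nonroutine request: hold everything pending review against the entity's criteria.
    reason = "nonroutine; individual review required"
    if requested >= FULL_RECORD:
        reason += " (entire record requested: specific justification must be documented)"
    return Decision(set(), True, reason)


if __name__ == "__main__":
    print(evaluate_disclosure("billing", ["name", "patient_id", "diagnosis", "ssn"]))
    print(evaluate_disclosure("marketing_analysis", FULL_RECORD))
```

The routine path is where most of the value lies: once a protocol for a recurring disclosure is written down, the engine enforces it mechanically and strips fields the protocol never contemplated (here, `diagnosis` and `ssn` from a billing request), while anything outside the table is held for the individual review the Privacy Rule expects.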
Use and Disclosure
In general, a covered entity may use or disclose PHI for treatment, payment, or health care operations (TPO). A use means the sharing, employment, application, utilization, examination, or analysis of PHI within an entity that maintains such information. A disclosure means the release or transfer of, provision of, access to, or divulging of in any other manner, information outside the entity holding the information.
The Privacy Standards provide for required disclosures and permitted uses and disclosures of PHI. For instance, a covered entity is required to disclose PHI to the individual who is the subject of the information upon request or to HHS to determine compliance with the Privacy Standards. A covered entity is permitted, in general, to use and disclose PHI for TPO purposes or pursuant to an authorization signed by the individual who is the subject of the information.
Treatment, Payment, or Health Care Operations
Relative to health care providers, TPO includes the following:
"Treatment" means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with an insurer; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.
"Payment" means the activities undertaken by a health care provider to obtain reimbursement for the provision of health care, including billing, claims management, and collection activities.
"Health care operations" means any of the following activities of a health care provider: (1) conducting quality assessment and improvement activities; (2) reviewing the qualifications of health care professionals; (3) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; (4) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity; (5) business management and general administrative activities, including management activities related to the implementation of and compliance with HIPAA.
Requests for Restrictions on Use or Disclosure
A health care provider must have policies in place that permit an individual to request a restriction on the use or disclosure of PHI. The health care provider, however, is not required to agree to the individual's request. If the health care provider does agree to the request, the provider must honor that request in all future uses or disclosures.
Business Associate Agreements
Business associate agreements are not required for every disclosure of PHI for TPO. The general rule requires a covered entity to obtain a business associate agreement when disclosing PHI to an entity that performs health care activities on its behalf. As noted above, however, when a health care provider discloses an individual's PHI to another health care provider concerning the treatment of that individual, no business associate agreement is required.
Notice of Privacy Practices
An individual's rights under HIPAA include the right to adequate notice of the uses and disclosures of PHI that may be made by a covered entity, the individual's rights, and the covered entity's legal duties with respect to PHI. This notice is called the "Notice of Privacy Practices."
The covered entity must provide a notice that is written in plain language and that contains the following elements:
- Mandatory Statement: The notice must contain the following statement verbatim as a header or otherwise prominently displayed:
This Notice Describes How Medical Information About You May Be Used And Disclosed And How You Can Get Access To This Information. Please Review It Carefully.
- Uses and Disclosures: The notice must include:
- A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for TPO purposes.
- A description of each of the other purposes for which the covered entity is permitted or required to use or disclose PHI without the individual's written authorization. (No example is required for these purposes.)
- If a use or disclosure for any TPO purpose is prohibited or materially limited by another applicable law, the description of such use or disclosure must reflect the more stringent state law.
- For each purpose, the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required under HIPAA or a more stringent state law.
- A statement that the other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization in writing, except to the extent that the covered entity has taken action in reliance on the authorization.
- Separate Statements for Certain Uses or Disclosures: If a health care provider intends to engage in the following activities, the notice must include a separate statement that the health care provider may contact the individual in regard to such activities:
- Providing appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual; or
- Raising funds for the health care provider.
- Individual Rights: The notice must contain a statement of the individual's rights with respect to PHI and a brief description of how the individual may exercise these rights, as follows:
- The right to request restrictions on certain uses and disclosures of PHI as provided by § 164.522(a), including a statement that the covered entity is not required to agree to a requested restriction;
- The right to receive confidential communications of PHI as provided by § 164.522(b);
- The right to inspect and copy PHI as provided by § 164.524;
- The right to amend PHI as provided by § 164.526;
- The right to receive an accounting of disclosures of PHI as provided by § 164.528; and
- The right of an individual to receive a paper copy of the Notice of Privacy Practices, even if the individual has agreed to receive the notice electronically.
- Covered Entity's Duties: The notice must contain a statement of the covered entity's duties, as follows:
- That the covered entity is required by law to maintain the privacy of PHI and to provide individuals with notice of its legal duties and privacy practices with respect to PHI;
- That the covered entity is required to abide by the terms of the notice currently in effect; and
- That the covered entity reserves the right to change the terms of its Notice of Privacy Practices and to make the new notice provisions effective for all PHI that it maintains. The statement must also indicate how the covered entity will provide individuals with a revised notice.
- Complaints: The notice must contain a statement that individuals may complain to the covered entity and to HHS if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint.
- Contact: The notice must contain the name, or title, and telephone number of a person or office to contact for further information.
- Effective Date: The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.
Section 164.520(c) details implementation specifications for the provision of notice, including the following specific requirements for a covered entity that has a direct treatment relationship with an individual:
- Timing: Provide the notice no later than the date of the first service delivery, including service delivered electronically (i.e., telemedicine services), to such individual after April 14, 2003, or, in an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation.
- Written Receipt Acknowledgement: Except in an emergency treatment situation, make a good faith effort to obtain a written acknowledgment of receipt of the notice, and if not obtained, document its good faith efforts to obtain such acknowledgment and the reason the acknowledgment was not obtained.
- Copies and Posting: If the covered health care provider has a physical service delivery site:
- Have the notice available at the service delivery site for individuals to request to take with them; and
- Post the notice in a clear and prominent location where it is reasonable to expect that individuals will be able to read it.
- Revisions to the Notice: Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision.
Giving the Individual the Opportunity to Agree or Object to Uses or Disclosures
Although a covered entity can use or disclose an individual's PHI for TPO, there are circumstances when, in order to use or disclose PHI, a covered entity must inform the individual in advance of the use or disclosure and give the individual the opportunity to agree or object to the use or disclosure of PHI. (Such agreement or objection may be either oral or in writing.)
There are two such situations:
(1) Uses and disclosures to individuals involved in a patient's care; and
(2) Use or disclosure for a facility directory.
A covered entity may disclose to an individual's family member, other relative, or close personal friend, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment related to the individual's health care. A covered entity may use or disclose the individual's location, general condition, or death to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual.
A covered entity may use or disclose an individual's location, general condition, or death to a public or private entity authorized by law or by its charter to assist in disaster relief efforts for the purpose of coordinating with such entities notification of a family member, a personal representative of the individual, or another person responsible for the care of the individual.
If the individual is present for, or otherwise available prior to, a use or disclosure for care or notification purposes and has the capacity to make health care decisions, then the covered entity may use or disclose the PHI if it obtains the individual's agreement, provides the individual with the opportunity to object to the disclosure (and the individual does not object), or reasonably infers from the circumstances (based on professional judgment) that the individual does not object to the disclosure.
If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual's incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the PHI that is directly relevant to the person's involvement with the individual's health care. A covered entity may use professional judgment and its experience with common practice to make reasonable inferences of the individual's best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, or other similar forms of PHI.
Hospitals, nursing homes, and other health care providers often maintain facility directories to provide general information about their patients. Under HIPAA, a health care provider must inform an individual of the PHI that may be included in a directory and the persons to whom such information may be disclosed (including disclosures to clergy of information regarding religious affiliation) and provide the individual the opportunity to restrict or prohibit the following:
- Use in a directory of the individual's name, location in the facility, condition described in general terms that does not identify specific medical information about the individual, and religious affiliation.
- Disclosure of such information to members of the clergy or, except for religious affiliation, to any other persons who ask for the individual by name.
In an emergency situation or when the individual is incapacitated, a health care provider may use or disclose some or all of the PHI described above (name, location, condition, and religious affiliation) for the facility directory if such disclosure is consistent with the individual's prior expressed preference, as known to the health care provider, and is in the individual's best interest as determined by the health care provider in the exercise of the provider's professional judgment. The health care provider must inform the individual and provide an opportunity to object to the use and disclosure for directory purposes when it becomes practicable to do so.
Authorizations
An authorization is required for any use or disclosure of PHI that is not otherwise permitted under the Privacy Rule, e.g., a use or disclosure that is not made (1) for TPO purposes, (2) to the individual who is the subject of the information (at his/her request), (3) in situations described above requiring the opportunity to agree or object, (4) to HHS to determine compliance with the Privacy Standards, (5) as required by law, or (6) as permitted by law as provided in § 164.512. Outside of the permitted circumstances, the covered entity must obtain a signed authorization from the individual outlining the purpose of the use or disclosure.
A health care provider may not refuse to treat a patient if a patient refuses to sign an authorization. However, in limited circumstances, a health care provider may refuse to treat without an authorization for:
- The provision of research-related treatment, or
- The provision of health care when it is solely for the purpose of creating PHI for disclosure to a third party.
A valid authorization must contain certain elements and statements detailed in § 164.508(c). First, the authorization must be in plain English and understandable to the individual. In addition, it must include the following core elements:
- A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
- The name or other specific identification of the person(s) or class of persons authorized to make the requested use or disclosure;
- The name or other specific identification of the person(s) or class to whom the covered entity may make the requested use or disclosure;
- A description of each purpose of the requested use or disclosure (e.g., "at the request of the individual" is sufficient when the individual requests the disclosure without stating the purpose);
- An expiration date or expiration event that relates to the individual or the purpose of the use or disclosure (e.g., "end of the research study" is sufficient if the use or disclosure is for research); and
- The signature of the individual and date of the authorization (if a personal representative of the individual signs the authorization, then a description of such person's authority to sign must be included).
In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of:
- The individual's right to revoke the authorization in writing (noting any exceptions to that right to revoke) and
- The requirement that the covered entity may not condition treatment, payment, enrollment, or eligibility for benefits on the authorization except in the limited circumstances noted above.
Covered entities may include additional, nonrequired elements so long as those elements are not inconsistent with the above required elements and statements. (It is important to know that the Privacy Rule has specific provisions regarding the treatment of certain authorizations pertaining to psychotherapy notes and marketing.)
The authorization is valid until the expiration date or expiration event that is stated in the authorization. If any material information in the authorization is known by the covered entity to be false, such authorization is no longer valid. Additionally, if an individual revokes an authorization, the authorization terminates effective with the revocation (unless the covered entity has acted in reliance upon such authorization).
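The core elements of § 164.508(c) and the termination rules just described (expiration date or event, known false material information, revocation except to the extent the entity has already acted in reliance) amount to a validity check that a consent-management system has to perform before every authorized disclosure. The following is an added example written for this article, not code from Ober|Kaler or from HHS; the Authorization fields, the status names and the sample dates are constructed assumptions, and reliance is modelled as a single flag rather than the per-action determination a real system would record.

```python
"""Added example: checking whether a HIPAA authorization is currently valid,
following the core elements and termination rules described in the article.
Field names, status labels and sample data are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Authorization:
    information_described: str          # specific, meaningful description of the PHI
    authorized_discloser: str           # person or class authorized to use/disclose
    recipient: str                      # person or class who may receive the PHI
    purpose: str                        # e.g. "at the request of the individual"
    signed_by: str
    signed_on: Optional[date]
    expiration_date: Optional[date] = None
    expiration_event: str = ""          # e.g. "end of the research study"
    expiration_event_occurred: bool = False
    signed_by_representative: bool = False
    representative_authority: str = ""  # required only when a representative signs
    revoked_on: Optional[date] = None   # written revocation received on this date
    relied_upon: bool = False           # entity already acted in reliance (simplified)
    known_false: bool = False           # material information known to be false


def missing_core_elements(auth):
    """Return the names of core elements (§ 164.508(c)) that are absent."""
    missing = []
    if not auth.information_described.strip():
        missing.append("description of information")
    if not auth.authorized_discloser.strip():
        missing.append("authorized discloser")
    if not auth.recipient.strip():
        missing.append("recipient")
    if not auth.purpose.strip():
        missing.append("purpose")
    if auth.expiration_date is None and not auth.expiration_event.strip():
        missing.append("expiration date or event")
    if auth.signed_on is None or not auth.signed_by.strip():
        missing.append("signature and date")
    if auth.signed_by_representative and not auth.representative_authority.strip():
        missing.append("representative's authority")
    return missing


def authorization_status(auth, today):
    """Classify the authorization as of `today`.

    Returns one of: 'defective' (core element missing), 'invalid' (material
    information known to be false), 'revoked', 'expired', or 'valid'.
    A revocation is not honoured to the extent the entity already relied on the
    authorization, so a relied-upon authorization stays 'valid' here.
    """
    if missing_core_elements(auth):
        return "defective"
    if auth.known_false:
        return "invalid"
    if auth.revoked_on is not None and auth.revoked_on <= today and not auth.relied_upon:
        return "revoked"
    if auth.expiration_date is not None and today > auth.expiration_date:
        return "expired"
    if auth.expiration_event_occurred:
        return "expired"
    return "valid"


def sample_authorization():
    """A constructed, complete authorization used by the demo and the tests."""
    return Authorization(
        information_described="Lab results for 2003-01-01 through 2003-03-31",
        authorized_discloser="Example Clinic (constructed)",
        recipient="Example Research Study (constructed)",
        purpose="participation in research study",
        signed_by="Patient A (constructed)",
        signed_on=date(2003, 4, 1),
        expiration_event="end of the research study",
    )


if __name__ == "__main__":
    print(authorization_status(sample_authorization(), date(2003, 6, 1)))
```

Ordering matters: a defective authorization is reported as such even if it would also have expired, because the missing element is what the entity needs to fix, and the reliance exception is checked at the revocation step only, since it has no bearing on expiration or on false information.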
Personal Representatives
An individual's rights under HIPAA, as discussed above, may be exercised by the personal representative of the individual with the exception of situations involving abuse, neglect, and domestic violence addressed in § 164.512(c).
Pursuant to § 164.502(g), certain persons have the authority to act as personal representatives under the Privacy Rule, including the following:
- Adults or Emancipated Minors: If a person has the ability under state or other law to act on behalf of an adult or an emancipated minor in making decisions related to health care, then a covered entity must treat that person as a personal representative under the HIPAA Privacy Rule. An "emancipated minor" is defined under state law.
- Minors — Authority of a Personal Representative to Exercise the Minor's Rights: If under state or other law, a parent, guardian, or another person who acts in loco parentis (referred to here as "parent" for ease of reference) has the ability to act on behalf of a minor in making decisions related to health care, a covered entity must treat that person as a personal representative under the HIPAA Privacy Rule. However, the minor retains his/her rights under the HIPAA Privacy Rule and a parent or guardian may not act as the minor's personal representative in the following situations:
- The minor consents to the health care service; no other consent to the health care service is required by law; and he/she has not requested that the other person is to be treated as a personal representative;
- The minor may lawfully obtain such health care service without the consent of a parent or guardian, and the minor, a court, or another person authorized by law consents to such health care service; or
- If a parent or guardian assents to a confidentiality agreement between a covered health care provider and the minor with respect to such health care services.
- Minors — Access by a Parent or Guardian Under State or Other Law: State or other laws that address access to health information will govern whether or not a parent or guardian may have access to a minor's PHI. In cases where a parent or guardian does not meet the definition of a personal representative and there is no law that specifically addresses access to health information, a covered entity may choose to provide or deny access so long as that decision is consistent with other applicable law and is made by a licensed health care professional.
- Executor or Administrator: If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or the individual's estate, a covered entity must treat that person as a personal representative with respect to the PHI that is relevant to the executor, administrator, or other person's representation.
A covered entity may elect not to treat a person as the personal representative of an individual if:
- The covered entity has a reasonable belief that (a) the individual has been or may be subjected to domestic violence, abuse, or neglect by that person; or (b) treating such person as the personal representative could endanger the individual; and
- The covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative.
Copyright © 2003, Ober, Kaler, Grimes & Shriver