
Privacy Standards

Mitigating risks and practical business practice

  • Addressing HIPAA privacy is a matter of mitigating risk and of practical business practice.
  • Risk increases as an organization moves beyond its core treatment, payment and health care operations (TPO) uses of information, for example when health information is shared with parties outside the organization.

Privacy vs. Security


Key Definitions & Principles:


  • Privacy = rules for accessing information
  • Security = processes and mechanisms for protecting information

Biggest Myth: Good Security = Technology

  • Technical measures alone are insufficient; policy, training and accountability are needed as well

Reality: a good security program requires a solid “Confidentiality Culture”

  • This takes time to develop, especially if current confidentiality awareness is low

In addition, HIPAA requires that these practices be documented.


Intent of HIPAA Privacy and Security Standards:

Maintain reasonable and appropriate administrative, technical and physical safeguards that:

  • Ensure the confidentiality and integrity of the information, and its availability to authorized staff
  • Prevent unauthorized uses or disclosures
  • Protect against reasonably anticipated threats and physical hazards
  • Address both external and internal threats (an insider with legitimate access is as much in scope as an outside attacker)

Privacy Scope of Impact

  • Covers individually identifiable health information maintained or transmitted by covered entities in any form: electronic, paper and oral
  • Applies directly only to the "covered entities" defined under HIPAA (health plans, health care clearinghouses, and health care providers who transmit health information electronically); business associates are reached through contract
  • Covered entities must have "reasonable and appropriate" administrative, technical and physical safeguards


General Rules

  • Makes use and exchange of Protected Health Information (PHI) easy for health care purposes and difficult for non-health care purposes
  • Minimum necessary use or disclosure: limit each use, disclosure or request to the minimum amount of PHI needed for its purpose
  • Sphere of privacy protection extended to business associates
    • A business associate is anyone who, on behalf of or for the covered entity, performs a function or provides a service involving PHI. This includes, but is not limited to, contractors, lawyers, auditors, consultants, other health care organizations and billing firms.



HIPAA has defined strong privacy and security requirements to protect Individually Identifiable Health Information. 

  • Individual consent
  • Business associate contract
  • Individual authorizations
  • Designated privacy official 
  • Permitted disclosures
  • Training of workforce members
  • Notice of privacy practices
  • Safeguards
  • Access by individuals to PHI
  • Complaints
  • Amendments and corrections to information
  • No private right of action for individuals
  • Accounting of disclosures
  • Access to PHI may be role-based or class-based



Part 1


  • Patients can request an accounting of disclosures of their individually identifiable health information, except disclosures made for treatment, payment and health care operations (TPO)
  • Patients have the right to inspect and copy their own health information, and to receive the accounting of disclosures described above
  • Patients have the right to request amendments or corrections to their health information if it is incorrect or incomplete
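The bullets above ("access to PHI may be role-based or class-based", "minimum necessary", and the accounting of disclosures that excludes TPO) describe a policy; the following is an added illustration, not code from the original page, of how the three fit together in software. The roles, the per-role field lists, the purposes and the sample patient record are all assumptions constructed for the example; a real system would derive them from the organization's own policy and a real directory.

```python
"""Role-based, minimum-necessary access to PHI plus an accounting-of-disclosures log.

Added example (not from the original page). Roles, field names, purposes and the
sample record are assumptions made for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Disclosures for these purposes need no authorization and are not accounted for.
TPO_PURPOSES = {"treatment", "payment", "operations"}

# Minimum-necessary policy: the PHI fields each (assumed) role may receive.
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnoses", "medications", "notes", "insurance_id"},
    "billing": {"name", "dob", "insurance_id", "procedure_codes"},
    "front_desk": {"name", "dob"},
}

# Constructed sample record for a fictional patient.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Roe",
    "dob": "1970-01-01",
    "diagnoses": ["J45.20"],
    "medications": ["albuterol"],
    "notes": "Follow up in 6 weeks.",
    "insurance_id": "INS-12345",
    "procedure_codes": ["99213"],
}


@dataclass
class DisclosureLog:
    """Append-only record of non-TPO disclosures, queried per patient."""

    entries: list = field(default_factory=list)

    def record(self, patient_id, recipient, purpose, fields, when=None):
        self.entries.append({
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "patient_id": patient_id,
            "recipient": recipient,
            "purpose": purpose,
            "fields": sorted(fields),  # what was disclosed, not the values
        })

    def accounting_for(self, patient_id):
        """The accounting a patient may request: non-TPO disclosures only."""
        return [e for e in self.entries if e["patient_id"] == patient_id]


def disclose(record, role, recipient, purpose, log, authorized=False):
    """Return the minimum-necessary view of `record` for `role`, or raise.

    - Unknown roles get nothing (deny by default).
    - Non-TPO purposes require an individual authorization and are logged.
    - TPO purposes are still bounded by the role's field list but not logged.
    """
    if role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role {role!r}")
    if purpose not in TPO_PURPOSES and not authorized:
        raise PermissionError(f"non-TPO purpose {purpose!r} requires patient authorization")
    view = {k: v for k, v in record.items() if k in ROLE_FIELDS[role]}
    if purpose not in TPO_PURPOSES:
        log.record(record["patient_id"], recipient, purpose, view.keys())
    return view


if __name__ == "__main__":
    log = DisclosureLog()
    print(disclose(SAMPLE_RECORD, "billing", "claims-dept", "payment", log))
    print(disclose(SAMPLE_RECORD, "front_desk", "attorney", "litigation", log, authorized=True))
    print(log.accounting_for("P-0001"))
```

Two points the code makes concrete: the billing view never contains clinical notes or diagnoses even though the request is legitimate (minimum necessary is applied per role, not per request), and the log records which fields went to whom rather than the values themselves, so the accounting of disclosures does not become a second copy of the PHI.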


Part 2

  • The privacy protections apply to all medical records and other individually identifiable health information held by a covered entity, whether communicated electronically, on paper or orally.
  • Health plans and providers maintain administrative, technical and physical safeguards; the security rules support the privacy rules.
  • Covered entities must have contracts with their business associates that require appropriate safeguarding of Protected Health Information (PHI).
  • Where a state or other federal law is more stringent (offers greater privacy protection or imposes stricter requirements), that law must be followed; HIPAA sets a floor, not a ceiling.

Part 3

Health Plans and Providers must:

  • Designate a privacy official
  • Establish a documented privacy policy
  • Provide ongoing privacy training to staff
  • Establish and maintain a means for individuals to lodge complaints
  • Develop a system of sanctions for violations of privacy policy
  • Settle or resolve complaints
  • Implement safeguards to protect health information from misuse

Questions to Consider

  • Where is Protected Health Information (PHI) being used at your facility and by whom?
  • To whom is PHI being disclosed and how?
  • Have you created an inventory of all individuals and entities with which you share PHI?
  • Do you have a centralized release-of-information function to respond to all requests for PHI?
  • Do your staff members need to review PHI maintained at other organizations to perform their jobs?
  • Do you currently have a documented policy and/or procedure that addresses management of confidential health information?