The HIPAA Series: Lesson #2, The Privacy Rule

by Amber N. Yoo, M.B.A.

It’s time for our second HIPAA lesson!  First, let’s see how well you remember the first HIPAA lesson…

• What does HIPAA stand for?
• What are the two rules that set security standards and safeguards for health information?
• Who is required to follow HIPAA?

Have the answers? Great! Today, let’s focus on the Privacy Rule.

The Privacy Rule protects all protected health information (PHI) transmitted in any medium (electronic, paper or oral) by a covered entity or its business associates.

Do medical providers need my permission in order to share my health information?

The Privacy Rule carves out a wide path for covered entities to share your health information without your authorization. HIPAA calls these “permitted uses and disclosures of PHI.” In general, PHI may be shared for the purposes of treatment, payment, and health care operations or if required by the government. A few specific examples include:

• A primary care provider may send a copy of your medical record to a specialist who needs the information to treat you. 
• A health care provider may disclose PHI to a third-party billing company in order to submit a claim for payment to your insurance company.
• A surgeon may send PHI to an independent surgery facility in order to schedule a surgery appointment for you.

Your written authorization is required for any use or disclosure that is not permitted by the Privacy Rule. Learn more.

Why is my doctor office’s privacy policy so important?

The Privacy Rule requires covered entities to have a privacy policy. The privacy policy must include certain explanations:

• How we may use and disclose PHI.
• Our duties to protect your privacy, provide a notice of privacy practices, and abide by the terms of our policy.
• An explanation of your rights, including the right to complain to HHS and to us if you believe your privacy rights have been violated.
• Contact information for our Privacy Officer.

A copy of the privacy policy must be provided to you the first time medical service is provided (i.e. the first time you visit our office). We are required to get your signature, saying that you received a copy. We must also provide a copy to you upon request and the notice must be posted prominently in the facility.

How do I get a copy of my medical record?

The most important right HIPAA gives you is the right to access your PHI. Under the Privacy Rule, you have the right to review and obtain a copy of your medical record. As in our office, most doctors are moving to electronic medical records, which means you would be looking at a computer screen instead of the paper chart we are all familiar with. If you’d like, we will provide you with a printed copy for a minimal fee.

In this lesson, we covered what I consider the three most important parts of HIPAA’s Privacy Rule: uses and disclosures of PHI, notice, and access. Next time, we’ll talk about confidential communications requirements, personal representatives, and preemption.

In the meantime, if you have any HIPAA-related questions, leave them in a comment below!

​