3.1 HIPAA Privacy Rule

Key Takeaways

  • The HIPAA Privacy Rule protects individually identifiable health information (Protected Health Information — PHI) in any form: paper, electronic, or oral
  • PHI includes 18 identifiers: name, address, dates (birth, admission, discharge, death), phone/fax numbers, email, SSN, medical record number, and more
  • The Minimum Necessary Standard requires that only the minimum amount of PHI needed to accomplish the task should be used or disclosed
  • Treatment, Payment, and Operations (TPO) disclosures do NOT require patient authorization — this is the most important HIPAA exception for CMAAs
  • Non-TPO disclosures generally require a signed patient authorization before PHI can be released
  • Patients have the right to access their records, request amendments, request restrictions, receive an accounting of disclosures, and file complaints
  • The Notice of Privacy Practices (NPP) must be provided to every patient at their first visit and made available at all times
Last updated: March 2026

HIPAA Privacy Rule

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is the cornerstone of patient privacy law in the United States. The Privacy Rule, which took effect in 2003, establishes national standards for protecting patient information. HIPAA knowledge is one of the most heavily tested areas on the CMAA exam.


What Is Protected Health Information (PHI)?

PHI is any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity. PHI exists in three forms:

  • Paper: Medical charts, lab reports, prescription pads, billing statements, superbills
  • Electronic (ePHI): EHR records, emailed lab results, digital images, electronic claims
  • Oral: Conversations about patients, phone calls, voicemail messages

The 18 HIPAA Identifiers

If any of these identifiers are linked to health information, the information is PHI:

  1. Name
  2. Address (street, city, county, zip)
  3. Dates (birth, admission, discharge, death)
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers
  17. Full-face photographs
  18. Any other unique identifying number

Covered Entities and Business Associates

  • Covered Entity: Healthcare providers, health plans, and healthcare clearinghouses that transmit information electronically. Examples: physician offices, hospitals, insurance companies
  • Business Associate: A person or organization that performs functions on behalf of a covered entity involving PHI. Examples: billing companies, IT contractors, transcription services, law firms
  • Business Associate Agreement (BAA): A required written contract between a covered entity and a business associate that establishes the permitted uses of PHI. It must be in place before any PHI is shared with a business associate

The Minimum Necessary Standard

The Minimum Necessary Standard is a core HIPAA principle that requires covered entities to make reasonable efforts to limit PHI access, use, and disclosure to the minimum necessary to accomplish the intended purpose.

  • Internal access: A billing clerk should only have access to billing-related PHI, not clinical notes
  • Requests for information: When a specialist requests records, send only the relevant portion, not the entire chart
  • Disclosures: When responding to an insurance claim, include only the information needed for the claim

Exceptions to the Minimum Necessary Standard

The Minimum Necessary Standard does not apply to:

  • Disclosures to the patient (patients can access their full records)
  • Disclosures for treatment purposes between providers
  • Disclosures required by law
  • Disclosures to HHS for enforcement purposes

TPO Disclosures (No Authorization Required)

The most critical HIPAA concept for CMAAs is the Treatment, Payment, and Operations (TPO) exception. PHI can be used and disclosed for TPO purposes without patient authorization:

  • Treatment: Provision, coordination, or management of healthcare. Examples: sending a patient's records to a specialist for a referral; discussing a patient's condition with another provider for a consultation
  • Payment: Activities related to obtaining payment for healthcare. Examples: submitting a claim to an insurance company; verifying insurance eligibility; collecting copayments
  • Operations: Activities related to running the healthcare practice. Examples: quality improvement, staff training, compliance audits, business management, peer review

When Authorization IS Required

A signed patient authorization is needed for disclosures that are not related to TPO, including:

  • Marketing: Sending promotional materials about a new service
  • Sale of PHI: Any exchange of PHI for payment
  • Psychotherapy notes: Notes recorded by a mental health professional during a session
  • Research: Using PHI for clinical research purposes (unless an IRB waiver is granted)
  • Third-party requests: Employer, attorney, or family member requesting records (without patient consent)
  • Media/press: Any release of information to the media
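As an added example, not part of this study guide, the Python below turns the rules above into a single disclosure gate: purposes exempt from the Minimum Necessary Standard receive the full chart, the other TPO purposes receive only the categories they need, and any other request is refused unless a signed authorization names the categories, with every non-TPO release logged so the patient can later request an accounting of disclosures. The chart fields, category tags, purpose names and the NEEDED mapping are assumptions made for the illustration.

```python
# Added illustration of the Minimum Necessary Standard as a disclosure gate.
# Field categories, purpose names and the NEEDED mapping are assumptions.

TPO = {"treatment", "payment", "operations"}

# Purposes exempt from the minimum-necessary limit (the patient, treatment,
# required by law, HHS enforcement): the requester may see the whole chart.
FULL_RECORD = {"patient", "treatment", "required_by_law", "hhs_enforcement"}

# Assumed "minimum necessary" field categories for the remaining TPO purposes.
NEEDED = {
    "payment": {"demographics", "billing"},
    "operations": {"demographics", "clinical"},
}

# Constructed sample chart: field -> (category, value).
CHART = {
    "name": ("demographics", "Jane Example"),
    "date_of_birth": ("demographics", "1980-01-01"),
    "insurance_id": ("billing", "PLAN-000123"),
    "visit_charges": ("billing", "99213: 150.00"),
    "diagnosis": ("clinical", "J06.9"),
    "clinical_notes": ("clinical", "URI, supportive care advised"),
    "psychotherapy_notes": ("psychotherapy", "session notes"),
}

# Every non-TPO disclosure (other than to the patient) is recorded so the
# patient can later request an accounting of disclosures.
DISCLOSURE_LOG = []


def disclose(chart, purpose, authorized_scope=None):
    """Return the chart fields that may be released for `purpose`.

    `authorized_scope` is the set of categories named in the patient's signed
    authorization; it is the only way a non-TPO request receives any PHI.
    """
    if purpose in FULL_RECORD:
        allowed = {cat for cat, _ in chart.values()}
    elif purpose in NEEDED:
        allowed = set(NEEDED[purpose])
    elif authorized_scope:
        allowed = set(authorized_scope)
    else:
        raise PermissionError(f"{purpose}: signed patient authorization required")
    # Psychotherapy notes are released only when the authorization names them.
    if "psychotherapy" not in (authorized_scope or ()):
        allowed.discard("psychotherapy")
    released = {f: val for f, (cat, val) in chart.items() if cat in allowed}
    if purpose not in TPO and purpose != "patient":
        DISCLOSURE_LOG.append((purpose, sorted(released)))
    return released
```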

Disclosures That Do NOT Require Authorization (Beyond TPO)

Certain disclosures are permitted or required without patient authorization:

  • Required by law: Court orders, subpoenas, statutory reporting requirements
  • Public health: Reporting communicable diseases, vital statistics, FDA adverse events
  • Abuse/neglect: Reporting suspected child abuse, elder abuse, or domestic violence
  • Health oversight: Government audits, investigations, licensing
  • Law enforcement: Responding to a court order, identifying a suspect, reporting a crime on premises
  • Decedents: Releasing information to coroners, medical examiners, funeral directors
  • Organ donation: Information for organ procurement organizations
  • Workers' compensation: Disclosures required by workers' compensation laws
  • Imminent threat: Preventing or lessening a serious and imminent threat to health or safety

Patient Rights Under HIPAA

  • Access: Patients can inspect and obtain a copy of their PHI (within 30 days of the request; reasonable copy fees may be charged)
  • Amendment: Patients can request corrections to their PHI (the provider can deny but must document the denial)
  • Restriction: Patients can request restrictions on how their PHI is used or disclosed (the provider is not required to agree, except for the self-pay restriction)
  • Confidential communication: Patients can request communication through specific means (e.g., "Call my cell phone, not my home phone")
  • Accounting of disclosures: Patients can request a list of non-TPO disclosures made in the prior 6 years
  • Notice of Privacy Practices (NPP): Patients must receive the NPP at their first visit; it describes how PHI may be used and the patient's rights
  • Complaint: Patients can file a complaint with the covered entity or with HHS/OCR if they believe their rights have been violated

Self-Pay Restriction (HITECH Act Addition)

If a patient pays in full out of pocket (self-pay) and requests that the provider not disclose the encounter to their health plan, the provider must honor this restriction. This is the one restriction request that is mandatory.

Test Your Knowledge

A specialist office calls to request a patient's medical records for an upcoming consultation. Under HIPAA, what should the CMAA do?

Test Your Knowledge

A patient's employer calls and asks for information about the patient's diagnosis. What should the CMAA do?

Test Your Knowledge

Under HIPAA, within how many days must a covered entity respond to a patient's request to access their medical records?

Test Your Knowledge

Which of the following is an exception to the Minimum Necessary Standard?
