8.2 HIPAA, Confidentiality, and Release of Information

Key Takeaways

  • Protected health information (PHI) is any individually identifiable health data, including names, dates, MRNs, photos, and conversations — not just the formal chart.
  • HIPAA permits use and disclosure for treatment, payment, and health-care operations (TPO) without separate authorization; most other releases need signed authorization.
  • The minimum-necessary standard limits disclosure to the least PHI needed, but it does not apply to disclosures for treatment, to disclosures to the patient, or to disclosures made under a valid authorization.
  • Patients have a right to access their records, and providers must respond within 30 days under the HIPAA right of access.
  • A breach of unsecured PHI affecting 500 or more individuals must be reported to HHS and the media without unreasonable delay and no later than 60 days.
Last updated: June 2026

What HIPAA Protects

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protects protected health information (PHI) — any individually identifiable health information held or transmitted by a covered entity. There are 18 identifiers that make data PHI, including name, all dates more specific than year (birth, admission, discharge), telephone and fax numbers, email, medical record number (MRN), Social Security number, account numbers, full-face photographs, and any other unique identifying number, characteristic, or code.

PHI is not limited to the chart: appointment schedules, sign-in sheets, prescription labels, billing records, voicemails, and the hallway conversation about a patient are all PHI.

A covered entity that handles PHI is bound by both the Privacy Rule (who may see/share PHI) and the Security Rule (administrative, physical, and technical safeguards for electronic PHI). The HITECH Act strengthened breach notification and extended liability to business associates.

TPO: Disclosures Allowed Without Authorization

HIPAA permits the use and disclosure of PHI without separate patient authorization for treatment, payment, and health-care operations (TPO). Sharing a chart with the consulting cardiologist (treatment), sending a claim to the insurer (payment), and internal quality review (operations) are all permitted. Most disclosures outside TPO — to a life-insurance company, an employer, an attorney, or a family member who is not involved in care — require the patient's signed authorization specifying what is released, to whom, and for how long.

Quick Decision Table

Request                                                      Authorization needed?
Refer chart to a treating specialist                         No (treatment)
Submit claim to the patient's insurer                        No (payment)
Give records to the patient's attorney                       Yes, signed authorization
Release to employer for a fitness-for-duty exam              Yes
Report a reportable communicable disease to public health    No (required-by-law exception)
Tell a caller who "knows the patient" the test result        Verify identity/authorization first

Minimum Necessary and Its Exceptions

The minimum-necessary standard says you disclose only the least PHI needed to accomplish the purpose. If billing needs a date and code, you do not send the entire chart. Important exceptions where minimum necessary does not apply: disclosures to the provider for treatment, disclosures to the patient about their own record, disclosures made under a valid authorization, and disclosures required by law.

Patient Access and Breach Timelines

Under the HIPAA right of access, a patient may inspect and obtain a copy of their record, and the practice must act on the request within 30 days (one 30-day extension allowed with notice). Patients may also request amendments and an accounting of disclosures.

A breach of unsecured PHI triggers notification: affected individuals must be notified without unreasonable delay and no later than 60 days. Breaches affecting 500 or more individuals also require notice to the Department of Health and Human Services (HHS) and to prominent media. The CCMA's role in any suspected breach — a misdirected fax, a record opened in error, a lost device — is to report it immediately through facility policy, not to conceal or independently investigate it.

Daily Safeguards and the Identity Trap

The most-tested CCMA decision: verify identity and authorization before releasing anything. A friendly caller who recites the patient's birth date is not automatically authorized; results go only to the patient or an authorized representative through approved channels. Other safeguards: position monitors away from the waiting room, log off shared workstations, do not discuss patients in elevators or break rooms, shred PHI rather than tossing it, and never look up a record (a coworker, a celebrity, a relative) you are not treating — that is unauthorized access even if nothing is shared.

Privacy Rule vs. Security Rule vs. Breach Notification

The exam distinguishes three pieces of HIPAA. The Privacy Rule governs who may use or disclose PHI and the patient's rights over it. The Security Rule applies specifically to electronic PHI (ePHI) and requires three categories of safeguards: administrative (training, access policies, sanction policies), physical (locked doors, screen privacy filters, device control), and technical (unique user logins, automatic logoff, encryption, audit trails). The Breach Notification Rule is the response when unsecured PHI is exposed.

Encryption is powerful because properly encrypted PHI is not "unsecured" PHI: if an encrypted device or file is lost, the data is unreadable to whoever finds it, so the loss is generally not a reportable breach.
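The technical safeguards above include audit trails, and the earlier section notes that opening a record you are not treating is unauthorized access even if nothing is shared. The following is an added example of the kind of audit-trail review that catches that case; it is not code from the page or from any EHR product. The log format, the care-team roster, the employee-patient mapping and the user IDs are all constructed assumptions for the demonstration.

```python
"""Audit-trail review for EHR record access (added example).

Constructed input: access-log lines in a hypothetical CSV form
    timestamp,user_id,action,mrn
plus a hypothetical roster of which users currently have a treatment
relationship with which MRN. Real audit formats and roster sources differ.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log (hypothetical format and values).
SAMPLE_LOG = """\
2026-06-02T09:14:05,ma_lopez,VIEW,MRN1001
2026-06-02T09:20:11,dr_chen,VIEW,MRN1001
2026-06-02T12:02:40,ma_lopez,VIEW,MRN2002
2026-06-02T13:45:19,ma_patel,VIEW,MRN3003
2026-06-02T15:30:00,ma_lopez,PRINT,MRN1001
"""

# Hypothetical roster: users with an active treatment relationship per MRN.
CARE_TEAM = {
    "MRN1001": {"ma_lopez", "dr_chen"},
    "MRN2002": {"dr_chen"},
    "MRN3003": {"ma_patel"},
}

# Hypothetical mapping of staff members who are also patients of the practice.
EMPLOYEE_MRN = {"ma_patel": "MRN3003"}


@dataclass
class Finding:
    timestamp: datetime
    user_id: str
    action: str
    mrn: str
    reason: str


def parse_line(line):
    """Split one audit line into (timestamp, user_id, action, mrn)."""
    ts, user, action, mrn = line.strip().split(",")
    return datetime.fromisoformat(ts), user, action, mrn


def review_access_log(log_text, care_team, employee_mrn):
    """Return a Finding for every access that lacks a documented reason.

    Two checks, matching the page's guidance:
      SELF_ACCESS               staff opened their own record through their
                                work login rather than the patient-access path
      NO_TREATMENT_RELATIONSHIP user is not on the patient's current care team
                                (a coworker, relative or celebrity lookup)
    Any access, including a plain VIEW, is flagged; sharing is not required.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, mrn = parse_line(line)
        if employee_mrn.get(user) == mrn:
            findings.append(Finding(ts, user, action, mrn, "SELF_ACCESS"))
        elif user not in care_team.get(mrn, set()):
            findings.append(Finding(ts, user, action, mrn, "NO_TREATMENT_RELATIONSHIP"))
    return findings


def findings_by_user(findings):
    """Count flagged accesses per user, the usual starting point for follow-up."""
    counts = {}
    for f in findings:
        counts[f.user_id] = counts.get(f.user_id, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG, CARE_TEAM, EMPLOYEE_MRN):
        print(f"{f.timestamp.isoformat()} {f.user_id:<10} {f.action:<6} {f.mrn} {f.reason}")
```

On the constructed log this flags two lines: ma_lopez viewing MRN2002 (no treatment relationship) and ma_patel viewing her own record. The two legitimate views and the print by a care-team member are left alone. A finding is a lead for the privacy officer to follow up through facility policy, not a conclusion; the roster is the piece a real deployment has to get right.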

Common Daily Examples by Safeguard Type

Safeguard          Example the CCMA performs
Administrative     Completes annual HIPAA training; uses only assigned login
Physical           Turns the monitor away from the waiting room; shreds labels
Technical          Logs off the shared workstation; never shares a password

Special Situations the Exam Loves

  • Family and friends in care: You may share PHI directly relevant to a person's involvement in the patient's care (for example, telling a spouse helping with discharge meds) if the patient agrees, does not object, or — when incapacitated — it is in the patient's best interest. You still apply minimum necessary.
  • Patient self-pay restriction: A patient may request that the practice not disclose a specific service to their health plan if they pay out of pocket in full; this request must be honored.
  • Marketing and sale of PHI: These generally require separate authorization; routine appointment reminders do not.
  • Incidental disclosures: A name overheard at a busy front desk is permitted if reasonable safeguards (lowered voice, sign-in privacy) are in place — HIPAA is not violated by every unavoidable overhearing.
  • Psychotherapy notes receive heightened protection and usually need a specific authorization separate from the rest of the record.

Violations carry civil and criminal penalties that scale with culpability, from unknowing violations to willful neglect; egregious cases can mean substantial fines and termination. The CCMA's protective instinct on every item: verify, disclose the minimum, use approved channels, and report any suspected breach immediately.

Test Your Knowledge

1. A caller says she is the patient's sister, correctly states the patient's date of birth, and asks for the patient's recent lab results. There is no authorization on file. What should the CCMA do?

2. Which disclosure is permitted under HIPAA WITHOUT a separate signed authorization?

3. Under the HIPAA right of access, within how many days must a practice generally act on a patient's request for a copy of their own record?