4.2 HIPAA Privacy Rule
Key Takeaways
- Protected Health Information is individually identifiable health information held or transmitted by a Covered Entity or Business Associate, and the Privacy Rule lists 18 identifiers that make data identifiable.
- PHI may be used and disclosed without patient authorization for Treatment, Payment, and Healthcare Operations (TPO) — the core permission billers rely on to submit claims.
- The minimum necessary standard limits PHI use and disclosure to the least amount needed, but it does not apply to treatment disclosures, disclosures to the patient, or patient-authorized disclosures.
- Patients have a right to access their records generally within 30 days with one 30-day extension, plus rights to amend, to an accounting of disclosures, to request restrictions, and to confidential communications.
- An authorization is a specific signed permission required for non-TPO uses such as marketing or the sale of PHI; general consent is not required for routine TPO.
What the Privacy Rule Protects
The HIPAA Privacy Rule sets national standards for protecting protected health information (PHI). PHI is individually identifiable health information — covering a person's past, present, or future physical or mental health, the care provided, or payment for that care — that is created or held by a Covered Entity or Business Associate, in any form: paper, electronic, or spoken. Notice the breadth: a billing question shouted across an open office is just as much PHI as the 837 claim file.
Health information is considered identifiable when it includes one or more of 18 specific identifiers. Removing all 18 — and confirming there is no remaining reasonable way to re-identify the person — produces de-identified data, which is no longer PHI and falls outside the Privacy Rule. A limited data set strips most identifiers but keeps dates and some geographic data; it still requires a data use agreement.
The 18 HIPAA Identifiers
| # | Identifier | # | Identifier |
|---|---|---|---|
| 1 | Names | 10 | Account numbers |
| 2 | Geographic data smaller than a state | 11 | Certificate or license numbers |
| 3 | All dates (except year) tied to an individual | 12 | Vehicle identifiers and license plates |
| 4 | Telephone numbers | 13 | Device identifiers and serial numbers |
| 5 | Fax numbers | 14 | Web URLs |
| 6 | Email addresses | 15 | IP addresses |
| 7 | Social Security numbers | 16 | Biometric identifiers (fingerprints, voiceprints) |
| 8 | Medical record numbers | 17 | Full-face photos and comparable images |
| 9 | Health plan beneficiary numbers | 18 | Any other unique identifying number or code |
A frequent exam trap: a date of service, an SSN, and a member ID on a claim are all identifiers — you cannot strip just the name and call data anonymous. ZIP codes count as geography; under safe harbor de-identification, even the first three ZIP digits must be generalized when the population is small.
TPO: Treatment, Payment, and Healthcare Operations
The Privacy Rule permits a Covered Entity to use and disclose PHI without patient authorization for three core purposes, abbreviated TPO:
- Treatment — providing and coordinating patient care among providers
- Payment — billing and collecting for care, including submitting claims, verifying eligibility, obtaining prior authorization, and pursuing reimbursement
- Healthcare Operations — quality improvement, audits, business management, training, and credentialing
Billing is squarely a payment activity, so a biller does not need a signed authorization to submit a claim to a payer or to call about a denial.
Minimum Necessary Standard
When using or disclosing PHI, a Covered Entity must make reasonable efforts to limit it to the minimum necessary to accomplish the purpose. A claim should carry only the diagnoses, procedures, and demographics the payer needs to adjudicate — not the entire chart. The important exceptions where minimum necessary does not apply:
- Disclosures to or requests by a provider for treatment
- Disclosures to the patient about their own information
- Disclosures the patient has specifically authorized
- Disclosures required by law or to HHS for compliance
Notice of Privacy Practices and Patient Rights
A Covered Entity must give patients a Notice of Privacy Practices (NPP) describing how PHI is used and the rights patients hold, and must make a good-faith effort to obtain a written acknowledgment of receipt. Key patient rights:
| Right | What It Means |
|---|---|
| Access | Inspect and obtain a copy of records, generally within 30 days, with one 30-day extension allowed |
| Amendment | Request a correction to inaccurate or incomplete records |
| Accounting of disclosures | Receive a list of certain non-TPO disclosures, generally for the prior six years |
| Request restrictions | Ask the CE to limit certain uses or disclosures (and a paid-in-full self-pay restriction must be honored) |
| Confidential communication | Request contact by an alternative method or location |
| Complaint | File a complaint with the CE or with the HHS Office for Civil Rights |
Authorization vs. Consent
A HIPAA authorization is a specific, signed document required before PHI may be used or disclosed for non-TPO purposes such as marketing, the sale of PHI, or release of psychotherapy notes. A general consent for routine TPO is permitted but not required. Billers should never treat a signed authorization as optional for non-TPO releases — those uses are prohibited without it, and improperly disclosing PHI to, say, a marketing firm without authorization is a Privacy Rule violation.
Incidental Disclosures and Common Billing Pitfalls
The Privacy Rule tolerates incidental disclosures — minor, unavoidable exposures that occur as a byproduct of an otherwise permitted use — as long as the entity applies reasonable safeguards and minimum necessary. A patient overhearing a name at a busy front desk is incidental and not a violation; posting that patient's full diagnosis on a whiteboard visible to the waiting room is not. For billers, the everyday risks are predictable: faxing an explanation of benefits to the wrong number, mailing a statement to an old address, discussing a balance with a relative who is not a personal representative, or leaving detailed voicemails.
Best practice is to leave only minimal callback information and to verify identity before releasing account details.
A Covered Entity may disclose PHI to a patient's personal representative — someone with legal authority such as a parent of a minor or a healthcare power of attorney — but not to a spouse or adult child by default. When a payer, attorney, or family member requests records for a non-TPO purpose, route the request through a valid HIPAA authorization rather than releasing on a verbal say-so.
A biller submits a CMS-1500 claim to a commercial payer that includes the patient's diagnoses, procedures, and demographics. No signed patient authorization is on file for this specific claim. Is this disclosure permitted?
Under the Privacy Rule, a Covered Entity must generally provide a patient access to their records within how many days of the request, before any extension?
Type your answer below