4.2 HIPAA Privacy Rule
Key Takeaways
- Protected Health Information is individually identifiable health information held or transmitted by a Covered Entity or Business Associate, and HIPAA lists 18 identifiers that make data identifiable.
- PHI may be used and disclosed without patient authorization for Treatment, Payment, and Healthcare Operations (TPO) — the core permission billers rely on.
- The minimum necessary standard requires limiting PHI use and disclosure to the least amount needed for the purpose, though it does not apply to treatment disclosures between providers.
- Patients have a right to access their records, generally within 30 days with one 30-day extension, plus rights to amend, to an accounting of disclosures, to request restrictions, and to confidential communication.
- Authorization is a specific signed permission required for non-TPO uses such as marketing or selling PHI; general consent is not required for routine TPO.
What the Privacy Rule Protects
The HIPAA Privacy Rule sets national standards for protecting protected health information (PHI). PHI is individually identifiable health information — covering a person's physical or mental health, the care provided, or payment for that care — that is created or held by a Covered Entity or Business Associate, in any form: paper, electronic, or spoken.
Health information is considered identifiable when it includes one or more of 18 specific identifiers. Removing all 18 (and confirming no remaining way to re-identify the person) produces de-identified data, which is no longer PHI.
The 18 HIPAA Identifiers
| # | Identifier | # | Identifier |
|---|---|---|---|
| 1 | Names | 10 | Account numbers |
| 2 | Geographic data smaller than a state | 11 | Certificate or license numbers |
| 3 | All dates (except year) tied to an individual | 12 | Vehicle identifiers and license plates |
| 4 | Telephone numbers | 13 | Device identifiers and serial numbers |
| 5 | Fax numbers | 14 | Web URLs |
| 6 | Email addresses | 15 | IP addresses |
| 7 | Social Security numbers | 16 | Biometric identifiers (fingerprints, voiceprints) |
| 8 | Medical record numbers | 17 | Full-face photos and comparable images |
| 9 | Health plan beneficiary numbers | 18 | Any other unique identifying number or code |
TPO: Treatment, Payment, and Healthcare Operations
The Privacy Rule permits a Covered Entity to use and disclose PHI without patient authorization for three core purposes, abbreviated TPO:
- Treatment — providing and coordinating patient care
- Payment — billing and collecting for care, including submitting claims, verifying eligibility, and obtaining payer prior authorization (precertification) for services
- Healthcare Operations — quality improvement, audits, training, and general administration
Billing is squarely a payment activity, so a biller does not need a signed authorization to submit a claim to a payer.
Minimum Necessary Standard
When using or disclosing PHI, a Covered Entity must make reasonable efforts to limit it to the minimum necessary to accomplish the purpose. A claim should carry the diagnoses, procedures, and demographics the payer needs — not the entire chart. Important exceptions: the minimum necessary standard does not apply to disclosures to a provider for treatment, to disclosures to the patient, or to disclosures the patient has authorized.
Notice of Privacy Practices and Patient Rights
A Covered Entity must give patients a Notice of Privacy Practices (NPP) describing how PHI is used and what rights patients have. Key patient rights:
| Right | What It Means |
|---|---|
| Access | Inspect and obtain a copy of records, generally within 30 days, with one 30-day extension allowed |
| Amendment | Request a correction to inaccurate or incomplete records |
| Accounting of disclosures | Receive a list of certain non-TPO disclosures |
| Request restrictions | Ask the CE to limit certain uses or disclosures |
| Confidential communication | Request contact by an alternative method or location |
| Complaint | File a complaint with the CE or with the HHS Office for Civil Rights |
Authorization vs. Consent
A HIPAA authorization is a specific, signed document required before PHI may be used or disclosed for non-TPO purposes such as marketing or the sale of PHI. A general consent for routine TPO is permitted but not required. Billers should never treat a signed authorization as optional for non-TPO releases — those uses are prohibited without it.
A biller submits a CMS-1500 claim to a commercial payer that includes the patient's diagnoses, procedures, and demographics. No signed patient authorization is on file for this claim. Is this disclosure permitted?
Under the Privacy Rule, a Covered Entity must generally provide a patient access to their records within how many days of the request, before any extension?