4.2 HIPAA Privacy Rule

Key Takeaways

  • Protected Health Information is individually identifiable health information held or transmitted by a Covered Entity or Business Associate, and the Privacy Rule lists 18 identifiers that make data identifiable.
  • PHI may be used and disclosed without patient authorization for Treatment, Payment, and Healthcare Operations (TPO) — the core permission billers rely on to submit claims.
  • The minimum necessary standard limits PHI use and disclosure to the least amount needed, but it does not apply to treatment disclosures, disclosures to the patient, or patient-authorized disclosures.
  • Patients have a right to access their records generally within 30 days with one 30-day extension, plus rights to amend, to an accounting of disclosures, to request restrictions, and to confidential communications.
  • An authorization is a specific signed permission required for non-TPO uses such as marketing or the sale of PHI; general consent is not required for routine TPO.
Last updated: June 2026

What the Privacy Rule Protects

The HIPAA Privacy Rule sets national standards for protecting protected health information (PHI). PHI is individually identifiable health information — covering a person's past, present, or future physical or mental health, the care provided, or payment for that care — that is created or held by a Covered Entity or Business Associate, in any form: paper, electronic, or spoken. Notice the breadth: a billing question shouted across an open office is just as much PHI as the 837 claim file.

Health information is considered identifiable when it includes one or more of 18 specific identifiers. Removing all 18 — and confirming there is no remaining reasonable way to re-identify the person — produces de-identified data, which is no longer PHI and falls outside the Privacy Rule. A limited data set strips most identifiers but keeps dates and some geographic data; it still requires a data use agreement.

The 18 HIPAA Identifiers

#Identifier#Identifier
1Names10Account numbers
2Geographic data smaller than a state11Certificate or license numbers
3All dates (except year) tied to an individual12Vehicle identifiers and license plates
4Telephone numbers13Device identifiers and serial numbers
5Fax numbers14Web URLs
6Email addresses15IP addresses
7Social Security numbers16Biometric identifiers (fingerprints, voiceprints)
8Medical record numbers17Full-face photos and comparable images
9Health plan beneficiary numbers18Any other unique identifying number or code

A frequent exam trap: a date of service, an SSN, and a member ID on a claim are all identifiers — you cannot strip just the name and call data anonymous. ZIP codes count as geography; under safe harbor de-identification, even the first three ZIP digits must be generalized when the population is small.

TPO: Treatment, Payment, and Healthcare Operations

The Privacy Rule permits a Covered Entity to use and disclose PHI without patient authorization for three core purposes, abbreviated TPO:

  • Treatment — providing and coordinating patient care among providers
  • Payment — billing and collecting for care, including submitting claims, verifying eligibility, obtaining prior authorization, and pursuing reimbursement
  • Healthcare Operations — quality improvement, audits, business management, training, and credentialing

Billing is squarely a payment activity, so a biller does not need a signed authorization to submit a claim to a payer or to call about a denial.

Minimum Necessary Standard

When using or disclosing PHI, a Covered Entity must make reasonable efforts to limit it to the minimum necessary to accomplish the purpose. A claim should carry only the diagnoses, procedures, and demographics the payer needs to adjudicate — not the entire chart. The important exceptions where minimum necessary does not apply:

  • Disclosures to or requests by a provider for treatment
  • Disclosures to the patient about their own information
  • Disclosures the patient has specifically authorized
  • Disclosures required by law or to HHS for compliance

Notice of Privacy Practices and Patient Rights

A Covered Entity must give patients a Notice of Privacy Practices (NPP) describing how PHI is used and the rights patients hold, and must make a good-faith effort to obtain a written acknowledgment of receipt. Key patient rights:

RightWhat It Means
AccessInspect and obtain a copy of records, generally within 30 days, with one 30-day extension allowed
AmendmentRequest a correction to inaccurate or incomplete records
Accounting of disclosuresReceive a list of certain non-TPO disclosures, generally for the prior six years
Request restrictionsAsk the CE to limit certain uses or disclosures (and a paid-in-full self-pay restriction must be honored)
Confidential communicationRequest contact by an alternative method or location
ComplaintFile a complaint with the CE or with the HHS Office for Civil Rights

Authorization vs. Consent

A HIPAA authorization is a specific, signed document required before PHI may be used or disclosed for non-TPO purposes such as marketing, the sale of PHI, or release of psychotherapy notes. A general consent for routine TPO is permitted but not required. Billers should never treat a signed authorization as optional for non-TPO releases — those uses are prohibited without it, and improperly disclosing PHI to, say, a marketing firm without authorization is a Privacy Rule violation.

Incidental Disclosures and Common Billing Pitfalls

The Privacy Rule tolerates incidental disclosures — minor, unavoidable exposures that occur as a byproduct of an otherwise permitted use — as long as the entity applies reasonable safeguards and minimum necessary. A patient overhearing a name at a busy front desk is incidental and not a violation; posting that patient's full diagnosis on a whiteboard visible to the waiting room is not. For billers, the everyday risks are predictable: faxing an explanation of benefits to the wrong number, mailing a statement to an old address, discussing a balance with a relative who is not a personal representative, or leaving detailed voicemails.

Best practice is to leave only minimal callback information and to verify identity before releasing account details.

A Covered Entity may disclose PHI to a patient's personal representative — someone with legal authority such as a parent of a minor or a healthcare power of attorney — but not to a spouse or adult child by default. When a payer, attorney, or family member requests records for a non-TPO purpose, route the request through a valid HIPAA authorization rather than releasing on a verbal say-so.

Test Your Knowledge

A biller submits a CMS-1500 claim to a commercial payer that includes the patient's diagnoses, procedures, and demographics. No signed patient authorization is on file for this specific claim. Is this disclosure permitted?

A
B
C
D
Test Your KnowledgeFill in the Blank

Under the Privacy Rule, a Covered Entity must generally provide a patient access to their records within how many days of the request, before any extension?

Type your answer below