1.2 HIPAA & Protected Health Information

Key Takeaways

  • Protected Health Information (PHI) is individually identifiable health information created, received, maintained, or transmitted by a covered entity in any form — electronic, paper, or oral
  • The minimum necessary standard requires limiting PHI use, disclosure, and requests to the smallest amount needed for the purpose — but it does NOT apply to disclosures made for treatment
  • TPO (Treatment, Payment, and Healthcare Operations) uses and disclosures are permitted without a separate patient authorization
  • Covered entities must make a good-faith effort to obtain a patient's written acknowledgment of receiving the Notice of Privacy Practices (NPP), and must document the attempt if the patient declines to sign
  • Patients have HIPAA rights to access and obtain copies of their records, request amendments, receive an accounting of certain disclosures, and request restrictions on how their information is used
Last updated: July 2026

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, is the federal law that governs how healthcare organizations protect patient information. For a patient access professional, HIPAA is not an abstract legal concept — it shapes nearly every interaction at the registration desk, on the phone, and in the scheduling queue. The CHAA exam tests HIPAA heavily because access staff routinely handle PHI before a clinician ever enters the room.

What Counts as PHI

Protected Health Information (PHI) is any individually identifiable health information that a covered entity (a healthcare provider, health plan, or healthcare clearinghouse) creates, receives, maintains, or transmits, in any form — electronic, paper, or spoken. "Individually identifiable" means the information includes one or more identifiers (name, date of birth, medical record number, Social Security number, address, phone number, and other identifiers defined by HIPAA) that could reasonably identify the patient, combined with health-related information such as a diagnosis, treatment, or payment detail. A patient's name alone is not PHI; a patient's name linked to the fact that they have an appointment in the oncology department is PHI.

The Minimum Necessary Standard

The minimum necessary standard requires covered entities to make reasonable efforts to limit the use, disclosure, and request of PHI to the minimum amount needed to accomplish the intended purpose. In practice, this means:

  • A registrar pulling up a patient's chart to verify an appointment should not browse unrelated portions of the record.
  • When faxing records to another provider, only the specifically requested information should be sent — not the entire chart.
  • Access to PHI within a hospital's systems should be role-based, so staff can only view what their job function requires.

Critical exam distinction: the minimum necessary standard does not apply to disclosures for treatment purposes between providers. A physician requesting a full record to coordinate a patient's care is not bound by minimum necessary — clinical judgment, not administrative limitation, governs what a treating provider needs to know.

TPO: Treatment, Payment, and Healthcare Operations

HIPAA permits covered entities to use and disclose PHI without a separate patient authorization for three categories, collectively known as TPO:

CategoryWhat It Covers
TreatmentProviding, coordinating, or managing healthcare and related services among providers
PaymentBilling, claims processing, eligibility verification, utilization review, and collection activities
Healthcare OperationsQuality assessment, credentialing, training, business planning, and administrative activities

Because patient access work is fundamentally about payment and operations — verifying insurance, scheduling, registering — nearly everything a CHAA-certified professional does falls under TPO and does not require the patient to sign a separate release each time. A written authorization is still required, however, for disclosures outside TPO, such as releasing records to an employer, a life insurance company, or for marketing purposes.

Notice of Privacy Practices (NPP)

Every covered entity must provide patients with a Notice of Privacy Practices (NPP) describing how their PHI may be used and disclosed, and their rights regarding that information. For a direct-treatment provider, the NPP must be offered at the first point of service, and the provider must make a good-faith effort to obtain the patient's written acknowledgment of receipt. If the patient declines to sign, the encounter is not blocked — the provider simply documents the good-faith effort and the reason acknowledgment could not be obtained. This is a frequently tested nuance: HIPAA does not require a signature to proceed with care; it requires a documented attempt.

Patient Rights Under HIPAA

The Privacy Rule gives patients several enforceable rights over their own PHI that access staff are often the first to field:

  • Right of access — patients (or their personal representatives) can inspect and obtain a copy of their medical and billing records, generally within 30 days of a request.
  • Right to request amendment — patients can ask that inaccurate or incomplete information be corrected; the covered entity may accept or, with justification, deny the request.
  • Right to an accounting of disclosures — patients can request a list of certain disclosures made outside of TPO over the prior six years.
  • Right to request restrictions — patients can ask that certain information not be shared with specific parties, such as a health plan, for services paid out-of-pocket in full, though the covered entity is not always obligated to agree.
  • Right to confidential communications — patients can request to be contacted only by a certain method or at a certain location.

Applying HIPAA at the Front Desk

Day to day, this translates into concrete habits: verifying identity before discussing any health information over the phone, never discussing a patient's condition within earshot of other patients in a waiting area, logging off shared workstations, and directing record-amendment or access requests to the correct department rather than either blocking them or handling them informally. HIPAA violations — even unintentional ones, like a registrar calling out a patient's diagnosis in a crowded waiting room — can trigger organizational liability, so recognizing PHI in its many forms is a foundational CHAA competency.

Test Your Knowledge

A registrar needs to fax a patient's insurance and demographic face sheet to a scheduling office at another facility. Under the minimum necessary standard, what should the registrar send?

A
B
C
D
Test Your Knowledge

A patient refuses to sign the acknowledgment of receipt for the Notice of Privacy Practices. What must the provider do?

A
B
C
D