HIPAA’s Privacy and Security Rules

Friday, September 22 2023

As healthcare providers, you are subject to HIPAA’s Privacy and Security rules. These rules govern the use, disclosure, and transmission of protected health information (PHI). Let’s discuss what PHI includes, how HIPAA affects the use and transmission of PHI, and how to handle disclosing it.

What is protected health information?

PHI includes all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. 

Individually identifiable health information is information created or received by a healthcare provider that identifies the individual and relates to:

  • The individual’s past, present or future physical or mental health or condition
  • The provision of health care to the individual, or
  • The past, present, or future payment for the provision of health care to the individual. 

Some examples of PHI relevant to your practice include a client’s name, phone number, social security number, and email address.

The Privacy Rule and the Security Rule

HIPAA’s Privacy Rule defines and limits the circumstances in which an individual’s PHI may be used or disclosed by covered entities. Under the rule, providers may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing. 

HIPAA’s Security Rule, on the other hand, requires providers to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic PHI (e-PHI). Verbal communications are not subject to the Security Rule. The rule requires that covered entities:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information; and
  3. Protect against reasonably anticipated, impermissible uses or disclosures.

Privacy and security issues you may encounter

The right of access 
Providers must disclose PHI to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their PHI. See Individuals’ Right under HIPAA to Access their Health Information, 45 CFR § 164.524.


Minors and parents 
In general, parents have access to their children’s PHI as “personal representatives” of their unemancipated minor children. However, under certain circumstances, the minor is considered the individual and therefore has the right of access under the Privacy Rule. See Does the HIPAA Privacy Rule allow parents the right to see their children’s medical records? In those specific circumstances, the parent does not automatically have the right of access to health information specific to the situation. However, other state law may still permit or require the disclosure of PHI about the minor to their parent(s).


Disclosures to other treating providers 
Treating providers do not need a client’s authorization to disclose PHI to each other for treatment activities, as long as both providers have or had a relationship with the client and the protected health information pertains to the relationship. See Treatment, Payment, & Health Care Operations.


Disclosures to friends and family 
Providers can share PHI that is directly relevant to the involvement of a family member in the client’s health care or payment for care if, when given the opportunity, the client does not object to the disclosure. See If I do not object, can my health care provider share or discuss my health information with my family, friends, or others involved in my care or payment for my care? and Disclosures to Family and Friends.


Disclosures required by law 
Providers may be required by law to disclose PHI to law enforcement or other government agencies. HIPAA permits those disclosures without prior authorization from the client. See When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials? and Disclosures Required by Law.


Disclosure authorization 
Providers must obtain the patient’s written authorization for any use or disclosure of PHI that is not otherwise required or allowed under HIPAA. Here is a template of a PHI Disclosure Authorization form.

Finally, keep in mind that any disclosure of PHI that occurs electronically (e.g. email) must comply with HIPAA’s Security Rule. 


Psychotherapy notes 
With few exceptions, the Privacy Rule requires a covered entity to obtain a patient’s authorization prior to a disclosure of psychotherapy notes for any reason. Psychotherapy notes are notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record. See Does HIPAA provide extra protections for mental health information compared with other health information?


Substance use disorder providers 
Substance use disorder (SUD) providers who receive federal assistance are subject to the Substance Abuse Confidentiality regulations. These regulations place additional protections on SUD records. See Substance Abuse Confidentiality Regulations.

Additional resources

Please review the following for additional information:
