HIPAA Privacy Rule
The HIPAA Privacy Rule, issued under the Health Insurance Portability and Accountability Act of 1996, is the federal regulation that governs the collection, use, and disclosure of protected health information (PHI) by covered entities and their business associates. Covered entities are health plans (including public payers such as Medicare and Medicaid), healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with HIPAA standard transactions. The Privacy Rule sets national standards to protect individuals' medical records and other individually identifiable health information and limits how covered entities and business associates may use and disclose PHI.
Under the rule, covered entities may use or disclose PHI without the individual's authorization only for specified purposes, chiefly treatment, payment, and healthcare operations (TPO), plus a defined list of public-interest purposes. For most other uses and disclosures, they must obtain a valid written authorization from the individual. The Minimum Necessary Standard requires covered entities to limit uses, disclosures, and requests of PHI to the minimum amount needed to accomplish the intended purpose, which directly constrains how much health information an organization collects and accesses. The Privacy Rule also grants individuals rights over their health information, including the right to access and obtain copies of their records, to request amendments, to receive an accounting of certain disclosures, and to request restrictions on certain uses and disclosures. Covered entities must provide a Notice of Privacy Practices describing how PHI may be used and disclosed.
Business associates, the third-party vendors who create, receive, maintain, or transmit PHI on behalf of covered entities, are bound by the Privacy Rule through Business Associate Agreements (BAAs) and, since the HITECH Act, are directly liable for certain violations, extending privacy protections throughout the data handling chain. Enforcement is managed by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which can impose civil monetary penalties and refer criminal violations to the Department of Justice. Civil penalties range from $100 to $50,000 per violation (statutory base amounts, adjusted annually for inflation), with an annual maximum of $1.5 million per violation category. The HIPAA Privacy Rule remains one of the most significant frameworks limiting health data practices in the United States.
HIPAA Privacy Rule: A Comprehensive Guide for CIPP/US Exam Preparation
Introduction
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is one of the most important and frequently tested topics on the CIPP/US (Certified Information Privacy Professional/United States) exam. It represents a cornerstone of U.S. privacy law, specifically governing how health information is collected, used, disclosed, and protected in the private sector. Understanding the HIPAA Privacy Rule is essential not only for passing the exam but also for any privacy professional working in or adjacent to the healthcare industry.
Why Is the HIPAA Privacy Rule Important?
The HIPAA Privacy Rule is critically important for several reasons:
1. Protection of Sensitive Health Information: Health information is among the most sensitive categories of personal data. Medical records, treatment histories, mental health information, and genetic data can all be used to discriminate against individuals in employment, insurance, and social settings. The Privacy Rule establishes a federal floor of protection for this information.
2. Balancing Access and Protection: The Privacy Rule strikes a careful balance between protecting individual privacy and ensuring that health information can flow appropriately to facilitate high-quality healthcare, public health activities, and other essential functions. Without this balance, either patients would be harmed by unrestricted disclosure or healthcare delivery would be impeded by overly restrictive rules.
3. Federal Baseline with State Law Interaction: Before HIPAA, health information privacy was governed by a patchwork of state laws. The Privacy Rule established a nationwide baseline, while still allowing more protective state laws to remain in effect through its preemption framework.
4. Enforcement and Accountability: The Privacy Rule is backed by meaningful enforcement mechanisms, including civil monetary penalties and, in some cases, criminal penalties. This gives the rule teeth and ensures that covered entities take compliance seriously.
5. Trust in the Healthcare System: When patients trust that their health information will be protected, they are more likely to seek care, be candid with their providers, and participate in research — all of which improve public health outcomes.
What Is the HIPAA Privacy Rule?
The HIPAA Privacy Rule (45 CFR Parts 160 and 164, Subparts A and E) was issued by the U.S. Department of Health and Human Services (HHS) under the authority granted by HIPAA (Public Law 104-191), enacted in 1996. The final rule was published in December 2000 and modified in 2002; most covered entities had to comply by April 14, 2003, and small health plans by April 14, 2004. Here are the foundational elements:
1. Who Is Covered? (Covered Entities and Business Associates)
The Privacy Rule applies to covered entities, which include:
- Health plans: Health insurance companies, HMOs, employer-sponsored health plans, Medicare, Medicaid, and other entities that pay for healthcare.
- Healthcare clearinghouses: Entities that process nonstandard health information into standard formats (or vice versa).
- Healthcare providers: Any provider who transmits health information electronically in connection with a HIPAA-covered transaction (e.g., claims, eligibility inquiries).
The rule also extends to business associates — entities that perform functions or activities on behalf of, or provide services to, a covered entity that involve access to protected health information (PHI). Examples include billing companies, cloud storage providers, and IT contractors. The HITECH Act of 2009 made business associates directly liable for compliance with certain HIPAA provisions.
2. What Is Protected? (Protected Health Information — PHI)
The Privacy Rule protects Protected Health Information (PHI), which is individually identifiable health information held or transmitted by a covered entity or its business associate, in any form — electronic, paper, or oral. PHI includes:
- Information that relates to an individual's past, present, or future physical or mental health condition
- The provision of healthcare to the individual
- Past, present, or future payment for healthcare
...and that identifies the individual or could reasonably be used to identify the individual.
Important distinction: PHI does not include de-identified health information (information from which specified identifiers have been removed using the Safe Harbor or Expert Determination methods), employment records held by a covered entity acting as an employer, or education records covered by FERPA.
3. The Minimum Necessary Standard
A key principle of the Privacy Rule is the minimum necessary standard. Covered entities must make reasonable efforts to limit the use, disclosure, and request of PHI to the minimum amount necessary to accomplish the intended purpose. However, this standard does not apply to:
- Disclosures to or requests by a healthcare provider for treatment purposes
- Disclosures to the individual who is the subject of the information
- Uses or disclosures made pursuant to a valid authorization
- Disclosures to HHS for enforcement purposes
- Uses or disclosures required by law
- Uses or disclosures required for HIPAA compliance
How Does the HIPAA Privacy Rule Work?
1. Permitted Uses and Disclosures Without Authorization
The Privacy Rule permits covered entities to use and disclose PHI without individual authorization for the following purposes:
- Treatment: Sharing PHI between providers for the purpose of treating a patient.
- Payment: Using PHI for billing, claims management, and other payment-related activities.
- Healthcare Operations: Using PHI for quality assessment, compliance activities, business planning, training, and other operational purposes.
These three categories are collectively known as TPO (Treatment, Payment, and Healthcare Operations) and represent the primary permitted uses of PHI without authorization.
Beyond TPO, the Privacy Rule also permits disclosures without authorization in several other circumstances, including:
- Public health activities: Reporting to public health authorities for disease surveillance, injury reporting, etc.
- Victims of abuse, neglect, or domestic violence: Reporting to government authorities as required by law.
- Health oversight activities: Disclosures to health oversight agencies for audits, investigations, and inspections.
- Judicial and administrative proceedings: Disclosures in response to court orders or subpoenas (with certain conditions).
- Law enforcement purposes: Disclosures for specific law enforcement activities under defined conditions.
- Decedents: Disclosures to coroners, medical examiners, and funeral directors.
- Organ and tissue donation: Disclosures to facilitate cadaveric organ, eye, or tissue donation.
- Research: Disclosures for research purposes with an Institutional Review Board (IRB) or Privacy Board waiver of authorization, for reviews preparatory to research, for research on decedents' information, or using a limited data set under a data use agreement.
- Serious threat to health or safety: Disclosures to prevent or lessen a serious and imminent threat.
- Essential government functions: Including military, veterans' activities, national security, intelligence, and protective services.
- Workers' compensation: Disclosures as authorized by workers' compensation laws.
- Required by law: Disclosures mandated by other laws.
2. Uses and Disclosures Requiring Authorization
For uses and disclosures not covered by the permitted categories above, the covered entity must obtain a valid written authorization from the individual. A valid authorization must contain specific core elements, including:
- A description of the information to be used or disclosed
- The person(s) authorized to make the disclosure
- The person(s) to whom the disclosure may be made
- The purpose of the use or disclosure
- An expiration date or event
- The individual's signature and date
- A statement of the individual's right to revoke the authorization
- A statement that information disclosed may be subject to re-disclosure and may no longer be protected
Certain uses always require authorization, including:
- Use of PHI for marketing purposes (with limited exceptions for face-to-face communications and promotional gifts of nominal value)
- Sale of PHI (added by the HITECH Act)
- Use of psychotherapy notes (with limited exceptions)
3. Individual Rights Under the Privacy Rule
The Privacy Rule grants individuals several important rights regarding their PHI:
- Right of Access: Individuals have the right to inspect and obtain a copy of their PHI maintained in a designated record set. Covered entities must respond within 30 days (with one 30-day extension). The HITECH Act added the right to receive PHI in electronic format if maintained electronically.
- Right to Request Amendment: Individuals may request that a covered entity amend their PHI. The covered entity may deny the request under certain circumstances but must provide a basis for the denial.
- Right to an Accounting of Disclosures: Individuals may request a list of certain disclosures of their PHI made by the covered entity during the prior six years. Disclosures for TPO, disclosures to the individual, and certain other categories are excluded from this accounting.
- Right to Request Restrictions: Individuals may request that a covered entity restrict uses or disclosures of PHI for TPO or to family members. The covered entity is generally not required to agree, except that under the HITECH Act, a covered entity must agree to restrict disclosure to a health plan if the individual pays out of pocket in full for the service.
- Right to Request Confidential Communications: Individuals may request that communications be sent to an alternative address or by an alternative means (e.g., sending correspondence to a work address instead of home).
- Right to a Notice of Privacy Practices (NPP): Covered entities must provide individuals with a notice describing their privacy practices, their legal duties, and the individual's rights. Healthcare providers with a direct treatment relationship must make a good faith effort to obtain a written acknowledgment of receipt.
4. Administrative Requirements
Covered entities must implement several administrative measures:
- Designate a privacy officer responsible for developing and implementing privacy policies
- Designate a contact person for receiving complaints
- Train all workforce members on privacy policies and procedures
- Implement safeguards to protect PHI
- Establish a complaint process for individuals
- Implement sanctions against workforce members who violate privacy policies
- Mitigate harmful effects of any improper use or disclosure
- Refrain from retaliation against individuals who exercise their rights or file complaints
- Maintain documentation of policies and procedures for six years
5. Business Associate Agreements (BAAs)
Before disclosing PHI to a business associate, a covered entity must enter into a Business Associate Agreement (BAA). The BAA must:
- Establish the permitted and required uses and disclosures of PHI by the business associate
- Require the business associate to implement appropriate safeguards
- Require the business associate to report breaches and security incidents
- Require the business associate to ensure that subcontractors agree to the same restrictions
- Authorize termination of the contract if the business associate violates the agreement
Under the HITECH Act, business associates are directly subject to HIPAA's Security Rule and certain provisions of the Privacy Rule, and they are directly liable for violations.
6. De-identification of PHI
The Privacy Rule provides two methods for de-identifying PHI so that it is no longer considered PHI and thus no longer subject to HIPAA restrictions:
- Safe Harbor Method: Removal of 18 specified categories of identifiers of the individual and of the individual's relatives, employers, and household members. The categories are: names; all geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), except that the first three digits of a ZIP code may be kept when the area sharing those digits has more than 20,000 people (otherwise the prefix becomes 000); all elements of dates other than year that relate directly to the individual (birth, admission, discharge, death), and all ages over 89 together with any date elements that would reveal such an age, which must be aggregated into a single "90 or older" category; telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate and license numbers; vehicle identifiers and serial numbers; device identifiers and serial numbers; URLs; IP addresses; biometric identifiers such as fingerprints and voiceprints; full-face photographs and comparable images; and any other unique identifying number, characteristic, or code. In addition, the covered entity must have no actual knowledge that the remaining information could be used, alone or in combination, to identify the individual.
- Expert Determination Method: A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods determines that the risk that the information could be used, alone or in combination with other reasonably available information, to identify the individual is very small, and documents the methods and results that justify that determination.
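The Safe Harbor method is easy to state and easy to get wrong in code, so the following is an added example, not from the original page, that applies the Safe Harbor field rules to one constructed patient record in Python. It also serves Tip 7 below. It assumes a flat record with the constructed field names shown; the set of restricted three-digit ZIP prefixes is the one HHS listed in its de-identification guidance (derived from 2000 census data) and is marked as an assumption to re-verify; the regex scan of the remaining text is a heuristic to support the "no actual knowledge" check, not a substitute for it or for Expert Determination.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) of one structured record.
Added example with constructed field names and data; free text and the "no actual
knowledge" condition still need human review."""
import re
from datetime import date
from typing import Any

# Three-digit ZIP prefixes covering 20,000 or fewer people, as listed in HHS's
# de-identification guidance (2000 census). Assumption: re-verify before use.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}
# Fields in identifier categories Safe Harbor removes outright (names, sub-state
# geography, contact details, SSN, MRN, plan/account/license numbers, device IDs,
# URLs, IPs, biometrics, photographs).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "fingerprint", "photo",
}
EVENT_DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}  # year only
FREE_TEXT_PATTERNS = {  # identifier-shaped strings in free text (heuristic, not proof)
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Return the first three ZIP digits, or '000' if that prefix is restricted."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(reference: date, dob: date) -> int:
    """Whole years of age on the reference date."""
    years = reference.year - dob.year
    if (reference.month, reference.day) < (dob.month, dob.day):
        years -= 1
    return years


def safe_harbor(record: dict[str, Any], reference: date) -> dict[str, Any]:
    """Apply the Safe Harbor field rules and return the de-identified record."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                        # identifier category: drop the field
        if key == "zip":
            out["zip3"] = generalize_zip(str(value))
        elif key == "date_of_birth":
            dob = date.fromisoformat(value)
            age = age_on(reference, dob)
            if age > 89:
                out["age"] = "90+"          # aggregate; birth year would reveal age
            else:
                out["birth_year"] = dob.year
                out["age"] = age
        elif key in EVENT_DATE_FIELDS:
            out[key.replace("_date", "_year")] = date.fromisoformat(value).year
        else:
            out[key] = value                # clinical content, kept as-is
    return out


def residual_identifier_hits(record: dict[str, Any]) -> list[tuple[str, str]]:
    """Flag (field, pattern) pairs where a string value still looks like an identifier."""
    hits = []
    for key, value in record.items():
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    hits.append((key, label))
    return hits


# Constructed sample record and "as of" date; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0099817",
    "date_of_birth": "1931-03-15",
    "admission_date": "2023-11-02",
    "discharge_date": "2023-11-09",
    "zip": "03601",
    "diagnosis_code": "I50.9",
    "note": "Patient asks to be called at 555-010-0199 after discharge.",
}
REFERENCE_DATE = date(2024, 1, 1)


def deidentify_sample() -> tuple[dict[str, Any], list[tuple[str, str]]]:
    """De-identify the sample and report anything that still needs review."""
    deid = safe_harbor(SAMPLE_RECORD, REFERENCE_DATE)
    return deid, residual_identifier_hits(deid)
```

Running `deidentify_sample()` shows the three points exam questions tend to probe: the over-89 patient loses her birth year as well as her exact age and becomes "90+"; the ZIP code 03601 collapses to 000 because its prefix is on the restricted list; and the clinical note survives the field rules but is flagged because it still contains a phone number. Safe Harbor is about categories of identifiers wherever they appear, so the record is not de-identified until that note is scrubbed too.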
7. Preemption
The HIPAA Privacy Rule generally preempts (overrides) contrary state laws, unless the state law:
- Is more stringent (provides greater privacy protection or gives individuals greater rights)
- Relates to the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance
- Requires health plans to report or provide access to information for management audits, financial audits, etc.
- Addresses controlled substances
- Has been granted an exception by the HHS Secretary
8. Enforcement and Penalties
HIPAA enforcement is handled by the HHS Office for Civil Rights (OCR). Penalties were significantly strengthened by the HITECH Act and are organized into a tiered structure:
- Tier 1: Lack of knowledge — $100 to $50,000 per violation
- Tier 2: Reasonable cause (not willful neglect) — $1,000 to $50,000 per violation
- Tier 3: Willful neglect, corrected within 30 days — $10,000 to $50,000 per violation
- Tier 4: Willful neglect, not corrected — $50,000 per violation
Annual maximum penalties can reach up to $1.5 million per violation category (adjusted for inflation). Criminal penalties, enforced by the Department of Justice (DOJ), can include fines up to $250,000 and up to 10 years of imprisonment for offenses committed with intent to sell, transfer, or use PHI for personal gain or malicious harm.
Note: HIPAA does not provide a private right of action. Individuals cannot sue directly under HIPAA, though they may bring claims under state law theories.
9. The HITECH Act and Its Impact on the Privacy Rule
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009 as part of the American Recovery and Reinvestment Act, significantly expanded and strengthened HIPAA. Key HITECH provisions include:
- Breach notification requirements: Following discovery of a breach of unsecured PHI, covered entities must notify affected individuals without unreasonable delay and no later than 60 days; notify HHS (within 60 days for breaches affecting 500 or more individuals, otherwise in an annual log); and notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction. Business associates must notify the covered entity.
- Direct liability for business associates
- Enhanced penalties (tiered structure described above)
- Marketing restrictions: Subsidized communications from third parties require authorization
- Sale of PHI: Requires authorization (with limited exceptions)
- Individual's right to electronic copies of PHI
- Mandatory restriction on disclosure to health plans when the individual pays out of pocket in full
- State attorneys general granted authority to bring civil actions on behalf of state residents
Exam Tips: Answering Questions on the HIPAA Privacy Rule
The HIPAA Privacy Rule is a high-yield topic on the CIPP/US exam. Here are detailed strategies for maximizing your score:
Tip 1: Master the Scope — Know Who and What Is Covered
Many exam questions test whether you understand the jurisdictional limits of HIPAA. Remember that HIPAA applies only to covered entities and business associates. It does not apply to employers (in their capacity as employers), life insurers, schools (covered by FERPA), or most app developers and wearable device companies (unless they qualify as business associates). Questions may present scenarios where a non-covered entity handles health information — the correct answer will often be that HIPAA does not apply.
Tip 2: Understand TPO Thoroughly
Treatment, Payment, and Healthcare Operations (TPO) is the foundation of permitted uses and disclosures. Know the definitions precisely. Treatment involves the provision, coordination, or management of healthcare. Payment involves billing, claims, and utilization review. Healthcare operations include quality assessment, compliance, training, business management, and similar activities. Many questions will test whether a given scenario falls within TPO.
Tip 3: Know the Exceptions to the Minimum Necessary Standard
Exam questions frequently test the minimum necessary rule and its exceptions. Remember that the minimum necessary standard does not apply to disclosures for treatment, disclosures to the individual, disclosures pursuant to an authorization, disclosures to HHS, disclosures required by law, and disclosures for HIPAA compliance. If a question describes a provider sharing full medical records with another provider for treatment, the minimum necessary standard does not apply.
Tip 4: Distinguish Between Permitted, Required, and Authorized Disclosures
The Privacy Rule distinguishes between:
- Disclosures that are permitted (the covered entity may choose to disclose)
- Disclosures that are required (the covered entity must disclose — only two: to the individual upon request, and to HHS for enforcement)
- Disclosures that require authorization
This distinction is heavily tested. If a question asks what a covered entity must do, remember the two required disclosures.
Tip 5: Focus on Individual Rights
Understand each individual right, including timeframes, exceptions, and nuances. Key testable points include:
- The 30-day response period for access requests (with one 30-day extension)
- The right to amend can be denied if the information is accurate and complete
- The accounting of disclosures does not include TPO disclosures (though HITECH proposed expanding this for electronic records)
- The mandatory restriction on health plan disclosure when an individual pays out of pocket in full
Tip 6: Know What Requires Authorization
Three categories always require authorization: marketing, sale of PHI, and psychotherapy notes. Know the exceptions for marketing (face-to-face communications and promotional gifts of nominal value) and the limited exceptions for sale of PHI (e.g., for public health, research, treatment, certain payment activities).
Tip 7: Understand De-identification Methods
Be prepared to distinguish between the Safe Harbor and Expert Determination methods. Know that Safe Harbor requires removal of 18 specific categories of identifiers, including the generalizations (year only for dates, three-digit ZIP prefixes, ages over 89 aggregated to "90 or older"), plus the absence of actual knowledge that the remainder could identify someone. Exam questions may present a scenario and ask whether information is de-identified; check whether every one of the 18 categories has been handled and whether the no-actual-knowledge condition is met. Expert Determination, by contrast, tolerates retained fields as long as a qualified expert documents that the re-identification risk is very small.
Tip 8: Understand Preemption
HIPAA preemption questions are common. Remember the general rule: HIPAA preempts contrary state law unless the state law is more stringent (more protective of privacy). If a question presents a conflict between HIPAA and a state law that gives individuals greater rights, the state law prevails.
Tip 9: Know the Role of the HITECH Act
Many exam questions blend HIPAA and HITECH provisions. Key HITECH additions to remember include: breach notification, direct business associate liability, enhanced penalties, marketing and sale restrictions, electronic access rights, mandatory restriction for out-of-pocket payments, and state attorney general enforcement authority.
Tip 10: Recognize What HIPAA Does NOT Do
HIPAA does not provide a private right of action. HIPAA does not apply to all health information — only PHI held by covered entities and business associates. HIPAA does not cover employment records held by a covered entity acting as an employer. HIPAA does not require covered entities to agree to restriction requests (except the HITECH out-of-pocket exception). These negative facts are commonly tested.
Tip 11: Use Process of Elimination
When facing a complex scenario question, eliminate answer choices that contain factual errors about HIPAA. Common distractors include statements that HIPAA allows individuals to sue, that the minimum necessary standard applies to treatment disclosures, or that all health data is PHI regardless of who holds it.
Tip 12: Watch for HIPAA vs. Other Laws
The CIPP/US exam may test the boundaries between HIPAA and other federal laws such as FERPA (education records), the FTC Act (health apps and non-covered entities), 42 CFR Part 2 (substance abuse treatment records, which have stricter protections), the Genetic Information Nondiscrimination Act (GINA), and the ADA. Know when HIPAA applies and when another law takes precedence.
Tip 13: Remember Key Timeframes and Numbers
- 30 days to respond to access requests (plus one 30-day extension)
- 6-year lookback for accounting of disclosures
- 6 years for document retention
- 60 days (outer limit; notification must be without unreasonable delay) for breach notification to individuals after discovery; 500 affected individuals is the threshold for immediate HHS reporting and for media notice
- 18 identifiers for Safe Harbor de-identification
- Penalty tiers and maximum amounts
Summary
The HIPAA Privacy Rule is a comprehensive framework that limits how covered entities and business associates in the healthcare sector collect, use, and disclose protected health information. It establishes individual rights, administrative requirements, and enforcement mechanisms that together create a robust system for protecting health data privacy. For the CIPP/US exam, a thorough understanding of who is covered, what information is protected, how PHI may be used and disclosed, individual rights, the minimum necessary standard, authorization requirements, de-identification, preemption, and the HITECH Act's enhancements is essential. By mastering these concepts and applying the exam strategies outlined above, you will be well-prepared to answer HIPAA Privacy Rule questions with confidence.