Health Information Privacy and HIPAA

Health information privacy sits at the intersection of personal dignity and federal law — a combination that produces some surprisingly specific rules about who can say what to whom, and under what circumstances. The Health Insurance Portability and Accountability Act of 1996, known universally as HIPAA, establishes the national framework governing how protected health information is handled across the US healthcare system. This page covers the definition and scope of health information privacy, how HIPAA's mechanisms operate in practice, common scenarios where these rules apply, and the boundaries that determine when sharing is permitted versus prohibited.

Definition and scope

Protected health information — PHI in the shorthand that pervades healthcare administration — is any individually identifiable information that relates to a person's physical or mental health condition, the provision of healthcare, or payment for that care (HHS, Summary of the HIPAA Privacy Rule). That definition is broader than most people expect. It covers not just a diagnosis written in a chart, but also appointment dates, billing records, and even the fact that someone is a patient at a particular facility.

HIPAA applies to a defined set of entities. The law's Privacy Rule, codified at 45 CFR Parts 160 and 164, governs three categories of covered entities: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. The 2013 Omnibus Rule extended significant obligations to business associates — vendors, contractors, and subcontractors who handle PHI on behalf of covered entities (HHS, HIPAA Administrative Simplification).

It is worth being precise about what HIPAA does not cover. Employers receiving medical certifications for FMLA leave, life insurers, law enforcement agencies, and most consumer health apps operate outside HIPAA's jurisdiction unless they qualify as a covered entity or business associate. This boundary surprises people, and it matters for anyone navigating patient rights: information that leaves the HIPAA perimeter loses HIPAA's protections.

How it works

HIPAA's operational architecture rests on three rules that work as a system.

  1. The Privacy Rule sets the floor for how PHI may be used and disclosed. Covered entities may use PHI without patient authorization for treatment, payment, and healthcare operations — the TPO framework — but most other disclosures must either be covered by the patient's written authorization or fall within a narrowly enumerated exception.

  2. The Security Rule (45 CFR §§ 164.302–164.318) applies specifically to electronic PHI (ePHI) and mandates administrative, physical, and technical safeguards. It requires covered entities to conduct documented risk analyses, implement access controls, and maintain audit logs, obligations that increasingly shape how new technology is adopted in medical services.

  3. The Breach Notification Rule requires covered entities to notify affected individuals within 60 days of discovering a breach, and to notify HHS. Breaches affecting 500 or more individuals in a state also require prominent media notice (HHS Breach Notification Rule).

The Office for Civil Rights (OCR) within HHS enforces all three rules. Penalties are tiered across four categories based on culpability, ranging from a minimum of $100 per violation for unknowing violations up to $1.9 million per violation category per calendar year for willful neglect uncorrected (HHS, Civil Money Penalties).

Common scenarios

The rules play out differently depending on the care context. Three scenarios illustrate the range.

Telehealth consultations involve electronic transmission of PHI by definition, so they trigger Security Rule obligations even when the visit itself is routine. Providers offering telehealth and virtual medical services must use platforms whose vendors have signed Business Associate Agreements, and must encrypt video transmissions.

Mental health records carry an additional layer. While HIPAA governs these records as it does any PHI, psychotherapy notes occupy a special subcategory under 45 CFR § 164.524 — they are excluded from the patient's general right of access and require separate authorization for disclosure. Providers delivering mental health medical services must distinguish between psychotherapy notes and the broader mental health record in their authorization processes.

Long-term care and home health settings present disclosure challenges because family members are frequently involved in care. HIPAA permits disclosure to a family member who is "involved in the individual's care" without formal authorization, provided the patient has not objected — but the covered entity must exercise professional judgment about the scope of what is shared (HHS, Sharing PHI with Family Members). This scenario arises constantly in home health and long-term care settings.

Decision boundaries

The central analytical question in any HIPAA scenario is whether a proposed disclosure falls within a permitted use or requires authorization. A structured breakdown of the decision path:

  1. Is the entity a covered entity or business associate? If not, HIPAA does not apply — though state law may.
  2. Is the information PHI? Fully de-identified data (meeting the standards of 45 CFR § 164.514) is no longer PHI and can be used freely.
  3. Does the disclosure fall under TPO? Treatment, payment, or healthcare operations disclosures are permitted without authorization.
  4. Does a mandatory disclosure exception apply? Public health reporting, abuse investigations, court orders, and national security disclosures can override the privacy default under specific conditions enumerated at 45 CFR § 164.512.
  5. Is there valid written authorization? A compliant authorization must identify the information to be disclosed, the recipient, the purpose, and an expiration condition.

The contrast between the Privacy Rule and the Security Rule reflects a meaningful design choice: privacy is about who sees information, while security is about how that information is protected. A system can be secure and still violate privacy — disclosing records to an unauthorized party through a perfectly encrypted channel — which is why the two rules require separate compliance programs rather than a single unified policy. The broader regulatory context for medical services provides essential grounding for how these frameworks fit into healthcare delivery.
