A major reason for the 1996 enactment of the Health Insurance Portability and Accountability Act (HIPAA) was to protect patient health information (PHI) and medical records from being used or disclosed improperly according to HIPAA privacy rules. Part of federal HIPAA law is something called the Privacy Rule, the purpose of which is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by health providers and health plans.

What is protected health information?

All individually identifiable health information held by a health care providers, pharmacies or other covered entities is protected health information. This includes any information or health date that identifies an individual, or for which there is a reasonable basis to believe it can be used to identify an individual. This information includes demographic information related to:

• The individual’s past, present or future physical or mental health condition

• Providing health care services to the individual

• Past, present or future payment for the provision of health care to the individual

Individually identifiable personal health information includes many common identifiers, such as: name, address, patient records, birth date and social security number. There are no restrictions on the use or disclosure of health information that has been de-identified. To de-identify health information, individually identifiable information must be removed until it is not possible to identify the individual.

What uses and disclosures of protected health information are permitted?

Health plans and providers can use or disclose an individual’s protected health information in two situations:

• When authorized in writing by the individual (or the individual’s agent or parent)

• As permitted by the Privacy Rule

Under the Privacy Rule, health plans, insurance companies and health providers are permitted to use and disclose protected health information, without the individual’s written authorization, only in the following situations:

• In communication with the individual

• Treatment, payment, medical information and health care operations

• Uses or disclosure where there is an opportunity for the individual to agree or object to the disclosure. For example, notifying family members of a health condition

• Incident to a permitted use if information was limited to minimum necessary

• Public interest and benefit activities, typically required by law

• Limited data set, meaning direct identifiers of the individual—and their relatives—have been removed for the purposes of research, public health or health care operations

If a health plan or provider wants to use or disclose an individual’s protected health information for any other use, it must obtain the individual’s written authorization. A plan or provider cannot condition treatment on obtaining authorization. Authorizations must be in plain language, and include specific information about the information to be disclosed for HIPAA compliance. It must also describe when it expires, and provide a right to revoke the authorization in writing.

Obligations for providers and plans

When using or disclosing protected health information, providers and plans must limit their use to only the minimum necessary. This means a provider or plan must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose. Providers and plans must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary.

Entities must provide patients with notice of their patient privacy practices—which is typically provided at, or prior to, the first visit. Entities must make a good faith effort to obtain a written patient authorization of the notice of privacy practices.

The notice must also make the patient aware that any violations of use or disclosure of their protected health information can be reported to the U.S. Department of Health and Human Services (HHS). HHS, responsible for HIPAA enforcement, can levy fines and criminal penalties on entities with HIPAA violations. If you believe an entity has not provided adequate privacy protections of your health records, you should reach out to an experienced Massachusetts health care attorney who can provide you information about your individual rights and HIPAA regulations.

For more information on this area of law, see our overview of health care law.