DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website does not, and is not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
This article discusses how the HIPAA Privacy Rule protects the confidentiality of PHI. The HIPAA Privacy Rule provisions addressing business associate agreements, and the provisions regulating the ability of individuals to access protected health information, both address the subject of HIPAA confidentiality.
How Do Business Associate Agreements Protect the Confidentiality of PHI?
Business associate agreements are required, binding contracts between covered entities and business associates. These agreements, called BAAs, address the obligations of covered entities and business associates with respect to protected health information. A BAA must be executed by both entities before any PHI may be shared, exchanged, or transmitted between the entities. The agreement outlines how the business associate will protect covered entity-provided PHI, as well as what safeguards the business associate will use to ensure the PHI is not inappropriately disclosed.
The HIPAA Privacy Rule states that the contract or agreement may permit the business associate to use the PHI it receives in its capacity as a business associate, for:
- The proper management and administration of the business associate; and
- Carrying out the legal responsibilities of the business associate.
The business associate may use the PHI for these purposes, if, and only if:
- The business associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person; and
- The person notifies the business associate of any instances of which it is aware in which the confidentiality of the information has been breached.
How Does the Right of Access Rule Protect the Confidentiality of PHI?
The HIPAA Privacy Rule provides that individuals have a right of access to inspect and obtain a copy of protected health information contained in their medical records. In some instances, a covered entity may deny individual access, without having to provide the individual an opportunity to have that denial decision reviewed.
Unreviewable grounds for denial exist, in part, to foster HIPAA confidentiality. For example, a covered entity may deny access if the protected health information was obtained by someone other than a healthcare provider under a promise of confidentiality, and the access requested would be reasonably likely to reveal the source of the information. This provision exists to allow non-healthcare providers to confidentially transmit information to covered entities without the non-healthcare provider having to fear that he or she will be revealed as the source of the information.
When May a Provider Disclose PHI Without Written Authorization or the Opportunity to Agree or Object?
In some instances, the HIPAA Privacy Rule does not require either written authorization or giving a patient the opportunity to agree or object to a use or disclosure of PHI. For example, a covered entity may, without obtaining written authorization or providing the opportunity for an individual to agree or object:
- Disclose PHI to a law enforcement official who is reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public.
- Report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the premises of the covered entity.
- Divulge PHI to law enforcement to alert law enforcement to an individual’s death, where there is a suspicion that the death resulted from criminal conduct.