HIPAA 2: Privacy Standards

HIPAA Rules and Regulations Privacy Standards and Sample Contract

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Secretary of HHS to publish national standards for the security of electronic protected health information (e-PHI), electronic exchange, and the privacy and security of health information.

To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.

The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form.

The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI).

Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

Included in this lesson is a description of the three categories of organizations to which HIPAA laws and rules apply: Covered Entities and their Workforce, Business Associates, and Sub-Contractors and Agents. It also includes the support staff of Business Associates.

This lesson is divided into four parts:

1. The HIPAA Privacy Rule Summary

2. HIPAA Privacy Standards and The Sample Business Associate Contract

3. HIPAA Privacy Rule Frequently Asked Questions

4. The HIPAA Security Rule and Security FAQ

Who do HIPAA rules apply to?

Covered Entities are required to follow HIPAA laws and regulations.  An example of a covered entity is an insurance company or hospital.  A more detailed description of covered entities is provided later in the lesson.

Attorneys fall into the category of Business Associates for the purposes of HIPAA regulations.  A business associate is someone who is required to have a Business Associate Contract with a Covered Entity.

While court reporters are not generally considered to be a Business Associate of a Covered Entity, the attorneys they work for are required to have a Business Associate Contract.  This is because the court reporter is an agent or sub-contractor of the Attorney Business Associate.

The Attorney Business Associate is required to have HIPAA’s recommended Business Associate Contract with the Covered Entity to ensure the Court Reporter is in compliance with HIPAA regulations.

If the court reporter has a contract directly with a Covered Entity they may be considered a Business Associate.

Standards for Privacy of Individually Identifiable Health Information 45 CFR Parts 160 and 164

This guidance explains and answers questions about key elements of the requirements of the HIPAA Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule).  The Privacy Rule, as modified, is carefully balanced to provide strong privacy protections that do not interfere with patient access to or the quality of health care delivery.

The guidance that follows is meant to communicate as clearly as possible the privacy policies contained in the Privacy Rule. For a particular segment in the Privacy Rule, the guidance will provide a brief explanation of the segment and how the Rule works.

The guidance does not address all of the relevant provisions in the Rule, although we anticipate adding segments in the future as we develop guidance on more Privacy Rule standards. We will also be adding to the “Frequently Asked Questions” on an ongoing basis as new questions arise. HHS plans to work expeditiously to address these additional questions to facilitate understanding of the Rule and to encourage voluntary compliance with its requirements. However, for a full understanding of one’s rights and responsibilities under the Rule, it is important to consult the Rule itself.

The Privacy Rule Standards Addressed

General Overview

Incidental Uses and Disclosures (45 CFR 164.502(a))

Minimum Necessary (45 CFR 164.502(b), 164.514(d))

Personal Representatives (45 CFR 164.502(g)) (not covered in this lesson)

Business Associates (45 CFR 164.502(e), 164.504(e), 164.532(d) and (e))

Uses and Disclosures for Treatment, Payment, and Health Care Operations (45 CFR 164.506)

Marketing (45 CFR 164.501, 164.508(a))  (not covered in this lesson)

Public Health (45 CFR 164.512(b))

Research (45 CFR 164.501, 164.508, 164.512(i), 164.514(e), 164.528, 164.532)

Workers’ Compensation Laws (45 CFR 164.512(l))

Notice (45 CFR 164.520)

Government Access (45 CFR Part 160, Subpart C, 164.512(f))

General Overview

45 CFR Part 160 and Subparts A and E of Part 164

The following overview provides answers to general questions regarding the Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), promulgated by the Department of Health and Human Services (HHS).

To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, included “Administrative Simplification” provisions that required HHS to adopt national standards for electronic health care transactions. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

In response to the HIPAA mandate, HHS published a final regulation in the form of the Privacy Rule in December 2000, which became effective on April 14, 2001. This Rule set national standards for the protection of health information, as applied to the three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct certain health care transactions electronically.

By the compliance date of April 14, 2003 (April 14, 2004, for small health plans), covered entities must implement standards to protect and guard against the misuse of individually identifiable health information. Failure to timely implement these standards may, under certain circumstances, trigger the imposition of civil or criminal penalties.

Secretary Tommy Thompson called for an additional opportunity for public comment on the Privacy Rule to ensure that the Privacy Rule achieves its intended purpose without adversely affecting the quality of or creating new barriers to patient care. After careful consideration of these comments, in March 2002, HHS published proposed modifications to the Rule, to improve workability and avoid unintended consequences that could have impeded patient access to delivery of quality health care. Following another round of public comment, in August 2002, the Department adopted as a final Rule the modifications necessary to ensure that the Privacy Rule worked as intended.

The Privacy Rule establishes, for the first time, a foundation of Federal protections for the privacy of protected health information. The Rule does not replace Federal, State, or other law that grants individuals even greater privacy protections, and covered entities are free to retain or adopt more protective policies or practices.

Incidental Uses and Disclosures 45 CFR 164.502(a)(1)(iii)

Many customary health care communications and practices play an important or even essential role in ensuring that individuals receive prompt and effective health care. Due to the nature of these communications and practices, as well as the various environments in which individuals receive health care or other services from covered entities, the potential exists for an individual’s health information to be disclosed incidentally.

For example, a hospital visitor may overhear a provider's confidential conversation with another provider or a patient, or may glimpse a patient's information on a sign-in sheet or nursing station whiteboard.

The HIPAA Privacy Rule is not intended to impede these customary and essential communications and practices and thus does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Privacy Rule permits certain incidental uses and disclosures of protected health information to occur when the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual’s privacy.

How the Rule Works

General Provision.  The Privacy Rule permits certain incidental uses and disclosures that occur as a byproduct of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure.

An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. However, an incidental use or disclosure is not permitted if it is a byproduct of an underlying use or disclosure which violates the Privacy Rule.

Reasonable Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures.

It is not expected that a covered entity’s safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business.

In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information they hold, and assess the potential risks to patients’ privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals’ health information – for instance:

By speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area;

By avoiding using patients’ names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;

By isolating or locking file cabinets or records rooms; or

By providing additional security, such as passwords, on computers maintaining personal information.

Protection of patient confidentiality is an important practice for many health care and health information management professionals.  Covered entities can build upon those codes of conduct to develop the reasonable safeguards required by the Privacy Rule.

Minimum Necessary. Covered entities also must implement reasonable minimum necessary policies and procedures that limit how much protected health information is used, disclosed, and requested for certain purposes. These minimum necessary policies and procedures must also reasonably limit who within the entity has access to protected health information, and under what conditions, based on job responsibilities and the nature of the business. The minimum necessary standard does not apply to disclosures, including oral disclosures, among health care providers for treatment purposes. For example, a physician is not required to apply the minimum necessary standard when discussing a patient’s medical chart information with a specialist at another hospital.

An incidental use or disclosure that occurs as a result of a failure to apply reasonable safeguards or the minimum necessary standard, where required, is not permitted under the Privacy Rule.  For example, the minimum necessary standard requires that a covered entity limit who, within the entity, has access to protected health information, based on who needs access to perform their job duties. If a hospital employee is allowed to have routine, unimpeded access to patients’ medical records, where such access is not necessary for the hospital employee to do his job, the hospital is not applying the minimum necessary standard.

Therefore, any incidental use or disclosure that results from this practice, such as another worker overhearing the hospital employee’s conversation about a patient’s condition, would be an unlawful use or disclosure under the Privacy Rule.

Minimum Necessary Requirement 45 CFR 164.502(b), 164.514(d)

The minimum necessary standard, a key protection of the HIPAA Privacy Rule, is derived from confidentiality codes and practices in common use today. It is based on sound current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.

The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information. The Privacy Rule’s requirements for minimum necessary are designed to be sufficiently flexible to accommodate the various circumstances of any covered entity.

How the Rule Works

The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to the following:

Disclosures to or requests by a health care provider for treatment purposes.

Disclosures to the individual who is the subject of the information.

Uses or disclosures made pursuant to an individual’s authorization.

Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.

Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.

Uses or disclosures that are required by other law.

The implementation specifications for this provision require a covered entity to develop and implement policies and procedures appropriate for its own organization, reflecting the entity’s business practices and workforce.

While guidance cannot anticipate every question or factual application of the minimum necessary standard to each specific industry context, where it would be generally helpful, we will seek to provide additional clarification on this issue in the future. In addition, the Department will continue to monitor the workability of the minimum necessary standard and consider proposing revisions, where appropriate, to ensure that the Rule does not hinder timely access to quality health care.

Reasonable Reliance. In certain circumstances, the Privacy Rule permits a covered entity to rely on the judgment of the party requesting the disclosure as to the minimum amount of information that is needed. Such reliance must be reasonable u...