HIPAA Privacy Rules for the Protection of Health and Mental Health Information (2023)

(Note: The information provided below is a summary and intended for general informational purposes. Mental health providers and other covered entities should not rely on this summary as a source of legal information or advice and should consult with their own attorney or HIPAA Privacy Officer for specific guidance.)


This document provides guidance about key elements of the requirements of the Health Insurance Portability and Accountability Act (HIPAA), federal legislation passed in 1996 which requires providers of health care (including mental health care) to ensure the privacy of patient records and health information. HIPAA required the federal Department of Health and Human Services (HHS) to develop regulations to implement these privacy requirements, called the Privacy Rule, which became effective on April 14, 2003. State statutes which provide more stringent protections of health care privacy remain in effect even after HIPAA, and therefore this document includes a few relevant references to requirements in New York State's mental health confidentiality statute (section 33.13 of the Mental Hygiene Law).


The HIPAA Privacy Rule (45 CFR Parts 160 and 164) provides the first comprehensive Federal protection for the privacy of health and mental health information. The Rule is intended to provide strong legal protections to ensure the privacy of individual health information, without interfering with patient access to treatment, health care operations, or quality of care.

The Privacy Rule applies to “covered entities” which generally includes health plans and health care providers who transmit health information in electronic form. Covered entities include almost all health and mental health care providers, whether they are outpatient, residential or inpatient providers, as well as other persons or organizations that bill or are paid for health care.

Basic Principles of the Privacy Rule:

  1. The Privacy Rule protects all “protected health information” (PHI), including individually identifiable health or mental health information held or transmitted by a covered entity in any format, including electronic, paper, or oral statements.
  2. A major purpose of the Privacy Rule is to define and limit the circumstances under which an individual's PHI may be used or disclosed by covered entities. Generally, a covered entity may not use or disclose PHI to others, except:
    1. as the Privacy Rule permits or requires; or
    2. as authorized by the person (or personal representative) who is the subject of the health information. A HIPAA-compliant Authorization must contain specific information required by the Privacy Rules.
  3. A covered entity must provide individuals (or their personal representatives) with access to their own PHI (unless there are permitted grounds for denial), and must provide an accounting of the disclosures of their PHI to others, upon their request.
  4. The Privacy Rule supersedes State law, but State laws which provide greater privacy protections or which give individuals greater access to their own PHI remain in effect.

(Note: One must consult not only HIPAA but also other relevant federal privacy laws (such as regulations pertaining to Medicaid and federally funded substance abuse treatment programs), as well as State privacy laws (including Mental Hygiene Law section 33.13, the Public Health Law, the Education Law licensing provisions, and the Civil Practice Laws and Rules), to determine whether a disclosure of medical information is permissible in a given circumstance.)

Permitted Uses or Disclosures of PHI Without Authorization:

Extensive provisions of the Privacy Rule describe circumstances under which covered entities are permitted to use or disclose PHI, without the authorization of the individual who is the subject of the protected information. These purposes include, but are not limited to, the following:

  1. A covered entity may disclose PHI to the individual who is the subject of the information.
  2. A covered entity may use and disclose protected health information for its own “treatment, payment, and health care operations.”
    1. Treatment is the provision, coordination, or management of health care and related services for an individual, including consultation between providers and referral of an individual to another provider for health care.
    2. Payment includes activities of a health care provider to obtain payment or to receive reimbursement for the provision of health care to an individual.
    3. Health care operations include functions such as: (a) quality assessment and improvement; (b) competency assessment, including performance evaluation, credentialing, and accreditation; (c) medical reviews, audits, or legal services; (d) specified insurance functions; and (e) business planning, management, and general administration.
  3. Permission may be obtained from the individual who is the subject of the information, or inferred from circumstances that clearly indicate that an individual with capacity has had the opportunity to object to the disclosure but has not expressed an objection. Providers may also rely on an individual's informal permission to disclose health information to an individual's family, relatives, close personal friends, or to other persons identified by the individual, limited to information directly related to such person's involvement.
  4. When an individual is incapacitated or in an emergency, providers sometimes may use or disclose PHI, without authorization, when it is in the best interests of the individual, as determined by the health care provider in the exercise of clinical judgment. The PHI that may be disclosed under this provision includes the patient's name, location in a health care provider's facility, and limited and general information regarding the person's condition.
  5. Providers may use and disclose PHI without a person's authorization when the use or disclosure of PHI is required by law, including State statute or court order.
  6. Providers generally may disclose PHI to State and Federal public health authorities to prevent or control disease, injury, or disability, and to government authorities authorized to receive reports of child abuse and neglect.
  7. Providers may disclose PHI to appropriate government authorities in limited circumstances regarding victims of abuse, neglect, or domestic violence.
  8. Providers may disclose PHI to health oversight agencies (e.g., the government agency which licenses the provider) for legally authorized health oversight activities, such as audits and investigations.
  9. PHI may be disclosed in a judicial or administrative proceeding if the request is pursuant to a court order, subpoena, or other lawful process (note that "more stringent" NYS Mental Hygiene law requires a court order for disclosure of mental health information in these circumstances).
  10. Providers may generally disclose PHI to law enforcement when:
    1. Required by law, or pursuant to a court order, subpoena, or an “administrative request,” such as a subpoena or summons (Note: the "more stringent" NYS Mental Hygiene Law section 33.13 requires a court order for disclosure of mental health information in these circumstances). The information sought must be relevant and limited to the inquiry.
    2. To identify or locate a suspect, fugitive, material witness or missing person (Note: under Mental Hygiene Law section 33.13 this information is limited to “identifying data concerning hospitalization”).
    3. In response to a law enforcement request for information about a victim of a crime (Note: under Mental Hygiene Law section 33.13 this information is limited to “identifying data concerning hospitalization”).
    4. To alert law enforcement about criminal conduct on the premises of a HIPAA covered entity.
  11. Providers may disclose PHI that they believe necessary to prevent or lessen a serious and imminent physical threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat).
  12. An authorization is not required to use or disclose PHI to certain government programs providing public benefits, or for enrollment in government benefit programs, if the sharing of information is required or expressly authorized by statute or regulation, or in other limited circumstances.

“Minimum Necessary” Rule:

A covered entity must make reasonable efforts to use, request, or disclose to others only the minimum amount of PHI which is needed to accomplish the intended purpose of the use, request or disclosure. When the minimum necessary standard applies, a covered entity may not use, disclose, or request a person's entire medical record, unless it can specifically justify that the entire record is reasonably needed.

The minimum necessary standard does not apply under the following circumstances:

  1. disclosure to a health care provider for treatment;
  2. disclosure to an individual (or personal representative) who is the subject of the information;
  3. use or disclosure made pursuant to an Authorization by the person (or personal representative);
  4. use or disclosure that is required by law; or
  5. disclosure to HHS for investigation, compliance review or enforcement.

Penalties for Violation of HIPAA:

  1. Civil monetary penalties: HHS may impose civil money penalties on a covered entity of $100 per failure to comply with a Privacy Rule requirement, not to exceed $25,000 per calendar year for multiple violations of the same Privacy Rule requirement. Generally, HHS may not impose civil monetary penalties when a violation is due to reasonable cause, there was no “willful neglect,” and the covered entity corrected the violation within 30 days of when it knew (or should have known) of the violation.
  2. Criminal Penalties. A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA could face a fine of $50,000 and imprisonment for up to one year. If the wrongful conduct involves “false pretenses” the criminal penalties could increase up to a fine of $100,000 and up to five years imprisonment. A fine of up to $250,000 and up to ten years imprisonment could be imposed if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information “for commercial advantage, personal gain, or malicious harm.”

To view the entire Privacy Rule, or for other information about how it applies, visit the website of the HHS Office of Civil Rights at: http://www.hhs.gov/ocr/hipaa/


Which is the best answer as to who must comply with HIPAA?

Who must comply with HIPAA? Any person or organization that stores or transmits individually identifiable health information electronically is considered a “covered entity” and is required by law to comply with HIPAA.

What are the 3 main purposes of HIPAA?

So, in summary, what is the purpose of HIPAA? To improve efficiency in the healthcare industry, to improve the portability of health insurance, to protect the privacy of patients and health plan members, and to ensure health information is kept secure and patients are notified of breaches of their health data.

What type of information does the minimum necessary standard refer to under the HIPAA Privacy Rule?

The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.

What can you say and not say with HIPAA?

Under the HIPAA regulations, doctors, nurses, and “covered entities” cannot disclose personal health information without the patient's written authorization. That includes the patient's name, age, address, phone number, diagnosis, treatment, payment or anything else that could be construed as PHI.

How do you explain HIPAA to a patient?

The best way to explain HIPAA to patients is to put the relevant information in the Privacy Policy, and then give the patients a synopsis of what the policy contains. For example, explain to the patient that they have the right to request their medical records whenever they like.

What are my HIPAA rights at work?

Right to Privacy

The HIPAA Privacy Rule gives patients and employees: the right to authorize disclosure of their health records; the right to request or inspect a copy of their health records; and the right to have mistakes corrected at any time.

What are 4 main purposes of HIPAA?

The HIPAA legislation had four primary objectives:

  1. Assure health insurance portability by eliminating job-lock due to pre-existing medical conditions.
  2. Reduce healthcare fraud and abuse.
  3. Enforce standards for health information.
  4. Guarantee security and privacy of health information.

What is the importance of HIPAA in health care?

The HIPAA Privacy Rule for the first time creates national standards to protect individuals' medical records and other personal health information. It gives patients more control over their health information. It sets boundaries on the use and release of health records.

What is included under protected health information?

Protected health information (PHI), also referred to as personal health information, is the demographic information, medical histories, test and laboratory results, mental health conditions, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate ...

Do I have to disclose medical information to my employer?

It is unreasonable for an employer to make completion of an employee consent to release of their medical information compulsory as a pre-condition to sick leave benefits. Requiring an employee to disclose their personal medical information to a third party also engages the employee's privacy interest.

What is the most common HIPAA violation?

HIPAA Violation 1: A Non-Encrypted Lost or Stolen Device

One of the most common HIPAA violations is a lost or stolen device, which can easily result in theft of or unauthorized access to PHI. Fines can reach up to $1.5 million per violation category, per year that the violation has been allowed to persist.

Can I talk about patients without saying their name?

Forbid any reference to the client's first name, last name, or description to protect their identity. It doesn't stop at talking about patients without using names; there's more that needs to take place. Obviously, continue to reiterate that gossiping about patients isn't allowed at your practice.

What is the key to HIPAA compliance quizlet?

What is the Key to HIPAA Compliance: HIPAA Safeguards. HIPAA requires the confidentiality, integrity, and availability of PHI to be protected by implementing safeguards. The safeguards that must be implemented include administrative, physical, and technical safeguards.

Who is covered under the HIPAA law quizlet?

Healthcare providers (including doctors, nurses, hospitals, dentists, nursing homes, and pharmacies). As a healthcare worker, you are part of the "healthcare provider" network and therefore are required to comply with HIPAA rules and regulations regarding Protected Health Information (PHI).

Who must comply with the Security Rule quizlet?

Only healthcare providers are required to comply with the Security Rule. The security rule contains provisions that CEs can ignore. Security awareness training is required every two years. The Security Rule contains both required and addressable standards.

Which of the following is not required of the HIPAA privacy standards?

Question 2 - The requirements of HIPAA Privacy include all of the following EXCEPT: Answer: Putting firewalls on all internet connections. Designating a privacy officer. Business Associate contracts.

What are the three covered entities that must comply with HIPAA?

Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

What is not a covered entity under HIPAA?

Generally, employers are not Covered Entities under HIPAA because employee health records maintained by an employer are not used for HIPAA-covered transactions (i.e., a request to a health plan for payment in respect of the provision of healthcare).

What are examples of a specific person's PHI?

Examples of PHI include: Name. Address (including subdivisions smaller than state such as street address, city, county, or zip code). Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89.

Author: Jonah Leffler

Last Updated: 03/17/2023