
HIPAA Overview


Privacy Rule

The Privacy Rule establishes national standards for the protection of certain health information. It applies to all forms of individuals' protected health information, whether electronic, written, or oral. The major goal of the Privacy Rule is to make sure an individual's health information is properly protected while allowing the flow of health information needed to provide high quality health care and to protect the public's health and well-being. The Rule strikes a balance that permits important uses of information while protecting the privacy of those who need care.

The Privacy Rule covers a health care provider that transmits health information electronically in connection with standard transactions such as claims, whether it transmits them directly or uses a billing service or other third party to do so on its behalf.

For the average health care provider or health plan, the Privacy Rule requires activities such as:

  • Notifying patients about their privacy rights and how their information can be used.
  • Adopting and implementing privacy procedures for its practice, hospital, or plan.
  • Training employees so that they understand the privacy procedures.
  • Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
  • Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

Protecting Patients’ Privacy


Responsible health care providers and businesses already take many of the kinds of steps required by the Rule to protect patients’ privacy. To ease the burden of complying with the requirements, the Privacy Rule gives needed flexibility for providers and plans to create their own privacy procedures, tailored to fit their size and needs.

The scalability of the Rule provides a more efficient and appropriate means of safeguarding protected health information than would any single standard.

Here are some examples:

  • The privacy official at a small physician practice may be the office manager, who will have other non-privacy related duties; the privacy official at a large health plan may be a full-time position, and may have the regular support and advice of a privacy staff or board.
  • The training requirement may be satisfied by a small physician practice’s providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies; whereas a large health plan may provide training through live instruction, video presentations, or interactive software programs.
  • The policies and procedures of small providers may be more limited under the Rule than those of a large hospital or health plan, based on the volume of health information maintained and the number of interactions with those within and outside of the health care system.

Security Rule


The Security Rule established a national set of security standards for protecting certain health information that is held or transferred in electronic form.

Prior to HIPAA, no generally accepted set of security standards or general requirement for protecting health information existed in the healthcare industry. At the same time, new technologies were being created, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information, and conduct a host of other administrative and clinically based functions.

A major goal of the Security Rule is to protect the privacy of individuals' health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Because the health care marketplace is so diverse, the Security Rule is designed to be flexible, so that a covered entity can implement policies, procedures, and technologies appropriate for the entity's particular size, organizational structure, and risks to consumers' personal information.

Security Rule Coverage


The Security Rule applies to health plans, healthcare clearinghouses, and any health care provider who transmits health information in an electronic form.

Covered entities include individual and group plans that provide or pay the cost of medical care. Health plans include the following:

  • health
  • dental
  • vision
  • prescription drug insurers
  • health maintenance organizations (“HMOs”)
  • Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers
  • long-term care insurers (excluding nursing home fixed-indemnity policies)

Health Plans

Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. There are exceptions—a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.

The following two types of government-funded programs are not health plans:

  1. those whose principal purpose is not providing or paying the cost of health care, such as the food stamps program
  2. those programs whose principal activity is directly providing health care, such as a community health center, or the making of grants to fund the direct provision of health care

Certain types of insurance entities are also not health plans, including entities providing only workers’ compensation, automobile insurance, and property and casualty insurance.

Privacy vs. Security

Privacy and security go hand-in-hand. Privacy is the “what.” It says patients have the right to have their health information protected from unauthorized disclosures. Security is the “how.” In other words, agencies must determine the procedures they will put into place to protect health information.

According to the Department of Health and Human Services (HHS), the majority of Security Rule violations occur because a covered entity does not have adequate policies and procedures in place to safeguard personal information contained on its information systems.

HIPAA Privacy


This part of the law prohibits the disclosure of Protected Health Information (PHI) in any form except as required or permitted by law.

The HIPAA Privacy rule mandates how PHI may be used and disclosed.

The Privacy Rule protects PHI in any form including but not limited to:

  • e-mail
  • fax
  • information on the computer
  • voice
  • paper

The HIPAA Privacy Rule says do not listen to, tell, or show any client's PHI to anyone who does not have a legitimate right to see or hear that information.

Protected Health Information (PHI) Identifiers


The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form of media, whether electronic, paper, or oral.

HIPAA protects information that alone or combined may identify a patient, the patient’s relatives, employer or household members. Health information that contains even one patient identifier is protected under HIPAA. Here are some examples:

  • name
  • address
  • birthdate
  • telephone numbers
  • fax numbers
  • email addresses
  • social security number
  • medical record number
  • health plan beneficiary number
  • account number
  • voice recordings
  • photographic images
  • other characteristics which may identify the person, such as the individual’s past, present, or future physical or mental health or condition

PHI Locations


Here are some examples of other places you might find patient information:

  • patient status boards
  • financial records
  • fax sheets
  • data used for research purposes
  • patient’s identification bracelet
  • prescription bottle labels
  • photograph or video recording of a patient

Wrongful Disclosure of PHI

If you observe someone wrongfully disclosing PHI, you should do the following:

  1. First, talk to the person who is disclosing PHI. Tell them what you heard or saw and why you believe PHI has been wrongfully disclosed.
  2. Then talk with your supervisor about the situation immediately.

If you wrongfully disclose PHI, you should do the following:

  1. Write down the following information:
    1. whose PHI was disclosed
    2. how it was disclosed
    3. to whom
    4. what day and time
    5. what was done to correct the problem
  2. Inform your supervisor immediately.

Good Privacy Practices

There are several things that can be put into place to protect patients' privacy. Here are just a few examples:

  • Do put papers with PHI in a secured area.
  • Don't leave PHI exposed where others can see the content.
  • Do discuss particular cases in private.
  • Don't discuss a case in a public area where other people can overhear you.
  • Use passwords to keep other people from accessing your computer files.
  • Make sure your computer is locked when you leave your desk.
  • Minimize PHI in e-mails. Include as little as possible.
  • Protect fax machines that will be receiving PHI by putting them in secure and private locations.
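The identifier list in the PHI section above and the "minimize PHI in e-mails" practice together describe a simple detection task: if a message contains even one patient identifier, it is PHI and should be handled accordingly. The following is an added illustration written for this page, not part of the module itself: a small scanner that checks a draft e-mail body for a few of the identifier classes the module lists (social security number, telephone or fax number, e-mail address, birthdate, medical record number) and can redact them. The regular expressions, the category names, and the sample e-mail are all constructed for this example; a real data loss prevention rule set would cover more identifier classes and be tuned to the organization's own record formats.

```python
import re
from typing import List, Tuple

# Illustrative patterns for some of the identifier classes named in the module.
# These are constructed for this example and are deliberately simple; they are
# not an exhaustive or authoritative definition of what counts as PHI.
PHI_PATTERNS = {
    "social security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone/fax number": re.compile(
        r"(?:\(\d{3}\)\s*|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"
    ),
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Birthdate in US MM/DD/YYYY form (20th or 21st century years only).
    "birthdate": re.compile(
        r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"
    ),
    # Medical record number written with an explicit "MRN" label.
    "medical record number": re.compile(r"\bMRN[:#\s]*\d{5,10}\b", re.IGNORECASE),
}


def find_phi_identifiers(text: str) -> List[Tuple[str, str]]:
    """Return (category, matched_text) pairs for every identifier found in text."""
    hits: List[Tuple[str, str]] = []
    for category, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((category, match.group(0)))
    return hits


def contains_phi(text: str) -> bool:
    """Per the module, a single identifier is enough to make the content PHI."""
    return bool(find_phi_identifiers(text))


def redact_phi(text: str) -> str:
    """Replace each identifier with a bracketed category label.

    Useful when a message must go out but the identifiers are not needed by
    the recipient (the 'include as little as possible' practice).
    """
    redacted = text
    for category, pattern in PHI_PATTERNS.items():
        redacted = pattern.sub(f"[{category} removed]", redacted)
    return redacted


# Constructed sample e-mail body; every value in it is fictional.
SAMPLE_EMAIL = (
    "Hi Dana, can you pull the chart for MRN 00482913? "
    "Patient DOB 04/17/1962, SSN 123-45-6789, callback (555) 010-2233, "
    "patient e-mail j.doe@example.com. Eligibility question only."
)

if __name__ == "__main__":
    for category, value in find_phi_identifiers(SAMPLE_EMAIL):
        print(f"{category}: {value}")
    print()
    print(redact_phi(SAMPLE_EMAIL))
```

Running the block prints one line per identifier found in the sample and then the redacted body. A scanner like this is a guardrail rather than a substitute for the training the module describes: it catches the obvious formatted identifiers, but free-text descriptions of a condition or a name alone (both listed as identifiers above) still depend on the sender's judgment.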


Two doctors are eating lunch at a restaurant with many other patrons nearby. They are discussing a patient case that involves medical coverage and eligibility concerns. They are talking about confidential PHI regarding the patient. What should they do?

  1. Ask one of the people nearby for an opinion on the case being discussed.
  2. Stop talking about the case and move to a private location where their discussion cannot be overheard.
  3. Announce they are talking about private information that contains PHI, so nearby patrons shouldn’t listen.

The correct answer is: Move the discussion to a private location where it cannot be overheard.


Before beginning this quiz, we highly recommend you review the module material. This quiz is designed to allow you to self-check your comprehension of the module content, but only focuses on key concepts and ideas.

Read each question carefully. Select the best answer, even if more than one answer seems possible. When done, click on the "Get Quiz Answers" button. If you do not answer all the questions, you will receive an error message.

Good luck!

1. The major goal of the Privacy Rule is to _____.

2. The _____ established a national set of security standards for protecting certain health information that is held or transferred in electronic form.

3. Which of the following are places where you might find confidential patient information?

4. Health information that contains at least _____ patient identifier is protected under HIPAA.

5. If you observe someone wrongfully disclosing PHI, what should you do FIRST?
