U.S. Department of Health and Human Services
Health Information Technology


How Can I Maintain Patient Privacy in a Health Information Technology System?

A main component of ensuring patient privacy comes from efforts to protect patient information within your health IT system.  Federal and State laws require that certain steps be followed to protect the privacy of patient health information.  You must take steps so that your organization complies with the HIPAA Standard for Privacy of Individually Identifiable Health Information, more commonly known as the HIPAA Privacy Rule.  

The Privacy Rule defines what information is protected (protected health information, or PHI) and the circumstances in which PHI can be used and disclosed.  Its standards also give individuals the right to control the use of their personal information.  The Privacy Rule applies to PHI in all forms, including electronic, paper, and oral.  HIPAA preempts State laws, unless the State law provides greater privacy protections than HIPAA.  One way to think about it is that HIPAA sets the floor for patient privacy, not the ceiling.  

Part of the HIPAA Privacy Rule clarifies when it is permissible to share a patient’s PHI.  The table below summarizes the contexts in which you can, must, and cannot share PHI, with and without the patient’s written permission.  


Without Written Patient Permission

Can Share:

  • With the patient
  • For treatment, payment, and health care operations purposes
  • When the patient agrees to share PHI
  • In the case of incidental use or disclosure
  • In the public interest
  • As a limited data set (PHI from which the direct identifiers of the individual and of the individual’s relatives, household members, and employers have been removed) for the purposes of research, public health, or health care operations

Must Share:

  • With the patient (or the patient’s personal representative) when they request access to, or an accounting of disclosures of, their PHI
  • With HHS when it is undertaking a compliance investigation, compliance review, or enforcement action

Cannot Share:

  • Any other PHI with any other entity.  Exceptions to this include:
      • Business associates under a business associate contract
      • Health information that has been de-identified so that it cannot be linked back to the patient

Only With Written Patient Permission

Can Share:

  • All other instances in which you plan to use or disclose PHI for reasons other than treatment, payment, health care operations, or activities otherwise permitted or required by the Privacy Rule


Particularly when treating patients with HIV/AIDS, you should take note of the HIPAA Privacy Rule’s minimum necessary standard: when you use, disclose, or request PHI, you must limit it to the minimum necessary to accomplish the intended purpose.  (The Privacy Rule exempts disclosures to, and requests by, a health care provider for treatment from this standard, but sharing on a need-to-know basis remains the expected practice.)  HIV/AIDS status should not be disclosed to anyone who does not require this information, including health care staff and other providers who have no role in the patient’s care.  To ensure that patients do not feel coerced into sharing their PHI, you may not require a patient to authorize the release of PHI as a condition of providing that patient care.   

Also note in the table above that you can share PHI if you are doing so in the public interest or benefit.  All 50 States and the District of Columbia require that you report positive HIV tests to the appropriate public health authority in your State so that it can conduct disease surveillance.  As of 2008, the Centers for Disease Control and Prevention (CDC), in its Summary of Changes to the National HIV Surveillance Report, notes that all States had implemented confidential name-based HIV infection reporting (prior to this, name-based reporting was required only for confirmed AIDS cases).  Mandatory name-based reporting has important implications for the electronic reporting and exchange of this data and requires that this information be secured.  Whatever reporting mechanism you use, whether paper-based or electronic, the means of transmission must be secure: either the channel is encrypted (for example, a TLS connection to the health department’s reporting system) or the report itself is encrypted before it leaves your system.  Sending a report as an unencrypted email, for instance, would not be a HIPAA-compliant method of submission.  By working with your local public health authorities, your organization can develop safe and secure methods of electronically storing and transmitting mandatory public health reports, including HIV/AIDS reports.

Although patient permission is not required for a provider to use and share PHI for treatment, payment, and health care operations, a provider may voluntarily obtain patient consent.  The Privacy Rule leaves it up to providers to design their own consent forms and procedures.  In contrast, a provider must obtain the patient’s written authorization to use or share PHI for reasons other than treatment, payment, or health care operations.  The contents of the authorization are specified in the Privacy Rule and must include a number of required data elements, among them a description of the PHI to be used or disclosed, the person authorized to make the disclosure, the person to whom the covered entity may make the disclosure, and an expiration date.  The difference between ‘consent’ and ‘authorization’ under the Privacy Rule is explained by HHS on its Frequently Asked HIPAA Questions webpage.   Again, some States require patient consent in order for a covered entity to release information for treatment, payment, or health care operations; HIPAA does not preempt these stricter laws.  Please consult the Health IT Adoption Toolbox or your attorney for more information on your own State’s laws.  

The HITECH Act’s 2009 Breach Notification interim final rule requires that providers, other covered entities, and business associates notify patients following a breach of unsecured PHI.  The interim final rule defines a breach as an impermissible use or disclosure that compromises the security or privacy of the PHI and poses a significant risk of financial, reputational, or other harm to the affected individual.  The rule covers only unsecured PHI, which is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance, in practice encryption or destruction.  When a breach of unsecured PHI is discovered, written notice must be sent to each affected patient by first-class mail without unreasonable delay and no later than 60 calendar days after discovery.  A breach affecting 500 or more individuals must also be reported to HHS (and to prominent media outlets serving the affected area) within the same period; smaller breaches are logged and reported to HHS annually.  PHI that was encrypted in accordance with the HHS guidance is not considered unsecured, so its loss or theft does not trigger notification, provided the decryption key was not also compromised (for example, stored on the same lost laptop).  This speaks to the need for all covered entities to deploy full-disk encryption on all mobile devices (such as laptop computers), to keep encryption keys separate from the data they protect, and to develop record retention and destruction policies.  
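The two preceding paragraphs both turn on the same technical requirement: PHI that leaves your system (a mandatory HIV report in transit) or sits on a portable device (a laptop in scope for breach notification) should be encrypted so that, without the key, it is unreadable and any tampering is detected.  The following Go program is an added illustration written for this page, not code from HHS, HRSA, or any State reporting system.  It seals a constructed, illustrative report body with AES-256-GCM (an authenticated encryption mode from NIST’s approved set), binds the intended recipient into the ciphertext as additional authenticated data, and shows that a modified ciphertext, the wrong recipient label, or the wrong key is rejected rather than decrypted.  The report format, the recipient label "state-health-dept", and the key handling are assumptions for the example; in production the key would come from a key-management service or hardware key store and would never travel with the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleReport is a constructed, illustrative HIV surveillance report body.
// It is not a real CDC or State reporting format.
const sampleReport = "patient_name=Jane Doe;dob=1985-02-11;test=HIV-1 antibody;result=positive;provider=Clinic 12"

// newKey returns a fresh random 256-bit AES key. In a real deployment the key
// would come from a key-management service or the device's hardware key store
// (an assumption of this example), and would never be stored beside the
// ciphertext or emailed along with the report.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealReport encrypts a report with AES-256-GCM. The 12-byte random nonce is
// prepended to the output and the 16-byte authentication tag is appended by
// Seal. The recipient label is bound in as additional authenticated data (AAD),
// so a ciphertext addressed to one authority cannot be presented to another
// without failing authentication.
func sealReport(key, plaintext []byte, recipient string) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recipient)), nil
}

// openReport reverses sealReport. Any change to the nonce, ciphertext, tag or
// recipient label, or use of the wrong key, makes Open return an error rather
// than corrupted plaintext.
func openReport(key, sealed []byte, recipient string) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed report too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recipient))
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	sealed, err := sealReport(key, []byte(sampleReport), "state-health-dept")
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed report: %d bytes, begins %x...\n", len(sealed), sealed[:8])

	// Flip one ciphertext byte: authentication fails and nothing is decrypted.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := openReport(key, tampered, "state-health-dept"); err != nil {
		fmt.Println("tampered report rejected:", err)
	}

	// Correct key and recipient: the report is recovered intact.
	pt, err := openReport(key, sealed, "state-health-dept")
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(pt))
}
```

The same sealReport/openReport pair applies to a record at rest: a laptop that holds only sealed records, with the key held elsewhere, is holding data the breach rule treats as secured, whereas a laptop that holds the key beside the ciphertext is not.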

Related Resources:

HIPAA Privacy Rule for Covered Entities – The Office for Civil Rights (OCR) provides information and guidance materials to HIPAA covered entities, including providers, health plans, and health care clearinghouses.  
Minimum Necessary Requirement – This OCR document explains what the minimum necessary requirement means for providers and other covered entities.
Health Information Privacy Enforcement Examples Involving HIV/AIDS – This OCR document contains examples of appropriate and inappropriate access to HIV/AIDS related health information.
Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act – Federal Register notification of the HHS’s proposed rule, posted July 14, 2010.  

Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.
Health Information Technology Toolboxes help health centers, safety net providers, and ambulatory care providers with electronic and online resources and technical assistance to improve patient care.