Lesson 06 of 25
Healthcare Privacy I: The HIPAA Privacy Rule
5 min read · CIPP/US
HIPAA is narrower than people think. Nail the coverage question, what counts as PHI, and the treatment-payment-operations framework, plus minimum-necessary and patient rights, so the fitness-app and employer traps never catch you.
Who HIPAA covers — and who it doesn't
- Covered entities: health plans, clearinghouses, providers who bill electronically
- Business associates: vendors handling PHI for a covered entity
- NOT covered: your Fitbit, most health apps, employers as employers
- Coverage question comes first on every HIPAA item
HIPAA, the Health Insurance Portability and Accountability Act, is narrower than people think, and the exam's first trap is assuming it covers all health data. It doesn't. HIPAA reaches three kinds of covered entities: health plans, healthcare clearinghouses, and healthcare providers who transmit claims electronically.
It also reaches their business associates, the vendors that handle protected health information on their behalf, through a contract. But your fitness tracker, most consumer health apps, and your employer when it's acting as your employer are generally not covered entities. So the very first move on a HIPAA question is the coverage question: is this actor a covered entity or business associate?
If not, HIPAA doesn't apply, and you look to the F-T-C or state law instead.
What counts as PHI
- PHI = individually identifiable health info held by a covered entity
- Includes the 18 HIPAA identifiers tied to health data
- De-identified data falls outside HIPAA
- Electronic PHI (ePHI) triggers the Security Rule too
The data HIPAA protects is protected health information, P-H-I: individually identifiable information about a person's health, care, or payment for care, held or transmitted by a covered entity or business associate. HIPAA lists eighteen identifiers (name, dates, addresses, medical record numbers, and so on) that, when tied to health information, make it P-H-I. Strip those identifiers under HIPAA's rules and you get de-identified data, which falls outside the rule entirely. That is an important exam point: de-identification is the recognized off-ramp.
When P-H-I is in electronic form, we call it e-P-H-I, and that's what the separate Security Rule, which we'll cover next lecture, protects. For now, anchor on this: identifiable health data, held by a covered entity, equals P-H-I.
TPO: the permitted-use engine
- Treatment, Payment, and healthcare Operations need no authorization
- Most everyday data flows fall under TPO
- Marketing and sale of PHI generally need authorization
- TPO is the most-tested HIPAA framework
The heart of the Privacy Rule, and the most-tested framework, is T-P-O: treatment, payment, and healthcare operations. A covered entity may use and disclose P-H-I for those three purposes without the patient's separate authorization. Treatment is care coordination, payment is billing and claims, and operations covers quality, training, and administration.
That's deliberately broad so the healthcare system can function. Outside T-P-O, the default flips: most other uses, especially marketing and the sale of P-H-I, require the patient's written authorization. So the exam pattern is to describe a data flow and ask whether authorization is needed.
If it's treatment, payment, or operations, no authorization. If it's marketing a third party's product, almost always yes.
Minimum necessary and patient rights
- Minimum-necessary: use/disclose the least PHI needed
- Exception: disclosures for treatment
- Patient rights: access, amend, accounting, restrict
- Notice of Privacy Practices must be provided
Two more pillars round out the Privacy Rule. First, the minimum-necessary standard: when you use or disclose P-H-I, you must limit it to the least amount needed for the purpose. There's a key carve-out the exam tests: treatment disclosures are exempt, because a doctor needs the full picture to treat.
Second, patient rights, the FIPs in healthcare form: patients can access and get copies of their records, request amendments to correct errors, receive an accounting of certain disclosures, and request restrictions on use. Covered entities must also give patients a Notice of Privacy Practices describing how their information is used. When a question asks what a patient can demand, run through access, amend, accounting, and restrict.
Business associates and the contract chain
- BA = a vendor that creates/handles PHI for a covered entity
- Business Associate Agreement (BAA) is mandatory
- BAAs flow down to subcontractors
- No BAA but PHI shared → a compliance failure itself
One relationship deserves its own beat because the exam tests it constantly: the business associate. A business associate is a person or company that creates, receives, maintains, or transmits protected health information to perform a function for a covered entity; think a billing company, a cloud host storing records, or an analytics vendor. Before P-H-I is shared, the covered entity must put a Business Associate Agreement, a B-A-A, in place: a contract that binds the vendor to protect the data and use it only as permitted.
And the chain flows downhill: a business associate that hires a subcontractor touching P-H-I must get a B-A-A from that subcontractor too. A favorite exam fact pattern shows a covered entity handing P-H-I to a vendor with no B-A-A in place; that gap is itself a HIPAA violation, separate from any later breach. So whenever P-H-I leaves the covered entity for a vendor, look for the B-A-A.
Exam reasoning: the HIPAA decision path
- Step 1 — covered entity or business associate? If no, exit HIPAA
- Step 2 — is it PHI? De-identified data exits
- Step 3 — TPO? If yes, no authorization needed
- Distractor: treating all health data as HIPAA-protected
Let's turn the Privacy Rule into a clean decision path. Step one, is the actor a covered entity or business associate? If not, HIPAA is out; look elsewhere.
Step two, is the data identifiable P-H-I, or has it been de-identified and left HIPAA's reach? Step three, is the use treatment, payment, or operations? If yes, no authorization is needed; if it's marketing or another outside purpose, authorization is generally required, and remember minimum-necessary except for treatment.
The single biggest distractor on this topic is assuming every piece of health data is HIPAA-protected; the fitness-app and employer scenarios exist precisely to catch that. Recap: coverage, then P-H-I, then T-P-O, plus minimum-necessary and patient rights. Now go test yourself, then we tackle the Security and Breach rules.
Sources
- HIPAA Privacy Rule (45 CFR Part 164, Subpart E)
- HIPAA Administrative Simplification (45 CFR Part 160)
- Health Insurance Portability and Accountability Act of 1996
- HHS Office for Civil Rights guidance
- IAPP CIPP/US Body of Knowledge, Domain II.B (Healthcare/Medical)