COM Outlook . Spring 2014

HEALTH CARE LEGAL EAGLE

HIPAA Privacy 101: The Basics

By Fred Segal, Esq.

It is likely common knowledge among medical students that patients have certain legal rights to the privacy of their medical information. These rights are afforded to patients through the Health Insurance Portability and Accountability Act of 1996, colloquially known as HIPAA. The act's Privacy Rule is the part of the law that governs the disclosure of certain types of health information. This column will provide a brief summary of the Privacy Rule and some of its important provisions.

The Privacy Rule's general purpose is to safeguard protected health information (PHI) from improper disclosure by covered entities, which include physicians and other types of providers. PHI, under the Privacy Rule, is individually identifiable health information relating to a patient's past, present, or future condition. Except as otherwise permitted by law, or authorized in writing by the patient, a covered entity is prohibited from using or disclosing PHI, except for treatment, payment, or operational purposes.

Sometimes a covered entity uses vendors and other consultants, including attorneys, to assist in performing a function that involves a permissible use of PHI. The Privacy Rule defines these vendors and consultants as business associates of the covered entity. However, before a covered entity provides a business associate with PHI, HIPAA requires that the covered entity and the business associate enter into a business associate agreement in which the business associate agrees to comply with all necessary HIPAA privacy and security rules.

Not every impermissible disclosure of PHI is punishable by the government. A covered entity may only face penalties if an impermissible disclosure rises to the level of a breach. A breach only occurs when an impermissible disclosure results in a significant risk of harm to the patient whose PHI was disclosed. The determination of whether a disclosure equates to a significant risk of harm is subjective and involves weighing factors such as whether the disclosure puts the patient at risk of financial or reputational harm.

If a breach occurs, a covered entity must notify the individuals whose privacy was breached in a manner provided in the Privacy Rule. The notification requirements vary based on how many patients' PHI was breached by the covered entity. The notification, among other things, must describe steps the covered entity will take to prevent future breaches.

A covered entity could be subject to significant monetary penalties upon a breach of the Privacy Rule. However, there are no private causes of action under HIPAA. This means no patient can bring a lawsuit against a covered entity directly for damages suffered as a result of a breach of the Privacy Rule. All penalties are levied by the government at its discretion. Depending on the magnitude of the breach, penalties can range from $100 to $50,000 per violation and up to $1.5 million for identical violations occurring during the calendar year.

All medical students and residents will, at some point in the near future, receive significant training regarding all of the dos and don'ts of disclosing patient information. This article is meant to be a simple primer on a law that is far more wide-ranging. The moral of the story is this: If you aren't sure, then don't disclose patient information to anyone unless you have consulted with someone who confirms it is permissible under the Privacy Rule.

Fred Segal is a health law attorney in the Miami office of the law firm Broad and Cassel and is a graduate of NSU's Shepard Broad Law Center.