What counts as protected health information, how it can be used, patient rights, and the minimum necessary standard that governs every disclosure.
45 CFR Parts 160 & 164 Subparts A & E
Any information, including demographic information, relating to an individual's past, present, or future physical or mental health condition, the provision of health care to the individual, or the past, present, or future payment for that care.
The information identifies the individual, or there is a reasonable basis to believe it could be used to identify the individual.
Created, received, maintained, or transmitted by a covered entity or business associate, in any form or medium (oral, written, or electronic). All three forms are protected equally. Excluded from PHI: employment records held by a covered entity in its role as employer, education records covered by FERPA, and information about a person who has been deceased for more than 50 years.
45 CFR § 160.103 (definition of protected health information)
Safe Harbor (45 CFR § 164.514(b)(2)) requires removing all 18 of the following identifiers of the individual and of relatives, employers, or household members:
(A) Names
(B) All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), except the first three digits of a ZIP code when the area sharing those three digits contains more than 20,000 people; prefixes covering 20,000 or fewer people become 000
(C) All elements of dates except year for dates directly related to the individual (birth, admission, discharge, death), and all ages over 89 and date elements indicating such an age; ages 90 and over may be kept only as a single "90 or older" category
(D) Telephone numbers
(E) Fax numbers
(F) Email addresses
(G) Social Security numbers
(H) Medical record numbers
(I) Health plan beneficiary numbers
(J) Account numbers
(K) Certificate or license numbers
(L) Vehicle identifiers and serial numbers, including license plate numbers
(M) Device identifiers and serial numbers
(N) Web URLs
(O) IP addresses
(P) Biometric identifiers, including finger and voice prints
(Q) Full-face photographs and any comparable images
(R) Any other unique identifying number, characteristic, or code (except a re-identification code permitted by § 164.514(c))
In addition, the covered entity must have no actual knowledge that the remaining information could be used, alone or with other information, to identify the individual. Prescriptive but straightforward.
Expert Determination (45 CFR § 164.514(b)(1)): a person with appropriate statistical and scientific knowledge applies generally accepted principles and methods and determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual. More flexible: some geographic or date detail can be retained if the analysis supports it. The methods and results of the analysis must be documented.
De-identified data is not PHI and is not subject to the Privacy Rule. A code for later re-identification may be retained only if it is not derived from information about the individual and the mechanism for re-identification is not disclosed (§ 164.514(c)).
45 CFR § 164.514(a)–(b)
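The Safe Harbor method above is mechanical enough to implement, and the edge cases (small-population ZIP prefixes, ages over 89, identifiers buried in free-text notes) are where implementations go wrong. The following is an added example written for this page, not code from the original page or from any regulator or vendor. The record schema, the sample patient record, and the SMALL_POPULATION_ZIP3 set are constructed for illustration; a real deployment derives the ZIP prefix set from current Census data and maps the field lists onto its own record layout.

```python
"""Safe Harbor de-identification of a patient record (45 CFR 164.514(b)(2)).

Added example for this page. Field names, the sample record and the ZIP3 set
below are constructed for illustration, not taken from any real system.
"""
import re
from datetime import date

# Constructed placeholder: in practice this is the Census-derived set of every
# 3-digit ZIP prefix whose combined population is 20,000 or fewer. Safe Harbor
# requires those prefixes to be replaced with "000".
SMALL_POPULATION_ZIP3 = {"036", "059", "102", "203", "556", "692", "821", "823", "878", "879", "884", "893"}

# Constructed schema: fields holding direct identifiers are dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Identifiers that leak into free text (clinical notes). Order matters: the
# MRN pattern runs before the phone pattern so a long digit run is not
# mistaken for a phone number, and URLs are consumed before IP addresses.
FREE_TEXT_PATTERNS = {
    "mrn": re.compile(r"\bMRN[:# ]*\d{5,}\b", re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "url": re.compile(r"\bhttps?://\S+", re.I),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits unless that prefix covers <= 20,000 people."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into the single '90+' category."""
    return "90+" if age > 89 else str(age)


def scrub_free_text(text: str):
    """Replace identifier patterns in free text; return (scrubbed_text, kinds_found)."""
    found = []
    for kind, pattern in FREE_TEXT_PATTERNS.items():
        if pattern.search(text):
            found.append(kind)
            text = pattern.sub(f"[{kind.upper()} REMOVED]", text)
    return text, found


def deidentify(record: dict) -> dict:
    """Apply Safe Harbor to one record. Returns a new dict; the input is not modified."""
    age = record["age"]
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
    out["age"] = generalize_age(age)
    out["zip3"] = generalize_zip(out.pop("zip"))
    # Dates keep only the year. A birth year alone would reveal an age over 89,
    # so for those individuals the birth date is removed entirely.
    if "birth_date" in out:
        out["birth_date"] = None if age > 89 else str(out["birth_date"].year)
    for field in ("admission_date", "discharge_date"):
        if field in out:
            out[field] = str(out[field].year)
    if "notes" in out:
        out["notes"], out["notes_identifiers_removed"] = scrub_free_text(out["notes"])
    return out


SAMPLE_RECORD = {  # constructed test data, not a real patient
    "name": "Jane Q. Sample",
    "mrn": "00123456",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.com",
    "street_address": "12 Elm St",
    "city": "Springfield",
    "zip": "03601",
    "age": 92,
    "birth_date": date(1932, 4, 17),
    "admission_date": date(2024, 2, 3),
    "diagnosis_code": "I10",
    "notes": "Pt called from 555-867-5309; MRN 00123456 confirmed. Follow-up 2/10/2024.",
}

if __name__ == "__main__":
    for key, value in deidentify(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

Two caveats the code cannot cover: the "no actual knowledge" condition is a judgment about the residual data and the recipient, not something a scrubber can assert, and regex scrubbing of free text is a floor, not a guarantee. Names, rare conditions, and other quasi-identifiers in narrative notes routinely survive pattern matching, which is one reason Expert Determination or simply dropping free-text fields is often chosen for notes.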
Providing, coordinating, or managing health care and related services by one or more providers. Includes referrals and consultations.
Example: ER physician shares records with specialist.
Activities to obtain reimbursement — billing, claims management, prior authorization, coordination of benefits, eligibility determination.
Example: Sending a claim to the patient's insurer.
Quality improvement, training, audits, accreditation, fraud detection, certain business management functions of the covered entity.
Example: Auditing a sample of charts for a quality-improvement review.
45 CFR § 164.506 | 45 CFR § 164.501 (definitions of treatment, payment, health care operations)
Any use or disclosure not permitted by § 164.506 (TPO) or § 164.512 (the exceptions below) requires the individual's written authorization containing the core elements and required statements of § 164.508(c). Authorization is specifically required for most uses of psychotherapy notes, for marketing, and for any sale of PHI. A covered entity may not condition treatment, payment, or enrollment on obtaining an authorization, except in the limited cases the rule allows.
45 CFR § 164.508 (authorization requirements)
Required by law (§ 164.512(a)): mandatory reporting obligations, limited to what the law requires.
Public health (§ 164.512(b)): disease surveillance, vital statistics, reports to FDA-regulated entities, exposure notification.
Victims of abuse, neglect, or domestic violence (§ 164.512(c)): reports to authorized government authorities.
Health oversight (§ 164.512(d)): audits, investigations, inspections, licensing.
Judicial and administrative proceedings (§ 164.512(e)): court orders; subpoenas and discovery requests only with satisfactory assurance of notice to the individual or a protective order.
Law enforcement (§ 164.512(f)): six enumerated circumstances, each with its own conditions and process.
Decedents (§ 164.512(g)): funeral directors, medical examiners, coroners.
Organ, eye, or tissue donation (§ 164.512(h)): procurement organizations.
Research (§ 164.512(i)): IRB or Privacy Board waiver of authorization, reviews preparatory to research, or research on decedents' information.
Serious threat to health or safety (§ 164.512(j)): disclosure to a person able to prevent or lessen the threat.
Specialized government functions (§ 164.512(k)): military, veterans, national security and intelligence, State Department, correctional institutions.
Workers' compensation (§ 164.512(l)): as authorized by state law.
45 CFR § 164.512 (uses and disclosures for which authorization is not required)
Access (§ 164.524): inspect and obtain a copy of PHI in a designated record set. The CE must respond within 30 days (one 30-day extension allowed, with written notice of the reason). Any fee must be reasonable and cost-based. Psychotherapy notes and information compiled for litigation are excluded.
Amendment (§ 164.526): request correction of PHI. The CE must act within 60 days (one 30-day extension). It may deny if the information is accurate and complete, was not created by the CE, is not part of a designated record set, or is not available for inspection. Denials must be documented and the patient allowed to submit a statement of disagreement.
Accounting of disclosures (§ 164.528): obtain a list of disclosures made in the prior 6 years. Excludes disclosures for treatment, payment, or operations, to the individual, or pursuant to an authorization, among others.
Restrictions (§ 164.522(a)): request restrictions on use or disclosure. The CE need not agree, with one exception: it must honor a request not to disclose to a health plan when the patient has paid out of pocket in full for the item or service.
Confidential communications (§ 164.522(b)): request to receive communications by alternative means or at alternative locations. The CE must accommodate reasonable requests and may not demand an explanation.
Complaints (§ 164.530(d), (g)): file complaints with the CE and with HHS OCR. The CE may not intimidate or retaliate against individuals for exercising privacy rights or filing complaints, and may not require a waiver of those rights as a condition of treatment, payment, or enrollment.
45 CFR §§ 164.522–164.530
Covered entities must make reasonable efforts to use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose. Routine and recurring disclosures and requests are handled by standing policies and protocols rather than case-by-case review; non-routine ones are reviewed individually against documented criteria. The standard does not apply to disclosures to or requests by a provider for treatment, disclosures to the individual, uses or disclosures under an authorization, disclosures to HHS for compliance, or disclosures required by law.
Role-based access control is the primary operational mechanism: the CE identifies the classes of workforce members who need PHI, the categories of PHI each class needs, and the conditions appropriate to that access (§ 164.514(d)(2)), then limits access accordingly.
45 CFR § 164.502(b) | 45 CFR § 164.514(d)
Workforce members who access PHI beyond what their role requires violate the minimum necessary standard even when they have technical access. They may face disciplinary action under the CE's sanctions policy (§ 164.530(e)), and the access can expose the organization to OCR enforcement and breach-notification obligations.
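Role-based access limits on their own do not catch the case the last paragraph describes: a user with a legitimate role opening a record they have no care or billing relationship with. That is a detection problem over the EHR audit trail. The following is an added example written for this page, not code from the original page or from any EHR vendor. The role policy, the care-team roster, the user-to-role mapping, and the audit log lines are all constructed; a real deployment would pull roles from the identity system, care relationships from scheduling or encounter data, and events from the application's audit feed.

```python
"""Detect PHI access that exceeds a workforce member's role or care relationship.

Added example for this page. The log format, role policy, roster and events
below are constructed for illustration.
"""
import csv
import io
from collections import Counter

# Constructed role policy: record categories each role may open under the
# covered entity's minimum-necessary policy (45 CFR 164.514(d)(2)).
ROLE_PERMITTED_CATEGORIES = {
    "physician": {"demographics", "encounter", "labs", "medications", "psych_notes"},
    "nurse": {"demographics", "encounter", "labs", "medications"},
    "billing": {"demographics", "encounter"},
    "registration": {"demographics"},
}

# Constructed identity data: authoritative role per user, and the patients
# each user currently has a treatment or payment relationship with.
USER_ROLE = {"u100": "physician", "u200": "nurse", "u300": "billing"}
CARE_TEAM = {
    "u100": {"p1", "p2"},
    "u200": {"p1", "p3"},
    "u300": {"p1", "p2", "p3", "p4"},  # billing works the whole unit's claims
}

# Constructed EHR audit log. break_glass=y marks an emergency override the
# application recorded with a reason; policy allows it but requires review.
AUDIT_LOG = """\
ts,user,patient,category,action,break_glass
2024-03-01T08:01:00,u100,p1,encounter,view,n
2024-03-01T08:02:10,u100,p2,psych_notes,view,n
2024-03-01T08:05:30,u200,p1,medications,view,n
2024-03-01T08:06:00,u200,p1,psych_notes,view,n
2024-03-01T08:09:45,u200,p9,labs,view,n
2024-03-01T08:10:00,u200,p9,labs,view,y
2024-03-01T09:00:00,u300,p4,encounter,view,n
2024-03-01T09:00:30,u300,p4,labs,view,n
"""


def parse_log(text: str) -> list:
    """Parse the CSV audit feed into one dict per access event."""
    return list(csv.DictReader(io.StringIO(text)))


def evaluate_event(ev: dict) -> list:
    """Return policy findings for one event; an empty list means the access was within role."""
    findings = []
    user, patient, category = ev["user"], ev["patient"], ev["category"]
    permitted = ROLE_PERMITTED_CATEGORIES.get(USER_ROLE.get(user), set())
    # Check 1: the record category is outside what this role may open at all.
    if category not in permitted:
        findings.append("category_outside_role")
    # Check 2: no care or billing relationship with this patient. A documented
    # emergency override is allowed but must be reviewed after the fact.
    if patient not in CARE_TEAM.get(user, set()):
        findings.append("break_glass_review" if ev["break_glass"] == "y" else "no_care_relationship")
    return findings


def detect(log_text: str) -> list:
    """Run every event through the policy; return (ts, user, patient, finding) tuples."""
    results = []
    for ev in parse_log(log_text):
        for finding in evaluate_event(ev):
            results.append((ev["ts"], ev["user"], ev["patient"], finding))
    return results


def findings_per_user(results: list) -> Counter:
    """Count findings by user so reviewers can prioritise repeat offenders."""
    return Counter(user for _, user, _, _ in results)


if __name__ == "__main__":
    hits = detect(AUDIT_LOG)
    for row in hits:
        print(*row)
    print(dict(findings_per_user(hits)))
```

On the constructed log, the nurse opening psychotherapy notes and the billing user opening lab results are caught by the role check, while the nurse's two views of a patient not on their unit are split into an unexplained access and a break-glass event queued for supervisor review. In production the care-relationship check is the one that needs care: encounter and scheduling data lag, covering clinicians and consults are legitimate, so the output is a review queue for privacy officers rather than an automatic block.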