What is HIPAA Confidentiality?

Several HIPAA regulations address the confidentiality of PHI – the principle that protected health information arises from confidential communications between covered entities and patients, or from a provider rendering treatment to a patient, and must not be disclosed to anyone not authorized to receive it. HIPAA confidentiality requirements appear in both the HIPAA Security Rule and the HIPAA Privacy Rule.

When Does HIPAA Confidentiality Apply?

The HIPAA regulations define “confidentiality” as “The property that data or information is not made available or disclosed to unauthorized persons or processes.”

Under the HIPAA Security Rule, covered entities and business associates must ensure the confidentiality of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits. Various provisions of the Security Rule specifically require confidentiality be assessed, preserved, or maintained. These HIPAA confidentiality provisions require the following:

  • Performing a Risk Analysis: Covered entities and business associates must (among other things) conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality of the electronic protected health information they hold; and
  • Implementing Administrative, Physical, and Technical Safeguards: Where a plan sponsor handles electronic protected health information on behalf of a group health plan, the plan sponsor must implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality of the electronic protected health information it creates, receives, maintains, or transmits on behalf of the plan.

Are There Other Circumstances Requiring HIPAA Confidentiality?

The HIPAA Privacy Rule provisions addressing business associate agreements, and the provisions regulating the ability of individuals to access protected health information, both address the subject of HIPAA confidentiality.

Business Associate Agreements: Business associate agreements are required, binding contracts between covered entities and business associates. These agreements, called BAAs, set out the obligations of covered entities and business associates with respect to protected health information. A BAA must be executed by both parties before any PHI may be shared, exchanged, or transmitted between them. The agreement describes how the business associate will protect the PHI the covered entity provides, and what safeguards the business associate will use to ensure the PHI is not inappropriately disclosed.

The HIPAA Privacy Rule states that the contract or agreement may permit the business associate to use the PHI it receives in its capacity as a business associate, for:  

  • The proper management and administration of the business associate; and
  • Carrying out the legal responsibilities of the business associate.

The business associate may disclose the PHI to another person for these purposes only if the disclosure is required by law, or if both of the following hold:

  • The business associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person; and
  • The person notifies the business associate of any instances of which it is aware in which the confidentiality of the information has been breached. 

Ability of Individuals to Access PHI:

The HIPAA Privacy Rule provides that individuals have a right of access to inspect and obtain a copy of the protected health information contained in their medical records. In some instances, however, a covered entity may deny an individual access without having to give the individual an opportunity to have that denial reviewed.

Unreviewable grounds for denial exist, in part, to foster HIPAA confidentiality. For example, a covered entity may deny access if the protected health information was obtained from someone other than a healthcare provider under a promise of confidentiality, and the access requested would be reasonably likely to reveal the source of the information. This provision allows people who are not healthcare providers to give information to covered entities in confidence, without fearing that they will be revealed as its source.

When Does HIPAA Confidentiality Not Apply?

In a number of circumstances, HIPAA permits healthcare providers to disclose protected health information. For example, the Privacy Rule permits doctors and other healthcare practitioners to share information with a spouse, family members, friends, or other people identified by the patient, provided the information is directly relevant to that person's involvement in the patient's care or in payment for that care. If the patient has the capacity to make healthcare decisions, the doctor may discuss this information with the family or others present if the patient agrees or, when given the opportunity, does not object. Even when the patient is not present, or it is not practical to ask the patient's permission because of emergency or incapacity, a doctor may share this information with family members or friends when, in exercising professional judgment, the doctor determines that doing so is in the best interest of the patient.

A covered entity may also:

  • Disclose PHI to a law enforcement official who is reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public. 
  • Report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the premises of the covered entity. 
  • Divulge PHI to law enforcement to alert law enforcement to an individual’s death, where there is a suspicion that the death resulted from criminal conduct. 

In some instances, a healthcare provider must divulge PHI because another law requires it, and HIPAA permits the disclosure. For example, healthcare providers who notice medical signs of child, adult, or elder mistreatment, abuse, or neglect are normally required by state mandatory reporting laws to report such information to protective services or to the police.