Privacy (Use and Disclosure of PHI)



HIPAA’s Privacy and Security Rules

The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) and the Security Standards for the Protection of Electronic Protected Health Information (“Security Rule”), both promulgated by HHS under HIPAA, establish a set of national standards for the protection of certain health information. This section primarily addresses the Privacy Rule as it applies to health plans. The Security Rule is addressed in a separate section of the Dashboard.

Covered Entities

The Privacy Rule standards address the use and disclosure of individually identifiable health information (called “protected health information” or “PHI”) by organizations subject to the Privacy Rule (“Covered Entities”). Covered Entities include health care providers, health plans, and health care clearinghouses.  The Privacy Rule also contains individual privacy rights with respect to use, disclosure, and access to individual PHI in the possession of Covered Entities.  The Security Rule addresses various procedural, technical, and administrative safeguards that must be implemented for protection of electronic PHI (“ePHI”).

Although an employer may sponsor a health plan, the plan and the employer are regarded as two separate entities for purposes of the Privacy Rule.  This concept and its consequences are often misunderstood.  For a handy refresher on what this means, please see the “FAQs on the Delicate Relationship Between Employers and Their Self-Insured Health Plans”.

For general help in determining who is a Covered Entity, use the HHS decision tool listed under Additional Resources below.

What is PHI?

The Privacy Rule governs the way health plans handle “Protected Health Information” (“PHI”). PHI is individually identifiable health information held or transmitted by a Covered Entity or its business associate, in any form or media, whether electronic, paper, or oral.

Health information is information that:

Health information is individually identifiable if it is created or received by a health care provider, health plan, employer, or health care clearinghouse; relates to the past, present, or future physical or mental health of an individual, the provision of health care to the individual, or payment for that care; and either identifies the individual or provides a reasonable basis to believe it can be used to identify the individual.

Common individual identifiers that may create PHI include:

Of course, this information must bear some relationship to health information; i.e., it must be associated with information about a person’s medical condition, treatment, or payment.  For example, a person’s name and SSN by themselves are not PHI; however, that same information combined with the name of the person’s health plan or insurer, when held by the plan or its business associate, is PHI.

In addition, the information will be considered PHI if it can be combined with other available information to determine identity.

Is Health Information Combined with the Last Four Digits of a Person’s Social Security Number Considered PHI?

Most likely, it is PHI. Many entities include the last four digits of a person’s SSN as part of their records. A quick web search for “last four digits of SSN” should make it apparent that a great deal of personal information can be gleaned from that data. Government guidance makes it clear that health information that includes the last four digits of a SSN should be considered PHI; for de-identification purposes, a fragment or derivative of a listed identifier (here, Item (G) below) must be removed just as the full identifier would be.

PHI does not include health information maintained by an employer in its capacity as an employer.  For example, medical information maintained by an employer in connection with its compliance obligations under the FMLA, the ADA, or workers’ compensation laws would not be considered PHI.

Is Enrollment Information Considered PHI?

Sometimes it is and sometimes it isn’t. Enrollment and disenrollment information is not PHI if it is created by and remains in the hands of the employer. This may include information obtained by an employer at open enrollment or at the start or termination of employment. However, that same information, when held by or received from the health plan, is PHI. This highlights the importance of distinguishing and segregating PHI from similar information that is not PHI.

De-Identified Information

PHI that has been de-identified is no longer considered PHI and therefore may be used and disclosed for any purpose.  De-identified means that the information no longer identifies an individual and there is no reasonable basis to believe it could be used to identify one.  The Privacy Rule recognizes two methods of de-identification: “Expert Determination”, in which a qualified expert documents that the risk of re-identification is very small, and the “Safe Harbor” method described here.

The government has provided safe-harbor guidance for de-identification.  The Safe Harbor method consists of two parts:

  1. removal of the 18 identifiers listed below; and
  2. the absence of actual knowledge that the remaining information could be used to identify the individual.

See Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act Privacy Rule, (“Guidance”).

The 18 Identifiers

The following identifiers of an individual or of relatives, employers, or household members of the individual, must be removed:

(A) Names;

(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

  (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
  (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers;

(E) Fax numbers;

(F) Electronic mail addresses;

(G) Social security numbers;

(H) Medical record numbers;

(I) Health plan beneficiary numbers;

(J) Account numbers;

(K) Certificate/license numbers;

(L) Vehicle identifiers and serial numbers, including license plate numbers;

(M) Device identifiers and serial numbers;

(N) Web Universal Resource Locators (URLs);

(O) Internet Protocol (IP) address numbers;

(P) Biometric identifiers, including finger and voice prints;

(Q) Full face photographic images and any comparable images; and

(R) Any other unique identifying number, characteristic, or code.


It’s not just identifiers unique to the individual that must be deleted. The same identifiers must also be deleted for the individual’s relatives, employers and household members.

The Absence of Actual Knowledge

Actual knowledge means clear and direct knowledge that the remaining information could be used, either alone or in combination with other information, to identify an individual who is a subject of the information.  According to the Guidance, a covered entity has actual knowledge if it concludes that the remaining information could be used to identify the individual.

This suggests that a health plan would be well advised to reach no conclusions about the propensity of the remaining information to identify an individual.  Unsurprisingly, this does not appear to be an option.  Several hypotheticals in the Guidance describe scenarios in which the covered entity “must have concluded” that the information in question could identify an individual.  The hypotheticals do not state that the covered entity did, in fact, reach that or any other conclusion or that it even considered the actual knowledge test.


For better or worse, employees in smaller companies tend to know more about each other’s business than employees in larger ones. Employers should account for this level of familiarity when applying the actual knowledge test. By the way, the fact that an employee may have described his colon surgery in excruciating detail to everyone in the lunch room does not change the fact that the same information, when it comes from the health plan, is still PHI.

Plans Covered

The Privacy Rule applies to “health plans”; i.e., individual and group plans that provide or pay for the cost of medical care, including:

This includes employer-sponsored medical plans and most dental and vision care plans.  Health FSAs and HRAs are also health plans covered by the Privacy Rule.  So are wellness programs that include screenings.

There is a narrow exception from HIPAA’s Privacy Rule for plans that are self-insured, self-administered, and have fewer than 50 participants.  In addition, there is an exception for certain “excepted benefits.”  However, stand-alone dental and vision plans remain subject to the rule (even though they are considered excepted benefits for other purposes).

Core Privacy Requirements

The Privacy Rule provides comprehensive Federal protection for the privacy of health information. This rule, which became effective on April 14, 2003, set national standards for the protection of health information, as applied to the three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct certain health care transactions electronically.  Failure to implement these standards may, under certain circumstances, trigger the imposition of civil or criminal penalties.

PHI Use/Disclosure

Covered Entities cannot use or disclose PHI except as permitted or required under the Privacy Rule.  Permitted uses and disclosures include those made for purposes of treatment, payment, and health care operations, those made pursuant to an authorization, and those permitted due to an exception in the Privacy Rule.


Treatment means the provision, coordination, or management of health care and related services by one or more health care providers.  A health plan may use and disclose PHI for its own treatment activities and those of a health care provider.

Some Examples:  An employer-sponsored health plan typically will not provide any treatment; however, employers with wellness programs, EAPs or on-site medical clinics may have plans that provide treatment.  In any event, a health plan may share PHI with a person’s doctor if the latter needs it for treatment purposes.


Payment, for a health plan, means activity to obtain premiums; to determine the amount of benefits due; and to provide reimbursement.  A health plan can use and disclose PHI for its own payment operations and disclose it to another covered entity or a health care provider for the payment activities of the recipient.

Some Examples:  A health plan can use and/or disclose PHI:

Healthcare Operations

Healthcare operations are certain specified administrative, financial, legal, and quality-related activities of a covered entity.  They include health care fraud and abuse detection activities, quality assessment, population-based studies of health care costs, protocol development, and case management.  A health plan can use and disclose PHI for its own healthcare operations.   It may also disclose PHI to another covered entity for the purposes of the recipient’s healthcare operations, provided both entities have a relationship with the individual and the PHI pertains to that relationship.

Some Examples: A health plan can use and/or disclose PHI:

Minimum Necessary

Disclosures must meet a “minimum necessary” standard:  health plans must take reasonable steps to ensure that PHI used, disclosed, or requested is limited to the minimum amount of information necessary to accomplish the intended purpose of the use, disclosure or request.  Access must be limited to only individuals who need access to carry out their job-related duties.  Policies and procedures must be adopted to limit PHI disclosures to meet the minimum necessary standard.

Under the HITECH Act, the default way to meet the minimum necessary standard is the “limited data set”.  A “limited data set” is PHI that has been partially de-identified: the sixteen direct identifiers listed at 45 CFR 164.514(e)(2) (names; street address; telephone and fax numbers; e-mail addresses; SSNs; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle and device identifiers; URLs; IP addresses; biometric identifiers; and full-face photographs) have been removed, but dates (Item (C) in the list above) and town or city, State, and zip code (part of Item (B) above) may be retained.    The limited data set should be used unless the health plan determines that this limitation is not practicable to accomplish the purpose of the use or disclosure.  Note that a limited data set is still PHI: it may be used or disclosed only for research, public health, or health care operations, and only under a data use agreement with the recipient.
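The Safe Harbor list above (Items (A) through (R), with the zip-code and age rules) and the limited data set just described differ in exactly which fields survive, and the difference is easiest to see in code. The following is an added example, not part of the original page and not HHS code. The field names, the two sample records and the `ZIP3_POPULATION` table are constructed for illustration: the populations are not Census figures, and a real implementation must load the current Census data the rule refers to.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) and a limited data
set (45 CFR 164.514(e)(2)) built from one record-stripping helper.

Added example, not from the original page or from HHS. Field names, the
sample records and ZIP3_POPULATION are constructed; the ZIP-prefix
populations are NOT Census figures.
"""
from __future__ import annotations

import re

# Assumed field names for the identifiers that BOTH methods remove
# (Items A and D-Q of the list on this page).
SHARED_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "member_id",
    "account_no", "license_no", "vehicle_id", "device_serial", "url",
    "ip", "biometric", "photo",
}
# Item (R), the catch-all, is a Safe Harbor item only; 164.514(e)(2)
# lists sixteen identifiers and does not include it.
CATCH_ALL = {"other_unique_id"}
# Item (C): dates directly related to the individual.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# Item (B): geography smaller than a State. Street goes under both methods;
# the limited data set may keep town/city, State and zip, Safe Harbor may not.
STREET_FIELDS = {"street"}
SUB_STATE_FIELDS = {"city", "county"}
SAFE_HARBOR_DROP = SHARED_IDENTIFIERS | CATCH_ALL | STREET_FIELDS | SUB_STATE_FIELDS

ZIP3_POPULATION = {"021": 650_000, "036": 12_000, "900": 2_000_000}  # constructed
POPULATION_THRESHOLD = 20_000
AGE_CAP = 89  # ages over 89 collapse to "90+"


def safe_harbor_zip(zip_code: str, population: dict[str, int]) -> str:
    """Item (B): keep the first three digits only if the combined ZIP3 area
    has more than 20,000 people; otherwise '000'. A missing, malformed or
    unknown prefix is treated as unknown and also becomes '000'."""
    digits = re.sub(r"\D", "", zip_code or "")
    prefix = digits[:3]
    if len(prefix) == 3 and population.get(prefix, 0) > POPULATION_THRESHOLD:
        return prefix
    return "000"


def year_only(date_str: str) -> str | None:
    """Item (C): reduce an ISO-8601 date (YYYY-MM-DD) to its year; None if it
    cannot be parsed, so an unparseable date is dropped rather than leaked."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", date_str or "")
    return m.group(1) if m else None


def safe_harbor(record: dict, population: dict[str, int] = ZIP3_POPULATION) -> dict:
    """Return a copy of `record` de-identified under the Safe Harbor method."""
    age = record.get("age")
    over_cap = age is not None and age > AGE_CAP
    out: dict = {}
    for key, value in record.items():
        if key in SAFE_HARBOR_DROP:
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value, population)
        elif key in DATE_FIELDS:
            # The birth year of someone over 89 is itself "indicative of such age".
            if key == "dob" and over_cap:
                continue
            year = year_only(value)
            if year is not None:
                out[f"{key}_year"] = year
        elif key == "age":
            out["age"] = "90+" if over_cap else age
        else:
            out[key] = value  # clinical and claims content is retained
    return out


def limited_data_set(record: dict) -> dict:
    """Return a copy of `record` reduced to a limited data set: the sixteen
    direct identifiers and the street address go; full dates, town/city,
    State and zip stay. The result is still PHI and needs a data use agreement."""
    drop = SHARED_IDENTIFIERS | STREET_FIELDS | {"county"}
    return {k: v for k, v in record.items() if k not in drop}


# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"name": "Sample Member A", "ssn": "000-00-0001", "email": "a@example.com",
     "street": "1 Main St", "city": "Boston", "county": "Suffolk", "state": "MA",
     "zip": "02115", "dob": "1931-05-04", "age": 92, "admit_date": "2023-02-10",
     "member_id": "H12345", "diagnosis": "J18.9", "paid_amount": 1250.00},
    {"name": "Sample Member B", "ssn": "000-00-0002", "street": "2 Elm Rd",
     "city": "Walpole", "state": "NH", "zip": "03601", "dob": "1978-11-23",
     "age": 45, "discharge_date": "2022-07-01", "diagnosis": "E11.9",
     "paid_amount": 310.50},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print("safe harbor     :", safe_harbor(rec))
        print("limited data set:", limited_data_set(rec))
```

Two design points worth noting: unknown or malformed zip codes default to “000” rather than passing through, because a lookup miss must fail closed; and the output of `safe_harbor` renames transformed fields (`zip3`, `dob_year`) so downstream consumers cannot mistake a truncated value for the original. Passing the Safe Harbor test does not dispose of the “actual knowledge” part discussed above, which no function can evaluate for you.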

Required Disclosures

The Privacy Rule requires disclosure of PHI in several circumstances; however, most employers and employer health plans are likely to encounter only three:

  1. to respond to a request by an individual exercising his individual rights (see Individual Rights, below);
  2. to cooperate with the Department of Health and Human Services in connection with its HIPAA enforcement and compliance review activities; and
  3. in response to a court order, subpoena, or other legal mandate (i.e., the request is enforceable in court).  Strictly speaking, the Privacy Rule itself mandates only the first two; a disclosure “required by law” is compelled by the other law and merely permitted by the Privacy Rule, but the practical effect for the plan is the same.

Permitted Disclosures

Permitted exceptions to the PHI disclosure restrictions include public policy exceptions, such as disclosures in judicial or administrative legal proceedings, or disclosures required to avert a serious threat to public health and safety.  Disclosures may also be permitted in limited circumstances, for example:

Authorized Disclosures


Employees often ask their HR department for assistance in sorting out their health claims. Of course, any health information provided by the employee to HR is not PHI (since neither the employer nor the employee is a covered entity). But what if HR needs to call the employer’s TPA or insurance company to answer the employee’s question? Each TPA or insurer will have its own policy but don’t be surprised if it requires you to have the employee present during your call or requires you to have a signed authorization.

If a use or disclosure of PHI is neither permitted nor required, the covered entity must obtain an authorization. Authorizations to use and disclose PHI must be voluntarily executed by the individual whose PHI is being used or disclosed. The authorization form must meet specific formal requirements to comply with the Privacy Rule.

Incidental Disclosures

The Privacy Rule permits what it calls incidental disclosures.  These are inadvertent disclosures of PHI that may occur in the ordinary course of an otherwise permitted use or disclosure and in spite of the fact that the health plan had implemented reasonable safeguards to prevent the disclosure and had implemented the minimum necessary standard.  Government guidance gives the following example:

A health plan employee discussing a patient’s health care claim on the phone may be overheard by another employee who is not authorized to handle patient information.  If the health plan employee made reasonable efforts to avoid being overheard and reasonably limited the information shared, the incidental disclosure resulting from the conversation would not violate the Privacy Rule.

Individual Rights

HIPAA affords individuals certain rights to access and manage their PHI.

Right of Access: An individual has a right to inspect and obtain a copy of his or her own PHI maintained by a health plan in a “Designated Record Set” (DRS); for a health plan, this generally means enrollment, payment, claims adjudication, and case or medical management records.

Right to Amend or Correct PHI:  An individual has a right to request amendment of PHI in a DRS that is incorrect or incomplete.

Right to Obtain an Accounting of Disclosures:  An individual has the right to obtain an accounting of disclosures of his or her own PHI made within the 6 years before the date of the request.  The accounting need not include disclosures made for treatment, payment, or health care operations, disclosures to the individual, or disclosures made pursuant to the individual’s authorization, so in practice it covers the less routine disclosures.

Right to Request Restrictions of Uses and Disclosures:  An individual may request that a health plan restrict the uses and disclosures of PHI to carry out treatment, payment and health care operations; however, the plan does not have to grant such requests and, in our experience, most plans routinely deny them.

Right to Request Alternate Communications:  A health plan must accommodate reasonable requests by individuals to receive communications of protected health information from the health plan by alternative means or at alternative locations, if the individual clearly states that the disclosure of all or part of that information could endanger the individual.

Right to Receive a Notice of Privacy Practices: An individual has a right to adequate notice of the uses and disclosures of PHI that may be made by the health plan, and of the individual’s rights and the plan’s legal duties with respect to PHI. HHS publishes a model notice (see Notice of Privacy Practices, below).

As discussed below, a fully-insured plan that receives no PHI (other than summary health information) does not need to have a privacy notice.  A fully-insured plan that receives PHI that exceeds what would be considered summary health information must maintain a privacy notice; however, it does not have to provide the notice except upon request.


Implementation Requirements for Employers with Fully-Insured Plans if They Receive No PHI

The Privacy Rule does not impose a big compliance burden on an employer that provides health benefits only through fully-insured plans and receives no (or almost no) PHI.  The only administrative requirements that apply are those related to waiver and non-retaliation (see below).  In addition, such an employer can receive PHI in the form of:

  1. summary health information, for the specified purposes described below; and
  2. enrollment and disenrollment information;

without any additional compliance requirements.

Summary health information is information that summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan; and from which the 18 identifiers discussed above have been deleted, except that the geographic information need only be aggregated to the level of a five digit zip code.

The specified purposes are:

  1. obtaining premium bids for providing health insurance coverage under the group health plan; and
  2. modifying, amending, or terminating the group health plan.

Implementation Requirements for Employers with Self-Insured Plans or Who Receive PHI

Employers that sponsor self-insured health plans (even if they don’t receive PHI) and employers that receive PHI with respect to their fully-insured health plans need to follow a rigorous path to compliance.

Health FSAs and HRAs

Many employers with fully-insured health benefits may still sponsor a health FSA or HRA. These are health plans covered by the Privacy Rule and accordingly, employers with such plans need to comply with the far more elaborate set of requirements summarized in the next section. This is true even if the actual plan administration is performed by a third party and the employer receives no PHI.

There are actually two sets of requirements here.  One set applies directly to the sponsoring employer; it details what an employer must do in order to receive the PHI it needs to fulfill the second set of requirements and perform other plan-related functions.  The second set applies to the health plan itself, although as a practical matter, in most cases, it will be the sponsoring employer that actually implements the requirements.

Employer Requirements

In order for a health plan or insurer to disclose PHI to an employer, the employer’s health plan must include provisions that:

Plan Requirements


As we have previously noted, most employer-sponsored health plans will not have any employees of their own. If a plan does have employees, it is responsible for training them and imposing sanctions on any of its employees that fail to comply with the plan’s policies and procedures.

A health plan must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity; and a contact person or office who is responsible for receiving complaints about Privacy Rule violations and who is able to provide further information about matters covered by the plan’s notice of privacy practices.

Of course, this means that a health plan must also provide a process for individuals to make complaints, and it may not retaliate against a person who makes a complaint, testifies against, or opposes any practice of the plan on the grounds that it violates the Privacy Rule.

Moreover, a health plan cannot require a person to waive any rights they may have under the Privacy Rule as a condition of enrolling in or receiving benefits from the plan.

A health plan must implement policies and procedures with respect to PHI that are reasonably designed to ensure compliance with the Privacy Rule.

A health plan must mitigate, to the extent practicable, any harmful effect that is known to the plan of a use or disclosure of PHI in violation of its policies and procedures or the Privacy Rule by the plan or its business associates.

Notes on Mitigation

This provision is broader than the requirements for breaches of unsecured PHI, discussed below. The key is the obligation to mitigate “to the extent practicable”. The breach provision requires only notice whereas the mitigation provision may require more or less, depending on the nature of the breach. For example, if the breach entails a credit risk, credit monitoring may be appropriate. If the breach presents the possibility of medical ID theft, new member ID cards may be in order. It’s also possible no mitigation effort would be practicable and therefore no steps need to be taken.

Privacy Policy

A health plan must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

Plans must create, implement, and maintain written policies and procedures reasonably designed to ensure compliance with the Privacy Rule. Covered Entities often encapsulate such policies and procedures within a written Privacy Policy document. All self-insured plans must have a written Privacy Policy. Fully insured plans must have a Privacy Policy document if they receive PHI, subject to the two exceptions (summary health information and enrollment/disenrollment information) outlined under Implementation Requirements above.

Additionally, Employers must decide whether to create a separate policy for each Plan or create one Policy document for all Plans. Factors affecting this decision include Plan type, location of employees, and Plan eligibility. Speak with counsel about this decision.

Unlike a Plan’s Security Policy, a Privacy Policy document may contain standardized legal language to conform it to the particulars of the HIPAA regulations. However, a Plan must still customize portions of the Privacy Policy with applicable Plan details and contact information.

Privacy Policy documents may contain some or all of the following sections (based upon language from HIPAA’s Privacy Rule)
Plan Name and Definitions from HIPAA’s statute.

Creating the Privacy Policy is typically a duty of the designated Privacy Officer/Office but will require input from company personnel such as owners, directors, managers, counsel, and HR staff.

In Summary: A Privacy Policy must include information about:

It is a best practice to maintain the Privacy Policy with its Notice of Privacy Practices and additional forms in a written format and update it at least annually.

Last, a Privacy Policy often contains an Appendix of forms containing the Plan’s Notice of Privacy Practices document (as required by HIPAA), as well as any forms the Plan creates for authorizations and restrictions of PHI.  Participant request forms may include the following:

Notice of Privacy Practices

Covered Entities must provide individuals with a notice of their privacy practices for PHI.  The notice must describe:

HHS has provided a model Privacy Notice. Plans may use HHS’ Model NPP template; choose the Health Plan version!

Providing the Notice

Security Breach Notification

If the security of Unsecured PHI is breached, the Covered Entity must provide notice without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.  A breach is treated as discovered on the first day it is known to the Covered Entity or, by exercising reasonable diligence, would have been known.  A Business Associate that discovers a breach must notify the Covered Entity within the same outer limit.

This notice must be provided to:

Security Breach Definition


Breach notification applies only to “Unsecured PHI”: PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance.  That guidance points to NIST standards: encryption of data at rest consistent with NIST SP 800-111, encryption of data in motion using FIPS 140-2 validated processes (such as those described in NIST SP 800-52, 800-77, and 800-113), and destruction of storage media consistent with NIST SP 800-88.  Two practical caveats: encryption only “secures” the PHI if the decryption key was not also compromised, and redaction is specifically excluded as a means of destruction.

Since the 2013 Omnibus Rule, an impermissible acquisition, access, use, or disclosure of Unsecured PHI is presumed to be a breach unless the Covered Entity or Business Associate demonstrates a low probability that the PHI has been compromised, based on a risk assessment of at least four factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated.  The earlier “significant risk of harm” test no longer applies.  Accordingly, all Covered Entities and Business Associates must adopt, and document the results of, a risk assessment procedure.

Content of Notice

Business Associates

Relationships with Business Associates

Employers often use third-party service providers to assist with the administration of their health plans.  If that assistance requires the third party to handle PHI, it will be a “business associate” of the health plan, and the Privacy Rule strictly regulates that aspect of the relationship between the third party and the plan (as a practical matter, the sponsoring employer).  More specifically, a third-party service provider is a business associate if it:

This is permissible only if the Covered Entity and the Business Associate have entered into a written agreement (a “business associate agreement”) imposing specific obligations on the Business Associate with respect to the use, disclosure, and safeguarding of PHI.   HHS has published sample agreement provisions (see Additional Resources, below).

Pursuant to 42 CFR Part 2, self-insured plan sponsors (and applicable fully insured plan sponsors) receiving Substance Use Disorder (SUD) records as part of the administration of the group health plan (GHP) must ensure that any GHP service provider agreements, including business associate agreements, contain a statement indicating that SUD records will be protected.  For example: “42 CFR Part 2 prohibits unauthorized disclosure of these [SUD] records.”

Some employers may believe that they do not have any business associates if they have fully insured health plans.  However, employers should consider all aspects of their employee health benefit plans.  For example, an employer with a fully insured health plan may still have business associates acting on behalf of a plan if:


Employers naturally think about TPAs, consultants, accountants and auditors when they think about business associates (“BAs”). However, it’s important to analyze all vendor relationships where the vendor might have access to PHI. For example:

The Dept. of Health and Human Services has posted sample business associate agreement provisions.


HIPAA imposes civil penalties for violations:

Additional Resources

Department of Health & Human Services Web Site.

Decision Tool for help in determining who is a covered entity.

Sample business associate contract language is available on the Office for Civil Rights (OCR) website.

Department of Health & Human Services Summary of the HIPAA Privacy Rule.

HIPAA Privacy Rule and Health Information Technology (HIT).

Online Form for Submitting Notice of Breach to HHS.