HIPAA Guidelines for Healthcare Professionals

HIPAA Guidelines for Clinical Practice

After reading the information, you should be able to:

  1. Identify the purpose of HIPAA regulation.
  2. Explain the Privacy Rule.
  3. Apply the Privacy Rule to clinical practice by explaining how to maintain the confidentiality of PHI.

Important Acronyms related to HIPAA regulations include:

  • HIPAA:  Health Insurance Portability and Accountability Act of 1996
  • PHI:  Protected Health Information
  • NPP:  Notice of Privacy Practices
  • TPO:  Treatment, Payment, Healthcare Operations


When a patient sees a healthcare provider (e.g. doctor, nurse practitioner, dentist, pharmacist, etc.) or is admitted to a hospital, a record is made of one’s health information.  In previous years (before computers), this information was generally kept in paper files that were locked away in an office or storage area.  Today, with the growing use of electronic record keeping and transfer of information, protection of an individual’s confidentiality and privacy is needed.

In 1996, President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA).  This law:

  • Ensures continuity of healthcare coverage of individuals who are changing jobs;
  • Includes a provision that impacts the management of health information;
  • Seeks to simplify the administration of health insurance; and
  • Aims to combat waste, fraud, and abuse in health insurance and health care.

Developed by the Department of Health and Human Services (HHS) and passed by Congress, the standards provided individuals with greater access to their health records and greater control over how their personal health information is used and/or disclosed.  HIPAA refers to uniform, federal regulations and does not alter any state laws concerning public health.

Within this complex and comprehensive law are five titles or divisions.  Of greatest interest to you, a student/faculty entering a clinical area to provide direct patient care, is Title II, or the Privacy Rule.  The Privacy Rule of HIPAA directs the use and disclosure of protected health information (PHI) communicated electronically, verbally, or in written form.  With this federal law, individuals have greater privacy protections regarding their healthcare information.

Who must follow this law?

  • Most doctors, nurses, pharmacies, hospitals, clinics, nursing homes, and many other health care providers
  • Health insurance companies, HMOs, and most employer group health plans
  • Certain government programs that pay for health care such as Medicare and Medicaid

Communication of healthcare information has an essential role in ensuring that individuals receive prompt and effective healthcare.  HIPAA establishes provisions to encourage electronic transactions with new safeguards in order to protect the security and confidentiality of health information.

What information is protected by the federal law?

  • Information doctors, nurses, and other health care providers put in the medical record of an individual
  • Conversations that a healthcare provider has about a patient’s care or treatment with nurses or others
  • Information about an individual in the health insurer’s computer system
  • Billing information at a clinic or other agency
  • All medical records and other individually identifiable health information, whether communicated electronically, on paper, or orally

In this presentation, the following key sections of the law will be reviewed:

  1. Consumer control over health information
  2. Boundaries on medical record use and release
  3. Ensuring the security of personal health information
  4. Establishing accountability for medical records use and release
  5. Balancing public responsibility with privacy protections

Consumer Control Over Health Information:

With HIPAA regulations, patients have significant new rights to understand and control how their health information is used.  Healthcare providers and health plans are required to give patients a clear written explanation of how a provider or plan will use, keep, and disclose information.  The explanation involves a written document that is often labeled as “Notice of Privacy Practices” (NPP).  It must tell the individual how the healthcare provider will use personal information and how it will be protected.  In most cases, this is provided on an individual’s first visit to a healthcare provider or is sent by mail from the health insurer.  For hospitals, it is given to the patient upon admission.  Patients generally will be asked to sign, initial, or otherwise acknowledge that they received this notice.  The NPP also explains how patients can get access to their medical information.

The patient may ask for and receive a copy of his/her medical record and other health information.  Health plans, doctors, hospitals, clinics, nursing homes, and other agencies should provide access to these records within 30 days. The individual may be required to pay for the cost of copying and mailing the information.  If the person finds an error in the record or wishes to have additional information included, he/she has the right to ask for the correction or addition.  For example, if a patient and hospital agree that the file has the wrong result for a test, the hospital must change it.  Even if the hospital believes that the test result is correct, the individual still has the right to have the disagreement noted in the file.  One exception to this rule is if either the patient or someone else may be harmed by the disclosures.  An example of this would be domestic violence situations.

Under the privacy rule, patients can request that their doctors, health plans, and other covered agencies take reasonable steps to ensure that their communications with the patient are confidential.  An example of a request for confidential communications would be a patient who asks a doctor to call his or her office rather than home.  The doctor’s office should comply with the request if it can be reasonably accommodated.

Boundaries On Medical Records Use and Release:

The HIPAA Privacy Rule sets limits on how health plans and covered healthcare providers may use individually identifiable health information.  To promote the best quality care for patients, the rule does not restrict the ability of doctors, nurses, and other providers to share information needed to treat their patients.  Personal health information generally may not be used for purposes unrelated to healthcare. Agencies and healthcare providers may use or share only the minimum amount of protected information needed for a particular purpose.  In addition, the patient would have to sign a specific authorization before his/her medical information could be released to a life insurer, a bank, a marketing firm, or another outside business for purposes not related to their health care.

There are new restrictions and limits on the use of patient information for marketing purposes.  Pharmacies, health plans, and healthcare providers must first obtain an individual’s specific authorization before disclosing their patient information for marketing.  At the same time, the rule permits doctors and other healthcare providers to communicate freely with patients about treatment options and other health-related information, including disease-management programs.  For example, a health insurer is providing prescription coverage for an individual to receive a medication to control hypertension.  The health insurer may send the individual information concerning a low sodium diet and other related healthcare information.

HIPAA also allows for the flow of information among covered entities for the purpose of treatment, payment, and health care operations (TPO).  TPO is defined as activities in support of treatment and payment and for which protected health information (PHI) could be used or disclosed without individual authorization.

All hospitals keep a facility directory that lists daily the individuals who are currently receiving in-patient treatment.  The location and general condition (e.g. good, stable, fair) of a patient will be listed in the facility directory unless a patient chooses not to be listed.  When a patient chooses not to be listed, no information regarding the patient can be disclosed.  This includes whether the individual is currently hospitalized.

Ensuring the Security of Personal Health Information:

Communication of health care information requires that reasonable safeguards be implemented.  Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals’ health information.  Examples include:

  • Speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area;
  • Avoiding using patients’ names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
  • Isolating or locking file cabinets or record rooms; or
  • Providing additional security, such as passwords on computers that maintain personal information.

It is important that a healthcare provider is allowed to have access to patients’ medical records if needed, but when such access is not necessary, the information should be protected and access should be denied.  For example, an X-ray technician needs access to Patient X’s file to determine if he/she can stand for a chest x-ray or if a portable x-ray will be needed.  It is necessary for the technician to know this information so he/she can determine which technique to use.  However, the same x-ray technician should not have access to Patient X’s chart just because he/she is a neighbor of the technician; in this instance, such access is not medically necessary and therefore is prohibited by HIPAA.  An incidental use or disclosure of personal health information, such as another worker overhearing a conversation about a patient, would also be a violation of the Privacy Rule.

PHI is any information created or received by a healthcare provider, health plan, employer or healthcare clearinghouse.  This includes information that relates to a person’s present or future physical or mental health condition.  PHI is any written or verbal communication that directly identifies the patient (e.g. name, address, social security number, admission date, telephone number, etc.).  PHI also includes any written or verbal communication of information that is sufficiently specific so that the person can be identified.

Healthcare providers, health insurers, and healthcare agencies must develop written privacy procedures.  These procedures must include who has access to protected information, how it will be used within the agency, and when the information would or would not be disclosed to others.  Steps must also be taken to ensure that business associates protect the privacy of health information.

For most disclosures, such as information submitted with bills, covered agencies and healthcare providers are required to send only the minimum information needed for the purpose of the disclosure.  According to the Minimum Necessary rule, when PHI is used, disclosed, or requested, reasonable efforts must be taken to determine how much information will be sufficient to serve the intended purposes. To assist with treatment, providers are able to transmit comprehensive information.  For example, an elderly person develops chest pain while vacationing in Illinois.  The individual’s private physician would be able to transmit detailed medical information about previous cardiac treatments to assist in the care of this individual.  The private doctor would not be able to transmit information that was not related to the current health care situation such as previous treatment for depression, however.  Healthcare providers have full discretion in determining what personal health information to include when sending patients’ medical records to other providers for treatment purposes.  The standards specify procedures for electronic transmission and authentication of signatures.
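As an added illustration (not part of this training module), the following Python sketch models the Minimum Necessary and TPO rules described above: treatment, payment and operations disclosures pass without a signed authorization, marketing does not, each purpose receives only its permitted record sections (the chest-pain scenario: cardiac history is sent, unrelated depression history is not), and every disclosure is logged so the patient can later obtain an accounting of who received their information. The section names, the purpose table and the sample record are constructed assumptions, not an HHS-defined mapping.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Purposes that may use PHI without a signed authorization (TPO).
TPO = {"treatment", "payment", "operations"}

# Minimum Necessary: the record sections each purpose may receive.
# Constructed policy for illustration, not a regulatory table.
ALLOWED_SECTIONS = {
    "treatment": {"demographics", "allergies", "medications", "problems"},
    "payment": {"demographics", "procedure_codes"},
    "operations": {"procedure_codes"},
    "marketing": {"demographics"},
}

@dataclass
class Disclosure:
    recipient: str
    purpose: str
    sections: Tuple[str, ...]
    when: date = field(default_factory=date.today)

# Accounting of disclosures: the list a patient may request once a year.
DISCLOSURE_LOG: List[Disclosure] = []

def disclose(record: Dict, recipient: str, purpose: str,
             authorized: bool = False, condition: Optional[str] = None) -> Dict:
    """Return the minimum-necessary view of `record` for `purpose`, or raise."""
    if purpose not in ALLOWED_SECTIONS:
        raise ValueError(f"unknown purpose: {purpose}")
    # Non-TPO purposes (e.g. marketing) need the patient's authorization first.
    if purpose not in TPO and not authorized:
        raise PermissionError(f"{purpose} disclosure requires patient authorization")
    view = {k: v for k, v in record.items() if k in ALLOWED_SECTIONS[purpose]}
    # For treatment, narrow the problem list to the presenting condition:
    # cardiac history goes to the emergency department, unrelated history does not.
    if purpose == "treatment" and condition and "problems" in view:
        view["problems"] = [p for p in view["problems"] if p["system"] == condition]
    DISCLOSURE_LOG.append(Disclosure(recipient, purpose, tuple(sorted(view))))
    return view

# Constructed sample record for the chest-pain scenario (placeholder values).
SAMPLE_RECORD = {
    "demographics": {"name": "Patient X", "dob": "1940-01-01"},
    "allergies": ["penicillin"],
    "medications": ["aspirin", "metoprolol"],
    "problems": [
        {"system": "cardiac", "note": "stent placed 2019"},
        {"system": "psychiatric", "note": "treated for depression 2015"},
    ],
    "procedure_codes": ["PROC-PLACEHOLDER-001"],
}
```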

Establishing Accountability For Medical Records Use and Release:

Agencies and healthcare providers must train their employees in their privacy procedures and must designate an individual to be responsible for ensuring that the procedures are followed.  If an employee fails to follow these procedures, appropriate disciplinary action must be taken.

If an individual believes that his/her information was used or shared in a way that is not allowed under the privacy law, or if an individual is prevented from exercising his/her rights, he/she can file a complaint with the healthcare provider or health insurer.  The privacy notice given to the patient by the healthcare provider explains how to file a complaint.  A complaint may also be filed with the U.S. Government.  Information related to filing a complaint with the federal government is found at: www.hhs.gov/ocr/hipaa/

Penalties for covered entities that misuse personal health information are provided in HIPAA.  Health plans, providers, and other agencies that violate HIPAA standards would be subject to civil liability.  Civil money penalties are $100 per incident, up to $25,000 per person, per year, per standard.  There are also federal criminal penalties for health plans, healthcare providers, and other agencies that knowingly and improperly disclose information or obtain information under false pretenses.  Willful disclosure of PHI can result in personal fines of $50,000 and a prison term of one year.  Penalties are even higher for actions designed to generate money from the disclosure of PHI.  Penalties include monetary fines and/or imprisonment for up to ten years.

Balancing Public Responsibility With Privacy Protections:

Under the law, health care information may be used and shared for particular reasons.  Examples of when it is acceptable to share healthcare information include monitoring the quality of healthcare given by physicians, making sure nursing homes are clean and safe, reporting when the flu is in a particular area, or making required reports to the police, such as reporting gunshot wounds.  An individual can ask for and get a list of who has received his/her health information along with the reasons for disclosures.  All individuals can receive this report free, once a year.

In limited circumstances, healthcare providers may disclose health information for specific public responsibilities.  These permitted disclosures of health information include:

  • Emergency circumstances
  • Identification of the body of a deceased person or cause of death
  • Research with proper patient authorization
  • Public health needs (e.g. mandatory reporting of syphilis)
  • Judicial and administrative proceedings (e.g. determining if a specific type of breast implant causes harm to the patient)
  • Limited law enforcement activities (e.g. if a doctor is being investigated for providing harmful drugs to many patients)
  • Activities related to national defense and security (e.g. possible exposure to anthrax)

Direct Application to Student/Faculty Nurses:

How does HIPAA impact you, the nursing student/faculty?

Everyone working in a healthcare agency must always be aware of the release, use, storage, and disposal of PHI.

As a student/faculty nurse, you are considered to be a healthcare provider, and therefore, you MUST comply with the HIPAA regulations.  In addition, you need to be aware of how the agency where you are providing direct patient care complies with the HIPAA regulations.  Of critical importance is the protection of patient healthcare information.  Charts, medical records, and computer screens displaying them should not be visible to the general public.  Medical records and PHI should not be disposed of in the trash.  Instead, these papers are placed in a confidential disposal bin, the contents of which are shredded at a later time.  When using a speakerphone, close the door to the room so that others are unable to hear the conference.  Fax transmittals should include a coversheet, and the coversheet should include a confidentiality notice.  A fax machine receiving PHI should be in a secured area so that information is not readily accessible.  Computer applications should not be left open when unattended.  Computer IDs should be kept where no one else can find them.  IDs and passwords should never be shared with anyone.  Printers receiving confidential information should not be left unattended during printing.  Discussion regarding patient information must be conducted in a location where it cannot be overheard.  Conversations regarding patients should be avoided in elevators and cafeterias.  When working on the telephone, never leave PHI on voice mail.  Be very careful when talking to family members in a waiting room.

In the learning situation, you may have full access to patient information, but only if you are correctly identified with an ID badge. The medical records may be accessed and read, but information cannot be shared outside of the learning environment.  For example, it is acceptable to discuss information in a conference setting with fellow students/faculty and your instructor, but it is not acceptable to discuss this information away from the conference (e.g. telling your husband about your patient).

Another serious concern is pre-planning.  All instructors will expect that you have read the medical records of assigned patient(s) and are prepared to present/discuss the clinical situation.  This requires that you take notes so you can review the information in your textbook.  However, these notes must be strictly guarded.  Identifying information such as a patient’s name or room number must not be included.  You may NOT make photocopies of laboratory values, medication profiles, or any other medical record papers/documentation for your use or review.  When providing care, all notes that you have made should be kept strictly private and carried in your pocket so that other individuals cannot read the information.  All discussions of a clinical nature (e.g., why Ms. X, who has congestive heart failure, is experiencing renal failure) must take place in a private location and with a tone of voice that cannot be overheard by individuals not involved in the direct care of the individual.  Certainly, sharing any information that would allow someone listening to the conversation to identify the individual being discussed is strictly prohibited and would be a serious violation of HIPAA rules.


Evaluate your knowledge of the review material by taking the HIPAA Exam.