CIPP/US Study Guide
Chapter 8: Medical Privacy

Limits and Exceptions to the Privacy Rule

The Privacy Rule does not apply to deidentified information and offers flexibility for research. Other exceptions allow disclosure without consent for public health, abuse reporting, legal proceedings, and law enforcement. Post-Dobbs guidance stresses that the Rule permits, but does not require, law enforcement disclosures.

The Privacy Rule does not apply to deidentified information. Two methods exist: Safe harbor deidentification (remove at least 18 listed data elements) or Expert determination (a qualified expert certifies that the re-identification risk is very small).

Exceptions and other permitted or required disclosures:
  • Research: with individual consent, or without consent if an IRB approves it consistent with human-subjects rules; permitted on deidentified data; more flexible with a limited data set
  • Public health activities
  • Reporting victims of abuse, neglect, or domestic violence
  • Judicial and administrative proceedings; certain law enforcement; specialized government functions
  • Required release to the individual (or representative) and to the HHS secretary for compliance investigations

Reproductive health after Dobbs

After the Supreme Court overturned Roe v. Wade in 2022, HHS clarified that the Privacy Rule permits but does NOT require covered entities to disclose PHI for law enforcement purposes, and such permissions are narrowly tailored.

Key terms - quick answers

What is “Safe harbor deidentification”?
Removing at least 18 listed data elements (name, phone, address, etc.) to deidentify data under the Privacy Rule.
What is “Expert determination”?
The deidentification method where a qualified expert certifies the re-identification risk is very small.
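The Safe harbor method described above, worked through as an added example that is not part of the study guide: the 18 identifier categories follow the HIPAA Safe Harbor standard (45 CFR 164.514(b)(2)), while the record field names, the reference date, the restricted ZIP set and the sample records are assumptions constructed for this example.

```python
# Added example (not from the study guide): Safe Harbor deidentification of a
# patient record per 45 CFR 164.514(b)(2). Field names, reference date and the
# restricted ZIP3 set are assumptions for illustration.
from datetime import date

# Identifier categories that Safe Harbor removes outright (field names assumed).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric_id", "photo",
}
# ZIP3 areas with 20,000 or fewer residents must be reported as "000".
# Constructed placeholder set; the real list is derived from Census data.
RESTRICTED_ZIP3 = {"036", "059", "102"}

def age_on(reference: date, birth: date) -> int:
    """Whole years elapsed from birth to the reference date."""
    return reference.year - birth.year - ((reference.month, reference.day) < (birth.month, birth.day))

def deidentify(record: dict, reference: date = date(2024, 1, 1)) -> dict:
    """Return a Safe Harbor deidentified copy of record (the input is not modified)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                  # category removed entirely
        if key == "zip":
            zip3 = str(value)[:3]                     # keep only the first three digits,
            out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3  # unless restricted
        elif key.endswith("_date"):
            out[key[:-5] + "_year"] = value.year      # all date elements except the year
        else:
            out[key] = value                          # clinical data is retained
    if "birth_date" in record:
        age = age_on(reference, record["birth_date"])
        if age > 89:
            # ages over 89, and any date element that would reveal them, collapse to "90+"
            out.pop("birth_year", None)
            out["age"] = "90+"
        else:
            out["age"] = age
    return out

# Constructed sample records, not real patient data.
SAMPLE_RECORD = {"name": "Jane Doe", "ssn": "000-00-0000", "zip": "02139",
                 "birth_date": date(1950, 6, 15), "admission_date": date(2023, 11, 2),
                 "diagnosis": "J45.909"}
SAMPLE_ELDERLY = {"name": "John Roe", "zip": "03601", "birth_date": date(1930, 1, 1),
                  "diagnosis": "I10"}
```

Expert determination has no equivalent mechanical check: the residual re-identification risk of the output above (a three-digit ZIP, a birth year and a diagnosis) is exactly what an expert would be asked to assess.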