The HIPAA Privacy Rule and the FIPPs
The Privacy Rule is HIPAA's most detailed implementation of the Fair Information Practice Principles (FIPPs). Key protections include privacy notices delivered no later than first service delivery, individual authorizations, the minimum necessary standard, rights of access, amendment, and accounting of disclosures, safeguards, and accountability. The Office for Civil Rights (OCR) within HHS is the primary Privacy Rule enforcer.
- Privacy notices: a covered entity must provide its notice of privacy practices no later than first service delivery; a provider with only an indirect treatment relationship need not deliver it, and in an emergency treatment situation it is delivered as soon as reasonably practicable afterward
- Authorizations: HIPAA itself permits use and disclosure for TPO (treatment, payment, and health care operations); most other uses and disclosures require the individual's written, opt-in authorization; psychotherapy notes are subject to stricter rules; a covered entity (CE) generally may not condition treatment, payment, enrollment, or eligibility on the individual signing an authorization
- Minimum necessary: limit each use, disclosure, or request to the minimum needed for the purpose; the standard does not apply to disclosures to or requests by a health care provider for treatment, to disclosures to the individual, or to uses and disclosures made under a valid authorization
- Access and amendment: individuals may inspect, copy, and request amendment of PHI in the designated record set; if the CE denies an amendment, the individual may file a written statement of disagreement, which the CE must include with (or link to) future disclosures of the disputed information
- Safeguards: appropriate administrative, physical, and technical safeguards for all PHI in any form (the Security Rule's more prescriptive controls apply only to electronic PHI)
- Accountability: designate a privacy official, train personnel, maintain complaint procedures
Use and disclosure for TPO needs no separate authorization. Most other uses and disclosures require the individual's opt-in authorization. Marketing communications generally require an authorization, but a face-to-face communication between the CE and the individual is not treated as marketing.