Ann Marie T. Sullivan, M.D., Commissioner
Governor Andrew M. Cuomo


HIPAA Privacy Standards: An Overview
In enacting the 1996 Health Insurance Portability and Accountability Act (HIPAA), Congress recognized that advances in electronic technology in the health care industry could lead to an erosion of the privacy and confidentiality of patient health information. While many States have already taken steps to safeguard patient information, health plans, providers, and clearinghouses must currently rely on a patchwork of State laws and regulations that often are incomplete and, at times, inconsistent. In 1999, Congress directed the federal Department of Health and Human Services (HHS) to establish comprehensive national standards for the privacy and protection of 'individually identifiable health information'. These standards are referred to as the 'HIPAA Privacy Rule'.

HHS published the final privacy rule in August 2002. Under this rule, any use or disclosure of individually identifiable health information is prohibited except as otherwise permitted or required by the rule. HIPAA privacy standards cover medical records, health care claims and payments, benefit enrollments and disenrollments, and any other individually identifiable health information held or disclosed by health plans, health care clearinghouses and certain health care providers (i.e., providers that engage in standard electronic transactions to conduct the 'business' of health care), in any form, whether communicated electronically, on paper or verbally. Covered entities (including the NYS Office of Mental Health) have until April 14, 2003 to come into compliance with this rule.

The notion of confidentiality of individually identifying health information, particularly mental health information, is not new to the public mental health sector. In fact, it has been long recognized that inappropriate disclosure of a person's mental health information could result in that person being subjected to prejudice and stigma in his/her professional and personal life. Effective and lasting mental health therapy can take place only in an environment of privacy and trust in which the patient knows that his/her statements will be safeguarded and held in strictest confidence. New York State currently has some of the most restrictive patient confidentiality laws in the country.

What health information is covered by this rule?
The privacy standards protect health information developed or maintained by a 'covered entity' that identifies an individual. If the information has any components that could be used to identify a person, it is protected under the privacy regulation. The protection stays with the information as long as it is in the hands of the covered entity or its business associate.

Preemption of State Laws
HIPAA privacy standards preempt (supersede) all but the 'more stringent' provisions of State law. In this context, 'more stringent' means that the State law is more restrictive regarding the availability of individually identifiable patient information to third parties, and more permissive regarding its availability to the patient. In New York State, HIPAA privacy standards are thought by the Office of Mental Health to preempt some State Mental Hygiene Law provisions, although the New York standards will continue to prevail in many instances. It may, therefore, be necessary for some mental health providers and county mental health departments to modify the way in which they treat patient information in order to be in compliance with HIPAA. (For more information on NYS provisions thought by OMH to be preempted by HIPAA, please refer to the OMH HIPAA Privacy Rule Preemption Analysis.)

Key privacy provisions in a nutshell

  1. Patient Rights
    The standards provide basic rights for individuals with respect to their protected health information (PHI):
    • The right to receive a written Notice of Privacy Practices from health plans and covered providers. The notice must provide a clearly written explanation of how patient medical information will be used and disclosed, and must also inform patients of their rights with regard to their health information under the federal privacy regulations.
    • The right to access or request an amendment to one's own health records.
    • The right to receive an accounting of the instances where the individual's PHI was disclosed for purposes other than treatment, payment or health care operations, if a patient authorization was not required to be signed in order to make the disclosure.
  2. Uses and Disclosures of Protected Health Information (PHI)
    The standards prescribe when PHI can be used or disclosed:
    • Covered entities can use and disclose PHI without patient authorization for treatment, payment and health care operations purposes.
    • Unless another exception applies (e.g. for health oversight purposes, for law enforcement purposes, or the use/disclosure is required by law), patient authorization is required for any other use or disclosure of PHI (other than treatment, payment and health care operations).
  3. Administrative Requirements
    Under this rule, covered providers and payers are required to implement basic administrative procedures to protect PHI:
    • Written policies and procedures must be established to document compliance with the privacy standards.
    • Reasonable efforts must be made to disclose no more than the minimum amount of PHI necessary to accomplish the intended purpose of the use or disclosure.
    • Appropriate administrative, technical and physical safeguards must be in place to protect the security of the PHI.
    • Written agreements must be developed and used that will ensure that business associates also protect the privacy of PHI.
    • A privacy official must be designated by each covered entity. The privacy official is responsible for the development and implementation of the covered entity's privacy policies and procedures, including mandatory employee awareness training and instruction on the new privacy protection procedures.
    • A system of sanctions for employees and business associates who violate the entity's privacy policies must be developed and used.

To learn more about HIPAA privacy standards and how to come into compliance with this rule, click on the 'What Do You Need To Know' link. This material has been designed as an educational tool for local mental health departments and service providers, and it offers practical tips on how to begin to assess and remediate your privacy practices; it is not, however, intended to serve as legal guidance. Please consult your own attorney for legal assistance in developing your own HIPAA compliance strategies.

Once the OMH compliance documents are made public, they will be made available to counties and providers through this web page to use as guides and templates as they develop their own privacy policies and procedures.

Another good source of information is the 'Additional Resources/Related HIPAA Sites' link. This link features sites that were selected because they offer valuable information on provider privacy requirements and preferred privacy practices, as well as many practical tips and guidelines.

For more information on privacy-related questions please check the Privacy FAQ page or submit your own questions on-line at 'Ask CMS'.

Comments or questions about the information on this page can be directed to the Office of the Counsel.