Office of Mental Health

Information for Counties and Providers
Privacy Rule
What Do You Need to Know?

Q: Does the HIPAA privacy rule apply to my business?

A: The privacy rule applies to your business if you are a covered entity under HIPAA, i.e., if you use any of the standard HIPAA electronic transactions.

Q: When must covered entities be in compliance with this rule?

A: For most covered entities, April 14, 2003; small health plans have an additional year to come into compliance.

Q: What is Protected Health Information (PHI)?

A: PHI means individually identifiable information relating to the past, present or future physical or mental health condition of an individual, provision of health care to an individual, or the past, present or future payment for health care provided to an individual. HIPAA privacy standards cover medical records, health care claims and payments, benefit enrollments and disenrollments and any other individually identifiable health information held or disclosed by health plans, health care clearing houses and health care providers that transmit PHI electronically.

Q: What should a covered entity do to achieve compliance by April 14, 2003?

A: A good start is the nine remediation steps suggested below. Importantly, each of these steps must be documented: when it was started, what was achieved, and what further remediation activities are needed.

  1. Designate a privacy officer responsible for (a) developing and implementing the HIPAA privacy policies and procedures, and (b) for receiving complaints and providing privacy practice information to consumers.
  2. Limit the amount of PHI disclosed to the minimum amount necessary to achieve the purpose of the disclosure.
  3. Prepare a detailed Notice of Privacy Practices (NPP) which (a) details the intended and permitted use of PHI for treatment, payment and health care operations, and (b) informs patients of their right to request PHI disclosures and, under certain circumstances, to object to such disclosure.
  4. Amend business associate contracts to (a) establish the permitted and required uses and disclosures of PHI, and (b) require business associates to safeguard all PHI, report any misuse of PHI, and grant individuals access and ability to amend their PHI.
  5. Develop procedures to establish rights of individuals to
    • receive a written Notice of Privacy Practices
    • request restriction of PHI use and disclosure
    • inspect, release or amend their PHI
    • file a complaint with the covered entity privacy officer and with HHS
  6. Develop authentication procedures to verify the identity and access authority of the person requesting the PHI.
  7. Maintain documentation of all PHI disclosures for a period of 6 years. Include in the documentation the date, a description of the PHI disclosed and to whom it was disclosed. Exceptions are disclosures (a) for treatment, payment and health care operations; (b) authorized by the individual; (c) to the individual; (d) for the facility director or persons involved in the individual's care; (e) for national security/intelligence; (f) for corrections and law enforcement officials; (g) which occurred prior to April 14, 2003.
  8. Develop and implement administrative, technical and physical safeguards to protect the privacy and security of PHI from any intentional or unintentional use or disclosure violation.