Skip to Main Content

Office of Mental Health

Information for Consumers
Privacy Rule

HIPAA Privacy Standards: An Overview

In enacting the 1996 Health Insurance Portability and Accountability Act (HIPAA), Congress recognized that advances in electronic technology in the health care industry could lead to an erosion of the privacy and confidentiality of patient health information. While many States have already taken steps to safeguard patient information, health plans and health care providers must currently rely on a patchwork of State laws and regulations that often are incomplete and, at times, inconsistent. In 1999, Congress directed the federal Department of Health and Human Services (HHS) to establish comprehensive national standards for the privacy and protection of 'individually identifiable health information'. These standards are referred to as the 'HIPAA Privacy Rule'.

What health information is covered by this rule?

The privacy rule protects electronically transmitted health information that identifies an individual - medical records, patient charts, plan enrollment and disenrollment information, admission and discharge records, health care claims and payments, claims attachments, and so forth. If the health information contains any data that could be used to identify a patient, it is protected under this rule. The protection stays with the information as long as it is in the hands of a health plan or health care provider.

Preemption of State Laws

The HIPAA privacy rule preempts (supersedes) all but the 'more stringent' provisions of State law. 'More stringent' means that the State law is more restrictive when it comes to disclosing patient health information to another party, and more permissive when it comes to patient access to his/her own health information. In New York State, HIPAA privacy standards are thought by the Office of Mental Health to preempt some State Mental Hygiene provisions, although the New York standards will continue to prevail in many instances. It may, therefore, be necessary for some mental health providers and county mental health departments to modify the way in which they treat patient information. (For more information on NYS provisions thought by OMH to be preempted by HIPAA, please refer to the OMH HIPAA Privacy Rule Preemption Analysis.)

Key privacy provisions in a nutshell

A. Patient Rights
The HIPAA privacy rule establishes basic patient rights with respect to protected health information (PHI):

  • The right to receive a written Notice of Privacy Practices from your health plan and covered provider. The notice must clearly explain how patient information will be used and disclosed.
  • The right to access or request an amendment to your health records.
  • The right to receive an accounting of the instances where your PHI was disclosed for purposes other than treatment, payment or health care operations, if your signed authorization was not required in order to make the disclosure.
  • The right to inquire or make complaints to your health care provider or health plan regarding the privacy and confidentiality of your health information.

B. Disclosing Protected Health Information (PHI)
The Privacy rule prescribes when PHI can be used or disclosed:

  • Providers and health plans can use and disclose your PHI without your authorization for the purposes of treatment, payment and health care operations.
  • Your signed authorization is required for any other use or disclosure of your PHI (unless another exception applies, such as for public health oversight purposes, law enforcement, judicial and administrative proceedings, research or any other use or disclosure required by law).

C. Safeguarding Protected Health Information (PHI)
Providers and health plans must implement administrative procedures to protect your PHI:

  • Reasonable efforts must be made to disclose no more than the minimum amount of PHI necessary to accomplish the intended purpose of the disclosure.
  • Appropriate administrative, technical and physical safeguards must be in place.
  • A privacy official must be designated. The privacy official is responsible for the development and implementation of privacy policies and procedures, including mandatory employee awareness training. The privacy official must receive complaints and respond to inquiries relating to privacy practices.
  • A system of sanctions for employees and business associates who violate the privacy policies must be developed and used.

To learn more about HIPAA privacy standards, click on the 'What Do You Need To Know' link. This material has been designed as an educative tool for mental health consumers and it offers practical HIPAA tips. Another good source of information is the 'Additional Resources/Related HIPAA Sites' link. This link features sites that were selected because they offer valuable information on consumer privacy rights and provide many practical tips and guidelines.

For more information on privacy-related questions please check the Privacy FAQ page or submit your own questions on-line at 'Ask CMS'.