
Office of Mental Health

Privacy Rule

HIPAA Privacy Standards: An Overview
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. In 1999, Congress directed the federal Department of Health and Human Services (HHS) to establish comprehensive national standards for the privacy and protection of 'individually identifiable health information'. These standards are referred to as the 'HIPAA Privacy Rule'.

HHS published the final privacy rule in August 2002. Under this rule, any use or disclosure of individually identifiable health information is prohibited except as otherwise permitted or required by the rule. HIPAA privacy standards cover medical records, health care claims and payments, benefit enrollments and disenrollments, and any other individually identifiable health information held or disclosed by health plans, health care clearinghouses and certain health care providers in any form, whether communicated electronically, on paper or verbally.

It has been long recognized that inappropriate disclosure of a person's mental health information could result in that person being subjected to prejudice and stigma. Effective and lasting mental health therapy can take place only in an environment of privacy and trust in which the patient knows that his/her statements will be safeguarded and held in strictest confidence. New York State currently has some of the most restrictive patient confidentiality laws in the country.

What health information is covered by this rule?
The privacy standards protect health information developed or maintained by a 'covered entity' that identifies an individual. If the information has any components that could be used to identify a person, it is protected under the privacy regulation. The protection stays with the information as long as it is in the hands of the covered entity or its business associate.

Preemption of State Laws
HIPAA privacy standards preempt (supersede) all but the 'more stringent' provisions of State law. In this context, 'more stringent' means that the State law is more restrictive regarding the availability of individually identifying patient information to third parties, and more permissive regarding its availability to the patient.

In New York State, HIPAA privacy standards are thought by the Office of Mental Health to preempt some State Mental Hygiene provisions, although the New York standards will continue to prevail in many instances. It may be necessary for some mental health providers and county mental health departments to modify the way they treat patient information, in order to be in compliance with HIPAA. (For more information on NYS provisions thought by OMH to be preempted by HIPAA, please refer to the OMH HIPAA Privacy Rule Preemption Analysis.)

Key privacy provisions in a nutshell

  1. Patient Rights
    The standards provide basic rights for individuals with respect to their protected health information (PHI):
    • The right to receive a written Notice of Privacy Practices from health plans and covered providers. The notice must provide a clearly written explanation of how patient medical information will be used and disclosed, and must also inform patients of their rights with regard to their health information under the federal privacy regulations.
    • The right to access or request an amendment to one's own health records.
    • The right to receive an accounting of the instances where the individual's PHI was disclosed for purposes other than treatment, payment or health care operations, and for which a signed patient authorization was not required in order to make the disclosure.
  2. Uses and Disclosures of Protected Health Information (PHI)
    The standards prescribe when PHI can be used or disclosed:
    • Covered entities can use and disclose PHI without patient authorization for treatment, payment and health care operations purposes.
    • Unless another exception applies (e.g. for health oversight purposes, for law enforcement purposes, or the use/disclosure is required by law), patient authorization is required for any other use or disclosure of PHI (other than treatment, payment and health care operations).
  3. Administrative Requirements
    Under this rule, covered providers and payers are required to implement basic administrative procedures to protect PHI:
    • Written policies and procedures must be established to document compliance with the privacy standards.
    • Reasonable efforts must be made to disclose no more than the minimum amount of PHI necessary to accomplish the intended purpose of the use or disclosure.
    • Appropriate administrative, technical and physical safeguards must be in place to protect the security of the PHI.
    • Written agreements must be developed and used that will ensure that business associates also protect the privacy of PHI.
    • A privacy official must be designated by each covered entity. The privacy official is responsible for the development and implementation of the covered entity's privacy policies and procedures, including mandatory employee awareness training and instruction on the new privacy protection procedures.
    • A system of sanctions for employees and business associates who violate the entity's privacy policies must be developed and used.

To learn more about HIPAA privacy standards and how to come into compliance with this rule, review the 'Need To Know' section. This material is an educational tool for local mental health departments and service providers, and it offers practical tips on how to begin to assess and remediate your privacy practices. It is not intended to serve as legal guidance.

Please consult your own attorney for legal assistance in developing your own HIPAA compliance strategies.