HHS Issues Privacy Guidelines

Published September 1, 2001

The U.S. Department of Health and Human Services (HHS) released on July 6 the first set of privacy guidelines required by the Health Insurance Portability and Accountability Act (HIPAA). Here are some highlights, as developed by the American Hospital Association for its AHA News Now Special Report dated July 9, 2001.


  • Providers need to obtain a patient’s written consent only once. The consent document may be brief and written in general terms, but it must be preceded by notice of the covered entities’ privacy practices.
  • Providers may not use Protected Health Information (PHI) to set up appointments or to schedule surgery or other procedures for new patients without first obtaining written consent. (HHS said it will propose modifications to this provision, but did not elaborate.) Revocations of consent must be in writing.
  • Pharmacists may not fill prescriptions phoned in by a physician if the patient is a new customer and has not filed a consent form. HHS will propose modifications to this provision.
  • Pharmacists may give advice about over-the-counter medications without obtaining consent.
  • Friends or family members may pick up prescriptions for patients when they effectively verify they are involved in the patient’s care.

Minimum Necessary

  • Providers must establish policies and procedures to identify the persons or classes of persons who need access to the information to carry out their job duties; the categories or types of information needed; and conditions appropriate to such access.
  • The minimum necessary standards for the use and disclosure of PHI do not apply when patients authorize disclosures to third parties or to federal or state agencies. Application of the standards will not “impede the delivery of quality health care by preventing or hindering necessary exchanges of patient medical information among health care providers involved in treatment.”

Oral Communications

  • The rule applies to all forms of communications, electronic, written, or oral. During oral communications, providers must safeguard protected information and have in place policies and procedures that reasonably limit access to and use of PHI to the minimum necessary for treatment.
  • Providers do not, however, need to soundproof patient rooms as a way to limit overhearing oral communications.
  • Providers are not required to provide patients with access to oral communications, such as the transcript of a discussion by physicians about a patient’s treatment.

Business Associates

  • A business associate is defined as a person or entity who provides certain functions, activities, or services for or to a covered entity but is not a member of the health care provider, health plan, or other covered entity’s workforce.
  • Providers may disclose PHI to business associates only so that associates may help providers carry out health care functions, not for independent use by the associates. It is important to note, however, that the privacy regulations do not pass through to, or cause business associates to comply with, provisions of the rule.
  • Providers, plans, or other covered entities are not liable for privacy violations by business associates.
  • Business associates must provide assurances they will use the information only for the purposes for which they were engaged by the covered entity; will safeguard the information from misuse; and will help the covered entity comply with its duties to provide information about individuals to them when appropriate.

Parents and Minors

  • Treatment information regarding minors cannot be disclosed to parents when: the parent agrees the minor and the provider may have a confidential relationship; the provider reasonably believes the child may be subjected to abuse; or treating the parent as the child’s representative could endanger the child.
  • The regulations defer to determinations under other law when a state or other law does not require consent of a parent or when a court determines, or other law authorizes, someone other than the parent to make decisions for a minor.

Communications and Marketing

  • Covered entities are not marketing when they describe participating or preferred providers or plans or describe services or benefits covered by plans. The rule does not expand the ability of providers and marketers to use PHI to market goods and services to patients.

Research

  • In the course of conducting research, researchers may create, use, or disclose PHI, sometimes with authorization and sometimes without. To disclose PHI without authorization, covered entities must obtain:
      • documentation that an alteration or waiver of research participants’ authorization for disclosure of information about them has been approved by an Institutional Review Board or a Privacy Board;
      • representations from the researcher that the use or disclosure of the PHI is solely to prepare a research protocol or for similar purposes; or
      • representations from the researcher that the use or disclosure being sought is solely for research on the PHI of decedents, and documentation of the death of the individuals.

Restrictions on Government Access

  • HHS says the rule does not “require or allow any new government access to medical information.” In addition, the department says the rule will not make it easier for law enforcement agencies to get PHI, but instead “limits access to a greater degree than currently exists.”


  • The rule does not prohibit providers from reporting to consumer credit agencies, prohibit them from using collection agencies, or conflict with the Fair Credit Reporting Act. HHS says it is “not aware of any conflict” between the rule and the Fair Debt Collection Practices Act.