CMS Administrative Simplification Fact Sheets

The Administrative Simplification Basics fact sheets are designed to help the health care industry understand the purpose of the HIPAA-adopted transactions and to explain which standards and operating rules govern each transaction.

HHS Updates Guidance on Disclosing PHI

The Department of Health and Human Services Office for Civil Rights (OCR) recently released a series of guidance documents clarifying how the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits disclosures of protected health information (PHI). The HIPAA FAQs for Professionals are organized into several searchable categories.

In addition, OCR and the Office of the National Coordinator for Health Information Technology (ONC) released a fact sheet explaining how HIPAA permits disclosures of PHI to support public health activities conducted by public health agencies, as authorized by state or federal law. It provides examples of how to exchange PHI for scenarios such as:

  • Reporting of disease
  • Conducting public health surveillance
  • Public health investigations and interventions
  • Exchanges subject to Food and Drug Administration jurisdiction
  • Identifying patients exposed to a communicable disease
  • Supporting medical surveillance of the workplace
  • Using certified electronic health record technology

In August 2016, the Maryland Attorney General issued an opinion on a health care provider's sharing of information with the parents or custodian of a person over the age of 18 who is having a mental health crisis.

In August 2016, CMS revised its publication, HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules. This document describes the basic legal requirements of the HIPAA Privacy, Security, and Breach Notification Rules. It explains who must comply (the covered entities), how the rules are enforced, and includes several resource links for more details.

Test your HIPAA Knowledge:  Three Data Sharing Situations

The Health Insurance Portability and Accountability Act (HIPAA) allows data sharing without patient authorization for certain health care operations activities:

1. Care coordination.
2. Quality assessment and improvement.
3. Care planning.

Experts at the Office of the National Coordinator for Health IT recently published a series of blog posts on permitted uses and disclosures of protected health information (PHI) under HIPAA. The series provides reference materials and offers clarification to physicians and patients on when they can use and disclose PHI. It also offers several examples of when physicians or hospitals can disclose PHI without patient authorization.

From April 8 AMA Wire post

Top 3 HIPAA Lessons Learned in 2015

Justin Pope, J.D., Associate Risk Manager at Professional Risk Management Services, Inc. (PRMS) shared the following three lessons from 2015:

      1. Encrypt!
      2. A “thorough and accurate” risk assessment is a great start.
      3. Technology can help and hurt.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA addresses several areas: health insurance continuity when a person changes employment, transmission and safeguarding of electronic health information, and protecting confidentiality of health care information.

HIPAA’s Privacy Rule establishes standards for the use, disclosure, and protection of all health information (electronic, paper, or oral) created or held by “covered entities.” The rule includes, for example, rights for patients to access and amend their own medical records. Every physician who transmits health information electronically (for example, for billing) must comply. This includes psychiatrists on whose behalf someone else, such as a billing service, transmits the data electronically.

A written business associate agreement must be in place with every business associate, meaning any outside party with whom patient information is shared for purposes such as billing or fee collection. Every patient must be given a written notice of privacy policies and practices at the time of the first professional service and asked to acknowledge receipt of the notice. Copies of all authorizations must be kept for at least six years. A record of disclosures of information must be kept and provided to the patient upon request.

For up-to-date details, sample forms, notices, and other resources, please visit the APA site or the DHMH site.

Protected Health Information Clarifications

HHS guidance clarifying the Privacy Rule includes the following:

  • HIPAA does not require patients to sign consent forms before doctors, hospitals, or ambulances can share information for treatment purposes
  • HIPAA does not require providers to eliminate all incidental disclosures
  • HIPAA does not cut off all communications between providers and the families and friends of patients as long as the patient does not object
  • HIPAA does not stop calls or visits to hospitals by family, friends, clergy or anyone else unless the patient objects
  • HIPAA does not prevent child abuse reporting
  • HIPAA is not anti-electronic

A complete list of HIPAA medical privacy resources is available on the HHS website.