Compliance Glossary

The HIPAA Privacy Rule sets standards for safeguarding individuals’ medical records and identifiable health information, commonly known as PHI. 

For example, discussions between doctors and patients should occur privately, and patients may prefer to be contacted on their cell phones rather than at home. Even well-meaning family members may not necessarily access a loved one’s medical information.

Ethical healthcare practices have traditionally emphasized keeping patients’ medical data confidential. HIPAA has formalized this responsibility for covered entities, including healthcare providers, health plans, healthcare clearinghouses, and business associates who transmit health information electronically.

Confidential communication

Healthcare practitioners should ensure confidential communication with patients in line with their preferences. While medical discussions should be private, practitioners can share medical information with a patient’s immediate family or close friends if related to the patient’s care payment by limiting information exchange to what’s necessary. 

Personal representatives authorized by the patient have the same access and confidentiality rights, although practitioners may restrict information if there are concerns about domestic violence, abuse, or neglect.

Certain situations may require disclosure by law, typically when a patient’s condition poses a risk to others. 

For example, infectious diseases like COVID-19, HIV, syphilis, and tuberculosis must be reported to public health agencies. Signs of abuse or neglect, including child, adult, or elder abuse, are generally reported to protective services. 

Conditions affecting a patient’s ability to drive, such as dementia or recent seizures, may need to be reported to the Department of Motor Vehicles in some states.