What is the Privacy Rule?
Addresses the use and disclosure of PHI by covered entities and business associates
Conditions that allow use or disclosure of PHI
- Direct communication with individual about his/her PHI
- With individual’s written authorization or other legal agreement
- Without the individual’s authorization if used for treatment, payment, and operations (TPO)
- In other limited situations specifically allowed by HIPAA
HIPAA’s minimum necessary standard requires we limit use and disclosure of PHI to only what’s needed to accomplish the goal