
The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.

How to Comply with the Privacy Rule

Learn about the Privacy Rule and the forms you will need to have in your office to comply. Be advised that the Notice of Privacy Practices has been updated.

by David G. Jensen, JD
Staff Attorney
May/June 2003

Updated August 2010 by David G. Jensen, JD, Staff Attorney
Updated October 2012


The Privacy Rule, which is just one component of HIPAA, has been created to give your patients more rights and control over their health information. The Privacy Rule also imposes upon covered providers a duty to take appropriate administrative, technical, and physical precautions to ensure that patient information is kept confidential. However, these administrative, technical, and physical safeguards are more fully spelled out in the Security Standards, which are another, separate component of HIPAA. The deadline for complying with the Security Standards is April 21, 2005. The deadline for complying with the Privacy Rule, however, is April 14, 2003. Consequently, to comply with the Privacy Rule, marriage and family therapists who are covered entities must understand the rights that patients have under the Privacy Rule, and they must be able to address these rights in their practices.

Patient Rights
The Privacy Rule gives patients six rights, each of which is discussed in turn:

  1. The Right to Request Restrictions on Certain Uses and Disclosures of their Protected Health Information;
  2. The Right to Receive Confidential Communications from Health Care Providers;
  3. The Right to Inspect & Receive a Copy of Their PHI;
  4. The Right to Receive an Accounting of Disclosures of Their PHI;
  5. The Right to Amend Their PHI; and,
  6. The Right to Receive a Paper Copy of Your Notice of Privacy Practices.

The Right to Request Restrictions on Certain Uses and Disclosures of Protected Health Information
Under the Privacy Rule, your patients have the right to request restrictions on how you will use their Protected Health Information ("PHI"), which is any individually identifiable health information that is maintained by you in any form, i.e., paper or electronic. Your patients also have the right to request restrictions regarding to whom you will disclose their PHI for treatment, payment, and health care operations purposes. For instance, a patient of yours who also has a psychiatrist may request that you not communicate with the psychiatrist. However, you do not have to agree to this request, because there may be times when you need to communicate with the psychiatrist as part of the patient's treatment and you should not be prohibited from doing so. On the other hand, under the Privacy Rule, you can agree to such a restriction. But if you do agree to abide by a restriction, you are bound to act in accordance with that restriction, and your failure to do so could be the basis of a complaint being filed against you. In general, we don't think that you should agree to place any restrictions on how you can use a patient's PHI or to whom you can disclose it for treatment, payment, or health care operations purposes. And we strongly recommend that you get patient authorizations, wherever possible, before disclosing any PHI.

As an aside, in light of changes to HIPAA that President Obama made in the Health Information Technology for Economic and Clinical Health Act, a provider subject to HIPAA must accept the restriction if the disclosure is to a health plan for purposes of carrying out payment or health care operations, but not treatment, and the patient's personal health information pertains to a service that the covered provider has been paid for out of pocket.

In addition to knowing about this right, complying with this aspect of the Privacy Rule involves having a form ready to allow patients to request restrictions on certain uses and disclosures of their PHI. For a sample form, please click here (Right to Request Restrictions). Once the patient submits this form to you for review, you then have to decide whether to approve or deny the request for the restriction. Keep in mind, however, that you do not have to agree to any restrictions and we strongly recommend that you do not.

Moreover, the patient's request for restrictions on uses/disclosures of PHI cannot be used to prevent the Secretary of Health & Human Services from investigating complaints about possible privacy violations committed by you, or to prohibit you from using/disclosing information that you are legally permitted or compelled to use/disclose without your patient's consent, e.g., making child, elder, or dependent adult abuse reports.

The Right to Receive Confidential Communications from Health Care Providers
Your patients have the right to request restrictions on how and where you communicate their PHI to them. For instance, a patient can request that his PHI be sent to an alternate address, or that you contact the patient only at home or work.

To comply with this aspect of the Privacy Rule, you must permit your patients to request that they receive communications of their PHI from you at alternate locations or by alternate means, which means you need a form for that purpose. For a sample Request for Restrictions on the Manner or Method of Confidential Communications, please click here (Request for Restrictions on the Manner or Method of Confidential Communications).

The Right to Inspect and/or Receive a Copy of PHI
As with California law, the Privacy Rule gives your patients the right to inspect and/or receive a copy of their PHI. However, this is an area where there is some conflict between applicable California law and HIPAA. For instance, under California law a psychotherapist, once a patient has requested a copy of the patient's file, has the right to summarize the patient's medical records in lieu of giving the patient a copy of the file. Thus, under California law, a therapist can force a client to accept a summary. Under HIPAA, however, a psychotherapist loses this option unless the patient agrees to accept a summary of his treatment. The State of California's Office of HIPAA Implementation tentatively believes that HIPAA will preempt (take precedence over) California law in this area. Consequently, our recommendations about how to respond to patient requests to inspect and/or receive a copy of their PHI are based on the Office of HIPAA Implementation's tentative conclusion that HIPAA preempts California law here; the recommendations that follow are therefore based on HIPAA and not on California law.

You can require your patients to submit in writing a request to inspect and/or receive a copy of their PHI. And although the Privacy Rule grants your patients the right to inspect and/or receive a copy of their PHI, you must decide whether to accept or deny each such request.

Accepting Requests to Inspect & Receive a Copy of PHI
If you accept a patient's request to inspect and/or receive a copy of PHI, that means that you are going to allow that patient to inspect and/or receive a copy of the patient's PHI. However, your patient must request to do this in writing. For a sample Request to Inspect & Copy PHI form, please click here (Request to Inspect & Receive a Copy of Protected Health Information). Once the request has been made, you have five (5) working days to allow your patient to inspect his/her PHI, and up to fifteen (15) days to provide him/her with copies of his/her PHI.

HIPAA allows you to prepare a summary of the patient's treatment in lieu of providing access or copies; however, the patient must agree in advance to receiving the summary and must agree to paying the fee incurred in preparing the summary.

You can charge a reasonable, cost-based fee for copying the records or preparing the summary, which includes copying costs such as supplies and labor, postage, and time spent preparing the summary.

Denying Requests to Inspect & Copy PHI
If you deny a patient's request to inspect and copy PHI that means that you are not going to allow the patient to inspect and/or receive a copy of the PHI. Again, once the initial request has been made by the patient to inspect and receive a copy of PHI, you have five (5) working days to permit inspection and fifteen (15) days to provide copies of PHI. However, should you decide to deny the request, you have 30 days to provide your patient with a written denial. In addition, you can get a one-time extension of up to thirty (30) days to respond to the request. To get this extension, within 30 days of receiving the initial request to inspect and receive a copy, you must provide your patient with a written statement concerning the reasons for the delay and you must tell your patient when you will provide the patient with your response. For a sample Response to Request to Inspect & Copy PHI form, please click here (Response to Request to Inspect & Receive a Copy of PHI).

Once you have denied a patient's request to inspect and/or receive a copy of PHI, a patient can request to have your decision reviewed by a licensed health care professional that did not participate in the original decision to deny the patient access to PHI. Keep in mind, however, that some, but not all, of your decisions to deny a patient access to PHI can be reviewed. If you denied the request to inspect and receive a copy of PHI because the information requested is (1) psychotherapy notes; (2) information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative proceeding; or, (3) information that was obtained from someone other than a health care provider under a promise of confidentiality and access to such information would be reasonably likely to reveal the source of the information, your patient cannot require you to review your decision to deny the original request.

Conversely, if you denied the request to inspect and/or receive a copy of PHI because you have determined that (1) the access requested is reasonably likely to endanger the life or physical safety of the patient or another person; (2) the PHI makes reference to another person who is not a health care provider and accessing the PHI is reasonably likely to cause substantial harm to such other person; or, (3) granting access of the patient's PHI to the patient's personal representative is reasonably likely to cause substantial harm to the patient or some other person, your patient can request that your decision to deny the request be reviewed. For a sample Request for Review form, please click here (Request for Review).

If your patient requests that your decision to deny the patient's request to inspect and/or receive a copy of PHI be reviewed, you must designate a licensed health care professional, who was not directly involved in the denial, to review your decision, and you must promptly refer the patient's request for review to the designated reviewer. The regulations are not clear as to whether the patient needs to be informed of the reviewer's identity, whether the reviewer is compensated by the patient or practitioner, if anyone, or whether the patient can even contact the reviewer. Until we receive clarification on these issues, we recommend shielding the reviewer's identity from the patient.

Once the designated reviewer has received the requisite information from you, the designated reviewer has a reasonable period of time to decide whether to allow the patient access to the patient's PHI, or whether to deny the patient access to the PHI. Once the designated reviewer informs you of his/her decision, you must then notify your patient of the designated reviewer's decision, which is final. For a sample Notification of Designated Reviewer's Decision, please click here (Notification of Designated Reviewer's Decision).

Complying with this aspect of the Privacy Rule involves understanding that patients can request to inspect and/or receive a copy of their PHI and that you can either accept or deny such requests. You also need to understand the grounds upon which you can deny requests and which denials can then be reviewed. You also need to have the requisite forms to address these issues.

The Right to Receive an Accounting of Disclosures of PHI
The Right to Receive an Accounting of Disclosures is subject to two rules: one for paper records and one for records maintained electronically. For paper records, the Privacy Rule grants your patients the right to receive from you an accounting of certain, but not all, disclosures you have made of their PHI within six years of the date that the patient makes the request for the accounting. For records maintained electronically, however, patients have a right to receive an accounting of disclosures made of their PHI within three years of the date of the request, and the accounting must include disclosures made for treatment, payment, and health care operations purposes. This rule is designed to apprise patients of who is receiving their health information.

This requirement is not as broad, however, as it appears to be because you do not have to keep track of everything. First, it applies only to "disclosures" of health information and not to "uses" of information. Remember, information is "disclosed" when it goes outside your practice, group, or organization, and it is "used" when it stays inside your practice, group, or organization. Hence, you do not have to track "uses" of health information.

Second, the accounting requirement does not apply to all disclosures, only to some. For instance, the accounting requirement does not apply to:

  1. disclosures made for treatment, payment, or health care operations purposes (unless the records are maintained electronically);
  2. disclosures made pursuant to an individual's express authorization;
  3. disclosures made to law enforcement;
  4. disclosures made to individual patients; or,
  5. disclosures made before April 14, 2003.

The disclosures listed above are not all inclusive, but they appear to be the ones that therapists are most likely to encounter in their practices. These exclusions cut out a lot of disclosures that you do not have to track. But, with so much excluded from being tracked, what's left to track? Not much really for therapists because therapists do not routinely make disclosures of patient information to public health authorities, researchers, or health oversight agencies, all of which are disclosures that some physicians have to make without the knowledge of their patients.

In general, the disclosures that you need to track are ones that have been made by you without your patient's authorization and that do not fit into one of the categories that have been excluded from the disclosure requirements. For therapists, as compared with physicians, this will entail minimal tracking, but it would presumably include tracking disclosures made pursuant to section 1024 of the California Evidence Code (danger to self or others), or to disclosures made without a patient's consent pursuant to a court order. We don't think that child, elder or dependent adult abuse reports need to be tracked because such reports are supposed to be confidential, and allowing patients to access otherwise prohibited information would defeat the confidentiality provisions of the child, elder and dependent adult abuse statutes.

Understanding how to comply with this aspect of the Privacy Rule involves knowing that:

  1. patients can request from you an accounting of disclosures;
  2. you have to maintain an accounting of disclosures of PHI on each patient for at least six years;
  3. certain information is excluded from the accounting requirement;
  4. you have 60 days to process a patient's request for an accounting of disclosures, except that if you cannot process the request within 60 days you are allowed one extension of up to 30 days if you provide the patient with a written statement of the reason for the delay and the expected completion date; and,
  5. you must provide your patient with one free accounting of disclosures requested within any 12-month period, but you may charge a reasonable fee for additional requests made during that same 12-month period.

Complying with this aspect of the Privacy Rule also entails that you have certain forms available to process patient requests for accountings of disclosures. For a sample Request for an Accounting of Disclosures form, please click here (Request for an Accounting of Disclosures). For a sample Response to Request for Accounting of Disclosures form, please click here (Response to Request for Accounting of Disclosures). For a sample Disclosure Tracking Log, please click here (Disclosure Tracking Log).

The Right to Amend PHI
The right to amend PHI is also an area where applicable California law conflicts with HIPAA, and the State of California's Office of HIPAA Implementation tentatively believes that this is also an area in which HIPAA preempts California law. Consequently, our analysis assumes that HIPAA's regulations will control.

Under the Privacy Rule, your patients have the right to request that you amend their PHI. And, once a patient has submitted such a request, you then have to decide whether you are going to accept (make the requested change) or deny the request.

You can deny the request to make the amendment if you determine that the:

  1. information was not created by you and the creator is available to make the amendment;
  2. information is not part of a designated record set, which basically means the patient's clinical file;
  3. information would not be available for inspection because the information is psychotherapy notes or prepared for some sort of legal or administrative proceeding; or,
  4. information is accurate and complete.

Complying with this aspect of the Privacy Rule requires you to understand what you need to do if you decide to accept the patient's request to amend the patient's record and what you need to do if you decide to deny the patient's request to amend his record.

Initially, the patient's request to amend PHI should be made to you in writing, and, once made, you then have 60 days to respond to the request. If you cannot respond within 60 days, you can get a one-time extension of up to 30 days to respond if you notify your patient in writing of the reasons for the delay and you give your patient a date by which you will respond to the request. For a sample Request to Amend PHI form, please click here (Request to Amend Protected Health Information).

If you decide to accept the request to amend the patient's PHI, you must make the amendment and notify the patient that you have made such amendment. For a sample form that will enable you to do so, please click here (Response to Request to Amend Protected Health Information). You must also send the amended information to persons or entities identified by the patient, and you must also send the amended information to persons or entities that you know have received the information and relied upon it before it was amended. For a sample form that will enable you to do so, please click here (Notification of Amendment to Protected Health Information).

If you decide to deny the request to amend the patient's PHI, you must give the patient a timely, written denial that includes the following information:

  1. the basis for your denial;
  2. the patient's right to submit to you a written statement disagreeing with your decision to deny the request to amend the PHI;
  3. a statement that the patient can request that you include the patient's request to amend the PHI and your denial with any future disclosures of the patient's PHI; and,
  4. a description of how the patient can file a complaint with you or the Secretary of Health & Human Services.

For a sample form, please click here (Response to Request to Amend Protected Health Information).

If the patient submits to you a Statement of Disagreement, you are entitled to, but you do not have to, prepare a Rebuttal to the patient's Statement of Disagreement. This rebuttal must be given to the patient, and it must be provided with any subsequent disclosures of the patient's protected health information. For a sample Statement of Disagreement form, please click here (Statement of Disagreement).

The Right to Receive a Notice of Privacy Practices
Under the Privacy Rule, health care providers who are covered entities must give their patients a written notice, which describes the privacy practices of such providers. This notice is referred to as the Notice of Privacy Practices ("Notice"). This Notice must be given to patients on or before the first time they receive treatment after April 14, 2003. Moreover, a copy of this Notice must also be posted on the premises of providers. HIPAA does not require the Notice to be posted in any specific place in your office; however, the spirit of the regulation suggests that it be posted in a place where it can be readily observed by your patients.

The Privacy Rule has detailed requirements for the information that goes into the Notice. In general, the Notice must:

  1. be written in plain language;
  2. contain a prominent statement about how you will use and disclose your patient's PHI;
  3. describe how you protect health information under the Privacy Rule;
  4. specify when health information may be used or disclosed without the patient's consent or authorization, i.e., mandated or permitted exceptions to confidentiality;
  5. describe the uses and disclosures that you are allowed to make for treatment, payment, and health care operations purposes;
  6. describe the rights that your patients have with respect to their PHI;
  7. notify your patients of how they may obtain access to their PHI; and,
  8. provide the name of a contact person for additional information, with such contact person being you.

You must also receive some sort of acknowledgement from your patients that they have received a copy of your Notice of Privacy Practices. This acknowledgement can be handled by including the acknowledgement in your informed consent document, or by having a separate form for the acknowledgement. For a sample Acknowledgement of Receipt of Notice of Privacy Practices, please click here (Acknowledgement of Receipt of Notice of Privacy Practices).

Consequently, complying with this aspect of the Privacy Rule involves understanding what the Notice of Privacy Practices is and being able to give a copy of it to your patients. For a sample Notice of Privacy Practices, please click here (Notice of Privacy Practices).

Miscellaneous Information
Complying with the Privacy Rule also entails designating a Privacy Officer and a Contact Person. The Privacy Officer is responsible for ensuring that the practice is compliant with applicable privacy rules & regulations. The Contact Person is the person who fields complaints concerning privacy violations from patients. For sole practitioners, the Privacy Officer and the Contact Person will undoubtedly be the same person. For a sample form, please click here (Designation of Privacy Officer & Contact Person).

Complying with the Privacy Rule also entails training employees about the Privacy Rule and documenting such training in the employee's file. Basically, a covered entity must train all members of its workforce on the entity's privacy policies and procedures as necessary for such members to carry out their respective functions. The level of training will depend upon the employee's position and duties, and whether access to PHI is necessary for the employee to carry out such duties.

Complying with the Privacy Rule also entails refraining from conducting intimidating or retaliatory acts against patients who exercise their privacy rights and not requiring patients to waive their rights under the Privacy Rule as a condition of receiving care from you.


The information contained in this article is intended to provide guidelines for addressing difficult legal dilemmas. It is not intended to address every situation that could possibly arise, nor is it intended to be a substitute for independent legal advice or consultation. When using such information as a guide, be aware that laws, regulations, and technical standards change over time, and thus one should verify and update any references or information contained herein.