and a third party is involved, that third party is also not subject to HIPAA. 70
2. The HIPAA Privacy Rule
The HIPAA Privacy Rule enforces the privacy concepts of collection,
notice, consent, and authorization to use or disclose PHI. HIPAA restricts
collection or subsequent use of PHI to the “minimum necessary.” 71 To this
end, CEs must implement policies and practices to reasonably limit PHI
collected, used, or disclosed to only what is necessary for personnel to
perform their job duties. 72 Even though a CE may have access to a significant
amount of PHI, it may not disclose unrestricted copies of this information to
third parties, except at the direction and authorization of the individual or as
previously communicated and authorized. 73
HIPAA provides precise requirements for how an individual must receive
notice about a CE’s privacy practices. Individuals must receive a Notice of
Privacy Practices before a CE collects PHI, and be informed that updates to
this notice are distributed every three years or within 60 days of material
changes. 74 The Notice of Privacy Practices includes an effective date;
information about use, such as third-party use and data transfer; what type of
PHI may be collected; the identity of the CE; and information about how to file
a complaint. 75 The privacy notice must be provided upon request, posted in
an easily accessible location, written clearly and in an easy-to-read style,
provided on demand, and the notice must be complete with respect to CE and
BA practices. 76 The individual then consents to the notice by written consent
(electronic or in paper form). 77
(providing the definition of breach and its exceptions).
70. 45 C.F.R. § 160.103; Health Insurance Technology for Economic and Clinical Health
Act § 17921.
71. 45 C.F.R. § 164.502(b), 164.514(d) (2013).
72. 45 C.F.R. § 164.502(b), 164.514(d).
73. 45 C.F.R. § 164.502(b), 164.514(d). The minimum necessary rule does not apply
to disclosures to a health care provider for treatment, payment, or operational purposes; to
the individual; pursuant to an authorization; for an Office for Civil Rights (OCR) complaint
investigation; or pursuant to a legal demand; see SUMMARY OF THE HIPAA PRIVACY RULE,
U.S. DEP’T HEALTH & HUMAN SERVS. 4–11, https://www.hhs.gov/sites/default/files/privacysummary.pdf
(last revised May 2003) (explaining the instances when a CE is permitted to use
and disclose protected health information, the authorization a CE must obtain
before any use or disclosure of protected health information, and when the minimum necessary
requirement is not imposed on a CE).
74. 45 C.F.R. § 164.520. The three-year distribution depends on material changes not
being made. If material changes are made to the notice, the notice must be posted and
distributed within 60 days.
75. 45 C.F.R. § 164.520(b).
77. 45 C.F.R. § 164.506, 164.510, 164.512; Standards for Privacy of Individually
Identifiable Health Information, U.S. DEP’T HEALTH & HUMAN SERVS. (July 6, 2001),