Although CEs must adhere to the minimum necessary requirement when
handling PHI, CEs may use, transfer, or disclose PHI pursuant to individual
authorization. 78 When a CE uses an individual’s PHI for purposes beyond the
scope of necessity outlined in the privacy notice, written consent
(authorization) communicating the details of this use is required from the
3. The HIPAA Security Rule
In contrast to the HIPAA Privacy Rule, which relies on standard privacy
principles and clear rules, the HIPAA Security Rule applies risk management
techniques to manage data confidentiality, integrity and availability for
PHI. 80 Risk management techniques typically offer more overall flexibility
for an organization to choose a particular solution to comply with the HIPAA
Security Rule. 81
The HIPAA Security Rule organizes implementation specifications into
two categories: addressable and required. 82 In contrast with a required
https://aspe.hhs.gov/basic-report/standards-privacy-individually-identifiable-health-information. Individuals can also use electronic signatures. Although the use of electronic
signatures is not definitely prescribed under HIPAA, the Electronic Signatures in Global and
National Commerce (E-SIGN) would apply to the Notice of Privacy Practices; see Kathy
Bakich & Kaye Pestaina, Security and Electronic Signature Standards, EMPLOYER’S GUIDE
TO HIPAA PRIVACY REQUIREMENTS ¶ 1030 (Kathryn Bakich & Joanne Hustead eds., 2015),
Westlaw (database updated 2016) (explaining that the standards for electronic signatures were
never finalized in the security rules).
78. 45 C.F.R. § 164.506.
79. 45 C.F.R. § 164.506, 164.508. CEs must receive authorization before collecting data
beyond the minimum necessary rule. A hallmark of HIPAA, the minimum necessary rule
ensures limitations on abuse of data collection, such as transfer to third parties or gathering of
data not pertinent to the administration of treatment or procurement of other health services
like insurance. HITECH, which amended and updated HIPAA provisions in 2009, explicitly
established that CEs may not sell an individual’s PHI without additional authorization. See
Schick, supra note 62, at 408–18. HITECH also provided additional enhancements, such as
explicit obligations for BAs to follow HIPAA, a co-extensive responsibility to sign a Business
Associate Agreement (BAA), and authorization for the Office for Civil Rights to audit CEs
and BAs to ensure compliance; see also Howard Anderson, The Essential Guide to HITECH
Act, HEALTHCARE INFO SECURITY (Feb. 8, 2010),
http://www.healthcareinfosecurity.com/essential-guide-to-hitech-act-a-2053 (summarizing the major data security components
of the HITECH Act).
80. 45 C.F.R. § 160, 164; see generally U.S. DEP’T HEALTH & HUMAN SERVS., 2 HIPAA
SECURITY SERIES 3 (2004),
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/security101.pdf (explaining how the Security Rule applies to CEs and
providing assistance with implementation of the security standards).
81. U.S. DEP’T HEALTH & HUMAN SERVS., supra note 80, at 8.
82. 45 C.F.R. § 164.306(d); What is the Difference Between Addressable and Required
Implementation Specifications in the Security Rule?, U.S. DEP’T HEALTH & HUMAN SERVS.,
addressable-and-required-implementation-specifications/index.html (last visited Nov. 8,
2016) [hereinafter Addressable and Required Implementation].