Privacy and Security of Health Information

The Health Insurance Portability and Accountability Act (HIPAA) and other state privacy and security laws create a right to privacy and protect personal health information. These laws help shape an environment in which patients are comfortable with the electronic sharing of health information. Ultimately, building public trust that health care professionals adhere to privacy and security laws is needed to realize the full benefit of health information exchange enabled by health information technology.

Sharing Protected Health Information Electronically

Privacy and security are important health care topics. It is essential that health care providers have online access to patient health information while, at the same time, protecting it from privacy violations and security breaches. Achieving the right balance is the key to privacy and security in the electronic health care environment.

We know that patients can be just as concerned about quality of care as they are about the privacy and security of health information. Importantly, HIPAA not only protects health information from misuse, but also enables protected health information (PHI) to be accessed, used, or disclosed when and where it is needed for patient care. For example, in certain treatment cases, health care professionals are permitted to use and disclose PHI without first obtaining an individual’s authorization.

Source: The Office of the National Coordinator for Health Information Technology (ONC), Protecting Your Privacy and Security

HIPAA Permitted Uses and Disclosures of Health Information


For more information, providers can read the Understanding Some of HIPAA's Permitted Uses and Disclosures fact sheets.

Health Care Consumers and Professionals' Role in Protecting Health Information

Read below to better understand the different roles that health care consumers and professionals play in protecting health information.

Health Care Consumers

The HIPAA Privacy and Security Rules give individuals health information privacy rights and safeguard their health information. These rights are important for you to know so you can take charge of protecting your health information and recognize when your rights are being denied.

Health information rights include, but are not limited to:

  • Your right to access your health information.
  • Your right to correct or amend your health information.
  • Your right to file a complaint.

HIPAA balances the seamless electronic disclosures of your health information with technological safeguards. To make sure that your health information is protected in a way that does not interfere with your health care, information can be used and shared for your treatment and care coordination without waiting for consent.

Your health information cannot be used or shared without written permission unless HIPAA allows it. For example, without authorization, providers cannot:

  • Give your information to your employer.
  • Use or share your information for marketing or advertising purposes or sell your information.
  • Share psychotherapy notes or information related to alcohol and substance abuse treatment that is received at federally supported treatment centers. For guidance about the confidentiality of behavioral health information and the HIPAA Privacy Rule, please see the Substance Abuse and Mental Health Services Administration (SAMHSA) website and this 42 CFR Part 2 FAQ.

Source: ONC, Protecting Your Privacy and Security

Additional Resources:

Health Care Professionals

The HIPAA Privacy and Security Rules contain detailed requirements regarding both privacy and security.

  • The Privacy Rule covers protected health information in any medium.
  • The Security Rule covers electronic protected health information.
  • The Security Rule also covers instructions for a required security risk assessment.

Importantly, the HIPAA Privacy Rule is not a list of requirements that limit the disclosure of information. HIPAA supports information sharing by:

  • Permitting disclosure of PHI to another provider for treatment, billing, or operations without first obtaining an individual’s authorization if a relationship exists (with some special considerations applied).
  • Requiring providers to provide individuals with a copy of their health information.

Source: ONC, Protecting Your Privacy and Security

With the introduction of more electronic health information, these rules have been updated to accommodate new situations. Please see the resources below for more information about how to effectively disclose and protect electronic health information.

Additional Resources:

Additional State and Federal Privacy and Security Resources

State privacy and security legislation and resources

DHS HIPAA Notices of Privacy. The Wisconsin DHS ForwardHealth Program is committed to protecting the privacy of medical information. These notices describe how medical information may be used and disclosed and how enrollees can get access to this information.

HIPAA Collaborative of Wisconsin

Wisconsin HIPAA Harmonization, 2013 Wisconsin Act 238

Federal privacy and security legislation and resources

Health Information Security and Privacy Collaborative (HISPC)

The Health Information Security and Privacy Collaborative (HISPC) was established in June 2006 by RTI International through a contract with the U.S. Department of Health and Human Services. The goal of HISPC is to identify and solve privacy and security barriers to health information exchange (HIE) and to create a knowledge base to inform future HIE activities. It has grown from 34 to 42 U.S. states and territories. Most recently, in 2008, the HISPC divided into seven multistate collaboratives, each focused on a specific project designed to develop common, replicable multistate solutions that could help reduce variation in, and harmonize, privacy and security laws, policies, and practices. Wisconsin participated in the 11-state Interstate Disclosure and Patient Consent Requirements Collaborative (IDPCRC), which documented state law requirements for disclosure of health information for treatment purposes within and across state lines.

Wisconsin's IDPCRC Scenario 1 and 2 Template (PDF) September 2008

Wisconsin's IDPCRC Scenario 3 Template (PDF) September 2008

Wisconsin's Assessment of Variation and Analysis of Solutions Report (PDF) March 2007

Wisconsin's Implementation Plan Report (PDF) April 2007

HISPC Reports on State Law, Business Practices, and Policy Variations

Final HISPC Deliverables for the seven multistate collaborative privacy and security projects completed in Phase III of HISPC. These projects focused on education, state law and consent policy, and organizational policy. June 4, 2009

HISPC's Action and Implementation Manual June 2009

Last Revised: October 12, 2017