HSC Privacy Office

The federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) protects the privacy and confidentiality of an individual’s health information.

Disclosure of PHI

Known as “protected health information” or “PHI”, the health information generally cannot be used or disclosed unless the individual who is the subject of the PHI has given prior written authorization or permission.

Examples

  1. Prior Written Authorization to Employer

    The individual* requests that a copy of the individual’s PHI or health records be sent to the individual’s employer. The individual must provide prior written authorization before the records can be sent.

  2. Prior Written Authorization - Interview

    The individual would like a third party, not a treatment provider, to interview the individual’s treatment provider.  The individual must provide prior written authorization that allows the treatment provider to discuss the individual’s treatment PHI with the third party.

Breach of PHI

HIPAA requires that an individual’s PHI be reasonably safeguarded. (Learn more about record disposal.) Loss of hard copy PHI or unencrypted electronic PHI can result in a breach of PHI that will require a breach notification letter to be sent to the affected individual.

Examples

  1. Safeguarding Health Records

    Medical record documents left unattended in the cafeteria constitute a breach of PHI.

  2. Encrypted Laptop

    A laptop containing unencrypted PHI is stolen from a car.  The loss of the laptop constitutes a breach of PHI.

  3. Workforce Curiosity - Data Breach

    A workforce member** accesses PHI for information about co-workers, friends, or family members out of curiosity (i.e., without a medical or business-related purpose). This unauthorized access constitutes a breach of PHI.

Individual Rights

An individual has several basic rights associated with their Protected Health Information.

The Right to...



* Under HIPAA, "individual" means the person who is the subject of the protected health information.

** Under HIPAA, "workforce member" means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. A person is acting under the authority of a covered entity or business associate if he or she is acting on its behalf. This may include a workforce member of a covered entity, an employee of a business associate, or even a business associate of a covered entity.

Privacy Words



THE IMPORTANCE OF PRIVACY

"Privacy is a fundamental right. As such it must be viewed differently than any ordinary economic good. . . 

In 1890 Louis D. Brandeis and Samuel D. Warren defined the right to privacy as 'the right to be let alone.'
(See L. Brandeis, S. Warren, 'The Right To Privacy', 4 Harv.L.Rev. 193.)

More than a century later, privacy continues to play an important role in Americans' lives."

~ Preamble, Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82464, 82465 (Dec. 28, 2000).