Practice Tips

Medical Records: Privacy and Confidentiality of Protected Health Information

Maintaining the privacy and confidentiality of health information has been an expectation for decades and a regulatory requirement since the mid-1990s. Since the original privacy regulations took effect, there have been significant advances in technology, particularly in information management. The advent of electronic health records, health information exchanges, e-prescribing, patient portals and social networking (among many others) forces us to re-examine not only patient privacy but also what constitutes "health information."

Basic Confidentiality Risk Management:

  • Develop health information management policies that include confidentiality, release of information and security (paper, images and electronic).
  • Review your policies and revise them as necessary based on what is happening in your organization (e.g., a new electronic health record) and/or state or federal regulatory changes.
  • Distribute notice of privacy practices to your patients.
  • Use an Authorization for Release of Protected Health Information (PHI). PHI is defined as "individually identifiable health information."
  • Information regarding mental health, substance abuse and HIV is subject to more stringent privacy protections. The patient has the option to restrict the release of this information. The Authorization to Release Protected Health Information must specify whether or not release of such information is permitted.
  • Define what is included in the patient record, also known as the legal health record:
    • Patient information on paper and patient information stored electronically.
    • Authorizations and consents.
    • Patient e-mails regarding clinical care.
    • Copies of letters to and from the patient or on behalf of the patient regarding patient care and treatment.
    • Telephone messages/triage paper and/or electronic.
    • Diagnostic test results (final report signed off by provider).
    • Consult reports.
    • Old records from other providers.
  • Define what will not be included in the patient record (for example):
    • Administrative data such as incident reports and communications that do not relate directly to patient care such as a legal request for information.

For more information on the legal health record, please see the American Health Information Management Association website at

  • Include patients in the process:
    • Include your HIPAA compliant process for appointment reminders and communication of clinical information such as test results in your notice of privacy practices or welcome brochure.
    • Update patient contact information at every visit.
    • If e-mail or texting is used to exchange information with patients, establish a policy that includes documenting patient consent to exchange information in this manner (see our Practice Tip e-Communication: Using email, texting, recordings, and portals to promote patient communication).
    • When care is provided to minors, ensure information protected by state or federal regulations is not released without the minor's permission, and plan ahead for when they reach 18 years of age and are able to control access to all of their health information (see our Practice Tip Minors and the Right to Consent to Health Care Treatment).
    • Remember patients have a right to restrict the release of their protected health information. Develop a process to identify information that is restricted to prevent inadvertent release.
  • Use caution when faxing.
    • Avoid faxing PHI if possible.
    • Use a cover sheet.
    • Ensure the number is correct before faxing. If you use pre-programmed fax numbers, assign a staff member to periodically confirm numbers are current.
    • Do not fax extremely sensitive information such as HIV results.
    • If a sent fax is misdirected:
      • Ask that the documents be returned via mail.
      • If PHI is involved, conduct a risk assessment (see below).
    • If a received fax is misdirected:
      • Contact the sender and notify them of the error.
  • Educate staff upon hire and at least annually regarding patient privacy and protected health information. Include:
    • Office policies and procedures.
    • Identification of the Patient Privacy Officer (name and contact information).
    • Patients' rights under HIPAA (review your notice of privacy practices).
    • How to respond to requests for records.
    • Minors' rights.
    • Password and computer security.
    • What is meant by "need to know" and "protected health information" in terms of each job position.
    • Who to ask if they have questions (identification of the privacy officer).
    • How to report a breach or potential breach of confidentiality.
  • Document staff education.

Breach Notification Final Rule: Risk Assessment

The Breach Notification Final Rule, as part of the HIPAA Omnibus Rule, replaces the "harm threshold" requirement with the requirement to determine the "risk of compromise."

  1. To follow the new process, first determine whether the information in question meets the definition of protected health information (PHI) under HIPAA.
  2. A breach is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI. Such an impermissible acquisition, access, use, or disclosure is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
    1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
    2. The unauthorized person who used the protected health information or to whom the disclosure was made;
    3. Whether the protected health information was actually acquired or viewed; and
    4. The extent to which the risk to the protected health information has been mitigated.[1]
  3. Breach excludes:
    1. Any unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a Covered Entity (CE) or Business Associate (BA) if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
    2. Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, or organized health care arrangement in which the CE participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.
    3. A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.[2]
  4. Follow your policy regarding notification requirements if it is determined that the PHI has been compromised beyond what is considered a low probability.
  5. For MMIC policyholders, online cyber resources are available by logging in to our website.

[1] 45 CFR 164.402
[2] ARRA/HITECH Title XIII Section 13400; 164.402

American Health Information Management Association. (2008). Defining and Disclosing the Designated Record Set and the Legal Health Record. Available at

Federal Regulations

Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations; 45 CFR Parts 160 and 164 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule

State Regulations

Maine Confidentiality Law 22 MRSA 1711-C

Patients' Bill of Rights RSA 151:21
Medical Records RSA 332-I

Patient Privilege Statute, 12 V.S.A. 1612
Patients' Bill of Rights, 18 V.S.A. 1852(7)
Nursing Home Bill of Rights, 33 V.S.A. 7301(8)

Patient Rights Law, MGL c.111,s.70E