Ann Marie T. Sullivan, M.D., Acting Commissioner
Governor Andrew M. Cuomo

Information for Counties and Providers
Privacy Rule
What Do You Need to Know?

Q: Does the HIPAA privacy rule apply to my business?

A: The privacy rule applies to your business if you are a covered entity under HIPAA, i.e., if you use any of the standard HIPAA electronic transactions.

Tip: To determine if you are a covered entity, use the Health and Human Services (HHS) 'Covered Entity Decision Tool' on the HHS website.

Q: When must covered entities be in compliance with this rule?

A: For most covered entities, April 14, 2003; small health plans have an additional year to come into compliance.

Q: What is Protected Health Information (PHI)?

A: PHI means individually identifiable information relating to the past, present or future physical or mental health condition of an individual, provision of health care to an individual, or the past, present or future payment for health care provided to an individual. HIPAA privacy standards cover medical records, health care claims and payments, benefit enrollments and disenrollments and any other individually identifiable health information held or disclosed by health plans, health care clearing houses and health care providers that transmit PHI electronically.

Q: What should a covered entity do to achieve compliance by April 14, 2003?

A: A good start is the nine remediation steps suggested below. Importantly, each of these steps must be documented - when it was started, what was achieved and what further remediation activities are needed.

  1. Designate a privacy officer responsible for (a) developing and implementing the HIPAA privacy policies and procedures, and (b) receiving complaints and providing privacy practice information to consumers.

    Strategy: Identify an appropriate staff member to fill the role of the privacy officer and to address privacy complaints. These two roles can be handled by one or more individuals, depending on the size and complexity of your organization.

  2. Limit the amount of PHI disclosed to the minimum amount necessary to achieve the purpose of the disclosure.

    Strategy: 1. Review information flows within your organization to determine what PHI is used and disclosed, how, and to whom. 2. Update policies on the disclosure of PHI to ensure the minimum necessary rule is reflected. 3. Increase workforce awareness and understanding of the changes to current disclosure policy needed to meet HIPAA requirements.

  3. Prepare a detailed Notice of Privacy Practices (NPP) which (a) details the intended and permitted use of PHI for treatment, payment and health care operations, and (b) informs patients of their right to request PHI disclosures and, under certain circumstances, to object to such disclosure.

    Strategy: 1. Give a copy of your NPP to each patient at the first time of service delivery. 2. Develop an acknowledgement document that briefly explains your NPP and request a signed acknowledgement of the notice from the patient. 3. Document instances where the patient or his/her personal representative refused to sign the acknowledgement document.

  4. Amend business associate contracts to (a) establish the permitted and required uses and disclosures of PHI, and (b) require business associates to safeguard all PHI, report any misuse of PHI, and grant individuals access and ability to amend their PHI.

    Strategy: 1. Modify or add language to existing business associate agreements to incorporate the HIPAA privacy standards. 2. Implement business associate contracts with all outside entities performing services for your organization.

    Tip: To view sample business associate contract provisions, go to the HHS Office for Civil Rights website.

  5. Develop procedures to establish rights of individuals to
    • receive a written Notice of Privacy Practice
    • request restriction of PHI use and disclosure
    • inspect, release or amend their PHI
    • file a complaint with the covered entity privacy officer and with HHS
  6. Develop authentication procedures to verify the identity and access authority of the person requesting the PHI.
  7. Maintain documentation of all PHI disclosures for a period of 6 years. Include in the documentation the date, a description of the PHI disclosed and to whom it was disclosed. Exceptions are disclosures (a) for treatment, payment and health care operations; (b) authorized by the individual; (c) to the individual; (d) for the facility director or persons involved in the individual's care; (e) for national security/intelligence; (f) for corrections and law enforcement officials; (g) which occurred prior to April 14, 2003.
  8. Develop and implement administrative, technical and physical safeguards to protect the privacy and security of PHI from any intentional or unintentional use or disclosure that would violate the rule.

    Strategy: Make security awareness part of initial employee training: 1. Train staff to exercise discretion when using PHI in conversations. 2. Control staff PHI access levels through the use of passwords and/or secure tokens. 3. Install locks on unsecured files containing PHI or store PHI files in a locked room. 4. Develop and implement a system of sanctions for employees and business associates who violate your organization's privacy policies.

  9. Train workforce by April 14, 2003.

    Strategy: 1. Conduct PHI training for existing workforce and new employees upon hire. 2. Ask workforce members to sign verification of training and maintain copies in personnel files.

    Tip: Other useful HIPAA Privacy readiness checklists and toolkits are available on external websites.

Comments or questions about the information on this page can be directed to the Office of the Counsel.