
Privacy Rule


The HIPAA Privacy Rule affects everyone who works at UWHC and we all must understand what it requires. Learn more about the HIPAA Privacy Rule.


The HIPAA Privacy Rule requires UWHC to protect patients’ health information and gives patients certain rights with respect to their information. HIPAA requires UWHC to keep all protected health information (PHI) confidential unless HIPAA provides an exception to the rule, such as for treatment, payment or operational purposes, or the patient gives permission.

If you have any questions about what HIPAA requires, or are concerned that HIPAA is being violated, do not hesitate to contact the UWHC Privacy Officer.


Why do I need to know the HIPAA Privacy Rules?

Any worker could walk by a wastebasket with patients' documents inside, or could overhear patients talking about their health in a public area. If any of us read patient documents taken from a wastebasket, or told a friend what we overheard patients saying, then we would be violating patient privacy. Because any worker could violate patient privacy, the government requires all of us to learn HIPAA's privacy rules.

Take Common-Sense Steps (Safeguards) Around Patient Information

The first thing you must do is take common-sense steps to protect patient information in your work area. HIPAA says you must "safeguard" patient information in your work area so that others won't come into contact with it. If patients or others see information that is not protected, they can file a formal HIPAA complaint.

Here are some "safeguards" you should take to avoid HIPAA complaints:

If you have questions about the safeguard requirement, please contact your supervisor or a HIPAA Privacy Officer.

Use or Disclose Only the Minimum Necessary Patient Information

If you use patient information, or disclose it to others outside the UW Health system, it's important that you know about HIPAA's minimum necessary rule. Under the minimum necessary rule, you must ask yourself this: Am I using or disclosing more patient information than I need to do my job?

If you use or disclose more patient information than you need, then you have violated the minimum necessary rule. Here are some examples of how the minimum necessary rule affects workers.

Example 1: A custodian sees a patient's medical documents in a shredder bin.

Example 2: A receptionist is asked to schedule an appointment for a patient, and the receptionist recognizes the patient is a neighbor.

You may find more complicated examples in your work duties. Please contact your supervisor or a HIPAA Privacy Officer if you have questions about the minimum necessary rule.

Know What Work Activities Require Patient Permission

HIPAA has specific rules for workers who deal with patient information all the time. One rule says that workers, especially clinical staff, must get patients' permission to do certain activities.

Work Activities That Require Written Permission (Authorization)

There are certain activities that workers cannot do with patient information, unless the patient signs a special HIPAA authorization form. Workers must get a patient's HIPAA authorization before doing the following activities:

If you perform these activities, you will need to get patient authorizations. However, some of you are currently getting signed forms for other activities as well, and this brings up an important point about HIPAA. HIPAA sets a minimum standard for patient privacy. If state law or UW Health's own policies require us to do more for patients, then we must do more. If you are already getting written permission for an activity, keep it up: HIPAA does not remove any of our current patient permission and signature rules.

Workers affected by HIPAA's written permission rules will receive additional training.

Work Activities That Require Spoken Permission (i.e., Patient Must be Given a Chance to Object)

There are certain activities that workers cannot do unless they get the patient's spoken permission. The patient must be given a chance to object to the activity, i.e., a chance to say yes or no.

Please contact your supervisor or a HIPAA Privacy Officer if you have questions about the activities above that require permission (authorizations, or chance to object).

Know What Work Activities Don't Require Patient Permission

As just discussed, workers need to get patients' permission to do certain activities. However, there are many, many activities you can do with patient information that don't require permission.

Workers Don't Need Permission to Do Everyday Health Care Activities (Also Called "TPO")

Workers - especially clinical staff - should know HIPAA doesn't require patient permission for many everyday health care activities. HIPAA says that no patient permission is needed for you to perform the everyday functions of "Treatment," "Payment," and "health care Operations," which are together called "TPO."

HIPAA does not require permission for these everyday "TPO" activities. But once again, if you are already getting written permission for an activity - even a TPO activity - you must keep it up. Workers involved with TPO will receive additional HIPAA training.

Workers Don't Need Permission to Do Certain Activities that Benefit the Public

In addition to everyday/TPO activities, there are other activities workers can do without getting patients' permission. No patient permission is needed for the following activities, which all benefit the public.

It is important for workers - especially clinical staff - to know that these activities don't require permission. Please contact your supervisor or a HIPAA Privacy Officer if you have questions about TPO activities or activities that benefit the public (i.e., activities that don't require patient permission).

Know Patients' Privacy Rights

HIPAA gives patients certain rights that workers must know and follow.

A patient may ask workers - including yourself - about these rights. Please contact your supervisor or the UWHC Privacy Officer if you have questions about patient rights. Also see UWHC Policy 6.23: Accounting for Protected Health Information Disclosures.

Make Sure Our "Associates" Are Following HIPAA Rules

The next HIPAA rule tells you to make sure outsiders are following the rules you learned above. During your workday, you may run into outside businesses and individuals ("associates") who provide services to UW Health providers. Some of our associates need to see patient information in order to provide their services.

You may recognize these examples of associates who see patient information when performing services for us:

UW Health providers are making our associates follow the same HIPAA rules that you've just learned to follow. If you have reason to believe an associate is not following the privacy rules, please notify your supervisor, or a HIPAA Privacy Officer.

Know the Administrative Rules

The last basic thing you should know about HIPAA is that it requires UW Health providers to follow several administrative rules.