Guides HIPAA Privacy Rule (45 CFR §164.500-534) compliance for covered entities and business associates handling PHI, covering minimum necessary standard, TPO exceptions, authorizations, and opt-outs.
Install: `npx claudepluginhub mukul975/privacy-data-protection-skills --plugin healthcare-privacy-skills`. This skill uses the workspace's default tool permissions.
The HIPAA Privacy Rule establishes national standards for the protection of individually identifiable health information — Protected Health Information (PHI) — held by covered entities and their business associates. Enacted under the Health Insurance Portability and Accountability Act of 1996 and finalized in the Privacy Rule of 2000 (with major modifications in 2002 and 2013 under HITECH/Omnibus), the rule balances patient privacy rights with the practical needs of healthcare delivery. The Privacy Rule applies to health plans, healthcare clearinghouses, and healthcare providers who transmit any health information electronically in connection with a HIPAA-covered transaction.
Under 45 CFR §160.103, covered entities include:
| Entity Type | Definition | Examples |
|---|---|---|
| Healthcare Provider | Any provider who transmits health information electronically in connection with a covered transaction | Hospitals, physician practices, pharmacies, laboratories, dentists, chiropractors |
| Health Plan | Individual or group plan that provides or pays for medical care | Health insurers, HMOs, employer-sponsored health plans, government programs (Medicare, Medicaid, TRICARE) |
| Healthcare Clearinghouse | Entity that processes nonstandard health information into standard format | Billing services, repricing companies, community health management information systems |
Asclepius Health Network operates as a covered entity comprising 12 hospitals, 85 outpatient clinics, and an affiliated health plan. Every workforce member — from attending physicians to front desk staff — must comply with the Privacy Rule. Asclepius designates its Chief Privacy Officer to manage rule implementation across all facilities.
PHI is individually identifiable health information that is transmitted or maintained in any form or medium by a covered entity or business associate. Under 45 CFR §160.103, individually identifiable health information is information that:
PHI encompasses information in any form — electronic (ePHI), paper, or oral. The 18 identifiers defined in §164.514(b)(2) include:
PHI does not include:
The Privacy Rule permits uses and disclosures of PHI without individual authorization in the following circumstances:
TPO is the primary exception enabling routine healthcare delivery:
Treatment (§164.501): The provision, coordination, or management of healthcare and related services by one or more healthcare providers. Includes consultation between providers, referrals, and provider-to-provider communication about a patient.
At Asclepius Health Network, a cardiologist may share a patient's echocardiogram results with the referring primary care physician without patient authorization because this constitutes treatment.
Payment (§164.501): Activities by a covered entity or its business associate to obtain or provide reimbursement for healthcare. Includes eligibility determinations, billing, claims management, utilization review, and collection activities.
Asclepius Health Network's billing department may submit a patient's diagnosis codes and procedure codes to the patient's health insurer for claim adjudication without patient authorization.
Healthcare Operations (§164.501): Activities including quality assessment, competency assurance, conducting or arranging medical review, legal services, auditing, business planning, customer service, resolution of internal grievances, compliance activities, and limited de-identified data analysis.
| Activity | CFR Section | Requirements |
|---|---|---|
| Required by law | §164.512(a) | Disclosure compelled by statute, regulation, or court order |
| Public health | §164.512(b) | To public health authorities for disease prevention, FDA reporting, workplace safety |
| Victims of abuse/neglect | §164.512(c) | To government authority authorized to receive reports |
| Health oversight | §164.512(d) | To health oversight agencies for audits, investigations, inspections |
| Judicial proceedings | §164.512(e) | In response to court order or qualified protective order with subpoena |
| Law enforcement | §164.512(f) | Pursuant to process, limited circumstances (identification, crime on premises, emergency) |
| Decedents | §164.512(g) | To coroners, medical examiners, funeral directors |
| Organ donation | §164.512(h) | To organ procurement organizations |
| Research | §164.512(i) | With IRB/Privacy Board waiver of authorization, preparatory to research, or decedent research |
| Serious threat | §164.512(j) | To prevent or lessen serious and imminent threat to health or safety |
| Essential government functions | §164.512(k) | Military, veterans, national security, intelligence, protective services |
| Workers' compensation | §164.512(l) | As authorized by workers' compensation laws |
An authorization is required for:
A valid authorization under §164.508(c) must contain:
Required statements on the authorization form:
Covered entities must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. This is one of the most frequently cited and enforced provisions.
The minimum necessary standard does NOT apply to:
Asclepius Health Network implements the minimum necessary standard through:
Workforce Access: Role-based access controls defining the categories of PHI each workforce member role needs. Emergency department nurses access current visit records, vital signs, allergies, and medication lists. Billing staff access demographic information, insurance details, diagnosis codes, and procedure codes — not clinical notes.
Routine Disclosures: For routine, recurring disclosures, Asclepius maintains standard protocols limiting information provided. For insurance eligibility verification, only the patient name, date of birth, insurance ID, and requested service dates are transmitted.
Non-Routine Disclosures: For non-routine disclosures, each request is reviewed on a case-by-case basis by the Privacy Office. The reviewer applies the minimum necessary principle and documents the rationale for the scope of disclosure.
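The three controls above (role-based workforce access, standard protocols for routine disclosures, and case-by-case review for everything else) can be expressed as policy-as-code. The following is an added example, not code from the skill or from Asclepius; the role names, purpose names and PHI field names are constructed to match the categories the text describes, and the sample record is constructed.

```python
from dataclasses import dataclass

# Workforce role profiles: the PHI categories each role needs, following the
# Asclepius description above (field names are constructed).
ROLE_PROFILES = {
    "ed_nurse": {"current_visit", "vital_signs", "allergies", "medication_list"},
    "billing": {"demographics", "insurance", "diagnosis_codes", "procedure_codes"},
}

# Standard protocols for routine, recurring disclosures, keyed by purpose.
ROUTINE_DISCLOSURES = {
    "eligibility_verification": {
        "patient_name", "date_of_birth", "insurance_id", "service_dates",
    },
}


@dataclass
class Decision:
    released: dict              # fields passed through to the requester
    withheld: list              # field names stripped, kept for the audit trail
    needs_review: bool = False  # non-routine request: Privacy Office decides


def minimum_necessary(record: dict, *, role=None, purpose=None) -> Decision:
    """Apply the minimum necessary standard to one PHI record.

    Exactly one of role (workforce access) or purpose (disclosure) is given.
    Anything not on the matching allow-list is withheld; a purpose with no
    standard protocol releases nothing and is flagged for manual review.
    """
    if (role is None) == (purpose is None):
        raise ValueError("specify exactly one of role or purpose")
    if role is not None:
        allowed = ROLE_PROFILES.get(role, set())   # unknown role -> no access
        review = False
    else:
        allowed = ROUTINE_DISCLOSURES.get(purpose)
        review = allowed is None                   # non-routine: case-by-case
        allowed = allowed or set()
    released = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted(k for k in record if k not in allowed)
    return Decision(released, withheld, review)


# Constructed sample record mixing clinical, demographic and billing fields.
SAMPLE_RECORD = {
    "patient_name": "Jane Doe", "date_of_birth": "1980-01-01",
    "insurance_id": "ABC123", "service_dates": ["2024-03-01"],
    "demographics": {"zip": "02139"}, "insurance": {"payer": "ExamplePlan"},
    "diagnosis_codes": ["I10"], "procedure_codes": ["99213"],
    "clinical_notes": "...", "vital_signs": {"bp": "120/80"},
    "allergies": ["penicillin"], "medication_list": ["lisinopril"],
    "current_visit": {"chief_complaint": "chest pain"},
}
```

Calling `minimum_necessary(SAMPLE_RECORD, role="billing")` releases only the four billing categories and lists `clinical_notes` among the withheld fields, while an unrecognised purpose releases nothing and sets `needs_review`.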
Individuals have the right to inspect and obtain a copy of PHI maintained in a designated record set, with limited exceptions:
Asclepius Health Network provides patient portal access to electronic health records. Patients who request additional records receive them within 15 business days. Asclepius charges $6.50 per electronic copy (flat fee covering labor and transmission).
Individuals may request amendment of PHI in a designated record set. The covered entity may deny if the information:
If denied, the individual may submit a statement of disagreement appended to the record.
Individuals have the right to receive an accounting of disclosures made by the covered entity in the six years prior to the request. Exceptions include disclosures:
Individuals may request restrictions on uses and disclosures for TPO. The covered entity is NOT required to agree to the restriction, except:
Individuals may request that communications be sent by alternative means or to alternative locations. Healthcare providers must accommodate reasonable requests. Health plans must accommodate when the individual states that disclosure could endanger them.
Covered entities must provide a Notice of Privacy Practices (NPP) that describes:
Distribution: Healthcare providers with a direct treatment relationship must provide the NPP at first service delivery and make a good faith effort to obtain written acknowledgment. Health plans must provide at enrollment and within 60 days of material revision.
Covered entities that maintain a facility directory may include limited PHI (patient name, location in facility, general condition, religious affiliation) for directory purposes. The individual must be:
If the individual is incapacitated or unavailable, the covered entity may include directory information if consistent with any prior expressed preference and if disclosure is in the individual's best interest as determined by professional judgment.
At Asclepius Health Network, patients are asked at registration whether they wish to be listed in the facility directory. Those who opt out are flagged in the admissions system, and all staff are instructed that no information may be provided to callers or visitors.
A personal representative must be treated as the individual for purposes of the Privacy Rule if the representative has authority under applicable law to act on behalf of the individual in making healthcare decisions:
| Individual | Personal Representative | Authority Basis |
|---|---|---|
| Adult | Person with healthcare power of attorney | State healthcare POA statute |
| Minor (general) | Parent, guardian, or person acting in loco parentis | State law on parental authority |
| Minor (exceptions) | Minor acts as own representative | State law permitting minor consent (STI treatment, substance abuse, reproductive health) |
| Deceased individual | Executor, administrator, or person with legal authority over estate | State probate law |
| Adult lacking capacity | Court-appointed guardian or person authorized under state law | State guardianship statute |
Abuse/neglect exception: A covered entity may decline to treat a person as a personal representative if the covered entity reasonably believes the individual has been or may be subject to domestic violence, abuse, or neglect by the representative, and treating them as representative is not in the individual's best interest.
The HHS Office for Civil Rights (OCR) enforces the Privacy Rule through:
| Tier | Culpability Level | Per Violation | Annual Maximum |
|---|---|---|---|
| 1 | Did not know (and would not have known with reasonable diligence) | $137–$68,928 | $2,067,813 |
| 2 | Reasonable cause, not willful neglect | $1,379–$68,928 | $2,067,813 |
| 3 | Willful neglect, corrected within 30 days | $13,785–$68,928 | $2,067,813 |
| 4 | Willful neglect, not corrected | $68,928–$2,067,813 | $2,067,813 |
Penalty amounts are adjusted annually for inflation per 45 CFR §160.404.