Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

  • About HHS
  • Programs & Services
  • Grants & Contracts
  • Laws & Regulations
  • Radical Transparency
  • Big Wins
  • HIPAA for Individuals
  • Filing a Complaint
  • HIPAA for Professionals
  • Newsroom
Breadcrumb
  1. HHS
  2. HIPAA Home
  3. For Professionals
  4. Covered Entities and Business Associates
  5. Fast Facts for Covered Entities
  • HIPAA for Professionals
  • Regulatory Initiatives
  • Privacy
    • Summary of the Privacy Rule
    • Guidance
    • Combined Text of All Rules
    • HIPAA Related Links
  • Security
    • Security Rule NPRM
    • Summary of the Security Rule
    • Security Guidance
    • Cyber Security Guidance
  • Breach Notification
    • Breach Reporting
    • Guidance
    • Reports to Congress
    • Regulation History
  • Compliance & Enforcement
    • Enforcement Rule
    • Enforcement Process
    • Enforcement Data
    • Resolution Agreements
    • Case Examples
    • Audit
    • Reports to Congress
    • State Attorneys General
  • Special Topics
    • HIPAA and Part 2
    • Change Healthcare Cybersecurity Incident FAQs
    • HIPAA and COVID-19
    • HIPAA and Reproductive Health
      • HIPAA and Final Rule Notice
    • HIPAA and Telehealth
    • HIPAA and FERPA
    • Research
    • Public Health
    • Emergency Response
    • Health Information Technology
    • Health Apps
  • Patient Safety
  • Covered Entities & Business Associates
    • Business Associate Contracts
    • Business Associates
  • Training & Resources
  • FAQs for Professionals
  • Other Administrative Simplification Rules

Fast Facts for Covered Entities

The Privacy Rule provides federal protections for personal health information held by covered entities, and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

The Privacy Rule does not require you to obtain a signed consent form before sharing information for treatment purposes.  Health care providers can freely share information for treatment purposes without a signed patient authorization.

 

The Privacy Rule does not require you to eliminate all incidental disclosures.  The Privacy Rule recognizes that it is not practicable to eliminate all risk of incidental disclosures.  In August 2002, specific modifications to the Rule were adopted to clarify that incidental disclosures do not violate the Privacy Rule when you have policies which reasonably safeguard and appropriately limit how protected health information is used and disclosed.

 

The Privacy Rule does not cut off all communications between you and the families and friends of patients. As long as the patient does not object, The Privacy Rule permits you to:

  • share needed information with family, friends, or anyone else a patient identifies as involved in his or her care;
  • disclose information when needed to notify a family member or anyone responsible for the patient's care about the patient's location or general condition;
  • share the appropriate information for these purposes even when the patient is incapacitated if doing so is in the best interest of the patient.

 

The Privacy Rule does not stop calls or visits to hospitals by family, friends, clergy or anyone else.  Unless the patient objects, basic information such as phone number, room number and general condition can: 

  • be listed in the hospital directory;
  • be given to people who call or visit and ask for the patient;
  • be given to clergy along with religious affiliation--when provided by the patient--even if the patient is not asked for by name.

The Privacy Rule does not prevent child abuse reporting.  You may continue to report child abuse or neglect to appropriate government authorities. 

The Privacy Rule is not anti-electronic.  You can communicate with patients, providers, and others by e-mail, telephone, or facsimile, with the implementation of appropriate safeguards to protect patient privacy. 


Please view our Frequently Asked Questions about the Privacy Rule.

Guidance Materials for Covered Entities

  • Summary of the Privacy Rule
  • Guidance on Significant Aspects of the Privacy Rule
  • Fast Facts for Covered Entities
  • Provider Guide: Communicating With a Patient's Family, Friends, or Other Persons Identified by the Patient
  • Guidance on the Application of FERPA and HIPAA to Student Health Records
  • Sample Business Associate Contract
  • Misleading Marketing Claims
  • Sign Up for the OCR Privacy Listserv


Content created by Office for Civil Rights (OCR)
Content last reviewed June 16, 2017
Back to top

Subscribe to Email Updates

Receive the latest updates from the Secretary and Press Releases.

Subscribe
  • Contact HHS
  • Careers
  • HHS FAQs
  • Nondiscrimination Notice
  • Press Room
  • HHS Archive
  • Accessibility Statement
  • Privacy Policy
  • Budget/Performance
  • Inspector General
  • Web Site Disclaimers
  • EEO/No Fear Act
  • FOIA
  • The White House
  • USA.gov
  • Vulnerability Disclosure Policy
HHS Logo

HHS Headquarters

200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-877-696-6775​

Follow HHS

Follow Secretary Kennedy