HIPAA for dermatology practices
Legally Speaking
Jane Sitorius, JD, is a health care attorney with Barnes & Thornburg LLP in Washington, D.C.
By Jane Sitorius, JD, January 1, 2026
Every month, DermWorld covers legal issues in “Legally Speaking.” This month’s author Jane Sitorius, JD, is a health care attorney with Barnes & Thornburg LLP in Washington, D.C.
Data privacy and security have always been an important issue for medical practices, but there were no specific standards regarding health information until the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted. HIPAA sets out the requirements and restrictions regarding the use and disclosure of protected health information (PHI), imposes requirements with respect to security measures to protect electronic PHI (ePHI), and sets out the notification requirements in the event of a data breach. Due to the increasing frequency of data breaches, particularly with respect to health care data, as well as a recent proposed rule that would tighten the HIPAA security requirements, this is a great time to provide a reminder of the current privacy and security requirements under HIPAA.
Proposed changes
The last major update to the HIPAA rules was in 2013, when the HIPAA Omnibus Rule expanded compliance requirements and added new restrictions and penalties. The proposed 2026 changes to the HIPAA Security Rule would take away some of the flexibility that covered entities currently have by imposing stricter and more specific requirements on covered entities with respect to ePHI. For example, the new rules would require all entities to encrypt ePHI, whereas HIPAA currently allows covered entities to determine whether encryption is reasonable for that entity or whether there is a different mechanism that the entity can use to protect ePHI without encryption. In addition, the proposed rule sets out specific requirements for security policies and procedures, whereas HIPAA currently permits covered entities to develop policies and procedures that make sense for each entity and does not take a “one-size-fits-all” approach.
Current HIPAA requirements
HIPAA is a law that protects the privacy and security of PHI that a covered entity, which includes dermatology practices, creates, receives, or otherwise possesses. PHI is individually identifiable health information relating to an individual’s past, present, or future physical or mental health condition, the provision of health care to an individual, or the past, present, or future payment for health care by an individual.
Not all patient information is considered PHI. A patient’s demographic information (e.g., name, address, contact information) is only considered PHI if that information is tied to the individual’s health information in some capacity. For example, patient appointment scheduling is not subject to HIPAA because there is no health information tied to the appointment.
However, once the prospective patient becomes a patient and the individual’s health information becomes tied to the demographic information, the information becomes PHI and is subject to HIPAA. Similarly, HIPAA is not automatically triggered when a dermatology practice communicates with a prospective patient via email or sends information regarding a medical treatment. If the only information transmitted in the email is a brochure or a description of the treatment, then the information would not be considered PHI. Although the prospective patient’s name and email address are identifiers for purposes of HIPAA, no health or medical information would be tied to the prospective patient.
HIPAA has three parts:
The Privacy Rule
The Security Rule
The Breach Notification Rule
Privacy Rule
The HIPAA Privacy Rule sets out requirements for covered entities and provides rights for individuals with respect to PHI in any form, whether paper, electronic, or oral.
Covered entity requirements:
Provide a Notice of Privacy Practices to patients, which explains their privacy rights and how you use their information with or without patient authorization.
Adopt and implement privacy policies and procedures.
Enter into business associate agreements with all vendors or other third parties who will have access to PHI in order to perform the contracted services.
Identify a Privacy Officer who oversees compliance with the privacy policies and procedures.
Conduct regular employee training, at hiring and annually thereafter.
Respond to patient requests for access to and amendment of the patient’s medical record, and provide an accounting of all disclosures of the patient’s information, in a timely manner.
Patient rights:
Access and view the patient’s medical record and obtain a copy of it.
Request amendments to the patient’s record to correct an error or provide additional information.
Request restrictions on how a covered entity uses the patient’s information without the patient’s authorization.
The Privacy Rule generally requires a covered entity to obtain patient authorization prior to using or disclosing the patient’s PHI. However, there are exceptions that permit a covered entity to use and disclose PHI without authorization for purposes of treatment, payment, and health care operations. For example, a physician is not required to obtain patient authorization prior to disclosing a patient’s PHI to another physician when making a referral or obtaining a consultation.
Unless a patient objects, HIPAA also permits a covered entity to disclose information regarding a patient, including information regarding the patient’s condition, to the patient’s family, friends, or other individuals involved in the patient’s care, if those individuals are listed on the patient’s form as persons allowed to receive patient information.
Security Rule
The Security Rule sets out requirements to protect the confidentiality, integrity, and availability of patients’ electronic PHI (ePHI):
Develop and implement reasonable and appropriate security policies and procedures with respect to ePHI.
Conduct regular security risk assessments to analyze risks in the covered entity’s environment and develop solutions to address any weaknesses or vulnerabilities identified in the assessment.
Identify a Security Officer to implement and oversee compliance with the security policies and procedures.
Implement administrative, physical, and technical safeguards.
Regularly review and modify security measures to protect ePHI in compliance with changing security threats.
Ensure employee compliance with all security policies and procedures.
HIPAA takes a flexible approach for compliance with these requirements, allowing a covered entity to develop security measures that make sense for the covered entity, after taking into account the entity’s size, complexity, and capabilities; the cost of the security measures; and the entity’s technical, hardware, and software infrastructure. Thus, a small dermatology practice would not be required to implement the same types of security measures as a large hospital with a bigger IT budget.
Breach Notification Rule
The Breach Notification Rule sets out the requirements and procedures for notifying patients, the U.S. Department of Health and Human Services (HHS), and other parties, in the event of a data breach. In general, a breach is an unpermitted use or disclosure of PHI under the Privacy Rule that compromises the privacy or security of PHI.
Any unpermitted use or disclosure of PHI is deemed to be a breach, unless a covered entity reasonably determines that there is a low probability the PHI has been compromised, based on a risk assessment using the following four factors:
The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
The identity of the unauthorized person who used the PHI or obtained the disclosed PHI (e.g., an internal employee vs. an unrelated/external party).
Whether the PHI was actually acquired or viewed.
The extent to which the covered entity has mitigated the risk of further use or disclosure of the PHI.
If a covered entity determines that a breach has occurred, the covered entity must notify affected individuals as soon as possible, but no later than 60 days after the covered entity discovers the breach. The covered entity must also notify HHS of the breach. If the breach involves fewer than 500 patients, notice may be provided to HHS annually. If, however, the breach involves 500 or more individuals, the covered entity must notify HHS within 60 days after discovering the breach.
State law considerations
Although HIPAA imposes certain requirements for covered entities, it is important to review your state’s data privacy and security laws because HIPAA only preempts state law to the extent that HIPAA imposes stricter requirements than the requirements under state law. If a state imposes additional requirements beyond what is required under HIPAA, then you are required to follow the stricter requirements in the state law. For example, HIPAA does not require covered entities to encrypt PHI at all times, whether at rest or in transit. If a specific state’s data privacy laws require encryption to a greater extent than HIPAA requires, then the covered entity must comply with the stricter requirements under the state law. Alternatively, if a state’s data privacy law permits a covered entity to use or disclose PHI, without patient authorization, for a purpose not permitted under HIPAA, HIPAA would preempt that law and the covered entity must comply with the stricter patient authorization requirement under HIPAA.
In addition, most states have data breach notification laws that impose additional notification requirements on an entity following a data breach, including a data breach involving PHI. Thus, it is very important to understand the data privacy and security requirements under HIPAA, as well as the state laws where your dermatology practice is located.
This article is provided for informational and educational purposes and is not intended to provide legal advice and should not be relied upon as such. Readers should consult with their personal attorneys for legal advice regarding the subject matter of this article.