HIPAA resource center

Protecting privacy

Physicians and other clinicians have both ethical and legal obligations to protect patient privacy. Patient privacy is protected both by state laws and by the federal Health Insurance Portability and Accountability Act (HIPAA). Any physician who electronically transmits billing information in the U.S. must comply with HIPAA.

Protecting patient privacy is at the heart of HIPAA. To comply, you must:

Identify protected health information (PHI)

HIPAA applies only to protected health information (PHI). Not all health information is PHI. For information to be PHI, it must contain both a) an identifier tying it to the patient, and b) clinical or diagnostic information. Clinical or diagnostic information simply refers to the type of information you find in a health record, such as vitals and physician notes, but also labs and radiology results. An identifier is any piece of information that could uniquely identify an individual patient.

Protect patient confidentiality

Under federal law, patients have a civil right to privacy. As a result, all staff must take care to protect patient privacy. Patient confidentiality must be protected whether in electronic, physical, or verbal communications.

Generally, patients have to give their permission for PHI to be disclosed, but PHI may be shared from physician to physician without explicit consent if it is for treatment, payment, or operations. To give an example, if one doctor consults with another about a patient’s treatment, they do not need the patient’s written consent. However, marketing materials or social media posts must never disclose PHI without the patient’s explicit consent.

Provide patients prompt access to their health records

If patients request a copy of their health records, clinicians must provide the copy as soon as possible, but always within 30 days. Providers are allowed to charge for copies of health records. However, they can only charge for the actual costs of reproduction. The laws for copying medical records vary by state. Check the most current fees for each state.

Inform patients of their privacy and access rights

The first time a patient visits a provider, they should receive a Notice of Privacy Practices (NPP). The NPP explains when and how patient information will be used, identifies the organization’s privacy officer, and explains how to contact HHS with complaints. HHS has provided free NPP templates.

Designate a privacy officer to oversee compliance

Your practice must also designate a privacy officer to oversee compliance and serve as a point of contact on privacy matters, both for patients and staff. In smaller organizations, this role is usually assigned to a staff member who has other responsibilities. The privacy officer should receive some additional training in HIPAA requirements and their role.