8 Keys for Health Plans to Satisfy Data Privacy Rules

June 02, 2022 (4 min read)

The U.S. Department of Health and Human Services’ Office for Civil Rights made headlines last month when it issued a Request for Information (RFI), seeking input from the public on how the HIPAA Rules — specifically the HIPAA Privacy Rule — could be modified.

The announcement noted that the original HIPAA Rules were developed to protect individuals’ health information privacy and security, while still permitting information to be shared for important purposes, but that the Office is now responding to concerns raised about how certain provisions may no longer be achieving those dual goals.

“We look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said Lisa J. Pino, director of the Office for Civil Rights.

Health care organizations of all types and sizes should take note of this action as it may well portend changes in data privacy and security regulations under HIPAA that will impact their compliance plans, contract negotiations and product development initiatives.

HIPAA’s Privacy Rules are designed to ensure confidentiality and integrity of protected health information, including electronic health information. A health plan — or other covered health entity — has a number of obligations under those rules. These rules are complex, detailed and come with serious enforcement implications.

To help navigate these requirements, the LexisNexis Practical Guidance team has created a Health Information Privacy and Security Resource Kit, which is designed to help in-house counsel and other attorneys locate essential resources addressing health information privacy and security issues.

One of the components of this resource kit is a comprehensive practice note from Gabriel Marinaro, partner at Akerman LLP, which combs through HIPAA’s privacy, security, breach notification and other administrative simplification rules.

Here are eight keys for health plans to satisfy HIPAA Privacy Rules, excerpted from Marinaro’s practice note on Lexis+:

Appropriate safeguards

The plan must have appropriate administrative, technical and physical safeguards to: (1) reasonably protect Protected Health Information (PHI) from any intentional or unintentional use or disclosure in violation of the Privacy Rule, and (2) limit incidental uses or disclosures arising from an otherwise permitted use or disclosure. These safeguards should be designed to protect PHI throughout its handling by the plan, from receipt or creation to destruction or disposal. Guidance for the disposal of PHI can be found in this practice note regarding the Disposal of Protected Health Information under HIPAA.

Written privacy policies and procedures

The plan must implement and maintain up-to-date written policies and procedures setting forth in detail privacy and security practices reasonably designed to ensure compliance with the Privacy Rule, taking into account the size and type of activities relating to PHI undertaken by the plan. The privacy policies and procedures provide detailed instructions for those members of the employer's workforce tasked with handling PHI.

Privacy officer

The plan must appoint a privacy official who is responsible for the development and implementation of the privacy policies and procedures and designate a contact person or office for receiving complaints under the Privacy Rule.

Workforce training

The plan must train members of the employer's workforce on PHI privacy procedures as necessary and appropriate for them to carry out their functions for the plan. Each employee who will have access to PHI must receive training within a reasonable period of time after obtaining the relevant position. If there is a material change in the policies or procedures, additional training is required within a reasonable period of time after the material change becomes effective. See this HIPAA Privacy and Security Training Presentation for a possible template.

Complaint process

The plan must provide a process for individuals to make complaints concerning the plan's privacy policies and procedures and document all complaints received and their disposition, if any.

Sanctions for noncompliance

The plan must apply and document sanctions against workforce members who fail to comply with the privacy policies and procedures of the group health plan.

Duty to mitigate

The plan must mitigate any use or disclosure of PHI in violation of its policies and procedures or the Privacy Rule by the group health plan or any of its business associates.

Documentation and record retention

The plan must maintain written records of its policies and procedures and any communications, actions, activities, or designations required to be in writing under the Privacy Rule for a period of no less than six years. Documentation standards also apply to hands-off plans, but only with respect to specific plan document requirements identified in the rules.

In addition to these eight keys, it is important to note that all group health plans are prohibited from intimidating, coercing, discriminating against, or taking other retaliatory action against an individual for filing a complaint under the Privacy Rule or for exercising any other right granted to the individual under the Privacy Rule or Breach Notification Rule. Moreover, no plan may require an individual to waive his or her HIPAA rights under the HIPAA Privacy Rule or Breach Notification Rule as a condition to receiving treatment or benefits under a plan or eligibility or participation in the plan.

LexisNexis has created a free resource to help guide in-house counsel through the process of satisfying HIPAA’s data privacy and security rules. You can check it out here.

Practical Guidance now features a new Healthcare module, which contains valuable tools and resources necessary to practice with confidence and efficiency. Experience it for yourself by signing up for a free 7-day trial of Lexis+ General Counsel Suite.