Description
HIPAA PRIVACY RULE | 45 CFR 164.512(b) & STATE HIV CONFIDENTIALITY LAW
HIV/AIDS Confidentiality Policy Supplement
Document ID: HEL-PRIV-010 • Version 1.1
The HIPAA Privacy Rule establishes a baseline floor of protection for all protected health information, including HIV-related information, but does not create federal protections specific to HIV beyond those applicable to all PHI. The significant compliance burden for organizations handling HIV information arises from state HIV confidentiality statutes, which exist in virtually every state and are typically far more restrictive than HIPAA. Under 45 CFR 160.202 and 45 CFR 160.203, HIPAA expressly preserves state laws that provide greater privacy protections. Where state law is more restrictive, the organization must comply with both frameworks simultaneously. Many state HIV confidentiality statutes require written authorization even for treatment, payment, and health care operations disclosures, a requirement that exceeds HIPAA’s standard permission for TPO uses and disclosures without authorization.
This 21-section policy supplement covers the full operational landscape for HIV-related information handling. It addresses the critical distinction between confidential and anonymous HIV testing, mandatory name-based HIV case reporting authorized under 45 CFR 164.512(a) and 164.512(b), partner and contact notification frameworks that vary significantly by state, the intersection of duty-to-warn obligations with the permissive disclosure standard at 45 CFR 164.512(j), HIV-specific authorization requirements that go beyond a standard HIPAA authorization, re-disclosure prohibitions, explanation of benefits disclosure risk for HIV-related services billed to health plans, minors and HIV confidentiality, and record segregation with access controls. Each section includes structured callout boxes identifying required state law insertions and practical workforce guidance for each disclosure scenario.
What Is Included
Framework and Definitions
- Seven defined terms: HIV-Related Information, Confidential HIV Test, Anonymous HIV Test, HIV Case Reporting, Partner Notification, Re-Disclosure, and Ryan White HIV/AIDS Program
- Regulatory foundation covering 45 CFR 164.512(b), 164.512(j), 160.202, 160.203, the Americans with Disabilities Act (42 U.S.C. 12101), and Ryan White Program requirements (42 U.S.C. 300ff)
- State law supremacy section with required citation placeholder for each jurisdiction
Confidentiality and Authorization Requirements
- General confidentiality rule with enumerated categories of disclosures permitted without authorization under HIPAA and state law
- HIV-specific authorization requirements, including the separate-document rule and state law additions to 45 CFR 164.508(c) standards
- Re-disclosure prohibition framework with practical workforce guidance
Testing, Reporting, and Notification Scenarios
- Anonymous vs. confidential HIV testing framework with three operational scenarios: public health site testing, organization-conducted testing, and patient referrals to anonymous sites
- Mandatory public health reporting under 45 CFR 164.512(a) and 164.512(b), including state-specific reporting timelines, required report formats, and documentation obligations
- Partner and contact notification frameworks (voluntary, provider-assisted, and mandatory) with Ryan White Program good-faith notification obligations
- Duty to warn and third-party exposure disclosures under 45 CFR 164.512(j) with state law overlay guidance
Operational and Administrative Provisions
- Occupational exposure disclosure procedures
- Disclosures in the covered entity context, including TPO limitations under state law
- Insurance and explanation of benefits disclosure risk guidance for HIV-related services billed to health plans
- Minors and HIV confidentiality, including state minor consent law interactions
- Record segregation and access control requirements
- Patient rights section covering HIPAA rights in the HIV information context
- Workforce training requirements
- Sanctions, approval and signatures block, related documents table, and revision history
Who This Is For
Privacy Officers, compliance coordinators, and clinical leadership at covered entities providing HIV testing, treatment, counseling, or referral services, including infectious disease practices, federally qualified health centers, sexual health clinics, behavioral health providers, and organizations receiving Ryan White HIV/AIDS Program funding. Also for HIPAA consultants building or auditing HIV-specific compliance programs for clients in jurisdictions with stringent state HIV confidentiality statutes, particularly when preparing for OCR investigations or corrective action plan implementation.
This supplement ships with required state law citation placeholders in the Regulatory Foundation and Partner Notification sections that must be populated with current jurisdiction-specific HIV confidentiality statute citations before the policy is adopted. Legal counsel review is required before implementation. The supplement is designed to work alongside the organization’s base HIPAA Privacy Policy and does not replace it.
Format: Microsoft Word (.docx), fully editable • Delivered as an instant digital download • Document ID: HEL-PRIV-010
Reviews
There are no reviews yet.