Outlining HIPAA: What Information Can My Rehab Center Disclose?

When you work for a rehab center, you know that HIPAA is extremely important to your job.

But what information can you really disclose?

We’ll take a look at the important details of HIPAA and what it means for your treatment center.

HIPAA basics

HIPAA stands for Health Insurance Portability and Accountability Act and it became a law in August 1996.

HIPAA is extremely important to rehab facilities for many reasons.

First, many companies, especially healthcare professionals, no longer rely on paper to store records. Instead, they use digital copies.  This creates a need for the HIPAA law, in order to protect all of that personal, digital information.

Another reason HIPAA is important is that, since most substance abuse is illegal, clients will often refuse treatment because of concerns that their information could be shared and that they could land in jail.

But HIPAA makes it clear that a client’s treatment is 100 percent private when checked into a rehab center, unless the client gives permission to disclose their information, which we’ll discuss in Title II.

Under all other circumstances, HIPAA declares that the following information is always private:

  • How much care a client received
  • How a client paid for treatment
  • Any medical records
  • Personal information
  • Client disorders, both physical and mental

In protecting this information, there are 5 different titles under HIPAA.

Title I

The first title speaks to health insurance coverage for certain groups of individuals.

Title I ensures that even if an individual loses or changes their job, they will still be covered by health insurance.

Additionally, it states that group health plans cannot deny coverage to individuals that have a disease or a pre-existing condition.

This is especially important to your rehab clients because many may lose or have to quit their jobs in order to attend your center. Title I allows them to still have insurance coverage while they receive treatment.

Title II

Title II covers security measures a medical institution must follow in order to store client records.

It helps to prevent health care fraud and abuse by specifying the privacy that is required when handling a client’s healthcare information.

This title states that treatment facilities do not have the right to use or disclose any personal client information including, but not limited to, treatment and payment.

To release any client records, the client must first sign a form that consents to the release of their personal information. There is a list of elements that the consent form must include in order to do so:

  • The name of the client
  • Why they want to disclose this information
  • Specification of who is permitted to make the disclosure
  • The name of who the information is to be disclosed to
  • How much and what information is disclosed
  • Signature of the client
  • The date on which the form is signed
  • A date on which the consent form will expire
  • Signature of recognition that consent can be revoked at any time

In the case of minors, they must always sign to consent to the release of their information.

In cases where a parent or guardian has to consent for the minor to receive treatment, they will also have to sign the consent form that releases the minor’s information.

Thinking about the ways that data is recorded and stored today, many companies, especially healthcare professionals, no longer rely on paper, but rather on digital copies of their notes and patient information.

For this reason, the second title of the HIPAA law is the most referenced, since it has to do with the medical privacy and security of patients.

After all, it’s much easier for a hacker to find documents digitally than it is to get ahold of paper copies.

Title III

This title has to do with tax-related provisions and providing tax deductions for medical insurance.

Simply put, it standardizes the amount of deductions someone can apply before taxes in their medical savings account.

Title IV

Title IV provides extended explanations of insurance reform provisions.

It also covers requirements for clients that have pre-existing conditions and clients that are looking for continued health coverage.

Title V

Title V discusses company-owned life insurance and how to treat cases of individuals who lose their U.S. citizenship.

If a client has an international insurance plan and is transitioning to an insurance plan in the US, the client will be covered on pre-existing conditions, as long as the plan is HIPAA compliant.

There are hundreds of requirements that are included in Title II — all concerning the security of clients.

For this reason, rehab centers reference Title II most often since it concerns medical privacy.

After all, it’s much easier for a hacker to find documents digitally when you don’t have the right security.



National Provider Identifier Standard

National provider identifier, or NPI for short, is a number that every healthcare provider must have before going into business.

Your rehab center uses this 10-digit number for client paperwork so that you, your clients’ insurance providers, and the government are all on the same page about a client’s treatment. Medicare, Medicaid, and private health insurance are all required to use NPIs in their system.

Transactions and Code Sets Standards

This requirement dictates how to safely share documents and data. It’s also known as EDI.

EDI, or electronic data interchange, refers to the sharing of documents across computers or devices in which both the sender and receiver agree to the same terms, including how and where the information in the document is found.

There are a handful of documents that are covered under this rule including:

  • The status of health care claims
  • Payments of health plan premiums
  • Documents outlining a client’s eligibility for a health plan
  • Health care claims
  • Health care payment advice
  • The coordination of benefits

Standards for Privacy of Individually Identifiable Health Information

Also known as the HIPAA privacy rule, this section sets nationwide standards that protect a client’s health information.

Security Standards for the Protection of Electronic Protected Health Information

This requirement is also known as the HIPAA security rule and lays out how rehab centers must protect client medical data.

HIPAA Enforcement Rule

This requirement outlines how an investigation should be handled if there is a HIPAA violation.

Under this rule, the Department of Health and Human Services is permitted to investigate when a client claims that their privacy was breached. They also have the right to fine the individual if the claim is true.

If an offender refuses to correct the privacy mistake within 30 days of the time they were fined, the Department of Health and Human Services has the right to press criminal charges against that person.

What rights do clients have?

With so many rules and regulations, it’s sometimes hard to pinpoint what rights a client has to their health information.

Here are a few pieces of information that clients have the right to ask you for:

1. Their health records

Clients can ask you for their health records at any time, and you must provide them.

2. How you use their records

You must provide information to a client on how and why their health information can be shared.

3. Corrections to wrong information

If a client notices wrong information on a health record, they have the right to ask you to change it.

However, you must respond to the request and agree that the information is incorrect and needs to be changed.

You must correct the health information if it is either proven inaccurate or if it is incomplete.

If you don’t believe that the client is correct, they will have to go through the process of submitting a statement outlining their disagreement and what they believe should be added or taken away from their medical record.

4. Who sees their information

Clients control their own information. This means that they can decide how their information is used or shared.

5. Why you shared their information

Clients have a right to know why you shared their information with any entity.

6. File a complaint

Clients have the right to file a complaint with your rehab center if they believe that their personal information isn’t protected.

When can you share a client’s health information?

There are a few circumstances where you can share a client’s health information.

Protecting the health of the public

Under this circumstance, you issue a general warning to the public about a problem that’s afflicted a group of people. That way, you aren’t directly sharing a client’s health information—you’re combining their information with others that have the same condition for the greater good of the public.

Coordinating a client’s treatment

You can share a client’s condition with other healthcare providers in order to coordinate the best treatment for the client.

For example, any x-ray, laboratory, or pathology reports can all be shared among you and other medical practices to determine the best course of action for a client.


With a legal guardian or relative

You can share health information with the legal guardian of a child or whoever pays the child’s medical bills, except when:

  • The child is of age to consent to their own medical care
  • The child is obtaining medical care at the discretion of a court
  • The parent agrees that the medical provider and the minor have a confidential relationship

For a police report

You can release a client’s condition to police if it assists them in an investigation.

For example, if there is a sudden influx of heroin addicts checking into your facility, you are able to inform the police.

However, you are not able to share the patients’ identities, just their instance.

What information can’t I share?

There are a few circumstances in which you are not lawfully allowed to share a client’s health information under HIPAA.

Sharing with an employer

You can’t share a client’s medical records with one of their employers.


You can’t share a client’s medical records in order to market or advertise your practice.

It is also against the law to sell a client’s personal medical records to any third party as a form of marketing.

Can I withhold a client’s information under HIPAA?

Yes. You can withhold information when:

Harmful information

You can withhold information if the granted access will endanger the life or safety of the person requesting the information or the person that the information is concerning.

Lawsuit information

If you are compiling information for a lawsuit, you have the right to hold that information, even if it is requested.

Mental health notes

You are able to withhold notes that were taken during a private counselling session with a patient or their family.
