
Objectives: to obtain an overview of HIPAA; to understand the scope, mechanics, and basic rights and obligations under the HIPAA Privacy Rule; to learn about the HIPAA Security Rule and Breach Notification Rule; and to understand how state law regulates health data beyond HIPAA.


Length: Approximately 1 hour

Written by: Professors Daniel J. Solove and Paul M. Schwartz

Instructor: Professor Daniel J. Solove


This course provides an overview of the regulation of health privacy in the United States. The course explains the basic structural elements of HIPAA: how it applies, what types of entities it regulates, how it defines protected health information (PHI), and how it regulates business associates. It discusses the responsibilities of organizations under HIPAA, the rules governing the use and disclosure of PHI, and patient rights. The course also provides an introduction to the HIPAA Security Rule as well as the Breach Notification Rule. Additionally, the course covers the enforcement of HIPAA by the HHS Office for Civil Rights (OCR). Beyond HIPAA, the course discusses the role of state tort law and statutory law in regulating health care privacy and security, as well as the protections for health data under the U.S. Constitution.



Course Outline
State Tort Law

Breach of Confidentiality Tort
Duty to Notify Torts

HIPAA’s Applicability and Scope

Covered Entities
Hybrid Entities

Definition of PHI
De-Identification: The 18 HIPAA Identifiers

Business Associates

Definition of a Business Associate
Data Protection Along the Chain of Custody
Business Associate Agreements

Responsibilities of Organizations Under HIPAA

Governance Provisions

Privacy Official
Policies and Procedures
Workforce Training

Notice of Privacy Practices
The Minimum Necessary Rule

Use and Disclosure of PHI Under HIPAA

Mandatory and Permitted Disclosures

Mandatory Disclosures
Permitted Disclosures
Disclosures for Marketing and Fundraising
Accounting for Disclosures


HIPAA Patient Rights

Right of Access
Right of Amendment
Right to File a Complaint
The Right to Request Restrictions

HIPAA Security Rule

Administrative, Physical, and Technical Safeguards
HIPAA Breach Notification Rule

Definition of a “Breach”

HIPAA Enforcement

HIPAA Enforcement Measures and Penalties
OCR Monetary Penalties
Private Common Law Lawsuits

Health Privacy Beyond HIPAA

State Statutes
Constitutional Law
