HIPAA Compliance in Patient Advocacy: What Advocates Need to Know

Kevin Henry

HIPAA

March 31, 2026

7 minute read

Patient advocates help people navigate complex care decisions, insurer rules, and medical records. To do that safely, you must understand HIPAA—especially how the Privacy Rule, Security Rule, and Breach Notification Rule govern access to and sharing of Protected Health Information (PHI). This guide explains what applies to advocates and how to operationalize compliance in daily work.

HIPAA Overview

HIPAA is a U.S. federal law that sets standards for protecting PHI—any individually identifiable health information related to health status, care, or payment. It applies to covered entities (health plans, providers, clearinghouses) and their business associates, including advocacy organizations or independent advocates when they receive PHI on behalf of a covered entity.

Core rules that affect advocates

  • Privacy Rule: Limits uses and disclosures of PHI and requires the “minimum necessary” standard.
  • Security Rule: Requires safeguards for electronic PHI, including Administrative Safeguards and Technical Safeguards.
  • Breach Notification Rule: Establishes duties to notify individuals, regulators, and in some cases the media after certain security incidents.

Independent advocates engaged directly by a patient (not by a covered entity) may not be HIPAA-regulated themselves. However, providers still cannot disclose PHI to you without proper patient authorization, and you should handle any PHI you receive with the same rigor you would if HIPAA applied.

Patient Authorization Requirements

HIPAA allows disclosures for treatment, payment, and health care operations without an authorization, but most advocacy work is outside those purposes. In practice, obtaining a HIPAA-compliant authorization from the patient is essential to request records, discuss care with providers, or appeal coverage decisions.

  • Authorization: A formal, written permission for a specific use or disclosure of PHI. It lists what will be shared, with whom, for what purpose, expiration, and a signature/date, plus statements about revocation and potential re-disclosure.
  • Consent: Some providers use general consent forms for routine care, but these usually do not permit advocacy-related disclosures. Robust Consent Management means tracking which authorizations exist, for what scope, and when they expire.

When you need an authorization

  • To obtain or discuss medical records with a provider, hospital, or insurer.
  • To share PHI with third parties such as legal counsel, community resources, or family members not otherwise involved in care.
  • To receive ongoing updates from a care team or to participate in case conferences.

State laws and certain federal rules (for example, 42 CFR Part 2 for substance use disorder records) may impose stricter requirements. When laws conflict, apply the most protective standard for the patient.

Ensuring Data Security

Strong data security protects clients and demonstrates professionalism. Even if HIPAA does not technically apply to your role in every case, adopting its safeguards is the safest approach.

Administrative Safeguards

  • Perform a written risk analysis covering how you collect, use, transmit, and store PHI.
  • Create policies for access control, device use, data retention, and incident response.
  • Train anyone supporting your work (staff or subcontractors) on Privacy Rule requirements and secure handling of PHI.
  • Use Business Associate Agreements (BAAs) with vendors that handle PHI on your behalf (e.g., secure email, e-fax, EHR portals).

Technical Safeguards

  • Encrypt devices and storage; enable MFA on email, portals, and file systems.
  • Use secure messaging or encrypted e-fax for PHI; avoid standard SMS and unencrypted email.
  • Apply role-based access; store files in a secure repository with audit logging.
  • Patch systems promptly; use endpoint protection and automatic screen locks.

Practical handling tips

  • Follow the minimum necessary standard—collect only what you need, for as long as needed.
  • De-identify notes whenever possible; keep separate files for PHI and general advocacy notes.
  • Secure paper records in locked storage; avoid mixing client PHI with personal devices or accounts.

Breach Notification Procedures

The Breach Notification Rule requires action when unsecured PHI is accessed, acquired, used, or disclosed in a manner not permitted by the Privacy Rule. Start with a documented risk assessment, considering the type of data, who viewed it, whether it was actually acquired, and mitigation taken.

What to do if you suspect a breach

  • Contain and mitigate: recover data, change credentials, and stop further exposure.
  • Document: who, what, when, where, systems involved, and steps taken.
  • Notify: If you are a business associate, notify the covered entity without unreasonable delay as required by your BAA. The covered entity is responsible for notifying individuals, HHS, and possibly the media.
  • Timelines: Individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500+ residents of a state/jurisdiction also require media notice; smaller breaches are reported to HHS annually.
  • Improve: update policies, strengthen Technical Safeguards, and retrain as needed.

Role of Patient Advocates

Advocates translate medical jargon, coordinate care, and align decisions with patient goals. Within HIPAA, your role centers on clarifying authorizations, limiting disclosures to the minimum necessary, and acting as a privacy steward for any PHI you handle.

High-impact responsibilities

  • Set up clear Consent Management workflows so providers can speak with you confidently.
  • Verify identity before discussing PHI and use secure channels for all communications.
  • Maintain an access log of records requested, from whom, and why, to support Compliance Audits.
  • Advocate for privacy in care settings—close curtains, ask for private spaces, and limit who is present during sensitive discussions.

Risks of Non-Compliance

Non-compliance can lead to civil monetary penalties (tiered by level of culpability), contractual consequences such as BAA termination, and—in cases of willful misuse or fraud—criminal liability. Equally serious are reputational damage, loss of client trust, and potential exclusion from provider networks.

OCR enforces HIPAA through investigations and Compliance Audits. Gaps commonly cited include weak risk analysis, poor access controls, inadequate training, and delayed breach reporting. Proactive governance avoids these pitfalls and strengthens your advocacy practice.

Best Practices for Advocates

  • Formalize a privacy and security program aligned to the Privacy Rule, Security Rule, and Breach Notification Rule.
  • Standardize authorizations and renewals; keep a central register to manage expirations.
  • Adopt secure tools with encryption and MFA; avoid consumer-grade apps for PHI.
  • Run periodic Compliance Audits and remediate findings; document everything.
  • Use the minimum necessary PHI; de-identify working notes and set retention limits.
  • Execute BAAs with any service that may touch PHI and verify their safeguards.
  • Maintain a tested incident response plan so you can meet timelines under the Breach Notification Rule.

This material is for educational purposes and is not legal advice. When in doubt, consult counsel or a privacy officer.

FAQs

What are the key HIPAA requirements for patient advocates?

Know what counts as Protected Health Information, obtain and track written authorizations, use the minimum necessary PHI, and protect ePHI with Administrative Safeguards and Technical Safeguards. Keep audit-ready documentation, follow secure communication practices, and be prepared to support breach response under the Breach Notification Rule.

How should patient advocates handle data breaches?

Act quickly to contain the issue, document the event, and assess risk. If you are a business associate, notify the covered entity without unreasonable delay as specified in your BAA. Support individual notifications, regulator reporting, and remediation steps, then update policies, training, and controls to prevent recurrence.

When is patient authorization required?

Any time a disclosure falls outside treatment, payment, or health care operations, you should obtain a HIPAA-compliant authorization. Common advocacy scenarios include requesting medical records, discussing care with providers or insurers, and sharing PHI with family members or third parties. Apply stricter state or federal rules when they provide greater privacy protection.
