Table 1.

HIPAA’s Four Tiers of Privacy Protection

Tier	Data Uses that Fall in Each Tier	How HIPAA Protects Individuals’ Privacy
1	Any data use that an individual has authorized, for example, a research study where people gave their permission to share their data with researchers. Individuals’ access to and use of their own data under HIPAA’s individual access right	Individuals control the use and disclosure of their data. The individual, rather than the minimum necessary standard, decides how much data can be used or disclosed.
2	Ten enumerated data uses12, including three that are important in genomics: Research uses of data under HIPAA’s waiver provision at 45 C.F.R. Sec. 164.512(i), which allows data to be used in research without the individual’s authorization under certain circumstances Public health uses of data Healthcare billing and operations, including quality improvement activities	Individuals do not control access to their data (i.e., individual authorization is not required). The minimum necessary standard applies and limits how much data can be requested, used, or disclosed.
3	Three types of legally required data uses Reporting of abuse, neglect, and domestic violence Data required for judicial and regulatory proceedings Data requested by law enforcement agencies	Individuals do not control access to their data (i.e., individual authorization is not required). The minimum necessary standard also does not apply, but HIPAA sets other limits on how much data can be requested, used, or disclosed.
4	Disclosures of existing data to healthcare providers for use in treating patients Uses of PHI by covered entities and HHS to ensure compliance with the Privacy Rule	Individuals do not control access to their data, and HIPAA sets no limits on how much data can be requested, used, or disclosed. Neither the minimum necessary standard nor an alternative standard applies.