Summary of the HIPAA Privacy Rule
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including the rights to examine and obtain a copy of their health records, and to request corrections.
The HIPAA Privacy Rule does not only apply to healthcare organizations. It applies to any entity that may encounter personal information about a patient that – if it were disclosed to a malevolent third party – could present a risk of harm to the patient's finances or reputation. Therefore “covered entities” include health insurers, healthcare clearinghouses, employer-sponsored health plans and third-party medical service providers to covered entities – generally known as “Business Associates”.
Statutory and Regulatory Background
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996. Sections 261 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information. Collectively these are known as the Administrative Simplification provisions.
HIPAA required the Secretary to issue privacy regulations governing individually identifiable health information, if Congress did not enact privacy legislation within three years of the passage of HIPAA. Because Congress did not enact privacy legislation, HHS developed a proposed rule and released it for public comment on November 3, 1999. The Department received over 52,000 public comments. The final regulation, the Privacy Rule, was published December 28, 2000.
In March 2002, the Department proposed and released for public comment modifications to the Privacy Rule. The Department received over 11,000 comments. The final modifications were published in final form on August 14, 2002. A text combining the final regulation and the modifications can be found at 45 CFR Part 160 and Part 164, Subparts A and E.
Who is Covered by the Privacy Rule
The Privacy Rule, as well as all the Administrative Simplification rules, applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”). For help in determining whether you are covered, use CMS’s decision tool.
Health Plans:
Individual and group plans that provide or pay the cost of medical care are covered entities. Health plans include health, dental, vision, and prescription drug insurers, health maintenance organizations (“HMOs”), Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers, and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multiemployer health plans. There are exceptions—a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity. Two types of government-funded programs are not health plans: (1) those whose principal purpose is not providing or paying the cost of health care, such as the food stamps program; and (2) those programs whose principal activity is directly providing health care, such as a community health center, or the making of grants to fund the direct provision of health care. Certain types of insurance entities are also not health plans, including entities providing only workers’ compensation, automobile insurance, and property and casualty insurance. If an insurance entity has separable lines of business, one of which is a health plan, the HIPAA regulations apply to the entity with respect to the health plan line of business.
Health Care Providers:
Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule. Using electronic technology, such as email, does not by itself mean a health care provider is a covered entity; the transmission must be in connection with a standard transaction. The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf. Health care providers include all “providers of services” (e.g., institutional providers such as hospitals) and “providers of medical or health services” (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.
Health Care Clearinghouses
Health care clearinghouses are entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, health care clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or health care provider as a business associate. In such instances, only certain provisions of the Privacy Rule are applicable to the health care clearinghouse’s uses and disclosures of protected health information. Health care clearinghouses include billing services, repricing companies, community health management information systems, and value-added networks and switches if these entities perform clearinghouse functions.
Business Associate Defined. In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all. A covered entity can be a business associate of another covered entity.
Business Associate Contract. When a covered entity uses a contractor or other non-workforce member to perform “business associate” services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement (in certain circumstances governmental entities may use alternative means to achieve the same protections). In the business associate contract, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates. Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the Rule. Covered entities that had an existing written contract or agreement with business associates prior to October 15, 2002, which was not renewed or modified prior to April 14, 2003, were permitted to continue to operate under that contract until they renewed the contract or April 14, 2004, whichever was first. See additional guidance on Business Associates and sample business associate contract language.
Does the Privacy Rule Apply to You?
The HIPAA Privacy Rule applies to covered entities and their business associates (BA). A covered entity is a health plan, a healthcare clearinghouse or a healthcare provider. Subcontractors, or business associates of business associates, must also be in compliance. In other words, if your organization might have access or the ability to access PHI, HIPAA applies to you.
If you’re a covered entity and you use a vendor or organization that will have access to PHI, you need to have a written business associate agreement (BAA). A BAA states how PHI will be used, disclosed and protected. If a breach occurs, BAs are directly liable to the same penalties as covered entities.
PHI and the Minimum Necessary Rule
In addition to establishing what constitutes Protected Health Information, the HIPAA Privacy Rule also determines when and how it should be disclosed. With the exception of disclosure for the purpose of treatment, payment or healthcare operations, any PHI relating to a patient’s past, present or future physical or mental health, the provision of healthcare, or payment for healthcare can only be disclosed without authorization from the patient to the patient’s legal representative or descendants:
- When the disclosure is required by law.
- When it is in the patient’s or the public’s interest.
- To another HIPAA covered entity when a relationship exists between the other covered entity and the patient.
Irrespective of the circumstances, covered entities must abide by the “Minimum Necessary Rule”. This rule stipulates that the disclosure of PHI must be limited to the minimum necessary for the stated purpose. Exceptions to the rule exist in a healthcare environment – where it may be necessary for a healthcare provider to access a patient’s complete medical history – but non-routine disclosure requests must be reviewed on a case-by-case basis, even when the patient has given their authorization for their medical records to be made available for research, marketing or fundraising purposes.
What Information is Protected in HIPAA
Protected Health Information
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” (PHI).
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
De-Identified Health Information. There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information; either: (1) a formal determination by a qualified statistician; or (2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
General Principle for Uses and Disclosures
Basic Principle. A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
Required Disclosures. A covered entity must disclose protected health information in only two situations: (a) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of their protected health information; and (b) to HHS when it is undertaking a compliance investigation or review or enforcement action.
Permitted Uses and Disclosures
Permitted Uses and Disclosures. A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:
(1) To the Individual (unless required for access or accounting of disclosures);
(2) Treatment, Payment, and Health Care Operations;
(3) Opportunity to Agree or Object;
(4) Incident to an otherwise permitted use and disclosure;
(5) Public Interest and Benefit Activities; and
(6) Limited Data Set for the purposes of research, public health or health care operations. Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.
(1) To the Individual. A covered entity may disclose protected health information to the individual who is the subject of the information.
(2) Treatment, Payment, Health Care Operations. A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities. A covered entity also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship. See additional guidance on Treatment, Payment, & Health Care Operations.
Treatment is the provision, coordination, or management of healthcare and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.
Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual.
Health care operations are any of the following activities:
(a) quality assessment and improvement activities, including case management and care coordination;
(b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation;
(c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs;
(d) specified insurance functions, such as underwriting, risk rating, and reinsuring risk;
(e) business planning, development, management, and administration; and
(f) business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.
Most uses and disclosures of psychotherapy notes for treatment, payment, and health care operations purposes require an authorization as described below. Obtaining “consent” (written permission from individuals to use and disclose their protected health information for treatment, payment, and health care operations) is optional under the Privacy Rule for all covered entities. The content of a consent form, and the process for obtaining consent, are at the discretion of the covered entity electing to seek consent.
HIPAA Privacy Rules Summary
- The HIPAA Privacy Rule was first enacted in 2002 with the goal of protecting the confidentiality of patient healthcare information.
- The HIPAA Privacy Rule not only applies to healthcare organizations, but also healthcare plans, healthcare clearinghouses, and Business Associates with access to Protected Health Information.
- Protected Health Information consists of eighteen categories of “Individually Identifiable Health Information” which, individually or together, could reveal the identity of a patient, their medical history, or their payment history.
- The HIPAA Privacy Rule not only applies to data in written format. Videos and images containing any individually identifiable health information are also protected by the HIPAA Privacy Rule.
- PHI can only be disclosed to a third-party with the authorization of the patient, unless the disclosure is related to healthcare treatment, payment for healthcare or healthcare-related operations.
- Even when these conditions are met, and irrespective of the circumstances, Covered Entities and Business Associates must abide by the “Minimum Necessary Rule”.
- There are many different types of threats to the integrity of PHI. Measures that can be taken to mitigate both internal and external threats to PHI are discussed below.
What Is the Purpose of the HIPAA Privacy Rule?
The purpose of the Privacy Rule is to establish minimum Federal standards for safeguarding the privacy of individually identifiable health information. Covered entities, which must comply with the Rule, are health plans, health care clearinghouses, and certain health care providers. Covered entities may not use or disclose PHI except as permitted or required under the provisions of the Privacy Rule. The Rule also confers certain rights on individuals, including rights to access and amend certain health information and to obtain a record of when and how their PHI has been shared with others for certain purposes. In addition, the Rule establishes administrative requirements for covered entities. Covered entities that fail to comply with the Privacy Rule may be subject to civil monetary penalties, criminal monetary penalties, and/or imprisonment.