What is the HIPAA privacy rule?

This rule, designed by the U.S. Department of Health and Human Services (HHS), implements the requirement of HIPAA to address the use and disclosure of individuals' health information, called protected health information or PHI, by the organizations that use and transmit this information.

One of the goals of the privacy rule is to ensure that individuals' health information is properly protected while allowing the flow of that health information between covered entities to provide quality health care and to protect those individuals' health and well-being.

What are the covered entities?

The privacy rule applies to health plans, healthcare clearinghouses and any health care provider transmitting health information in electronic form.

  • Health plans include insurers of vision, health, dental and prescription drugs; HMOs; Medicaid, Medicare and supplement insurers; and long-term care insurers. This could include any health plans sponsored by employers, churches, government agencies and multi-employers.
  • Healthcare providers include all providers, regardless of size, who electronically transmit health information.
  • Healthcare clearinghouses are entities that process nonstandard information received from another entity into a standard format or data content. This includes repricing companies, billing services and other networks.
  • Business associates are persons or organizations, other than the employees of the covered entity, that perform specific functions or actions on behalf of covered entities involving the use or disclosure of PHI. They must have a business associate contract in place.

What information is specifically protected?

PHI, or protected health information, includes all individually identifiable health information held or transmitted by a covered entity or business associate in any form. This includes demographic data; the past, present or future physical or mental health or condition of an individual; the health care provided to that individual; and the past, present or future payment for that provision of health care. Anything that identifies the individual, or that can be used to identify them, is off limits.