What is the HIPAA privacy rule?

Have you ever wondered how your personal health information is protected when you visit a doctor or hospital? The HIPAA Privacy Rule is the cornerstone of healthcare data privacy in the United States. It sets out the rules that healthcare providers, health plans, and other covered entities must follow when they use or disclose sensitive patient information. In this blog post, we'll dive into the details of the HIPAA Privacy Rule and explore its importance in today's digital age.

What Is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. This is landmark federal legislation that, among other things, sets national standards for protecting patient information and privacy. The term HIPAA has become shorthand for the HIPAA Privacy Rule and for patient privacy in general.

What Is the Privacy Rule?

The Privacy Rule implements the privacy protections required by HIPAA. Its purpose is to ensure that only those who need access to medical information can obtain it, while still letting that information move to those who do need it: for example, between insurers and providers, or between providers and pharmacies.

This balance is essential to HIPAA. Information must move, but not improperly, and not in a way that violates patient privacy. Information that remains static and doesn’t reach the necessary healthcare providers harms patients. Information that moves too freely violates patient privacy, harming patients. The goal of the HIPAA Privacy Rule is to reduce or eliminate both harms.

However, the Privacy Rule applies only to covered entities (and, through business associate agreements, to the business associates that handle data on their behalf) and to their use and disclosure of protected health information. These two concepts, covered entities and protected health information, are key to understanding the Privacy Rule.

What Are Covered Entities?

A covered entity is an individual, institution, or organization that transmits health information electronically in connection with certain transactions for which the Department of Health and Human Services (HHS) has published standards.

Essentially, any entity in the healthcare industry that keeps electronic records and transmits them electronically for billing, insurance claims, eligibility checks, or other standard transactions is a covered entity under HIPAA.

Covered entities include:

Health plans. This includes general health plans as well as vision and dental plans, plus government programs such as Medicaid and Medicare. This is a very inclusive category. The main exception is a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains it; such a plan is not a covered entity.

Healthcare providers. This category includes your family doctor, hospitals, specialists, dentists, ophthalmologists, and anyone else providing healthcare. As the HHS states,

“Every healthcare provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule. Using electronic technology, such as email, does not mean a healthcare provider is a covered entity; the transmission must be in connection with a standard transaction” (1).

So it's the electronic transmission of a standard transaction (a claim, an eligibility inquiry, a referral authorization, and so on) that makes a provider a covered entity. Simply using electronic technology such as email does not, on its own, trigger the Privacy Rule.

Healthcare clearinghouses. The HHS defines healthcare clearinghouses as,

“…entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate. In such instances, only certain provisions of the Privacy Rule are applicable to the healthcare clearinghouse's uses and disclosures of protected health information. Healthcare clearinghouses include billing services, repricing companies, community health management information systems, and value-added networks and switches if these entities perform clearinghouse functions” (1).

Business associates. Business associates are people or businesses that provide a service to a covered entity and receive protected health information in the course of doing so. They may provide billing, clerical, claims processing, data analysis, or other services to a covered entity. Business associates are not covered entities themselves, but the covered entity must bind them by a written business associate agreement, and they are directly responsible for complying with the Privacy Rule provisions that apply to them.

What Is Protected Health Information?

The HHS defines protected health information as individually identifiable health information, including demographic data, that relates to (1):

  • the individual's past, present, or future physical or mental health or condition,
  • the provision of healthcare to the individual, or
  • the past, present, or future payment for the provision of healthcare to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

Whether such information is on paper, in electronic form, or spoken aloud, if it relates to a person's health, care, or payment for care and can identify that person, it is protected health information and thus covered by the HIPAA Privacy Rule.

What About De-Identified Health Information?

There are no restrictions on the use or disclosure of de-identified health information. If there is no reasonable basis to identify the person, the HIPAA Privacy Rule and HIPAA compliance guidelines do not apply. The Privacy Rule recognizes two ways to reach that state: removing a specified list of eighteen identifiers (names, dates other than year, geographic detail smaller than a state, contact details, account and record numbers, device and network identifiers, biometrics, photographs, and any other unique identifying number) with no actual knowledge that what remains could identify the individual, or a documented determination by a qualified expert that the risk of re-identification is very small. Note that de-identification is a property of a particular dataset, not of a field list: data stripped of names can still be re-identified by linking it with other records, so the question is always whether a reasonable basis to identify someone remains, not merely whether names were removed.
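The following is an added illustration of the first of those two methods, Safe Harbor de-identification, applied to a constructed patient record; it is not code from the original post or from HHS. The field names, the sample record, and the small placeholder set of low-population ZIP prefixes are all assumptions made for the example; a real implementation would take the ZIP prefixes from Census data and the schema from the actual system.

```python
"""Safe Harbor style de-identification of a single patient record.

Added example, not from the original post. Applies the identifier removal
rules of the Safe Harbor method to a constructed record and then re-checks
the result for anything that slipped through (for instance, an SSN typed
into a free-text clinical note).
"""
import re
from datetime import date

# Hypothetical field names; a real schema will differ.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "photo", "biometric",
}
# Dates tied to the individual are reduced to the year only.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Three-digit ZIP prefixes covering 20,000 people or fewer become "000".
# Constructed placeholder set; the real list comes from Census data.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}

# Identifiers that leak into free text (clinical notes, comments).
TEXT_PATTERNS = [
    (re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"(?<!\d)\d{4}-\d{2}-\d{2}(?!\d)"), "[DATE]"),
]


def _age_on(birth: date, today: date) -> int:
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def _scrub_text(text: str) -> str:
    for pattern, label in TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, today_iso: str) -> dict:
    """Return a Safe Harbor de-identified copy of record.

    today_iso is the reference date (YYYY-MM-DD) used to compute age, so the
    result is reproducible; ages over 89 collapse to "90+" and the birth year
    is dropped for those individuals.
    """
    today = date.fromisoformat(today_iso)
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                  # drop outright
        if key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = date.fromisoformat(value).year
            continue
        if key == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3
            continue
        out[key] = _scrub_text(value) if isinstance(value, str) else value
    if "birth_date" in record:
        age = _age_on(date.fromisoformat(record["birth_date"]), today)
        if age > 89:
            out["age"] = "90+"
            out.pop("birth_year", None)               # year would reveal age
        else:
            out["age"] = age
    return out


def residual_identifiers(record: dict) -> list:
    """List Safe Harbor problems still present; an empty list means none found."""
    problems = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            problems.append(f"direct identifier present: {key}")
        if key in DATE_FIELDS:
            problems.append(f"full date present: {key}")
        if key == "zip":
            problems.append("full ZIP code present")
        if isinstance(value, str):
            for pattern, label in TEXT_PATTERNS:
                if pattern.search(value):
                    problems.append(f"{label} pattern in field {key}")
    if isinstance(record.get("age"), int) and record["age"] > 89:
        problems.append("age over 89 not aggregated")
    return problems


# Constructed sample record; every value is made up for the example.
SAMPLE = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0042",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "birth_date": "1931-03-14",
    "admission_date": "2024-05-20",
    "zip": "03601",
    "diagnosis": "Type 2 diabetes",
    "notes": "Daughter (617) 555-0143 to be called; prior visit 2023-11-02. "
             "SSN on file 123-45-6789.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE, "2024-06-01")
    print(cleaned)
    print("residual problems:", residual_identifiers(cleaned))
```

What the check does not do matters as much as what it does: it verifies only the Safe Harbor identifier list, so it cannot tell you whether a rare diagnosis combined with an admission year and a three-digit ZIP still singles someone out. That judgment is what the second method, Expert Determination, exists for, and it is why the "no actual knowledge" condition is part of Safe Harbor rather than a formality.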

What Is the Basic Principle of HIPAA?

In understanding HIPAA privacy regulations, it helps to keep in mind their larger purpose. As the HHS says, the Privacy Rule acts,

“…to define and limit the circumstances in which an individual's protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual's personal representative) authorizes in writing.”

By defining and limiting the spread of protected health information, HIPAA protects patients.

Who Is in Charge of Enforcing the Privacy Rule?

The Department of Health and Human Services, Office for Civil Rights (OCR), is responsible for enforcing the Privacy Rule. As part of administering and enforcing its standards, OCR can conduct compliance investigations and reviews. As the HHS states,

“Consistent with the principles for achieving compliance provided in the Privacy Rule, OCR will seek the cooperation of covered entities and may provide technical assistance to help them comply voluntarily with the Privacy Rule. Covered entities that fail to comply voluntarily with the standards may be subject to civil money penalties. In addition, certain violations of the Privacy Rule may be subject to criminal prosecution.”

What Uses and Disclosures of Protected Health Information Are Permitted?

Quite a few, actually. Naturally, such information can be disclosed to the individual upon request. A covered entity can also use or disclose such information for treatment, payment, or healthcare operations without the patient's written authorization. There are a plethora of other situations that may permit disclosure, such as certain requests from law enforcement, organ donation, public health reporting, or research.

However, to stay in accordance with the healthcare privacy laws, such disclosures should always be as minimal as possible. As the HHS states,

“A central aspect of the Privacy Rule is the principle of ‘minimum necessary’ use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.”

For a lengthier explanation of the rules and standards of HIPAA, see the HHS’s page.

Need to polish or renew your HIPAA certification? We offer a plethora of courses that can be taken seamlessly online at your convenience. Elevate your healthcare career and ensure compliance with our specialized HIPAA and OSHA courses tailored for professionals like you. From HIPAA refreshers to advanced cybersecurity, our CEU-accredited programs cover everything you need to excel in your role. Start your journey to excellence—Enroll Now!

References:

"Summary of the HIPAA Privacy Rule." HHS.gov. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.