This section will cover the HIPAA Privacy Rule which set the standards for the protection of an individual’s identifiable health information while guaranteeing the flow of that information within the healthcare system. This video will discuss who the Privacy Rule applies to, what information is protected by this rule, how this information is authorized to be used and what the minimum necessary standard is. It will also discuss how this rule is enforced, who enforces it and what the potential penalties are for violations.
In this video we will go through everything that you need to know about the first rule addition to HIPAA which was the Privacy Rule. This rule is a set of national standards designed to ensure protection of certain identifiable health information. The privacy rule gives each person rights to their identifiable health information, and provides a framework of rules for who is authorized to view or share that information. A major goal of the Privacy Rule is to ensure that an individual’s health information is adequately protected, while still allowing the necessary flow of health information required to promote high-quality health care.
So you may be wondering who all is covered by the Privacy Rule? HIPAA requires both covered entities and their business associates to comply with the Privacy Rule. A covered entity is any organization that is directly involved with the treatment, healthcare operations or payment processes for healthcare services. On the other hand, business associates are vendors that are hired by covered entities to provide a service or function that requires them to use or disclose personally identifiable health information. Covered entities include health plans, such as health insurers or HMOs, health care providers, such as physicians and dentists, and healthcare clearinghouses. Business associates can be any person or organization that does not work for a covered entity but creates, receives, maintains, or transmits PHI on behalf of a covered entity. Common business associates include shredding companies, lawyers, medical transcription companies and even accountants. All of these organizations have to safeguard PHI, or protected health information.
Protected health information (PHI) is any individually identifiable health information that is sent or kept in any form -- electronic, oral or written -- where the information is created or received by a health care provider, health plan, employer, or health care clearinghouse. This information might relate to the health or condition of an individual, the healthcare treatment that they are given or the payment for any healthcare services. Any health information is considered PHI if there is a reasonable basis to believe that it can be used to identify an individual. Examples of individual identifiers include patient names, geography, such as a street address or city, dates except years, like a birthday or admission date, and even telephone numbers.
Uses and disclosures are another important element of the Privacy Rule. Under the Privacy Rule, covered entities and their business associates can only use protected health information for employment, application, examination, or analysis within their organization. There are only two situations where an organization is required to disclose PHI. First to an individual or their personal representatives when they request access to their PHI, and second, to HHS for purposes of compliance investigation or review. The HIPAA Privacy Rule permits the use or disclosure without the patient’s authorization for the following purposes -- treatment, payment, and health care operations. Treatment involves providing, coordinating, or managing health care and related services. Payment includes billing and collection activities, determining plan eligibility or coverage, and managing claims.
And lastly, health care operations refer to the administrative activities involved in running the business of a covered entity. Covered entities must get an individual’s authorization for uses and disclosures of PHI for any purposes other than these treatment, payment, and health care operations. The authorization must be in writing, and the form must include certain elements required by HIPAA. The Privacy Rule requires covered entities to make reasonable efforts to use, disclose, or request PHI only to the minimum amount necessary to still accomplish the intended purpose of the use, disclosure or request. HIPAA provides individuals with certain rights with respect to their PHI, including the right to access, review, and obtain copies of their PHI, the right to amend or have changes made to errors in their PHI, the right to request a list of disclosures of PHI by covered entities or business associates, and the right to request restrictions on the use or disclosure of PHI.
Organizations are also required to comply with the administrative requirements of the Privacy Rule, including adopting policies and procedures that appropriately protect the privacy of PHI, appointment of a privacy officer who will oversee and be responsible for the organization’s privacy policies and procedures, workforce training on HIPAA compliance, and business associate agreements with any entity that you’re either sharing health information with or receiving health information from. The Office of Civil Rights of HHS is charged with enforcing HIPAA and the Privacy Rule, and they can investigate covered entities and business associates, respond to complaints, and impose penalties for noncompliance. Entities and individuals may be subject to either civil or criminal penalties for violating the HIPAA regulations. Currently, civil penalties can range from $100 to $50,000 per violation, with caps off at $1.5 million for identical violations each year. And that’s all for the Privacy Rule. But get ready, because next up is the Security Rule.