The Standards for Privacy of Individually Identifiable Health Information, known as the HIPAA Privacy Rule, established the first national standards for the protection of patient health information. The U.S. Department of Health and Human Services (HHS) updated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) with the Privacy Rule in 2003.
The Privacy Rule addresses the use and disclosure of Protected Health Information (PHI) by covered entities under the rule. It sets forth standards for patients’ rights to understand and control how their health information is being used. The rule ensures that individuals’ health information is properly protected while allowing the flow of health information needed to enable high-quality health care.
The HIPAA Privacy Rule applies to health plans, health care clearinghouses, and health care providers who transmit health information in electronic form. It also applies to business associates, persons, or organizations performing or providing functions, services, or activities to a covered entity involved in the use or disclosure of individually identifiable health information. Such activities might include claims processing, data analysis, utilization review, or billing.
The Privacy Rule also specifies that covered entities must include particular protections for identifiable health information in their business associate agreements. This contract designates how PHI will be used, disclosed, and protected by the business associate. Plus, if a security breach occurs, the same penalties apply to business associates as covered entities.
The Privacy Rule secures all protected health information held or transmitted by a covered entity or its business associate. The rule covers all forms of information and media types including electronic, paper, video, or audio. Individually identifiable health information includes such things as name, address, phone number, birth date, social security number, and any patient information that could be used to identify a specific person.
Not only does the HIPAA Privacy Rule define which health information is protected, it designates when and how it should be shared. The disclosure of PHI should only occur for treatment, payment, or health care purposes. Aside from that, any protected health information pertaining to a patient’s past, present, or future physical or mental health cannot be disclosed without authorization by the patient or their legal representative unless it is:
- Required by law
- In the patient’s or public’s best interest
- Being communicated to another HIPAA covered entity who has an existing relationship with the patient.
Regardless of the situation, covered entities are required to comply with the Minimum Necessary Rule. This designates that the minimum amount of protected health information is shared for the specific purpose.
For HIPAA compliance, Federal law requires that all covered entities adhere to not only the HIPAA Privacy Rule but the Security Rule as well as the HITECH Act. If found to be non-compliant with these HIPAA rules by the HHS Office for Civil Rights (OCR)—responsible for implementing and enforcing the Privacy Rule—these entities could face serious fines and penalties. According to the HIPAA Journal, civil penalties range from $100 per violation to $50,000 per violation based on a tiered structure. The annual maximum penalty is $1.5 million. Criminal penalties include fines up to $250,000 up to 10 years in prison, also based on a tiered structure.