HIPAA Privacy Rule essentials

Importance of the HIPAA Privacy Rule

If any covered entity or one of their business associates violates the HIPAA Privacy Rule or the HIPAA regulations, they may be investigated by the Department of Health and Human Services. They could be fined up to $1.5 million if the breach was due to willful neglect and they failed to remedy the situation.

Who is covered by the HIPAA Privacy Rule?

The rule applies to covered entities, business associates, and hybrid entities that handle PHI. (Hybrid entities have only certain activities covered by HIPAA). There are exceptions, such as:

• Insurance providers who offer health insurance as a secondary benefit
• Covered entities that bill their clients directly
• Some employers who self-administer a group health plan

What information is protected?

Any information that can be used to identify a patient is protected. This means any individually identifiable health information and any non-health information contained in the same records (called a designated record set). However, the data is only protected when it is in a designated record set.

In other words, a patient’s social security number is not health information, but it is information that could be used to identify the patient. This non-health data is only protected while included in a PHI database. If that social security number is maintained in a record that does not contain individually identifiable health information, it is no longer protected by the Privacy Rule.

In instances when the rule does not apply, state privacy and security rules may come into play to ensure that data is handled securely. The Privacy Rule applies not only to electronic PHI but also to any physical documents that contain individual health data.

PHI uses and disclosures

The Privacy Rule clarifies in what situations protected health information can be used and disclosed. The two instances when uses and disclosures are mandated include:

• When an individual makes an access request for their own PHI records
• When the HHS requires the information for a compliance review or investigation
  
  

Covered entities are permitted to use and disclose PHI to carry out their normal healthcare-related duties. Sometimes, these permitted uses can become required uses and disclosures under state law. For example, to disclose abuse or neglect.

A final way PHI can legally be used or disclosed is if the individual authorizes it. A common example of this is for marketing purposes. It’s important that the authorization wording is easy to understand and that it is clear how the PHI will be used or disclosed. The document should also clarify when the covered entity will no longer have any control over further disclosures. For example, data that will be published on social media.

Remaining compliant with the HIPAA Privacy Rule

Organizations must draw up privacy policies and procedures that align with the HIPAA Privacy Rule. They also need to appoint a Privacy officer who develops these policies, provides info to individuals requesting their PHI, and handles complaints about the organization’s privacy practices.

Organizations should also train their employees, volunteers and contractors on PHI and privacy policies. The entity must maintain the right administration, policies, procedures, and technical safeguards to keep its patients’ sensitive medical information secure. For example, encrypting emails containing PHI or shredding documents that contain PHI.

Balancing cybersecurity and the immediacy of patient care

Covered entities need to access information and respond to critical care issues quickly. At the same time, they should still focus on their data security protocols. The HIPAA Privacy Rule and HIPAA Security Rule help to focus more on cybersecurity and preventing healthcare data breaches.

A recent US government report revealed that many organizations that handle electronic protected health information don’t have dedicated cybersecurity personnel. And often lack enterprise-wide security and expertise. Healthcare providers must adhere to vital regulations like the HIPAA rules. At the same time, they need to recognize the relationship between cybersecurity and the safety of their patients’ private medical information.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.