The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement HIPAA requirements. The HIPAA Security Rule protects a subset of the information covered by the Privacy Rule.

HIPAA Privacy Rule

The Privacy Rule standards address the use and disclosure of individuals' health information (known as protected health information, or PHI) by entities subject to the Privacy Rule. These individuals and organizations are called "covered entities."

The Privacy Rule also contains standards for individuals' rights to understand and control how their health information is used. One of the primary goals of the Privacy Rule is to ensure that individuals' health information is appropriately protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public's health and well-being. The Privacy Rule permits important uses of information while protecting the privacy of people who seek care and healing.

Covered Entities

The following types of individuals and organizations are subject to the Privacy Rule and are considered covered entities:

- Health care providers: Every health care provider, regardless of practice size, that electronically transmits health information in connection with certain transactions. These transactions include:
  - claims
  - benefit eligibility inquiries
  - referral authorization requests
  - other transactions for which HHS has established standards under the HIPAA Transactions Rule
- Health plans: Health plans include:
  - health, dental, vision and prescription drug insurers
  - health maintenance organizations (HMOs)
  - Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers
  - long-term care insurers (excluding nursing home fixed-indemnity policies)
  - employer-sponsored group health plans
  - government- and church-sponsored health plans
  - multi-employer health plans

  Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.
- Health care clearinghouses: Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, health care clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or health care provider as a business associate.
- Business associates: A person or organization (other than a member of a covered entity's workforce) that uses or discloses individually identifiable health information to perform or provide functions, activities or services for a covered entity. These functions, activities or services include:
  - claims processing
  - data analysis
  - utilization review
  - billing

Permitted Uses and Disclosures

The law permits, but does not require, a covered entity to use and disclose PHI, without an individual's authorization, for the following purposes or situations:

- Disclosure to the individual (if the information is required for access or accounting of disclosures, the entity must disclose it to the individual)
- Treatment, payment and health care operations
- Opportunity to agree or object to the disclosure of PHI
  - An entity can obtain informal permission by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce or object
- Incident to an otherwise permitted use and disclosure
- Limited data set for research, public health or health care operations
- Public interest and benefit activities: The Privacy Rule permits use and disclosure of PHI, without an individual's authorization or permission, for 12 national priority purposes:
  - when required by law
  - public health activities
  - victims of abuse or neglect or domestic violence
  - health oversight activities
  - judicial and administrative proceedings
  - law enforcement
  - functions (such as identification) concerning deceased persons
  - cadaveric organ, eye or tissue donation
  - research, under certain conditions
  - to prevent or lessen a serious threat to health or safety
  - essential government functions
  - workers' compensation

Covered entities must rely on professional ethics and best judgment when considering requests for these permissive uses and disclosures. The HHS Office for Civil Rights enforces the HIPAA rules, and all complaints should be reported to that office. HIPAA violations may result in civil monetary or criminal penalties.

For more information, visit the HHS HIPAA website.

HIPAA Security Rule

While the HIPAA Privacy Rule safeguards PHI, the Security Rule protects a subset of the information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. This information is called electronic protected health information, or e-PHI. The Security Rule does not apply to PHI transmitted orally or in writing.

To comply with the HIPAA Security Rule, all covered entities must:

- Ensure the confidentiality, integrity and availability of all e-PHI
- Detect and safeguard against anticipated threats to the security of the information
- Protect against anticipated impermissible uses or disclosures that are not allowed by the rule
- Certify compliance by their workforce