The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is providing this technical assistance, not to supplant training required by the Privacy Rule, but as a resource tool to help individuals understand the importance of a carefully designed, delivered, and monitored HIPAA Privacy Rule compliance program.
The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) establish a set of national standards for the protection of certain health information. The US Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Rule addresses the use and disclosure of individuals’ health information — called protected health information (PHI) — by organizations subject to the Privacy Rule — called covered entities — as well as standards for the rights of individuals to understand and control how their health information is used. Within HHS, the Office for Civil Rights (OCR) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties. Enforcement of the Privacy Rule began April 14, 2003, for most HIPAA-covered entities.
A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and protect the public’s health and well-being. The Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing. Given that the healthcare marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.
Covered Entities and Business Associates
Covered entities must follow the HIPAA Privacy Rule. Covered entities include:
Protected Health Information
The Privacy Rule applies to all protected health information, which includes, when held or transmitted by a covered entity, information that:
- Relates to the individual’s past, present, or future physical or mental health or condition; to the provision of health care to an individual; or to past, present, or future payment for the provision of health care to the individual; and
- Identifies the individual or is information for which there is a reasonable basis to believe it can be used to identify the individual.
Protected health information can be in any form — electronic, paper, or oral. It can include financial and demographic information collected from patients.
With the changes as part of the Health Information Technology for Economic and Clinical Health Act (HITECH), it’s probably good to do a HIPAA spring cleaning. The privacy regulation went into effect in 2003, and everybody jumped on the notice. Many have never looked at it since. You probably learned a lot since 2003 and now is the time to revamp the policies, to retrain the staff. — Robert M. Tennant, Medical Group Management Association (MGMA) Senior Policy Advisor
The Privacy Rule does not govern the use or disclosure of health information that does not identify an individual (which can include “de-identified” information). Also, the Privacy Rule does not apply to a covered entity’s own employment records or to education-related and certain other records covered by the Family Educational Rights and Privacy Act (FERPA).
Under the Privacy Rule, covered entities must provide patients with a full notice on how their protected health information is used, disclosed, and protected. This Notice of Privacy Practices specifies patients’ rights and covered entities’ responsibilities.
The notice should include the header required by the Privacy Rule, and should explain, in plain language:
- How the covered entity may use and disclose protected health information about the individual;
- The individual’s rights with respect to the information and how the individual may exercise these rights, including how to file a complaint with the covered entity or with HHS;
- The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information; and
- How the individual can get more information about the covered entity’s privacy policies.
In addition to providing this notice at the initial visit, a covered entity must make its notice available to any patient upon request. This is only a general summary of some of HIPAA’s requirements. Providers must refer to the Rule for more specific information.