The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. In addition, it issued the HIPAA Security Rule to protect the integrity of patient health information in electronic form by preventing improper access, exfiltration, modification or deletion.
HIPAA Privacy Rule
The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information” or “PHI”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.
Covered Entities under HIPAA Privacy Rule
The following types of individuals and organizations are subject to the Privacy Rule and considered covered entities:
- Healthcare providers: Every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule.
- Health plans: Entities that provide or pay the cost of medical care. Health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare Advantage HMOs, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans.
  - Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.
- Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard format or data content, or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.
In addition, HIPAA imposes special duties on so-called “business associates,” which are any person or organization that contracts to provide services to a covered entity that require it to have access to individually identifiable health information held by the covered entity in order to provide the services. Services performed by business associates include claims processing, data analysis, utilization review, and billing.
Permitted Uses and Disclosures under HIPAA Privacy Rule
A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:
- Treatment, payment, and healthcare operations
- Incident to an otherwise permitted use and disclosure
- Public interest and benefit activities: The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes:
  - When required by law
  - Public health activities
  - Victims of abuse, neglect, or domestic violence
  - Health oversight activities
  - Judicial and administrative proceedings
  - Law enforcement
  - Functions (such as identification) concerning deceased persons
  - Cadaveric organ, eye, or tissue donation
  - Research, under certain conditions
  - To prevent or lessen a serious threat to health or safety
  - Essential government functions
  - Workers’ compensation
- Limited dataset for research, public health, or healthcare operations
Covered entities should rely on professional ethics and best judgment when considering requests for these permitted uses and disclosures.
Patient Rights under Privacy Rule
In addition, a patient has the following rights under the HIPAA Privacy Rule:
- The right to receive a notice of the covered entity’s privacy practices
- The right to request that health information not be disclosed in certain circumstances
- The right to have access to the patient’s own health information
- The right to amend the patient’s health information in certain circumstances
- The right to an accounting of disclosures of the patient’s health information
HIPAA Security Rule
While the HIPAA Privacy Rule safeguards the confidentiality of PHI, the Security Rule protects the integrity of PHI that is in electronic form (“ePHI”). To comply with the HIPAA Security Rule, all covered entities must do the following:
- Ensure the confidentiality, integrity, and availability of all ePHI
- Detect and safeguard ePHI against anticipated threats to the security of the information
- Protect ePHI against anticipated impermissible uses or disclosures
- Certify compliance by workforce with requirements for the protection of ePHI
The HHS Office for Civil Rights enforces HIPAA rules, and all complaints should be reported to that office. HIPAA violations may result in civil monetary or criminal penalties.
For more information, visit the Department of Health and Human Services HIPAA website.