HIPAA Privacy Rule basics
The Privacy Rule is an important part of HIPAA that helps healthcare organizations protect data. Before we explain the Privacy Rule and how to follow it, here is some background on HIPAA:
HIPAA is a federal law. It was created to:
- Improve continuity and portability of health insurance coverage. Portability means insurance coverage is maintained when an individual takes a job with a new employer.
- Combat waste, fraud, and abuse in health insurance and health care delivery. This includes implementing the Privacy Rule, Security Rule, and Breach Notification Rule.
- Promote the use of medical savings accounts by standardizing the amount a person may save in a pre-tax savings account.
- Improve access to long-term care services and coverage. This includes coverage of individuals with pre-existing conditions.
- Clarify tax deductions for employers and other tax revenue items.
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191). It has five parts, or titles. These go along with the above-mentioned purposes of HIPAA:
- Title I: Health Care Access, Portability, and Renewability
- Title II: Preventing Health Care Fraud and Abuse, Administrative Simplification, Medical Liability Reform
- Title III: Tax-Related Health Provisions
- Title IV: Application and Enforcement of Group Health Plan Requirements
- Title V: Revenue Offsets
What is the HIPAA Privacy Rule?
The Privacy Rule establishes standards to protect an individual’s medical records and other protected health information (PHI). It governs the uses and disclosures of PHI, defines an individual’s rights to access their own records, and regulates how their medical information is used.
The HIPAA Privacy Rule is described in the following locations in the CFR:
- Part 160 – General Administrative Requirements
- Part 164 – Security and Privacy
  - Subpart A – General Provisions (§§ 164.102 - 164.106)
  - Subpart E – Privacy of Individually Identifiable Health Information (§§ 164.500 - 164.534)
The Privacy Rule aims to ensure that an individual’s health information is properly protected. At the same time, it allows access to the information needed to ensure high-quality health care for patients and to protect the public. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who require health care services.
The HIPAA Privacy Rule:
- Clarifies and supports patient rights in regards to their health information
- Spells out administrative responsibilities
- Examines the need for and implementation of privacy policies and procedures
- Details the permissible uses and disclosures of patient data
- Discusses written agreements between covered entities and business associates
- Describes a covered entity’s responsibilities to train workforce members and implement requirements regarding their use and disclosure of PHI
- Applies to all forms of individuals' protected health information, whether electronic, written, or oral
HIPAA Privacy Rule Gaps
When it comes to the HIPAA Privacy Rule, healthcare organizations might think they have everything covered. You likely have your privacy practices posted throughout your workplace and believe that instances where employees leak PHI to the public are rare.
However, finding where PHI exists in an organization can be a complex effort, especially when that information is digital. Making sure PHI is secured from improper disclosure often requires expert help. For example, it’s not uncommon for healthcare providers to leave out the following in their policies, procedures, or risk analyses:
- Social media: Employees should never post patient photos or any patient information on any social media platform (e.g., Twitter, Facebook, LinkedIn)
- Employees illegally accessing PHI: Employees should not be able to access PHI that they don’t need to know about for patient care (e.g., accessing celebrity PHI)
If covered entities or their employees do intentionally obtain or disclose PHI in violation of the HIPAA Privacy Rule, penalties are serious. Organizations can be assessed civil monetary penalties up to $50,000 per violation with a penalty cap of $1.5 million for multiple violations of an identical requirement in a calendar year.
Criminal penalties are also possible. A person who knowingly obtains or discloses PHI may face a criminal penalty of up to $50,000 and up to one year of imprisonment. These increase to $100,000 and up to five years of imprisonment if PHI is obtained or disclosed under false pretenses, and to $250,000 and up to 10 years of imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule.
How to legally share PHI
First, make sure you have policies and procedures established that clearly describe how you share PHI. Second, be aware that you are required to disclose PHI under some circumstances, for instance when:
- The individual or their representative requests the information
- The Department of Health and Human Services (HHS) performs a compliance investigation or review
You’re allowed (but not required) to use and disclose PHI without an individual’s authorization under the following situations:
- PHI is disclosed to the patient (except as described under required disclosures)
- PHI is used for treatment, payment, or healthcare operations
- PHI is shared when the individual has the opportunity to agree or object
- PHI is incidentally used and disclosed—for example, during lobby communication with patients in emergency situations
- PHI is used or disclosed for one of the 12 “national priority” purposes, which include:
  - Required by law
  - Public health activities
  - Victims of abuse, neglect, or domestic violence
  - Health oversight activities
  - Judicial and administrative proceedings
  - Law enforcement purposes
  - Cadaveric organ, eye, or tissue donation
  - Serious threat to health or safety
  - Essential government functions
  - Workers’ Compensation
There are some exceptions to these rules. For example, disclosures of psychotherapy notes require written authorization from patients. Also, you typically must receive patient authorization to use and disclose PHI for marketing purposes, unless it fits within HIPAA exceptions.
Other tips for following the HIPAA Privacy Rule
Understand “Minimum Necessary.” The Minimum Necessary requirement is a core principle of the Privacy Rule. It states that only those who need to see PHI to do their jobs should get to see it: unless a workforce member has a specific need for the information, access must be restricted. For example, a receptionist probably doesn’t need to see a patient’s X-rays to do their job.
Limit access to PHI. This should be accomplished through a combination of policies (describing intent), procedures (outlining how access should take place), and tools that restrict access to electronic PHI.
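The following Python is an added illustration of the Minimum Necessary and limit-access points above, and of the earlier gap about employees viewing PHI they have no care-related need for. It is example code written for this page, not SecurityMetrics' own tooling or any regulator's specification. It maps each workforce role to the PHI categories it needs, additionally requires clinical roles to have an active treatment relationship with the patient, and records every decision in an audit trail so that need-to-know violations can be reviewed afterwards. The role names, PHI categories, and patient data are constructed assumptions, not a regulatory list.

```python
"""
Minimum-necessary access control for PHI: a worked example.

Constructed example (not from the article or any product): each workforce
role is mapped to the PHI categories it needs for its job, clinical roles
additionally need an active treatment relationship with the patient, and
every request is written to an audit trail so that need-to-know
violations (e.g. browsing records of a patient one is not treating) can be
detected afterwards.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# PHI categories a role may see. Constructed mapping, not a regulatory list.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "receptionist": {"demographics", "scheduling"},
    "billing": {"demographics", "billing"},
    "nurse": {"demographics", "scheduling", "vitals", "medications"},
    "physician": {"demographics", "scheduling", "vitals", "medications", "imaging", "notes"},
}

# Roles whose access is justified only by an active treatment relationship.
CLINICAL_ROLES = {"nurse", "physician"}


@dataclass
class User:
    user_id: str
    role: str
    # Patient IDs this user is currently treating (assumed to come from the EHR).
    treating: Set[str] = field(default_factory=set)


@dataclass
class PatientRecord:
    patient_id: str
    # category -> data; categories mirror the values in ROLE_PERMISSIONS.
    data: Dict[str, object]


@dataclass
class AuditEvent:
    user_id: str
    patient_id: str
    category: str
    allowed: bool
    reason: str


# In a real system this would be an append-only log store; a list suffices here.
AUDIT_LOG: List[AuditEvent] = []


def authorize(user: User, record: PatientRecord, category: str) -> bool:
    """Decide whether `user` may read `category` of `record`, and log the decision."""
    allowed_categories = ROLE_PERMISSIONS.get(user.role, set())
    if category not in allowed_categories:
        allowed, reason = False, f"role {user.role!r} has no need for {category!r}"
    elif user.role in CLINICAL_ROLES and record.patient_id not in user.treating:
        allowed, reason = False, "no treatment relationship with patient"
    else:
        allowed, reason = True, "within minimum necessary for role"
    AUDIT_LOG.append(AuditEvent(user.user_id, record.patient_id, category, allowed, reason))
    return allowed


def minimum_necessary_view(user: User, record: PatientRecord) -> Dict[str, object]:
    """Return only the categories of the record the user is authorized to see."""
    return {cat: val for cat, val in record.data.items() if authorize(user, record, cat)}


def denied_events(user_id: str) -> List[AuditEvent]:
    """Denied accesses by one user: the raw material for a need-to-know review."""
    return [e for e in AUDIT_LOG if e.user_id == user_id and not e.allowed]


if __name__ == "__main__":
    # Constructed sample chart and users.
    chart = PatientRecord("P-1001", {
        "demographics": {"name": "Jane Example", "dob": "1980-01-01"},
        "scheduling": {"next_visit": "2024-06-01"},
        "vitals": {"bp": "120/80"},
        "imaging": ["chest-xray-001"],
    })
    front_desk = User("u-recep", "receptionist")
    print(minimum_necessary_view(front_desk, chart))   # demographics and scheduling only
    print(authorize(front_desk, chart, "imaging"))     # False, and a denial is logged
    for event in denied_events("u-recep"):
        print(event)
```

The filter-then-return shape of `minimum_necessary_view` matters: the application never hands a full chart to a view layer and trusts it to hide fields, so a receptionist's session cannot reach imaging even through a bug in the UI. Logging the allowed decisions alongside the denials lets a reviewer spot a clinician who repeatedly looks up patients they are not treating, which is the celebrity-record scenario the page warns about.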
Jen Stone (MSCIS, CISSP, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.