The HIPAA Privacy Rule represents the first complete federal law providing broad protections for the privacy of health information across the entire healthcare industry. All major stakeholders in healthcare have voiced support for the goal of improving privacy safeguards for patients within the healthcare system. The Privacy Rule aims to strike a careful balance between instituting robust safeguards to protect patient privacy while not obstructing patients' access to quality healthcare or the delivery of needed health services. As modified over time, the Rule attempts to establish meaningful standards for keeping patient health information private without disrupting healthcare provision.
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 with the aim of reforming the healthcare industry and improving insurance coverage access and affordability. One major provision of HIPAA was requiring the Department of Health and Human Services (HHS) to establish national standards for safeguarding medical information and patient privacy. This led to HHS issuing the HIPAA Privacy Rule in 2000.
The Privacy Rule applies to the following covered entities and to the business associates that work on their behalf:
Health Plans: This includes health insurance companies, HMOs, company health plans, and government programs that pay for healthcare, such as Medicare and Medicaid.
Healthcare Providers: Any provider that conducts healthcare transactions electronically is covered, including doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.
Healthcare Clearinghouses: These are entities that process nonstandard health information from providers into a standard format for insurance claims, such as billing services or community health information systems.
Business Associates: Any person or organization that provides services to a covered entity involving access to protected health information is also covered as a business associate. Examples include IT vendors, accountants, consultants, and medical transcriptionists.
Health Plan Sponsors: An employer is covered by HIPAA if it sponsors a group health plan for its employees.
The health information protected under HIPAA is any information that both identifies the individual and relates to their health, their healthcare, or payment for that care. Healthcare organizations must safeguard this protected health information (PHI) according to the requirements of the Privacy Rule:
Protected health information (PHI) - This includes information that identifies the individual and relates to their past, present, or future physical or mental health conditions, provision of healthcare, or payment for healthcare. This could include names, dates, diagnoses, treatment information, etc.
Individually identifiable health information - This is health information that identifies the individual, or that can be used to identify the individual, and links them to their health information. It covers the same types of information as PHI.
The Privacy Rule establishes a general principle limiting the use and disclosure of PHI, and then lays out the permitted uses and disclosures for treatment, payment, healthcare operations, and public interest activities under defined conditions:
General principle - PHI cannot be used or disclosed by covered entities except as permitted or required by the Privacy Rule.
Treatment, payment, and healthcare operations - PHI can be used or disclosed for treatment, payment, and healthcare operations activities without patient authorization.
Disclosures to the individual - PHI can be disclosed to the individual who is the subject of the information.
Authorized disclosures - PHI can be disclosed with the valid written authorization of the individual. This authorization must include specified elements and the individual can revoke it at any time.
Public interest and benefit permitted disclosures - PHI can be disclosed without authorization for certain public interest activities like public health, research, health oversight, law enforcement, judicial/administrative proceedings, deceased persons, and organ donation. Specific conditions must be met for these disclosures.
Limited data sets - A limited data set (PHI with certain identifiers removed) can be disclosed for research, health oversight, and public health purposes with a data use agreement.
Incidental disclosures - Incidental disclosures that occur as a by-product of a permitted use or disclosure are not violations, provided the covered entity applies reasonable safeguards to limit them.
Minimum necessary standard - When using, disclosing, or requesting PHI, covered entities must make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose. Some exceptions apply.