In a Nutshell: What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule, or the Standards for Privacy of Individually Identifiable Health Information as it is formally known, was enacted under Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as a part of its Administrative Simplification rules. Enforcement of the HIPAA Privacy Rule is governed by the Office of Civil Rights (OCR), an arm of the U.S. Department of Health and Human Services (HHS).
The HIPAA Privacy Rule details regulations that health care/plan entities must follow in order to balance the protection of health information of individuals with the ability to obtain that information to provide high quality health care.
Before the HIPAA Privacy Rule was enacted, there was no comprehensive federal protection for the privacy of health information.
HIPAA was enacted on August 21, 1996; the HIPAA Privacy Rule was published on December 28, 2000, with compliance required by April 14, 2001. After HHS received over 52,000 comments on the confusion and complexity of complying with the Privacy Rule, a modified HIPAA Privacy Rule was published on August 14, 2002, with compliance required by April 14, 2003. For small health plans, compliance was required by April 14, 2004.
HIPAA is sometimes referred to as the Kassebaum-Kennedy Act, or the Kennedy-Kassebaum Act, in reference to the two Senators who led the sponsoring of the Act.
Why does the HIPAA Privacy Rule exist?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on August 21, 1996. The goal of HIPAA was to achieve the following in the realm of health care:
- improve portability and continuity of health insurance coverage in group and individual markets
- combat waste, fraud, and abuse in health insurance and health care delivery
- maintain the privacy and security of health information of individuals
- increase the efficiency of the health care system by standardizing the use and dissemination of health information of individuals
- promote the use of medical savings accounts
- improve access to long-term care services and coverage
- simplify the administration of health insurance
Prior to HIPAA, health information was essentially free to be distributed amongst a variety of different entities – many of which had nothing to do with your health – with neither notice to nor consent of the individual to whom the health information belonged. While some individuals may be okay with the idea that their health information is distributed, even without consent, amongst doctors who are in charge of their health, almost all individuals would have a problem with the idea that their health information would be shared with their home mortgage lender so that the lender can make a decision as to whether or not to approve a mortgage loan.
In the post-HIPAA age, the idea of sharing health information with a home mortgage lender so that the lender could use that information to make a decision on whether or not to approve a mortgage loan seems rather insane – but that is exactly the type of activity that was legally allowed before HIPAA was enacted. And so, legislators found value in passing legislation that protected the health information of individuals.
In order to achieve the third and fourth goals on the list above, HIPAA mandated that the U.S. Department of Health and Human Services (HHS) issue Administrative Simplification provisions. Because health information was being shared electronically more and more, the issuance of the provisions included the need for the standardization of the electronic exchange, privacy, and security of individually identifiable health information within 3 years of HIPAA enactment.
The goal of the standardization was to:
- protect and secure health information of individuals
- allow for the efficient sharing of health information of individuals in order to provide high quality healthcare
The responsibility of issuing this standardization fell to Congress. In the event that Congress did not issue this standardization in time, the responsibility of doing so was to fall on the Secretary of the HHS.
After Congress failed to issue the standardization of the electronic exchange, privacy, and security of individually identifiable health information in time, the HHS issued the Privacy Rule, implementing the standardization, on December 28, 2000 as a part of the Administrative Simplification provisions. Compliance was required by April 14, 2001.
After receiving over 52,000 public comments over the confusing nature of how to comply with the complex Privacy Rule, the HHS issued a modified Privacy Rule on August 14, 2002. Compliance for the modified Privacy Rule was required by April 14, 2003.
To be thorough, there are 6 standards and rules that are included within HIPAA’s Administrative Simplification provisions:
- Privacy Rule
- Security Rule
- Enforcement Rule
- Breach Notification Rule
- Identifier Standards
- Transactions and Code Set Standards
The HIPAA Privacy Rule is what most people are referring to when talking about HIPAA. Although the rest of the Administrative Simplification provisions as well as the rest of HIPAA are important and necessary, the Privacy Rule contains the majority of compliance regulations, which is why the Privacy Rule is being discussed on this page.
In order to comprehensively protect the health information of individuals, the following are regulated by the HIPAA Privacy Rule:
- appropriate safeguards to protect the privacy of personal health information
- limits and conditions on the uses and disclosures that may be made of personal health information without patient authorization
- patients’ rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections
- civil and criminal penalties imposed on violators if they violate patients’ rights
- the disclosure of some forms of health data when it is required for public responsibility – for example, to protect the health of the general public
The Details: HIPAA Privacy Rule Requirements & Compliance
The HIPAA Privacy Rule can be broken down into two main parts:
- WHO NEEDS TO COMPLY: covered entities
- HOW TO COMPLY: by protecting all protected health information (PHI)
The businesses that need to comply with the HIPAA Privacy Rule are considered ‘covered entities’. What a covered entity is and how to determine whether or not your business is a covered entity is discussed in the section below.
This section will discuss how to successfully comply with the HIPAA Privacy Rule by protecting all PHI.
Protecting PHI can be broken down into two steps:
- Determining what PHI is
- Knowing when + to whom PHI can be disclosed
What is protected health information (PHI)?
Protected health information (PHI) is defined as any information, including demographic data, that identifies or has a reasonable basis to identify an individual and relates to the individual’s:
- past, present, or future physical or mental health or condition
- provision of health care
- past, present, or future payment for the provision of health care
The HIPAA Privacy Rule requires that all PHI that is held or transmitted, in any form or media, whether electronic, paper, or oral, be protected. The term ‘protected health information’ is often used interchangeably with the term ‘individually identifiable health information’. To be safe, just about anything related to a patient’s medical history should be considered PHI.
Examples of PHI include:
- Social Security number
What health information is not protected by the HIPAA Privacy Rule?
The following lists the types of health information, and the situations in which health information is not protected by the HIPAA Privacy Rule:
- De-identified health information: health information that neither identifies nor provides a reasonable basis on which to identify an individual; health information can be de-identified by:
∙ a formal determination by a qualified statistician
∙ the removal of specified identifiers of the individual, the individual’s relatives, household members, and employers
- Employment records, education, and certain other records that are maintained under the capacity of an employer and are subject to the Family Educational Rights and Privacy Act
When + to Whom can Protected Health Information (PHI) be disclosed?
Covered entities are not permitted to share PHI without the written authorization of the individual to whom the PHI belongs. However, under the following 6 circumstances, PHI can be disclosed without the written authorization of the individual:
- When PHI is disclosed to the individual to whom the PHI belongs
- If covered entities have or had a relationship with the individual to whom PHI belongs, PHI pertaining to the treatment, payment, and health care operations activities may be disclosed between the covered entities
- If an individual is incapacitated or in an emergency situation, covered entities are allowed to disclose PHI if, in their professional judgement, such a disclosure is in the best interest of the individual. In addition, for certain situations, such as maintaining a patient’s contact information directory, covered entities may disclose the individual’s PHI if informal permission is obtained by:
• asking the individual outright, or
• clearly giving the individual the opportunity to agree, acquiesce, or disagree
- In the event a covered entity implemented all reasonable safeguards to protect PHI but PHI nonetheless was disclosed to unauthorized parties, any incidental disclosure of PHI is permitted as long as the amount of PHI disclosed was limited to the ‘minimum necessary’ amount; visit the HHS website to learn more about what constitutes an incidental disclosure
- There are 12 national priority purposes for which PHI, with certain limitations, can be disclosed; each of the following national priority purposes strives to balance the privacy of the individual with the public interest:
A. Required by Law: to comply with statutes, regulations, or court orders
B. Public Health Activities:
• to prevent or control disease, injury, or disability
• to report adverse events, track products and product recalls, or conduct post-marketing surveillance to entities subject to FDA regulation in regard to FDA regulated products and/or activities
• to notify individuals who may have contracted or been exposed to a communicable disease
• to employers, at the employer’s request, on information pertaining to work-related illness, injury, or medical surveillance, in order to comply with the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or another similar state law
C. Victims of Abuse, Neglect, or Domestic Violence: PHI can be disclosed to appropriate government authorities in regard to abuse, neglect, or domestic violence
D. Health Oversight Activities: In the event of an audit or investigation pertaining to the oversight of the health care system and government benefits programs, PHI can be disclosed to health oversight committees
E. Judicial and Administrative Proceedings: If a court, administrative tribunal, subpoena, or another lawful process requests PHI for a judicial or administrative proceeding, PHI may be disclosed as long as a protective order or certain assurances of notification to the individual are given
F. Law Enforcement Purposes: There are 6 circumstances for which PHI may be disclosed to law enforcement:
a. to comply with court orders, court-ordered warrants, subpoenas, and administrative requests
b. to identify or locate a suspect, fugitive, material witness, or missing person
c. to respond to a request for information on a victim or a suspected victim of a crime
d. to notify law enforcement about an individual’s death if it is suspected that criminal activity caused the death
e. if PHI is suspected to contain evidence of a crime that occurred on a covered entity’s premises
f. to provide information about the commission of a crime, its victim(s), and perpetrator(s) in a medical emergency that did not occur on a covered entity’s premises
G. Decedents: PHI can be disclosed to funeral directors, coroners, and medical examiners in order to:
• identify a deceased person
• determine cause of death
• perform other functions authorized by law
H. Cadaveric Organ, Eye, or Tissue Donation: PHI can be disclosed to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue
I. Research: Research is defined as any systematic investigation designed to develop or contribute to generalizable knowledge; PHI can be disclosed for the following research purposes:
• when documented approval of an alteration or waiver of individuals’ PHI authorization by an Institutional Review Board or a Privacy Board is given
• if a researcher assures that PHI:
a. will solely be used to prepare a research protocol or for a similar purpose preparatory to research
b. is necessary for the research
c. will not be removed
• if a researcher assures that PHI:
a. will solely be used to research health information of decedents
b. is necessary for the research
c. belongs to a decedent; documentation of the death needs to be provided at the request of the covered entity
J. Serious Threat to Health or Safety: if PHI is able to prevent or lessen a serious and imminent threat to a person or to the public, it can be disclosed to law enforcement or to anyone else who has the ability to prevent or lessen the serious and imminent threat
K. Essential Government Functions: PHI can be disclosed for the following essential government functions so far as authorized by law:
• properly executing a military mission
• conducting intelligence and national security activities
• providing protective services to the President
• making medical suitability determinations for US State Department employees
• protecting the health and safety of inmates and/or employees in a correctional institution
• determining eligibility for or conducting enrollment in certain government benefits programs
L. Workers’ Compensation: PHI can be disclosed if needed to comply with workers’ compensation laws and other similar programs that provide benefits for work-related injuries or illnesses
- If certain specified direct identifiers of individuals, their relatives, their household members, and their employers have been removed from PHI, and if specified safeguards are promised for this PHI, it can be disclosed for research purposes, to health care operations, and for public health purposes; this type of PHI is known as a limited data set
In order to disclose PHI outside of the circumstances listed above, i.e. outside of the HIPAA Privacy Rule, covered entities must obtain the written authorization of the individual to whom the PHI belongs.
To reiterate, compliance with the HIPAA Privacy Rule requires the following:
- Knowing what PHI is
- Knowing when to disclose/when not to disclose + knowing to whom to disclose PHI
Does the HIPAA Privacy Rule affect your business?
Covered entities are affected by the HIPAA Privacy Rule.
If your business is categorized as one of the following, your business is considered a covered entity and needs to take the appropriate steps to protect PHI:
- health plans
- health care clearinghouses
- health care providers (that conduct certain health care transactions electronically)
What is a Health Plan?
Health plans are defined as individual and group plans that provide or pay the cost of medical care. The following lists the types of businesses that are considered health plans:
- health insurers
- dental insurers
- vision insurers
- prescription drug insurers
- health maintenance organizations (HMOs)
- Medicare+Choice and Medicare supplement insurers
- long-term care insurers
- employer-sponsored group health plans
- multi-employer health plans
- government-sponsored health plans
- church-sponsored health plans
Health Plan Exceptions
The following lists the types of businesses that, although similar to health plans, are not considered covered entities under the HIPAA Privacy Rule:
- a group health plan with fewer than 50 participants that
∙ is administered solely by the employer
∙ was established and is maintained by the employer
- a government-funded program whose principal purpose is neither providing nor paying the cost of health care
∙ ex: food stamps program
- a government-funded program whose principal activity is either
∙ directly providing health care, such as a community health center, or
∙ making grants that fund the direct provision of health care
- entities providing only workers’ compensation
- entities providing only auto insurance
- entities providing only property and casualty insurance
What is a Health Care Clearinghouse?
A health care clearinghouse is a business that processes nonstandard PHI given by a health plan or a health care provider into a standardized format, or vice versa. Health care clearinghouses almost always provide PHI processing services as a business associate of a health plan or a health care provider; as a business associate, health care clearinghouses need to comply with just some HIPAA Privacy Rule regulations. The following lists the types of businesses that are considered a health care clearinghouse:
- billing services
- repricing companies
- community health management information systems
- value-added networks and switches that perform clearinghouse functions
What is a Health Care Provider?
A health care provider is technically defined as an entity that provides medical or health services. Under the HIPAA Privacy Rule, however, a health care provider is not considered a covered entity unless it electronically transmits PHI in connection with certain established standard transactions:
- claims transactions
- benefit eligibility inquiries
- referral authorization requests
- other transactions for which HHS has established standards under the HIPAA Transactions Rule
It should be noted that simply using electronic technology, such as email, as a means of communicating information does not mean a health care provider is considered a covered entity – a health care provider needs to make electronic transmissions in connection with standard transactions to be considered a covered entity. If a health care provider uses a third party on its behalf to conduct those standard transactions, it is still considered a covered entity.
The following lists the types of businesses that are considered a health care provider:
- providers of services: institutional providers such as hospitals
- providers of medical or health services: non-institutional providers such as physicians, dentists, and other practitioners
- any other person or organization that furnishes, bills, or is paid for health care
To be clear, a health care provider is not a covered entity if it does not electronically transmit PHI in connection with the transactions described above.
If you are unsure as to whether or not your business would be considered a covered entity, the Centers for Medicare & Medicaid Services (CMS) created a flowchart that will help you determine whether or not your business is a covered entity.
To reiterate, if your business is a covered entity, it will need to comply with the HIPAA Privacy Rule, and if your business is not a covered entity, it will not need to comply with the HIPAA Privacy Rule.
HIPAA Privacy Rule Violations
A covered entity can violate the HIPAA Privacy Rule by intentionally and/or negligently not using appropriate administrative, technical, and security measures to protect PHI. In other words, if a covered entity does not use common-sense measures to make a genuine effort to protect and defend PHI, it may be subject to HIPAA Privacy Rule violation penalties.
In the event PHI was unintentionally disclosed but the covered entity took all available and necessary steps to protect the PHI, it is unlikely that the covered entity will be charged with a HIPAA Privacy Rule violation.
The following lists examples of common HIPAA Privacy Rule violations:
- Having a patient sign-in sheet with a ‘reason for visit’ section visible to everyone
- Leaving patient information, such as a patient’s chart, anywhere it can be easily read by an unauthorized party
- Using patient information for marketing purposes
HIPAA Privacy Rule Violation Penalties
The following lists the monetary and incarceration penalties that are issued for HIPAA Privacy Rule violations:
- Minor violation
∙ Monetary penalty: $100, not to exceed $25,000 per year
∙ Incarceration penalty: None
- Knowingly obtaining and releasing PHI without authorization
∙ Monetary penalty: $50,000, and/or
∙ Incarceration penalty: 1 year in prison
- Deceitfully obtaining and releasing PHI under false pretenses
∙ Monetary penalty: $100,000, and/or
∙ Incarceration penalty: 5 years in prison
- Attempting to or successfully selling PHI for profit, gain, or malicious intent
∙ Monetary penalty: $250,000, and/or
∙ Incarceration penalty: 10 years in prison
HIPAA Privacy Rule Resources
Although most of the details surrounding the HIPAA Privacy Rule have been covered above, there are some nuances that have not been covered. To learn more about the HIPAA Privacy Rule in detail, please use the following resources: