How the HIPAA Privacy Rule Protects PHI

  • August 11, 2022

If you’re pursuing HIPAA compliance for the first time, you’ve likely come across its Privacy, Security, Breach Notification, Enforcement, and Omnibus rules. These rules detail how covered entities should properly use and disclose protected health information (PHI). 

Of these, the most commonly discussed are the Privacy, Security, Enforcement, Omnibus, and Breach Notification Rules. After all, HIPAA’s central purpose is to protect the privacy and security of a patient's personal health information. 

Navigating these rules can be tricky, especially when it comes to understanding what they cover and what’s considered a violation. This post explains everything you need to know about the HIPAA Privacy Rule. 

To start, here is a short and sweet HIPAA Privacy Rule summary: 

  • HIPAA Privacy Rule definition: The Privacy Rule regulates the use and disclosure of protected health information (PHI). 
  • What the HIPAA Privacy Rule does: Requires covered entities to establish privacy practices that safeguard PHI. It also gives patients greater control over who can access and share their health records.
  • When the HIPAA Privacy Rule went into effect: April 14, 2003
  • The HIPAA Privacy Rule is enforced by: Department of Health and Human Services Office for Civil Rights, State Attorneys General, Centers for Medicare and Medicaid Services (CMS)

What is the HIPAA Privacy Rule?

HIPAA legislation was passed in 1996 to address key issues with the US healthcare system. Also known as the Health Insurance Portability and Accountability Act of 1996, it was designed to make healthcare more accessible, efficient, and secure. 

HIPAA includes a set of national standards to help healthcare organizations and their business associates protect the privacy and security of patient data. One of those rules is the Privacy Rule. 

What is the purpose of the HIPAA Privacy Rule? To protect (you guessed it) patient privacy. 

The HIPAA Privacy Rule is a federal law that gives patients individual rights over their protected health information and limits who can access and disclose PHI. It’s designed to ensure that organizations take the proper steps to secure health information while allowing that information to be shared in a way that promotes high-quality healthcare.

Who must comply with the HIPAA Privacy Rule?

Pop quiz! The HIPAA Privacy Rule applies to which of the following:

  1. Healthcare providers
  2. Health insurance companies and employer-sponsored health plans
  3. Healthcare clearinghouses
  4. Third-party medical service providers (Business Associates)
  5. All of the above

If you chose ‘All of the above’ you earn an A+. 

The HIPAA Privacy Rule applies to any entity that has access to patient information that, if compromised, could harm a patient’s finances or reputation or result in fraud. 

What are the HIPAA Privacy Rule exceptions?

Under very specific circumstances, the HIPAA Privacy Rule does allow covered entities to use and/or disclose health information without a patient’s authorization. Typically these situations involve either a healthcare provider’s treatment, payment, and healthcare operations (TPO) or the public interest. 

For example:

  • Healthcare regulations and licensing 
  • Public health (such as reporting to a state health department or the CDC) 
  • Medical research
  • Workers' compensation
  • Legal proceedings and law enforcement
  • Informing next of kin, identifying a body or determining cause of death, or for a medical examiner/coroner

Even in these situations, disclosures must be documented in an Accounting of Disclosures log. 

Who enforces the HIPAA Privacy Rule?

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is the main enforcer of the HIPAA Security Rule and Privacy Rule. State attorneys general and the Centers for Medicare and Medicaid Services (CMS) also have some authority to enforce HIPAA rules, although they do so less commonly. 

OCR investigates complaints, conducts compliance reviews, and educates covered entities about compliance requirements. It also investigates any data breaches that affect 500+ people as well as organizations that have had multiple smaller breaches. 

If organizations don’t resolve HIPAA violations voluntarily, OCR may pursue legal action and/or issue a fine. Violations range in severity based on the level of noncompliance and willful neglect shown by the organization. 

Was the organization aware of the issue? Could they have prevented it from happening? Did they take steps to correct it? 

Fines range from $100 to $50k+ per violation, maxing out at $1.5M per violation, per year.

How to comply with the HIPAA Privacy Rule

The Privacy Rule establishes a set of requirements for HIPAA covered entities to protect PHI. The first step is defining what kind of patient health information should be protected. 

Defining PHI

PHI extends beyond individually identifiable health information like medical diagnoses and procedures to include personally identifiable information like addresses, Social Security numbers, credit card information, and even electronic signatures. The Privacy Rule details 18 identifiers that indicate protected information:

  • Names
  • Dates, except year
  • Telephone numbers
  • Geographic data
  • Fax numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers, including license plates
  • Web URLs
  • Device identifiers and serial numbers
  • IP addresses
  • Full face photos and comparable images
  • Biometric identifiers (e.g., retinal scans, fingerprints)
  • Any unique identifying number or code

Videos and images containing PHI are also protected by the Privacy Rule, as is PHI that’s stored electronically. 

For example, say a healthcare provider has a digital photograph of a patient’s wound, and their identity could be determined by a tattoo that’s visible in the photograph. That image is protected by the Privacy Rule. 

The Minimum Necessary Rule

While it’s common for a healthcare provider to request access to a patient’s entire medical history to provide quality care, at times non-routine disclosure requests are submitted. 

The Minimum Necessary Rule states that covered entities should only disclose PHI that’s directly relevant to the request. 

In every case, PHI can only be disclosed to a third party with patient authorization, unless directly related to healthcare treatment, payment, or operations.

Verify and maintain HIPAA compliance with Secureframe

To ensure your organization’s HIPAA compliance, consider security and compliance software. Secureframe’s platform and team of HIPAA compliance experts can help streamline your annual HIPAA audits, keep you compliant, and protect you from potential HIPAA violation fines.

Learn more by scheduling a demo with one of our product experts.