
Who Enforces HIPAA + How to Make Sure Your Business is Compliant
If you’re pursuing HIPAA compliance for the first time, you’ve likely come across its Privacy, Security, Breach Notification, Enforcement, and Omnibus rules. These rules detail how covered entities should properly use and disclose protected health information (PHI).
Of these, the most commonly discussed are the Privacy and Security Rules. After all, HIPAA’s central purpose is to protect the privacy and security of a patient's personal health information.
Navigating these rules can be tricky, especially when it comes to understanding what they cover and what’s considered a violation. This post explains everything you need to know about the HIPAA Privacy Rule.
To start, here is a short and sweet HIPAA Privacy Rule summary:
HIPAA legislation was passed in 1996 to address key issues with the US healthcare system. Also known as the Health Insurance Portability and Accountability Act of 1996, it was designed to make healthcare more accessible, efficient, and secure.
HIPAA includes a set of national standards to help healthcare organizations and their business associates protect the privacy and security of patient data. One of those rules is the Privacy Rule.
What is the purpose of the HIPAA Privacy Rule? To protect (you guessed it) patient privacy.
The HIPAA Privacy Rule is a federal law that gives patients individual rights over their protected health information and limits who can access and disclose PHI. It’s designed to ensure that organizations take the proper steps to secure health information while allowing that information to be shared in a way that promotes high-quality healthcare.
Pop quiz! The HIPAA privacy rule applies to which of the following:
If you chose ‘All of the above’ you earn an A+.
The HIPAA Privacy Rule applies to any entity that has access to patient information that, if compromised, could harm a patient’s finances or reputation or result in fraud.
Under very specific circumstances, the HIPAA Privacy Rule does allow covered entities to use and/or disclose health information without a patient’s authorization. Typically these situations involve either a healthcare provider’s treatment, payment, and healthcare operations (TPO) or the public interest.
For example:
Even in these situations, disclosures must be documented in an Accounting of Disclosures log.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is the main enforcer of the HIPAA Security Rule and Privacy Rule. State attorneys general and the Centers for Medicare and Medicaid Services (CMS) also have some authority to enforce HIPAA rules, although they do so less commonly.
OCR investigates complaints, conducts compliance reviews, and educates covered entities about compliance requirements. It also investigates any data breaches that affect 500+ people as well as organizations that have had multiple smaller breaches.
If organizations don’t resolve HIPAA violations voluntarily, OCR may pursue legal action and/or issue a fine. Violations range in severity based on the level of noncompliance and willful neglect shown by the organization.
The questions OCR asks are: Was the organization aware of the issue? Could it have prevented the issue from happening? Did it take steps to correct it?
Fines vary from $100-$50k+ per violation, maxing out at $1.5M per violation, per year.
Keep track of the essential details of the HIPAA Privacy Rule with this downloadable fact sheet. It’s an easy way to reference what the rule covers, who it applies to, its exceptions, and criminal penalties for violations.
Get your copy of the HIPAA Privacy Rule PDF here.
The Privacy Rule establishes a set of requirements for HIPAA covered entities to protect PHI. The first step is defining what kind of patient health information should be protected.
Defining PHI
PHI extends beyond individually identifiable health information like medical diagnoses and procedures to include personally identifiable information like addresses, Social Security numbers, credit card information, and even electronic signatures. The Privacy Rule details 18 identifiers that indicate protected information:
Videos and images containing PHI are also protected by the Privacy Rule, as is PHI that’s stored electronically.
For example, say a healthcare provider has a digital photograph of a patient’s wound, and the patient’s identity could be determined from a tattoo that’s visible in the photograph. That image is protected by the Privacy Rule.
The Minimum Necessary Rule
While it’s common for a healthcare provider to request access to a patient’s entire medical history in order to provide quality care, non-routine disclosure requests are also submitted at times.
The Minimum Necessary Rule states that covered entities should only disclose the PHI that’s directly relevant to the request.
In every case, PHI can only be disclosed to a third party with patient authorization, unless the disclosure is directly related to healthcare treatment, payment, or operations.
To ensure your organization’s HIPAA compliance, consider security and compliance software. Secureframe’s platform and team of HIPAA compliance experts can help streamline your annual HIPAA audits, keep you compliant, and protect you from potential HIPAA violation fines.
Learn more by scheduling a demo with one of our product experts.