If you’re pursuing HIPAA compliance for the first time, you’ve likely come across its Privacy, Security, Breach Notification, Enforcement, and Omnibus rules. These rules detail how covered entities should properly use and disclose protected health information (PHI). 

Of these, the most commonly discussed are the Privacy and Security Rules. After all, HIPAA’s central purpose is to protect the privacy and security of a patient's personal health information. 

Navigating these rules can be tricky, especially when it comes to understanding what they cover and what’s considered a violation. This post explains everything you need to know about the HIPAA Privacy Rule. 

To start, here is a short and sweet HIPAA Privacy Rule summary: 

  • HIPAA Privacy Rule definition: The Privacy Rule regulates the use and disclosure of protected health information (PHI). 
  • What does the HIPAA Privacy Rule do?: Requires covered entities to establish privacy practices that safeguard PHI. It also gives patients greater control over who can access and share their health records. 
  • When the HIPAA Privacy Rule went into effect: April 14, 2003
  • HIPAA Privacy Rules are enforced by: the U.S. Department of Health and Human Services Office for Civil Rights; State Attorneys General; and the Centers for Medicare and Medicaid Services (CMS) 

What is the HIPAA Privacy Rule?

HIPAA legislation was passed in 1996 to address key issues with the US healthcare system. Also known as the Health Insurance Portability and Accountability Act of 1996, it was designed to make healthcare more accessible, efficient, and secure. 

HIPAA includes a set of national standards to help healthcare organizations and their business associates protect the privacy and security of patient data. One of those standards is the Privacy Rule. 

What is the purpose of the HIPAA Privacy Rule? To protect (you guessed it) patient privacy. 

The HIPAA Privacy Rule is a federal law that gives patients individual rights over their protected health information and limits who can access and disclose PHI. It’s designed to ensure that organizations take the proper steps to secure health information while allowing that information to be shared in a way that promotes high-quality healthcare.

Who must comply with the HIPAA Privacy Rule?

Pop quiz! The HIPAA Privacy Rule applies to which of the following: 

  • Healthcare providers
  • Health insurance companies and employer-sponsored health plans
  • Healthcare clearinghouses
  • Third-party medical service providers (Business Associates)
  • All of the above

If you chose ‘All of the above’ you earn an A+. 

The HIPAA Privacy Rule applies to any entity that has access to patient information that, if compromised, could harm a patient’s finances or reputation or result in fraud. 

What are the HIPAA Privacy Rule exceptions?

Under very specific circumstances, the HIPAA Privacy Rule does allow covered entities to use and/or disclose health information without a patient’s authorization. Typically these situations involve either a healthcare provider’s treatment, payment, and healthcare operations (TPO) or the public interest. 

For example:

  • Healthcare regulations and licensing 
  • Public health (such as reporting to a state health department or the CDC) 
  • Medical research
  • Workers' compensation 
  • Legal proceedings and law enforcement
  • Informing next of kin, identifying a body or determining cause of death, or disclosures to a medical examiner/coroner

Even in these situations, disclosures must be documented in an Accounting of Disclosures log. 

Who enforces the HIPAA Privacy Rule?

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is the main enforcer of the HIPAA Security Rule and Privacy Rule. State attorneys general and the Centers for Medicare and Medicaid Services (CMS) also have some authority to enforce HIPAA rules, although they do so less commonly. 

OCR investigates complaints, conducts compliance reviews, and educates covered entities about compliance requirements. It also investigates any data breaches that affect 500+ people as well as organizations that have had multiple smaller breaches. 

If organizations don’t resolve HIPAA violations voluntarily, OCR may pursue legal action and/or issue a fine. Violations range in severity based on the level of noncompliance and willful neglect shown by the organization. 

Was the organization aware of the issue? Could they have prevented it from happening? Did they take steps to correct it? 

Fines range from $100 to $50k+ per violation, capped at $1.5M per violation, per year. 

Download: HIPAA Privacy Rule Fact Sheet

Keep track of the essential details of the HIPAA Privacy Rule with this downloadable fact sheet. It’s an easy way to reference what the rule covers, who it applies to, its exceptions, and criminal penalties for violations. 


How to comply with the HIPAA Privacy Rule

The Privacy Rule establishes a set of requirements for HIPAA covered entities to protect PHI. The first step is defining what kind of patient health information should be protected. 

Defining PHI

PHI extends beyond individually identifiable health information like medical diagnoses and procedures to include personally identifiable information like addresses, social security numbers, credit card information, and even electronic signatures. The Privacy Rule details 18 identifiers that indicate protected information:

  • Names
  • Dates, except year
  • Telephone numbers
  • Geographic data
  • Fax numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers, including license plates
  • Web URLs
  • Device identifiers and serial numbers
  • IP addresses
  • Full face photos and comparable images
  • Biometric identifiers (e.g., retinal scans, fingerprints)
  • Any unique identifying number or code

Videos and images containing PHI are also protected by the Privacy Rule, as is PHI that’s stored electronically. 

For example, say a healthcare provider has a digital photograph of a patient’s wound, and their identity could be determined by a tattoo that’s visible in the photograph. That image is protected by the Privacy Rule. 

The Minimum Necessary Rule

While it’s common for a healthcare provider to request access to a patient’s entire medical history to provide quality care, at times non-routine disclosure requests are submitted. 

The Minimum Necessary Rule states that covered entities should only disclose PHI that’s directly relevant to the request. 

In every case, PHI can only be disclosed to a third party with patient authorization, unless the disclosure is directly related to healthcare treatment, payment, or operations. 
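The two controls just described, the Minimum Necessary Rule and the requirement (noted earlier) to record disclosures in an Accounting of Disclosures log, can be modelled as a small policy check. The code below is an added illustration, not code from this post or from Secureframe: the role names, the per-role field sets, the purpose names and the sample patient record are all constructed for the example, and a real covered entity would define its own policy.

```python
"""Minimum-necessary disclosure filter with an accounting-of-disclosures log.

Added illustration of the Privacy Rule's disclosure controls (not the post's
own code). Roles, field sets, purposes and the sample record are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purposes that do not need written patient authorization under the Privacy Rule:
# treatment, payment and healthcare operations (TPO).
TPO_PURPOSES = {"treatment", "payment", "operations"}

# Hypothetical minimum-necessary field sets per requesting role.
# In practice the covered entity's privacy officer sets these.
ROLE_FIELDS = {
    "treating_clinician": {"name", "date_of_birth", "diagnoses", "medications", "allergies"},
    "billing": {"name", "health_plan_id", "account_number", "procedure_codes"},
    "scheduling": {"name", "phone", "email"},
}

# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "date_of_birth": "1980-01-01",
    "ssn": "000-00-0000",
    "phone": "555-0100",
    "email": "jane@example.invalid",
    "health_plan_id": "HP-EXAMPLE-1",
    "account_number": "ACCT-EXAMPLE-1",
    "diagnoses": ["example diagnosis"],
    "medications": ["example medication"],
    "allergies": [],
    "procedure_codes": ["00000"],
}


@dataclass
class DisclosureRecord:
    when: str
    recipient: str
    role: str
    purpose: str
    fields_disclosed: tuple


@dataclass
class DisclosureLog:
    """Accounting of Disclosures: one entry per disclosure that released data."""
    entries: list = field(default_factory=list)

    def record(self, recipient, role, purpose, fields):
        self.entries.append(DisclosureRecord(
            datetime.now(timezone.utc).isoformat(), recipient, role, purpose,
            tuple(sorted(fields))))


class DisclosureDenied(Exception):
    pass


def disclose(patient_record, recipient, role, purpose, requested, log, authorization=None):
    """Return the minimum necessary subset of the requested fields.

    - A non-TPO purpose is refused unless `authorization` (the set of fields the
      patient authorized in writing) is given; the authorization then bounds the scope.
    - For TPO purposes the role's minimum-necessary field set bounds the scope.
    - Fields that were not requested are never released, and each disclosure that
      releases data is appended to the accounting log.
    """
    if purpose in TPO_PURPOSES:
        allowed = ROLE_FIELDS.get(role, set())
    elif authorization is None:
        raise DisclosureDenied(f"purpose {purpose!r} requires written patient authorization")
    else:
        allowed = set(authorization)
    released = {k: patient_record[k] for k in requested if k in allowed and k in patient_record}
    if released:
        log.record(recipient, role, purpose, released.keys())
    return released


if __name__ == "__main__":
    log = DisclosureLog()
    # Billing asks for more than it needs; only the minimum necessary comes back.
    print(disclose(SAMPLE_RECORD, "claims-dept", "billing", "payment",
                   ["name", "diagnoses", "account_number"], log))
    # A marketing request with no authorization is refused outright.
    try:
        disclose(SAMPLE_RECORD, "pharma-vendor", "billing", "marketing", ["name"], log)
    except DisclosureDenied as exc:
        print("denied:", exc)
    for entry in log.entries:
        print(entry)
```

The filter applies two independent bounds: what was requested and what the role (or the patient's written authorization) permits. A request that exceeds either bound is silently narrowed rather than rejected, which matches the rule's intent for routine requests, while a non-TPO purpose with no authorization is refused before any data is read.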

Verify and maintain HIPAA compliance with Secureframe

To ensure your organization’s HIPAA compliance, consider security and compliance software. Secureframe’s platform and team of HIPAA compliance experts can help streamline your annual HIPAA audits, keep you compliant, and protect you from potential HIPAA violation fines.

Learn more by scheduling a demo with one of our product experts.


What is the HIPAA Privacy Rule?

The Standards for Privacy of Individually Identifiable Health Information, also known as the HIPAA Privacy Rule or Privacy Rule, address the use and disclosure of individuals' health information by covered entities, as well as standards for individuals' privacy rights to understand and control how their health information is used.

Why does the HIPAA Privacy Rule exist?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) did not include detailed privacy requirements. Instead, it required the Secretary of the U.S. Department of Health and Human Services (HHS) to issue privacy regulations governing individually identifiable health information, if Congress did not enact privacy legislation within three years of the passage of HIPAA. Since Congress did not enact privacy legislation, HHS developed a proposed rule, released it for public comment, and published the final regulation in 2000. A proposed modification reopened the rulemaking process and the final version of the Privacy Rule, which is current today, was issued in 2002. This rule established, for the first time, a set of national standards for the protection of certain health information known as protected health information (PHI).

What is the purpose of the HIPAA Privacy Rule?

A major purpose of the Privacy Rule is to assure that covered entities are taking the necessary steps to protect individuals' health information while also allowing that information to be shared when required to provide and promote high-quality health care and to protect the public's health and well-being.

Who enforces the Privacy Rule?

Within the HHS, the Office for Civil Rights (OCR) is responsible for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.

What is considered a violation of privacy under HIPAA?

A covered entity must obtain the individual's written authorization for any use or disclosure of their protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. So disclosures to a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, or disclosures to a pharmaceutical firm for their own marketing purposes without the individual's written authorization would all be considered violations of that individual's privacy under HIPAA.

What to do when there is an alleged violation of the HIPAA Privacy Rule?

If you believe that a HIPAA-covered entity or its business associate committed a violation of the Privacy Rule, you may file a complaint with the Office for Civil Rights (OCR). OCR can investigate complaints against covered entities and their business associates. At the end of the investigation, OCR issues a letter describing the resolution of the investigation. If OCR determines that a covered entity or business associate may not have complied with the HIPAA Privacy Rule, that entity or business associate must voluntarily comply with the HIPAA Privacy Rule, take corrective action, and agree to a settlement.