HIPPA Privacy Rule: Reviewing the Fundamentals

Almost 20 years ago, the Health Insurance Portability and Accountability Act was signed into law to provide for the continuity of individuals’ health insurance coverage and to increase the efficiency of the health care system. Over that time, much attention has been focused on the HIPAA Privacy Rule.

Let’s take a moment to review the basics of the Privacy Rule, so you can ensure you have all your bases covered.

Who must adhere to the HIPAA Privacy Rule?

Covered Entities (health care providers, health insurance plans, and health care clearinghouses) and their Business Associates must comply with HIPAA requirements to protect an individual health information, or PHI.

When can PHI be used and disclosed?

PHI can be used and disclosed only as the Privacy Rule permits. This includes:

  • For treatment, payment and health care operations
  • To this individual in regards to their own PHI
  • In situations where the individual has the opportunity to agree or object
  • Incidental to another use or disclosure
  • For special circumstances, such as suspected abuse or as requested by the court.

The Minimum Necessary principal always applies, meaning that only the minimum amount of PHI that is needed to accomplish the job should be used or disclosed.

When is an authorization required to release PHI?

An authorization in writing must exist to release an individual’s PHI for:

  • Psychotherapy notes
  • Marketing and fundraising  purposes
  • Sale of PHI
  • Research

What are an individual’s rights under the Privacy Rule?

Individuals are afforded the following rights:

  • To be provided with a Notice of Privacy Practices at the first encounter with a Covered Entity
  • To request an accounting of to whom their PHI has been disclosed
  • To request inaccurate or incomplete information in their PHI be changed. (Covered Entities are not required to do this if they do not agree)
  • To request an alternate means to location to receive their PHI, i.e at a different phone number
  • To request that their PHI is not used or disclosed for treatment, payment or operations if they have paid out of pocket.
  • To be notified if a breach of unsecured PHI has occurred.

What else are Covered Entities required to do to stay in compliance?

  • Have written policies and procedures regarding the use and disclosure of PHI
  • Designate a person to be a Privacy Officer  who will oversee this
  • Train all workforce members on the proper use and disclosure of PHI, as appropriate for their job function
  • Mitigate and harmful effects caused by a violation of the Privacy Rule
  • Utilize physical, technical and administrative safeguards to protect PHI
  • Have a procedure in place for individuals to complain about the Covered Entity’s compliance with the Privacy Rule

What are some ways to follow the HIPAA Privacy Rule in daily practice?

  • Use low voices when discussing patient’s information with other health care workers. Consider moving to a separate room or area away from others if possible.
  • Don’t share details of a patient’s case with friends or family members.
  • Make sure PHI is not left in view of others. Do not leave charts sitting out or computer screens visible. Shred PHI when disposing of it.
  • Store PHI in secure or locked locations.

The goal of the Privacy Rule is to protect a patient’s health information while still allowing for the exchange of information as needed to deliver high quality health care. Spending a few moments to re-examine the main points of the Privacy Rule will help ensure your continued compliance.