The HIPAA Privacy Rule covers the use and disclosure of Protected Health Information (PHI). HIPAA also grants individuals the right to understand and control how their health information is used. The HHS Office for Civil Rights (OCR) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.
As health care becomes more efficient through the modernization of record and transaction systems, a major goal of the Privacy Rule is to strike a balance between ensuring that individuals' health information is properly protected and still allowing the flow of health information needed to provide and pay for care. Because the health care marketplace is diverse, the Rule is designed to be both flexible and comprehensive.
What Information Is Protected?
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral, and calls this protected health information (PHI).
Individually identifiable health information is information, including demographic data and genetic information, that relates to:
- An individual’s past, present or future physical or mental health or condition.
- The provision of health care to the individual.
- The past, present, or future payment for the provision of health care to the individual.
Individually identifiable health information is information that identifies the individual, or for which there is a reasonable basis to believe it could be used to identify the individual. It often includes common identifiers (e.g., name, address, birth date, Social Security Number).
General Rules for Data Use and Disclosure
A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual's protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except:
- As the Privacy Rule permits or requires.
- As the individual (or their personal representative) authorizes such use or disclosure in writing.
Permitted Uses and Disclosures
A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:
- A covered entity may disclose protected health information to the individual who is the subject of the information. If the individual requests access to, or an accounting of disclosures of, their own PHI, the disclosure is no longer optional: it becomes a required disclosure.
- A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities, where: