HIPAA Privacy Rule

The HIPAA Privacy Rule covers the use and disclosure of Protected Health Information (PHI). HIPAA also grants individuals the right to understand and control how their health information is used. The HHS Office for Civil Rights (OCR) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.

As health care becomes more efficient through the modernization of record and transaction systems, a major goal of the Privacy Rule is to strike a balance between ensuring that individuals’ health information is properly protected and allowing health information to flow where it is needed. Given that the health care marketplace is diverse, the Rule is designed to be both flexible and comprehensive.

What Information Is Protected?

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral, and calls this protected health information (PHI).

Individually identifiable health information is information, including demographic data or genetic information, that relates to:

  • An individual’s past, present or future physical or mental health or condition.
  • The provision of health care to the individual.
  • The past, present, or future payment for the provision of health care to the individual.

Individually identifiable health information identifies an individual, or could reasonably be expected to identify an individual, and often includes common identifiers (e.g., name, address, birth date, Social Security Number).

General Rules for Data Use and Disclosure

A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except:

  • As the Privacy Rule permits or requires.
  • As the individual or their representative authorizes such use or disclosure in writing.

Permitted Uses and Disclosures

A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:

  1. A covered entity may disclose protected health information to the individual who is the subject of the information. If the individual requests access to, or an accounting of disclosures of, their own PHI, disclosure is no longer a “may”; it is a “must.”
  2. A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities, where:

Treatment is the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.

Payment encompasses the activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual, as well as the activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual.

Health care operations are any of the following activities:

  • Quality assessment and improvement activities, including case management and care coordination. This includes patient safety activities (as defined in 42 CFR 3.20).
  • Competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation.
  • Conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs.
  • Specified insurance functions, such as underwriting purposes, risk rating, and reinsuring risk.
  • Business planning, development, management, and administration.
  • Business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.

A covered entity also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship.
