What is the HIPAA Privacy Rule?

by Yenny (SU)

Part of the Health Insurance Portability and Accountability Act (HIPAA), which became law in 1996, the HIPAA Privacy Rule is the portion of the law that protects patients’ protected health information (PHI). Among the organizations this rule applies to are health plans and providers who use electronic medical records (EMR), either internally or to invoice insurance companies. The Privacy Rule defines safeguards to protect patient privacy against disclosure, whether intentional or accidental. What does that mean for you?

The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) established, for the first time, a set of national standards for the protection of certain health information. Before 1996, each state had its own laws in place for patient information. Those laws varied in stringency, and penalties for non-compliance were not equally severe. There were also some federal privacy laws in place, but it was a gray area, especially since the use of computers to hold patient files or to send them to insurance companies for claims was not at all widespread until the late 90s.

With new uses for electronic media, storage, and transmission, there was a need for new rules that every healthcare practitioner or institution would adhere to. Some doctors or health insurance companies were selling and distributing patients’ private health histories or medical records. HIPAA changed the rules to protect patient privacy; there must be a valid medical reason to transmit patient information and the patient must be informed of the intent and give permission in each case. It also mandates that a patient may access his or her own medical files at any time.

What is protected health information?

The Privacy Rule protects all individually identifiable health information (IIHI) held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information protected health information (PHI). This includes:

· the individual’s past, present, or future physical or mental health or condition

· the provision of health care to the individual, or

· the past, present, or future payment for the provision of health care to the individual

and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual. IIHI includes many common identifiers such as name, address, birth date, and Social Security Number, as well as less obvious identifiers such as IP addresses and URLs.

Who needs to comply?

The Privacy Rule, like all of the Administrative Simplification rules, applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form. It also applies to the Business Associates of those entities, that is, any company or organization that may have access to PHI in the course of its business with the healthcare provider. Business Associates must comply with HIPAA rules as well. The laws regarding compliance are complex, and the required procedures and policies should be reviewed every year. Even the smallest HIPAA violation may trigger a compliance investigation, which can lead to civil and criminal penalties or to government-imposed corrective action plans. The government will not accept any excuses for failing to comply with HIPAA.

How to protect yourself

Navigating and complying with the HIPAA Privacy Rule takes serious resources. Rules can and do change as the landscape of electronic security evolves. Protecting patient data requires a forward-thinking and broad perspective. To mitigate the risk of a data breach or accidental non-compliance, it makes sense to rely on experienced experts who will guide you in all aspects of HIPAA compliance.

Colington Consultants will help you implement and maintain a comprehensive HIPAA compliance program. We offer cost-effective consulting services for HIPAA Security and Privacy Rule compliance. Email or call us at (800) 733-6379 today to schedule a free, initial consultation.