The HIPAA Privacy Rule establishes a set of national standards for the use and disclosure of individually identifiable health information (often referred to as protected health information, or PHI) by covered entities, as well as standards for providing individuals with privacy rights and helping individuals understand and control how their health information is used. HIPAA Privacy Rule requirements:
- Apply to most healthcare providers, including those who do not have EHRs or do not participate in a CMS EHR incentive program;
- Set a federal floor for protecting individually identifiable health information across all mediums (electronic, paper, and oral);
- Limit how covered entities may use and disclose individually identifiable health information they receive or create;
- Give individuals rights with respect to their protected health information, including a right to examine and obtain a copy of information in their medical records, and the right to ask covered entities to amend their medical record if information is inaccurate or incomplete;
- Impose administrative requirements for covered entities, such as training of employees with regard to the Privacy Rule; and
- Establish civil and criminal penalties.
Several central tenets of the Privacy Rule are:
- In general, you may use or disclose protected health information for treatment, payment, and healthcare operations without obtaining a patient's written permission. For other purposes, such as marketing, you may need to obtain an individual's authorization to use or disclose the patient's protected health information.
- Your agreements with business associates must explicitly require them to comply with HIPAA, including breach notification requirements.
- Generally, you and your business associates must limit your access to, use of, and disclosure of protected health information to the minimum necessary to carry out an action. This is called the "minimum necessary rule." There are several exceptions to this rule. For example, generally, you do not have to limit the disclosure of protected health information to the minimum amount necessary when you are disclosing the information for treatment of the individual.
Patients' Rights and The Medical Practice's Responsibilities
Under HIPAA, patients have legal, individual rights to access their health information and learn about disclosures of their health information. As their healthcare provider, you are responsible for respecting these rights.
As a covered entity, you have responsibilities to patients under the HIPAA Privacy Rule, including:
- Notice of Privacy Practices: Under the HIPAA Privacy Rule, covered entities must provide patients with full information on how their protected health information is used and disclosed. This is accomplished by giving patients a Notice of Privacy Practices that describes how an individual's information may be used or shared, specifies an individual's legal rights with respect to their protected health information held by the covered entity, and the covered entity's legal duties.
- Patient access to their information: Patients have the right to inspect, review, and receive a copy of health information about themselves held by covered entities or business associates in a designated record set, which includes a healthcare provider's medical and billing records. Generally, covered entities (health plans and providers) must comply with requests for access within 30 days.
- Amending patient information: Patients have the right to request that covered entities amend their protected health information in a designated record set when that information is inaccurate or incomplete. If a covered entity accepts an amendment request, it must make reasonable efforts to provide the amendment(s) to two groups: persons identified by the individual as having received the original information and in need of the amendment(s), and those entities that the covered entity itself identified as having received the original information and who would need the amendment(s) because their prior or foreseeable reliance on the original information could be to the detriment of the individual. If the request is denied, covered entities must provide the individual with a written denial and allow the individual to submit a statement of disagreement for inclusion in the record.
- Accounting of disclosures: Individuals have a right to receive an accounting of disclosures, which is a listing of when a HIPAA covered entity has shared the individual's PHI with a person or organization outside of the entity. Accounting is only required for certain disclosure purposes. A covered entity must provide an accounting of disclosures made during the accounting period, which is the six years immediately preceding the accounting request; however, a covered entity is not obligated to account for any disclosure made before its Privacy Rule compliance date.
- Rights to restrict information: Individuals have the right to request that a covered entity restrict use or disclosure of protected health information for treatment, payment, or healthcare operations; disclosure to persons involved in the individual's healthcare or payment for healthcare; or disclosure to notify family members or others about the individual's general condition, location, or death. A covered entity is under no obligation to agree to requests for restrictions; however, a covered entity must have a procedure to evaluate all requests. A covered entity that does agree must comply with the agreed restrictions, except for purposes of treating the individual in a medical emergency.
The HIPAA Security Rule
The HIPAA Security Rule establishes national standards to protect individuals' electronic protected health information (e-PHI) that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of e-PHI. It requires providers to implement security measures that help protect patients' privacy by creating the conditions for patient health information to be available when needed, but not improperly used or disclosed. These requirements apply only to e-PHI, not to paper or oral health information.
All healthcare providers considered "covered entities" under HIPAA (most are) are responsible for complying with the two related rules of HIPAA: the Privacy Rule and the Security Rule. The HIPAA Security Rule sets out specific protections that all covered providers must follow to protect health information. These protections consist of administrative, technical, and physical safeguards. When applied well, these safeguards can help practices avoid some of the common security gaps that lead to cyberattacks or data loss. They protect the people, information, technology, and facilities that healthcare providers depend on to carry out their primary mission: helping their patients.
The HIPAA Security Rule requires three kinds of safeguards: administrative, physical, and technical.
Michelle Bilsky is a medical malpractice insurance specialist with Danna-Gracey. She can be reached at Michelle@dannagracey.com.