The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.
The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
The Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the Privacy Rule — called “covered entities,” as well as standards for individuals’ privacy rights to understand and control and the handling of health information within the system.
A primary goal of the Privacy Rule is to assure that individuals’ health information is appropriately protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being. The Rule strikes a balance that permits important uses of data while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to providing addressed.
Who is Covered by the Privacy Rule?
Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).
Individual and group plans that provide or pay the cost of medical care are covered entities. Health plans include health, dental, vision, and prescription drug insurers, health maintenance organizations (“HMOs”), Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers, and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government, and church-sponsored health plans, and multi-employer health plans. There are exceptions—a group health plan with less than 50 participants that is administered solely by the employer that established and maintains the program is not a covered entity.
Two types of government-funded programs are not health plans:
- Programs whose principal purpose is not providing or paying the cost of health care, such as the food stamps program.
- Programs that provide healthcare to a community health center or providing grants to fund the provision of healthcare.
Certain types of insurance entities are also not health plans, including entities providing only workers’ compensation, automobile insurance, and property and casualty insurance. If an insurance entity has separable lines of business, one of which is a health plan, the HIPAA regulations apply to the body concerning the health plan line of business.
Health Care Providers
Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other deals for which HHS has established standards under the HIPAA Transactions Rule. Using electronic technology, such as email, does not mean a health care provider is a covered entity; the transmission must be in connection with a standard transaction.
The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf. Health care providers include all “providers of services” (e.g., institutional providers such as hospitals) and “providers of medical or health services” (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.
Health Care Clearinghouses
Health care clearinghouses are entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, health care clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or health care provider as a business associate.
In such instances, only specific provisions of the Privacy Rule apply to the health care clearinghouse’s uses and disclosures of protected health information. Health care clearinghouses include billing services, repricing companies, community health information systems, and value-added networks and switches if these entities perform clearinghouse functions.
In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of or provides certain services to, a covered entity that involves the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing.
Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all. A covered entity can be the business associate of another covered entity.
Business Associate Contract
When a covered entity uses a contractor or other non-workforce member to perform “business associate” services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement (in certain circumstances governmental entities may use alternative means to achieve the same protections).
In the business associate contract, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates. Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the Rule. Covered entities that had an existing written contract or agreement with business associates before October 15, 2002, which was not renewed or modified before April 14, 2003, were permitted to continue to operate under that contract until they replaced the contractor on April 14, 2004, whichever was first.
What Information is protected?
The Privacy Rule protects all individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The Privacy Rule calls this information protected health information (PHI).
Individually identifiable health information consists of: demographic data that relates to the individual’s past, present or future physical or mental health or condition; provision of health care to the individual, or the past, present or next payment for the provision of health care to the individual; and information that identifies the individual. Individually identifiable health information includes many standard identifiers (e.g., name, address, birth date, Social Security Number).
The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and other documents subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
De-Identified Health Information. There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information; either:
- A formal determination by a qualified statistician; or
- Removal of specified identifiers of the individual and the individual’s relatives, household members, and employers is required and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
General Principle for Uses and Disclosures
A significant purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either:
- As the Privacy Rule permits or requires; or
- As the individual who is the subject of the data (or the individual’s representative) authorizes in writing.
A covered entity must disclose protected health information in only two situations:
- To individuals (or their representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information.
- To HHS when it is undertaking a compliance investigation or review or enforcement action.
Permitted Uses and Disclosures
Permitted Uses and Disclosures. A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:
- To the Individual (unless needed for access or accounting of disclosures)
- Treatment, Payment, and Health Care Operations
- Opportunity to Agree or Object
- Incident to an otherwise permitted use and disclosure
- Public Interest and Benefit Activities
- Limited Data Set for research, public health, or health care operations. Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make. (1) To the Individual. A covered entity may disclose protected health information to the individual who is the subject of the data. (2) Treatment, Payment, Health Care Operations.
A covered entity may use and disclose protected health information for its treatment, payment, and health care operations activities. A covered entity may disclose protected health information: for the treatment activities of any health care provider; payment activities of another covered entity and any health care provider; or health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities. If both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship.
Treatment is the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.
Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual and activities of a health care provider to receive payment or reimbursed for the provision of health care to an individual.
- Health care operations are any of the following activities:
- Quality assessment and improvement activities, including case management and care coordination
- Competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation
- Conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs
- Specified insurance functions, such as underwriting, risk rating, and reinsuring risk
- Business planning, development, management, and administration.
- Business management and general administrative activities of the entity, including but not limited to de-identifying protected health information, creating a limited data set, and fundraising for the benefit of the covered entity.
Most uses and disclosures of psychotherapy notes for treatment, payment, and health care operations purposes require authorization as described below. Obtaining “consent” (written permission from individuals to use and disclose their protected health information for treatment, payment, and health care operations) is optional under the Privacy Rule for all covered entities. The content of a consent form and the process for obtaining consent are at the discretion of the covered entity.
HIPAA & Patient Records Access
Providers should not be extreme with HIPAA requirements, in limiting patients access to their records. This condition could unintentionally discourage patients from seeking out their healthcare information. HIPAA’s Privacy Rule is explicit and provides patients “a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their healthcare providers and health plans,” according to the U.S. Department of Health and Human Services.
In summary, HIPPA rules allow patients to view or obtain medical and billing records maintained by healthcare providers, payments and claims overseen by a health insurance company, and other data and documents used to make decisions about a person’s care.
HIPAA: Compliance Requirements
The chief HIPAA compliance requirements include:
Administrative Safeguards support the creation and use of policies and procedures to ensure proper employee management, training, and oversight for employees that come into contact or manage protected health information.
Technical Safeguards support encryption and decryption, audit controls, emergency access procedures, and HIPAA file storage.
Physical Safeguards support safeguards around the data security that includes data redundancy and failure requirements, access to servers, and more. Learn more about the physical safeguard requirements of the HIPAA security rule.