What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule contains the Standards for Privacy of Individually Identifiable Health Information, which grew out of the recommendations on the privacy of individually identifiable health information that HHS Secretary Donna Shalala submitted to Congress in 1997. Because Congress did not pass separate privacy legislation by the deadline HIPAA set, HHS issued the Standards itself: the Rule was published in December 2000, modified in 2002, and took effect for most Covered Entities in April 2003.

The Privacy Rule essentially lays out how "Protected Health Information" can be used and disclosed by HIPAA-Covered Entities (CEs) and their Business Associates (BAs; both of which will be discussed below). One of the primary aims of the HIPAA Privacy Rule is to ensure that PHI can be used in a way that facilitates healthcare operations, including treatment or payment for healthcare, while ensuring that only the information required to carry out these services is used or disclosed. Additionally, it stipulates who can access this information. This helps to ensure that patients' data is kept private, but it can also protect against its malicious use for insurance fraud or identity theft.

Essentially, the HIPAA Privacy Rule aims to strike a balance between keeping patient data secure and protected while also allowing for the proper administration of healthcare services.

However, not all data is protected under the HIPAA Privacy Rule. The Rule defines "Protected Health Information" (PHI) as individually identifiable health information that is held or transmitted by a CE or BA in any format (physical, electronic, or verbal). The information must be related to one of the following:

  • A past, present, or future mental or physical condition,
  • The provision of healthcare, or
  • The past, present, or future payment for the provision of healthcare.

In addition, any identifying information that is maintained in the same designated record set as Protected Health Information assumes the same protections. For this reason, names (including family or employer names), email addresses, social media aliases, and even information relating to emotional support animals are considered Protected Health Information when they are maintained in the same designated record set as health information.

As we stated earlier, the HIPAA Privacy Rule relates to Covered Entities and their Business Associates. CEs are defined as health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a HIPAA standard transaction (such as claims or eligibility checks). Often, CEs will engage a third party to carry out certain functions on their behalf; these are called "Business Associates". As BAs will be handling PHI, they must also be HIPAA-compliant, and the relationship must be governed by a written Business Associate Agreement. The HIPAA Privacy Rule is enforced by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS).


There are two key principles that govern the correct use and disclosure of PHI.

  • The Basic Principle is that a CE may not use or disclose PHI except where the Privacy Rule permits or requires it, or where the individual (or their representative) has given written authorization.
  • Required Disclosures are when individuals (or their representatives) request access to their PHI or when the HHS Office for Civil Rights is undertaking a compliance investigation, review, or enforcement action.

There are several cases where disclosure is permitted under the HIPAA Privacy Rule.

  • To the individual (or their representative),
  • For treatment, payment, or other healthcare operations,
  • Where the public interest requires it (e.g. if required by law, for public health activities, to report victims of abuse, neglect, or domestic violence),
  • As part of a limited data set for research, public health, or healthcare operations activities.

Patients may also give written authorization for their data to be used outside of these specific activities. For example, if a hospital wants to use a patient's case as part of a marketing campaign, it must seek authorization from the patient. Additionally, explicit authorization must be obtained before any psychotherapy notes are disclosed.

A key component of the HIPAA Privacy Rule is the Minimum Necessary Rule. As we have previously discussed, the CE should ensure that only the information required to carry out a particular task is disclosed. This is the central tenet of the Minimum Necessary Rule: CEs should make "reasonable efforts" to limit each use, disclosure, or request of PHI to the minimum necessary to accomplish its purpose.

There are exceptions to this rule if:

  • The information is requested by a healthcare provider for treatment,
  • The information is being provided to the individual or their representative,
  • Correct authorization has been obtained,
  • The data is being disclosed during an HHS investigation,
  • The disclosure is required by law,
  • The information is required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification rules.

The Privacy Rule stipulates that all patients must receive a Notice of Privacy Practices when they are first serviced by the CE. This Privacy Notice must stipulate how the CE will use and disclose PHI, and must also:

  • Describe the CE's duties to protect privacy,
  • Describe the individual's rights (including their right to complain),
  • Contain details of a contact in the CE to whom the individual can make complaints (usually the Privacy Officer).

To facilitate the activities of the Privacy Officer, CEs should ensure that they have an established and easy-to-access system in place to handle complaints and requests for access. Under the Privacy Rule, patients have the right to access their data and to request an amendment if they believe that it is inaccurate or incomplete. CEs should facilitate these requests and keep track of any alterations to PHI that are made.

There are a number of other administrative requirements that must be implemented under the HIPAA Privacy Rule:

  • Privacy Policies and Procedures: the CE must develop and implement privacy policies and procedures,
  • Privacy Personnel: the CE must designate a privacy official who is responsible for the above, and a contact person (or office) to receive complaints,
  • Workforce training and management: the workforce must be trained on the privacy policies and procedures, and sanctions applied to members who violate them,
  • Mitigation: the CE must mitigate, to the extent practicable, any harmful effect it learns was caused by an improper use or disclosure of PHI,
  • Data Safeguards: the CE must employ reasonable administrative, technical, and physical safeguards to protect against the improper use and disclosure of PHI,
  • Complaints: there must be a complaints procedure so that individuals can voice any concerns they have with a CE's privacy practices,
  • No retaliation or waiver: the CE must not retaliate against an individual for exercising their rights, and it cannot require that an individual waive any of their rights under the Privacy Rule to obtain treatment, payment, enrollment, or benefits eligibility,
  • Documentation: all CEs must retain copies of their policies and procedures, privacy practice notices, and the disposition of complaints for six years from the date of creation or the date when last in effect, whichever is later.

We have used the term "representative" continuously throughout this article. But what is a representative? Essentially, a personal representative is someone with legal authority to act on an individual's behalf, and under the Privacy Rule they must be treated in the same manner as the individual themselves. Usually, parents will act as the personal representatives of minors, though in other cases, the State can appoint a representative.

The Privacy Rule is a federal regulation, meaning that it generally preempts any contrary State law. There are some exceptions: State law prevails where it is more stringent (more protective of the individual's privacy), where it provides for the reporting of disease, injury, child abuse, birth, or death, or where it requires health plans to report information for management or financial audits.

So, what is the HIPAA Privacy Rule? As we have outlined above, it is a comprehensive regulation aimed at protecting patient rights while ensuring that the people who need to access their data can. The Rule stipulates a number of requirements that CEs and BAs must carry out to ensure that the privacy of patient data is maintained. Violations of the HIPAA Privacy Rule can attract large civil penalties or even criminal prosecution, so it is essential that all CEs and BAs train their employees in HIPAA compliance.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/