The Standards for Privacy of Individually Identifiable Health Information (the “HIPAA Privacy Rule”) were introduced in 2002. They provided a set of standards on how a defined set of health information would be protected. But what were these standards? That is, what exactly is the HIPAA Privacy Rule? We will examine that here.
The Privacy Rule essentially lays out how “Protected Health Information” can be used and disclosed by HIPAA-Covered Entities (CEs) and their Business Associates (BAs; both of which will be discussed below). One of the primary aims of the HIPAA Privacy Rule is to ensure that PHI can be used in a way that facilitates healthcare operations, including treatment or payment for healthcare while ensuring that only the information required to carry out these services is passed on. Additionally, it stipulates who can access this information. This helps to ensure that patients’ data is kept private but can also protect against its malicious use for insurance fraud or identity theft.
Essentially, the HIPAA Privacy Rule aims to strike a balance between keeping patient data secure and protected while also allowing for the proper administration of healthcare services.
However, not all data is protected under the HIPAA Privacy Rule. The Rule defines “Protected Health Information” (PHI) as Individually-identifiable health information that is held or transmitted by a CE or BA in any format (physical, electronic, or verbal). The information must contain one of the 18 HIPAA identifiers – demographic and other information that can be used to trace the identity of the individual – and be related to one of the following:
- A past, present, or future mental or physical condition,
- The provision of healthcare, or
- The past, present, or future payment for the provision of healthcare.
PHI can be “de-identified”, meaning that it can be sufficiently stripped of information such that it is no longer possible to identify the patient to which the data relates. At this point, the data is no longer considered to be PHI.
As we stated earlier, the HIPAA Privacy Rule relates to Covered Entities and their Business Associates. CEs are broadly defined as health plans, healthcare clearinghouses, and healthcare organizations. Often, CEs will engage with a third party to carry out certain practices; these are called “Business Associates”. As BAs will be handling PHI, they must also be HIPAA-compliant. The HIPAA Privacy Rule is enforced by the Office for Civil Rights (OCR) within the Department for Health and Human Services (DHSS).
There are two key principles that govern the correct use and disclosure of PHI.
- The Basic Principle is that CEs should limit the disclosure of PHI unless the disclosure meets the definition of the HIPAA Privacy Rule or if proper authorization has been obtained
- Required Disclosures are when individuals (or their representatives) request access to their PHI or when the DHSS is undertaking a compliance investigation.
There are several cases where disclosure is permitted under the HIPAA Privacy Rule.
- To the individual (or their representative)
- For treatment, payment, or other healthcare operations,
- To give an individual (or their representative) the opportunity to agree or object to their PHI
- If required for the public interest (e.g. if needed by law, for public health activities, to investigate cases of abuse)
- As part of a limited data set for research activities.
Patients may also give authorization for their data to be used outside of these specific activities. For example, if a hospital wants to use a patient’s case as part of a marketing campaign, they must seek authorization from the patient. Additionally, explicit authorization must be obtained before any psychotherapy notes are disclosed.
A key component of the HIPAA Privacy Rule is the Minimum Necessary Rule. As we have previously discussed, the CE should ensure that only the required information to carry out a particular task is disclosed. This is the central tenet of the Minimum Necessary Rule: CEs should undertake “reasonable efforts” to ensure that only the most relevant information is disclosed for certain transactions.
- There are exceptions to this rule if:
- The information is required to provide treatment,
- The information is being provided to the individual or their representative,
- Correct authorization has been obtained,
- The data is being disclosed during a DHSS investigation,
- The disclosure is required by law,
- The information is required for compliance with the HIPAA Transaction Rule or other HIPAA Administration Rules.
The Privacy Rule stipulates that all patients must receive a Privacy Practice Notice when they are first serviced by the CE. This Privacy Notice must stipulate how the CE will use and disclose PHI, alongside the following:
Describe CE’s duties to protect privacy
Describe the individual’s rights (including their right to complain)
Must contain details of a contact in the CE to whom the individual can make complaints (usually the Privacy Officer).
To facilitate the activities of the Privacy Officer, CEs should ensure that they have an established and easy-to-access system in place to handle complains and requests for access. Under the Privacy Rule, patients have the right to access and amend their data if they believe that it is inaccurate or incomplete. CEs should facilitate this request, and keep track of any alterations to PHI that are made.
There are a number of other administrative requirements that must be implemented under the HIPAA Privacy Rule:
- Privacy Policies and Procedures: the CE must develop and implement privacy policies and procedures
- Privacy Personnel: CEs must designate privacy officers who is responsible for the above, who also act as a point of contact within the CE
- Workforce training and management
- Mitigation: the CE must mitigate, as much as possible, the negative effects it learns were the result of improper use or disclosure
- Employ Data Safeguards that will help to protect against the improper use and disclosure of PHI
- The CE must not retaliate against an individual for exercising their rights, and it cannot require that an individual waive any of their rights under the privacy rule to obtain treatment
- All CEs must maintain copies of their policy procedures, privacy practice notices, and disposition of complaints for at least six years after their creation (or its last effective date)
There are exceptions for fully-insured group health plans, which must only ensure that they do not engage in retaliatory action or waive rights and that they maintain documentation.
We have used the term “representative” continuously throughout this article. But what is a representative? Essentially, if an individual appoints a representative, under the Privacy Rule, they must be treated in the same manner as the individual themself. Usually, parents will act as the personal representatives of minors, though in other cases, the State can appoint a representative.
The Privacy Rule is a federal law, meaning that it preempts any contrary State laws. There are some exceptions; for example, if the information is needed for the reporting of health care delivery or operations, State law can preempt the Privacy Rule.
So, what is the HIPAA Privacy Rule? As we have outlined above, it is a comprehensive piece of legislation aimed at protecting patient rights while ensuring that the people who need to access their data can. The Rule stipulates a number of requirements that CEs and BAs must carry out to ensure that the integrity of patient data is maintained. Violations of the HIPAA Privacy Rule can attract large fines or even criminal protection, so it is essential that all CEs and BAs train their employees in HIPAA compliance.