An Overview of the Privacy Rule in HIPAA.
Introduction to the HIPAA Privacy Rule
The Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) establish, for the first time, a set of national standards for the protection of certain health information. The Privacy Rule was issued by the U.S. Department of Health and Human Services (HHS) to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Privacy Rule standards address the use and disclosure of individuals’ “protected health information” by organizations subject to the Privacy Rule, called “covered entities,” as well as standards for individuals’ privacy rights to understand and control how their health information is used. The Office for Civil Rights (OCR) within HHS is responsible for implementing and enforcing the Privacy Rule through voluntary compliance activities and civil money penalties.
The Privacy Rule’s primary objective is to ensure that individuals’ health information is properly protected while permitting the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being. The Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing. Because the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive enough to cover the variety of uses and disclosures that need to be addressed.
This is a summary of the key elements of the Privacy Rule, not a complete or comprehensive guide to compliance. Entities subject to the Rule must comply with all of its applicable requirements, so this summary should not be relied upon as a source of legal information or advice.
Who is Covered by the Privacy Rule
The Privacy Rule, like all of the Administrative Simplification rules, applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities
Health Plans. Individual and group plans that provide or pay the cost of medical care are covered entities. Health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans.
Health Care Providers. Every health care provider, regardless of size, that electronically transmits health information in connection with certain transactions is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule. A health care provider’s use of electronic technology, such as email, does not by itself make it a covered entity; the transmission must be in connection with a standard transaction.
Health Care Clearinghouses. Health care clearinghouses are entities that process nonstandard information they receive from another entity into a standard format (or data content), or vice versa. In most instances, health care clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or health care provider as a business associate.
What Information is Protected
Protected Health Information. The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium—electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”