Summary of the HIPAA Privacy Rule
The Department of Health and Human Services (“HHS”) summarizes the key elements of the HIPAA Privacy Rule, which establishes national standards for the protection of certain health information. This rule, part of the Health Insurance Portability and Accountability Act (“HIPAA”) enacted in 1996, defines "protected health information" and outlines how it can be used and disclosed by "covered entities." The Privacy Rule is designed to protect individuals' health information while ensuring that the necessary flow of data continues to support high-quality healthcare and public health.
The primary goals of the Privacy Rule include safeguarding personal health information and ensuring individuals have rights to understand and control how their data is used. The rule aims for flexibility to address various contexts in the healthcare marketplace. Although the summary provides an overview, it does not encompass all provisions of the Privacy Rule, which covered entities must comply with fully. HHS emphasizes that this summary should not be viewed as legal advice, and in any case of conflict, the full rule prevails.
The Privacy Rule's development stemmed from a 1996 mandate for privacy regulations, which HHS finalized after extensive public commentary in the late 1990s and early 2000s. For detailed requirements, entities are encouraged to refer to the complete Privacy Rule, which is accessible through HHS resources.
The HHS outlines the following:
Who is Covered by the HIPAA Privacy Rule. The Rule applies to three main categories of entities: health plans, health care providers, and health care clearinghouses.
- Health plans are defined as any individual or group plans that provide or pay for medical care costs, including insurers for health, dental, vision, and prescription drugs, as well as government programs like Medicare and Medicaid. Certain small group health plans and government programs that primarily provide assistance unrelated to health care are exempt. Additionally, entities focused solely on workers' compensation, automobile insurance, or property and casualty insurance do not fall under the definition of health plans, though health-related lines of business within such entities are subject to HIPAA.
- Health care providers are also covered entities if they electronically transmit health information related to transactions for which HHS has established standards. This includes providers of services like hospitals and individual practitioners such as physicians and dentists. The transmission must be connected to standard transactions (e.g., claims and eligibility inquiries) to be considered covered under the rule, regardless of whether the provider transmits the information directly or through a third party.
- Health care clearinghouses process nonstandard health information into a standard format and are typically business associates of health plans or providers. While they may handle protected health information, only certain provisions of the Privacy Rule apply to their activities regarding this information.
Business Associates Under HIPAA.
- A business associate is defined as an individual or organization, distinct from a covered entity's workforce, that performs functions or provides services involving the use or disclosure of protected health information (“PHI”) on behalf of a covered entity. Common functions performed by business associates include claims processing, data analysis, billing, and various professional services such as legal and financial consulting.
- However, individuals or organizations are not considered business associates if their roles do not involve PHI or if their access to PHI is merely incidental. It is also noted that a covered entity can act as a business associate for another covered entity.
- When engaging a business associate, the covered entity must establish a business associate agreement (BAA) that outlines specific safeguards for the handling of PHI. This agreement must ensure that the business associate cannot use or disclose PHI in a way that violates HIPAA regulations. For agreements established before October 15, 2002, covered entities were allowed to continue under those contracts until they were renewed or modified by April 14, 2004.
What Constitutes Protected Health Information (“PHI”) under HIPAA Privacy Rule.
- PHI refers to all "individually identifiable health information" that is held or transmitted by a covered entity or its business associates, regardless of the format—be it electronic, paper, or oral.
- Individually identifiable health information encompasses data related to an individual's past, present, or future physical or mental health, the provision of healthcare, or payment for healthcare services, provided that this information can identify the individual or could reasonably be used to do so. Common identifiers include names, addresses, birth dates, and Social Security numbers. However, certain records, such as employment records maintained by a covered entity as an employer and specific educational records governed by the Family Educational Rights and Privacy Act (FERPA), are excluded from the definition of PHI.
- Additionally, there are no restrictions on the use or disclosure of de-identified health information, which does not identify individuals and cannot reasonably be used to identify them. De-identification can be achieved through a formal determination by a qualified statistician or by removing specific identifiers from the information, provided the covered entity has no actual knowledge that the remaining information could still identify someone.
General Principles Governing the Use and Disclosure of Protected Health Information (“PHI”) under the Privacy Rule.
- The core principle is that covered entities may only use or disclose PHI as permitted by the Rule or with written authorization from the individual whose information is involved.
- Covered entities are required to disclose PHI in two specific situations: when individuals (or their personal representatives) request access to their information, and when HHS is conducting compliance investigations or enforcement actions.
- Permitted uses and disclosures of PHI without individual authorization include:
  - To the Individual. Covered entities may disclose information to the individual it pertains to.
  - Treatment, Payment, and Health Care Operations. PHI can be used for activities related to treatment, payment, and healthcare operations. This includes coordination of care among providers, billing activities, and management operations.
  - Opportunity to Agree or Object. Covered entities may use informal permission to disclose PHI to family members or friends involved in the individual's care.
  - Incidental Use and Disclosure. Limited disclosures may occur incidentally as long as reasonable safeguards are in place and the minimum necessary information is shared.
  - Public Interest and Benefit Activities. PHI can be disclosed without authorization for certain national priority purposes, such as public health activities, law enforcement, and legal proceedings.
  - Limited Data Set. This refers to PHI with specific identifiers removed, which can be used for research and other purposes under a data use agreement.
The guidance details specific scenarios under which PHI may be disclosed, including public health activities, law enforcement purposes, health oversight activities, and for research purposes, emphasizing that such disclosures must balance individual privacy interests with public health and safety needs.
Authorized Uses and Disclosures of Protected Health Information (PHI) Under the Privacy Rule.
- Authorization Requirement. Covered entities must obtain written authorization from individuals for any use or disclosure of PHI that is not for treatment, payment, or healthcare operations, or otherwise permitted by the Privacy Rule. Authorizations cannot be a condition for treatment, payment, or benefits eligibility, except in specific cases. Authorizations must be clear, detailing the information being disclosed, the parties involved, expiration, and the right to revoke the authorization.
- Psychotherapy Notes. Specific authorization is required to use or disclose psychotherapy notes, with limited exceptions such as using them for treatment, training, or legal defense.
- Marketing. Marketing communications generally require authorization, especially if they involve the covered entity receiving remuneration from a third party. Certain communications are exempt from this requirement, including those related to treatment, case management, and health-related services provided within the covered entity’s benefit plan.
- Minimum Necessary Standard. Covered entities must limit the use, disclosure, and request of PHI to the minimum necessary amount needed to achieve the purpose of the use or disclosure. This requirement does not apply in specific situations, such as disclosures for treatment or to the individual concerned.
- Access and Internal Uses. Policies must be in place to restrict access to PHI based on job roles within the workforce, ensuring that only those who need access for their duties can obtain it.
- Routine Disclosures. Procedures should be established for routine disclosures that limit the information shared to what is minimally necessary. For non-routine disclosures, individual reviews should ensure compliance with established criteria for limiting PHI.
- Reasonable Reliance. Covered entities may rely on requests for PHI from other covered entities or authorized individuals as compliant with the minimum necessary standard if it is reasonable to do so.
Privacy Practices and Rights of Individuals.
1. Privacy Practices Notice.
- Requirement. Covered entities must provide a notice describing their privacy practices, detailing how they may use and disclose PHI, their duties to protect privacy, and individuals' rights.
- Content. The notice must include information on how individuals can file complaints and a contact point for inquiries.
- Distribution. Direct treatment providers must deliver this notice at the first service encounter, post it at service sites, and provide it in emergency situations as soon as possible. Health plans must distribute the notice to enrollees upon enrollment and remind them of its availability at least every three years.
2. Acknowledgment of Receipt. Covered entities must attempt to obtain written acknowledgment from patients that they have received the privacy practices notice. If not obtained, the provider must document the reason.
3. Access to Information. Individuals have the right to access and obtain copies of their PHI in a designated record set, with certain exceptions (e.g., psychotherapy notes, legal proceedings). Access can be denied under specific circumstances, but individuals can request a review of such denials.
4. Amendment Rights. Individuals can request amendments to their PHI if it is inaccurate or incomplete. If a request is denied, the entity must provide a written explanation and allow the individual to submit a statement of disagreement.
5. Disclosure Accounting. Individuals have the right to request an accounting of disclosures of their PHI, limited to the past six years. There are exceptions for disclosures related to treatment, payment, or operations.
6. Restriction Requests. Individuals can request restrictions on the use or disclosure of their PHI, but covered entities are not required to agree. If they do agree, they must comply unless it's a medical emergency.
7. Confidential Communications. Individuals can request alternative means or locations for receiving communications regarding their PHI, especially if disclosure could endanger them. Health plans must accommodate reasonable requests without questioning the individual's claim of potential endangerment.
Administrative Requirements.
1. Flexibility and Scalability. The Privacy Rule is designed to be flexible, allowing covered entities of all sizes to tailor their compliance efforts to their specific needs, resources, and operational contexts.
2. Privacy Policies and Procedures. Covered entities must develop and implement written privacy policies and procedures that align with the Privacy Rule.
3. Privacy Personnel. Entities must appoint a privacy official responsible for privacy policies and a contact person for complaints and inquiries regarding privacy practices.
4. Workforce Training. All workforce members, including employees and volunteers, must be trained on privacy policies as necessary for their roles. Entities must enforce sanctions against those who violate these policies.
5. Mitigation. Entities are required to mitigate harmful effects caused by unauthorized uses or disclosures of protected health information (PHI) by their workforce or business associates.
6. Data Safeguards. Reasonable administrative, technical, and physical safeguards must be implemented to prevent improper use or disclosure of PHI. Examples include shredding documents and securing access to medical records.
7. Complaints Procedure. Entities must establish procedures for individuals to lodge complaints about privacy policy violations, including information on how to contact HHS.
8. Retaliation and Waiver. Entities cannot retaliate against individuals for exercising their rights under the Privacy Rule or for assisting in investigations. Individuals cannot be required to waive their rights as a condition for treatment or other services.
9. Documentation and Record Retention. Entities must maintain documentation of their privacy policies, practices, and complaint resolutions for at least six years.
10. Fully-Insured Group Health Plan Exception. Only specific administrative obligations apply to fully-insured group health plans with minimal data requirements, focusing on non-retaliation and documentation.
11. Organizational Options.
- Hybrid Entities. A covered entity conducting both covered and non-covered functions can designate its covered functions as "health care components," applying Privacy Rule requirements only to those parts.
- Affiliated Covered Entities. Legally separate entities under common ownership may operate as a single covered entity for compliance purposes.
- Organized Health Care Arrangements. Entities participating in a shared arrangement can share PHI for joint healthcare operations while maintaining compliance with privacy protections.
12. Group Health Plan Disclosures. Group health plans can share certain PHI with plan sponsors (e.g., employers) for administration purposes, provided there are restrictions on how that information is used or disclosed.
Personal Representatives and Minors.
1. Personal Representatives. Covered entities must treat personal representatives—individuals legally authorized to make healthcare decisions on behalf of another—equally to the individuals themselves concerning PHI. An exception exists if the covered entity suspects that the personal representative may be abusing or neglecting the individual or if their designation could endanger the individual.
2. Minors. Typically, parents serve as personal representatives for their minor children and can access medical records on their behalf. In certain situations dictated by state law, a parent may not be recognized as the personal representative. In such cases, if state law is silent, the decision to grant or deny access lies with a licensed healthcare professional’s judgment.
3. State Law Preemption. Generally, federal Privacy Rule requirements supersede conflicting state laws. A state law is considered "contrary" if compliance with both is impossible or if it obstructs the objectives of the Privacy Rule. Exceptions to this preemption apply if state laws provide greater privacy protections, relate to mandatory reporting (e.g., abuse or public health), or regulate health plans as authorized by statute.
4. Exception Determination. HHS may determine that a contrary state law is necessary to address fraud, ensure appropriate regulation, or serve a compelling public health need.
5. Enforcement and Penalties for Noncompliance. The Office for Civil Rights (OCR) administers and enforces compliance with the Privacy Rule. OCR may conduct investigations and offer technical assistance to help entities comply. Civil money penalties can be imposed for violations, with factors such as the nature of the violation affecting the penalty amount. Penalties may be reduced if the violation was not due to willful neglect and was corrected promptly. Criminal penalties apply for knowingly obtaining or disclosing PHI. The severity of penalties increases based on the nature of the offense, ranging from fines to imprisonment.
6. Compliance Dates. Most covered entities were required to comply with the Privacy Rule by April 14, 2003, while small health plans (with annual receipts of $5 million or less) had until April 14, 2004, to comply.
For more information, see here: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
These materials were obtained directly from the Federal Government public websites and are posted here for your review and reference only. No Claim to Original U.S. Government Works. These may not be the most recent versions. The U.S. Government may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.
| Attachment | Size |
|---|---|
| summary_of_the_hippa_privacy_rule.pdf | 372.1 KB |
| hipaa_privacy_rule_booklet.pdf | 4.21 MB |