According to the U.S. Department of Health and Human Services, the HIPAA Privacy Rule "establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically."
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Title I of the Act protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of the Act requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
Under Title II, the Privacy Rule, also known as The Standards for Privacy of Individually Identifiable Health Information, establishes a set of national standards for the protection of certain health information.
What Information is Protected?
Under the Privacy Rule, information that is protected is appropriately called Protected Health Information (PHI). This information includes:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual
Permitted Uses and Disclosure
A covered entity is permitted to use covered protected health information without an individual's authorization in the following circumstances:
- To the Individual (unless required for access or accounting of disclosures)
- Treatment, Payment, and Health Care Operations;
- Opportunity to Agree or Object
- Incident to an otherwise permitted use and disclosure;
- Public Interest and Benefit Activities; and OCR Privacy Rule Summary 5 Last Revised 05/03
- Limited Data Set for the purposes of research, public health or health care operations
For more detail on the permitted uses, refer to the HHS's Privacy Rule.
According to the U.S. Department of Health and Human Services, "A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule."
The American Hospital Association has put together a great checklist of elements required for HIPAA compliance related to Authorization to disclose PHI.
"Minimum Necessary" Use and Disclosure
According to the U.S. Department of Health and Human Services, "the minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information."
Visit the HHS page on Minimum Necessary Requirement for more details.
Notice of Privacy Practices
Covered entities, with certain exceptions, are required to provide notice of privacy practices. The U.S. Department of Health and Human Services provides a great resource for model notices of privacy practices that can be downloaded and customized to provide employees.
For a full and detailed summary of the Privacy Rule, visit the U.S. Department of Health and Human Services website. The National Institutes of Health also provide a robust overview of the Privacy Rule with detailed information.
Get more articles like this one delivered to your inbox.
Join the thousands who receive ERC's weekly newsletter to stay current on topics including HR news, training your employees, building a great workplace, and more.