What are the HIPAA Privacy Rules?
The privacy provisions of HIPAA apply to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses.
The Department of Health and Human Services (HHS) has issued the regulation, "Standards for Privacy of Individually Identifiable Health Information," applicable to entities covered by HIPAA. The Office for Civil Rights (OCR) is the Departmental component responsible for implementing and enforcing the privacy regulation. (See the Statement of Delegation of Authority to the Office for Civil Rights, as published in the Federal Register on December 28, 2000.)
The privacy standards contain three basic sections:
- Restriction on the use and disclosure of certain health information;
- Establishment of individual rights regarding health information; and
- Establishment of administrative requirements to ensure confidentiality and appropriate use of health information.
The regulations are often confusing, compliance will be difficult, and the consequences for non-compliance can be unpleasant; there are both civil and criminal penalties for violations. So, a basic understanding is essential for compliance.
Notice of Privacy Practices for Protected Health Information
The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices. The notice is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and exercise their rights.
[45 CFR 164.520]
How the Rule Works
General Rule. The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity’s obligations with respect to that information. Most covered entities must develop and provide individuals with this notice of their privacy practices...