The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) set forth, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The Privacy Rule addresses the use and disclosure of individuals’ health information, called “protected health information” (PHI), by the organizations subject to the Rule, called “covered entities.” It also sets standards for individuals’ privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (OCR) is responsible for implementing and enforcing the Privacy Rule, including compliance activities and civil money penalties. The goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote quality health care. The Rule permits important uses of information while protecting the privacy of people who seek health care.
The Privacy Rule applies to health plans, healthcare clearinghouses, and to any health care provider who transmits health information in any form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).
Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule. Using electronic technology, such as email, does not mean a healthcare provider is a covered entity; the transmission must be in connection with a standard transaction.
The Privacy Rule covers a health care provider whether it transmits these transactions electronically itself or uses a billing service or other third party to do so on its behalf. Health care providers include all “providers of services” (e.g., institutional providers such as hospitals) and “providers of medical or health services” (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care. Health plans and health care clearinghouses are covered entities in their own right, as noted above, rather than providers.
Who needs a Business Associate Agreement? A business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. Business associate services to a covered entity are limited to legal, actuarial, accounting, consultant, data aggregation, management, administrative, accreditation, or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all. A covered entity can be the business associate of another covered entity.
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information protected health information (PHI). Individually identifiable health information is information, including demographic data, that relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or payment for that care, and that identifies the individual or could reasonably be used to identify the individual. Common identifiers include name, address, birth date, and Social Security Number; the 18 identifiers enumerated in the Rule’s de-identification “safe harbor” are the familiar list of such fields, and removing them is one way data ceases to be PHI. Health information combined with any such identifier (for example, a past medical history tied to a name) must be protected.
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI.
The Security Rule defines confidentiality to mean that ePHI is not made available or disclosed to unauthorized persons. The Security Rule’s confidentiality requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI. Under the Security Rule, integrity means that ePHI is not altered or destroyed in an unauthorized manner. Availability means that ePHI is accessible and usable on demand by an authorized person.
HHS recognizes that covered entities range from the smallest provider to the largest, so the Security Rule is flexible and scalable to allow covered entities to analyze their own needs for compliance policies and procedures, and implement solutions appropriate for their specific environments.
When a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider its size, complexity, and capabilities; its technical, hardware, and software infrastructure; the costs of security measures; and the likelihood and possible impact of potential risks to ePHI (45 CFR § 164.306(b)(2)).
Covered entities must review and modify their security policies as needed to continue protecting ePHI in their ever-changing environment.
Risk analysis under HIPAA should be an ongoing process in which a covered entity regularly reviews its records to track access to ePHI and detect security incidents, periodically evaluates the effectiveness of the security measures it has put in place, and regularly re-evaluates potential risks to ePHI.
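The “review its records to track access to ePHI” step above is, in practice, a periodic pass over the application or EHR audit log. The script below is an added illustration written for this page, not HHS guidance or any vendor’s code. It parses a constructed sample of access records, flags each access by a workforce member who has no assigned relationship to the patient, and flags any user who opened more distinct patient records in a day than an assumed threshold. The log format, the assignment table, the user and patient identifiers, and the threshold of five patients per day are all assumptions made for the example.

```python
"""Added example: periodic review of ePHI access records.

Illustration for this page only (not HHS or vendor code). The log format,
the care-team assignment table, the identifiers and the thresholds are
assumptions; a real review would read these from the EHR audit log and
the organization's own access policy.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records: "<ISO timestamp> <user> <patient> <action>".
SAMPLE_LOG = """\
2024-03-04T08:12:05 dr_patel P1001 view
2024-03-04T08:14:40 dr_patel P1002 view
2024-03-04T09:02:11 nurse_kim P1001 update
2024-03-04T09:30:00 billing_ann P1001 view_billing
2024-03-04T09:31:12 billing_ann P1002 view_billing
2024-03-04T12:45:09 nurse_kim P2077 view
2024-03-04T23:58:30 dr_patel P3001 view
2024-03-04T23:58:41 dr_patel P3002 view
2024-03-04T23:58:52 dr_patel P3003 view
2024-03-04T23:59:03 dr_patel P3004 view
"""

# Assumed assignments: which workforce members have a treatment, payment or
# operations reason to open which patient records.
ASSIGNMENTS = {
    "dr_patel": {"P1001", "P1002"},
    "nurse_kim": {"P1001"},
    "billing_ann": {"P1001", "P1002"},
}

# Assumed threshold: more distinct patients than this in one day is unusual
# for the roles in the sample and is worth a second look.
MAX_DISTINCT_PATIENTS_PER_DAY = 5


def parse_log(text):
    """Turn the whitespace-separated sample format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        records.append(
            {
                "time": datetime.fromisoformat(ts),
                "user": user,
                "patient": patient,
                "action": action,
            }
        )
    return records


def review_access(records, assignments, max_distinct=MAX_DISTINCT_PATIENTS_PER_DAY):
    """Return a list of findings to be worked by the privacy/security officer.

    Two checks:
      no_assignment  - an access to a patient the user is not assigned to
      bulk_access    - a user touched more than max_distinct patients in a day
    """
    findings = []
    patients_per_user_day = defaultdict(set)

    for rec in records:
        allowed = assignments.get(rec["user"], set())
        if rec["patient"] not in allowed:
            findings.append(
                ("no_assignment", rec["user"], rec["patient"], rec["time"].isoformat())
            )
        patients_per_user_day[(rec["user"], rec["time"].date())].add(rec["patient"])

    for (user, day), patients in sorted(patients_per_user_day.items()):
        if len(patients) > max_distinct:
            findings.append(("bulk_access", user, len(patients), day.isoformat()))

    return findings


if __name__ == "__main__":
    for finding in review_access(parse_log(SAMPLE_LOG), ASSIGNMENTS):
        print(finding)
```

Each finding is a lead, not a conclusion: an unassigned access may be a legitimate consult or an emergency, so the review process should record the disposition of every flagged item, which is itself evidence of the ongoing evaluation the Rule expects.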