What is the HIPAA Privacy Rule?

Modified on Tue, 13 Jun 2023 at 08:42 AM

The HIPAA Privacy Rule is a set of requirements that covered entities must comply with to protect individuals' protected health information (PHI).


What Are the Purposes of the Privacy Rule?
The Privacy Rule is designed to protect the privacy of individuals’ protected health information (PHI) from unauthorized or impermissible use or disclosure. To achieve this purpose, the Privacy Rule:


  1. Prescribes administrative, technical, and physical safeguards to protect the privacy of protected health information. 

  2. Regulates how protected health information may be used or disclosed. The rule sets forth three types of uses and disclosures:

    1. Uses and disclosures required by law (the Privacy Rule itself requires disclosure in two cases: to the individual, or their personal representative, on request, and to HHS for a compliance investigation or review).

    2. Uses and disclosures prohibited by law.

    3. Uses and disclosures permitted by law. These permitted uses and disclosures fall into one of three types:

      1. Uses and disclosures requiring written patient authorization (for example, most marketing and most sales of PHI). 

      2. Uses and disclosures requiring an opportunity for the individual to agree or object to the use or disclosure (for example, listing in a facility directory or sharing with family members involved in the individual's care).

      3. Uses and disclosures for which neither an authorization nor an opportunity to agree or object is required (for example, for the covered entity's own treatment, payment, and health care operations). 


Who is Subject to the Privacy Rule?
The Privacy Rule regulates covered entities. Covered entities are defined in the HIPAA rules as:

  1. Healthcare providers that electronically transmit any health information in connection with a HIPAA-covered transaction. A HIPAA-covered transaction is an electronic exchange of information between two parties to carry out financial or administrative activities related to health care, for which HHS has adopted a standard (for example, a health care claim, an eligibility inquiry, or a payment and remittance advice).

  2. Health plans.

  3. Healthcare clearinghouses. 


What Information Does the Privacy Rule Regulate?
The Privacy Rule regulates the use and disclosure of protected health information (PHI). PHI is a subset of individually identifiable health information.

What is Individually Identifiable Health Information?

Individually identifiable health information (IIHI) is information that is a subset of health information, including demographic information collected from an individual, and that:

  1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

  2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

    i.  That identifies the individual; or

    ii. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.


Protected health information, in turn, is individually identifiable health information that is:

  1. Transmitted by electronic media;

  2. Maintained in electronic media; or

  3. Transmitted or maintained in any other form or medium.

The definition of PHI (45 CFR 160.103) excludes individually identifiable health information in education records covered by FERPA, in employment records held by a covered entity in its role as employer, and regarding a person who has been deceased for more than 50 years.

In practice, PHI is not limited to the medical record: it is any information, in any form, that a covered entity creates or receives about an individual's past, present, or future health condition, the care provided, or payment for that care, and that identifies the individual or could reasonably be used to do so. Information that can be used to identify a patient is called an "identifier."

The Privacy Rule's Safe Harbor de-identification method (45 CFR 164.514(b)(2)) lists 18 identifiers of the individual, or of the individual's relatives, employers, or household members, that must be removed before health information is considered de-identified and falls outside the Privacy Rule. Health information linked to any of these identifiers is PHI. The 18 identifiers are:

  1. Name

  2. Address, and any other geographic subdivision smaller than a state (street address, city, county, precinct, ZIP code), except that the first three digits of a ZIP code may be kept where the area sharing those three digits contains more than 20,000 people 

  3. All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89, and all elements of dates (including year) that would reveal such an age, except that these may be aggregated into a single category of "age 90 or older".

  4. Telephone number

  5. Fax number

  6. Email address

  7. Social Security number

  8. Medical record number

  9. Health plan beneficiary number

  10. Account number

  11. Certificate/license number

  12. Vehicle identifiers, serial numbers, or license plate numbers

  13. Device identifiers or serial numbers

  14. Web URLs

  15. IP address

  16. Biometric identifiers such as fingerprints or voiceprints

  17. Full-face photographs and any comparable images

  18. Any other unique identifying numbers, characteristics, or codes 
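As an added example that is not part of the original article, the following Python applies the generalization rules in the list above to one constructed patient record: direct-identifier fields are dropped, dates keep only the year, ages over 89 are collapsed into a single "90 or older" category (and the birth year is dropped in that case, since it alone would reveal the age), and free-text notes are scanned for identifier patterns such as phone numbers and e-mail addresses. The field names, regular expressions, reference date and sample record are assumptions made for this example. It illustrates the Safe Harbor approach and is not a complete de-identification tool: it does not implement the three-digit ZIP code rule, and it will not catch names or addresses written into free text.

```python
"""Added example (not from the original article): a Safe Harbor-style
scrub of one constructed patient record. Field names, patterns, the
reference date and the sample record are assumptions for the example.
"""
import re
from datetime import date
from typing import Any

# Record fields holding direct identifiers from the 18-item list; removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "zip", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_plate", "device_serial", "url", "ip_address",
    "fingerprint_template", "photo",
}

# Date fields: the year may remain, the month and day may not.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "date_of_death"}

ISO_DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")

# Identifiers that commonly leak into free-text fields such as clinical notes.
FREE_TEXT_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URL": re.compile(r"https?://\S+"),
}

# Reference date for the age calculation (constructed for the example).
AS_OF = date(2023, 6, 13)


def year_only(iso_date: str) -> str:
    """Reduce an ISO-8601 date (YYYY-MM-DD) to its four-digit year."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", iso_date)
    if m is None:
        raise ValueError(f"not an ISO date: {iso_date!r}")
    return m.group(1)


def age_on(iso_dob: str, as_of: date) -> int:
    """Age in completed years on `as_of` for someone born on `iso_dob`."""
    born = date.fromisoformat(iso_dob)
    before_birthday = (as_of.month, as_of.day) < (born.month, born.day)
    return as_of.year - born.year - int(before_birthday)


def scrub_free_text(text: str) -> str:
    """Reduce dates to years and redact other identifier patterns in text."""
    text = ISO_DATE.sub(r"\1", text)
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label} REDACTED]", text)
    return text


def safe_harbor_scrub(record: dict[str, Any], as_of: date = AS_OF) -> dict[str, Any]:
    """Return a de-identified copy of `record`; the input is not modified."""
    over_89 = "date_of_birth" in record and age_on(record["date_of_birth"], as_of) > 89
    out: dict[str, Any] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field in DATE_FIELDS:
            # A birth year alone reveals an age over 89, so for those
            # individuals the whole birth date is removed, not just month/day.
            if field == "date_of_birth" and over_89:
                continue
            out[field] = year_only(value)
        elif field == "age":
            out[field] = "90 or older" if value > 89 else value
        elif isinstance(value, str):
            out[field] = scrub_free_text(value)
        else:
            out[field] = value
    return out


# Constructed sample record; no real person is described.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "medical_record_number": "MRN-0001234",
    "date_of_birth": "1931-04-02",
    "admission_date": "2023-05-14",
    "age": 92,
    "diagnosis_code": "I10",
    "notes": "Pt reachable at 555-867-5309 or jane@example.net; seen 2023-05-14.",
}


def scrub_sample() -> dict[str, Any]:
    """Scrub the constructed sample record against the reference date above."""
    return safe_harbor_scrub(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    for field, value in scrub_sample().items():
        print(f"{field}: {value}")
```

Run the file directly to print the scrubbed record. The free-text pass is the part worth copying: identifiers leak into unstructured fields far more often than into the structured columns an engineer expects, and a scrub that only drops named columns is the usual failure mode in de-identification pipelines.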



How Does the Privacy Rule Protect PHI?

The HIPAA Privacy Rule protects protected health information (PHI) from unauthorized use or disclosure. “Use” means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of that information, within an entity maintaining the information.  “Disclosure” means the release, transfer, provision of access to, or divulging in any manner of information outside the covered entity holding the information.


Must Business Associates Comply with the Privacy Rule?

In certain circumstances, business associates must also comply with the HIPAA Privacy Rule. In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. 


Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. 


Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. 


If a business associate agreement between a covered entity and a business associate permits or requires the business associate to perform the covered entity's obligations under the Privacy Rule, the business associate must comply with the same requirements of the Privacy Rule that apply to the covered entity in the performance of these obligations. In addition, since the HITECH Act and the 2013 Omnibus Final Rule, business associates (and their subcontractors that handle PHI, who are themselves business associates) are directly liable for uses and disclosures of PHI that are not permitted by their business associate agreement or by the Privacy Rule.
