The first rule to be considered under HIPAA is the Privacy Rule, which raises the standards for the privacy of Individually Identifiable Health Information in the USA. This Rule sets appropriate safeguards to protect the privacy of personal health information and sets limits on the uses and disclosures of this information without prior authorization by the patient.

The Privacy Rule also gives patients rights over their information, such as reviewing it, obtaining a copy of their health information, and even requesting corrections. Regarding authorization, a covered entity must always obtain the individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment, or other health care operations.

Every health care provider, no matter the size, that transmits health information electronically, whether or not in connection with other transactions, is a covered entity and must comply with the Privacy Rule. Health care clearinghouses and Business Associates must also follow some of the standards of this rule to ensure the safety of personal health information.

What information is protected?

All individually identifiable health information is protected, including demographic data, and also:

  • The individual's past, present, or future physical or mental health or condition;
  • The provision of health care to the individual, or payment for that care, where the information identifies the individual or there is a reasonable basis to believe it can be used to identify the individual;
  • Any common identifying information such as name, address, birth date, social security number, etc.
  • De-identified information is not covered: there are no restrictions on its use or disclosure.

The Privacy Rule allows the disclosure of health information in two situations:

  • To the individual (or their personal representative) when they ask for access;
  • To HHS (the Department of Health and Human Services) in the case of investigations or enforcement actions.

The covered entity can also disclose health information without authorization when:

  • The individual who is the subject of the information requests it;
  • For treatment, payment, or health care operations; these operations include care coordination, health plan evaluation, credentialing, medical reviews, legal services, risk rating, business management, and others;
  • For uses and disclosures where the patient is asked directly and given the opportunity to agree or object; in an emergency, covered entities may make such uses and disclosures in the exercise of their professional judgment if it is in the patient's best interest;
  • For incidental uses and disclosures; the rule does not require that every risk of an incidental use be eliminated, but the covered entity must have safeguards in place;
  • For victims of abuse, the covered entity may disclose personal health information to the authorities;
  • For judicial and administrative proceedings;
  • For law enforcement purposes, such as when required by law, to identify or locate a suspect, fugitive, witness, or missing person, to respond to a request for information about a victim of a crime, when the covered entity suspects that the information is evidence of a crime, or to locate the perpetrator of a crime;
  • And, in the public interest, the Privacy Rule lists twelve disclosures of personal health information for national priority purposes.

There are also cases of disclosures for research, decedents, and cadaveric donations.

Still concerning disclosures, the Privacy Rule defines the minimum necessary standard, a very important concept of this rule: covered entities must make efforts to use, disclose, and request only the minimum amount of personal health information needed to accomplish their tasks. The covered entity may also develop policies defining what constitutes the minimum necessary for its own uses.

The minimum necessary standard does not apply to disclosures to a health care provider for treatment, disclosures to the individual who is the subject of the information, disclosures made to comply with an HHS investigation or as required by law, or uses and disclosures required by other HIPAA Rules. The covered entity may create its own policies for routine or recurring requests, uses, and disclosures that limit the health information disclosed to the minimum necessary.

The Privacy Rule also requires covered entities to create a notice of privacy practices describing the individuals' rights, including the right to complain to HHS and to the entity if they suspect their privacy is being violated. This notice needs to give a point of contact for patients who need it. The covered entity must also make a good faith effort to obtain, in writing, the patient's acknowledgment that they received this notice; if that is not possible, the covered entity must document the reasons why.

Keep following the blog to stay on top of Ninsaúde Apolo news, and if you are not yet a customer, contact us and request a demonstration.

Source: HHS Privacy Rule