The Privacy Rule establishes national standards for the protection of certain health information. It applies to all forms of individuals' protected health information, whether electronic, written, or oral. The major goal of the Privacy Rule is to make sure an individuals’ health information is properly protected while allowing the flow of health information needed to provide high quality health care and to protect the public’s health and well-being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of those who need care.
The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf.
For the average health care provider or health plan, the Privacy Rule requires activities, such as:
Each section in this course will include a quiz question at the bottom of the page. In the last section, you'll be able to check your score and retake the quiz if desired. Be sure to answer all questions or you won't see your score. To improve your score after you get results, just go back through the sections and change your answers. Do not refresh pages or you'll have to answer all questions again.
Responsible health care providers and businesses already take many of the kinds of steps required by the Rule to protect patients' privacy. To ease the burden of complying with the requirements, the Privacy Rule gives needed flexibility for providers and plans to create their own privacy procedures, tailored to fit their size and needs.
The rule is scalable to provide a more efficient and appropriate means of safeguarding protected health information than would any single standard.
Here are some examples:
The HIPAA Security Rule establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.
Prior to HIPAA, no generally accepted set of security standards or general requirement for protecting health information existed in the healthcare industry. At the same time, new technologies were being created, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information, and conduct a host of other administrative and clinically based functions.
A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. The health care marketplace is so diverse, therefore, the Security Rule is designed to be flexible so a covered entity can implement policies, procedures, and technologies appropriate for the entity’s particular size, organizational structure, and risks to consumers’ personal information.
The Security Rule applies to health plans, healthcare clearinghouses, and any health care provider who transmits health information in an electronic form.
Covered entities include individual and group plans who provide or pay the cost of medical care. Health plans include the following:
Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. There are exceptions — a group health plan with less than 50 participants, that is administered solely by the employer that established and maintains the plan, is not a covered entity.
The following two types of government-funded programs are not health plans:
Certain types of insurance entities are also not health plans, including entities providing only workers’ compensation, automobile insurance, and property and casualty insurance.
Privacy and security go hand-in-hand. Privacy is the "what." It says patients have the right to have their health information protected from unauthorized disclosures. Security is the "how." In other words, agencies must determine the procedures they will put into place to protect health information.
According to the Department of Health and Human Services (HHS), the majority of Security Rule violations occur as a result from a covered entity not having adequate policies and procedures in place to safeguard personal information contained on its information systems.
This part of the law prohibits the disclosure of Protected Health Information (PHI) in any form except as required or permitted by law.
The HIPAA Privacy rule mandates how PHI may be used and disclosed.
The Privacy Rule protects PHI in any form including but not limited to:
The HIPAA Privacy Rule says don't listen, tell, or show any client's PHI to anyone who does not have a legitimate right to see or hear that information.
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form of media, whether electronic, paper, or oral.
HIPAA protects information that alone or combined may identify a patient, the patient’s relatives, employer or household members. Health information that contains even one patient identifier is protected under HIPAA. Here are some examples:
Here are some examples of other places you might find patient information:
If you observe someone wrongfully disclosing PHI, you should do the following:
If you wrongfully disclose PHI, you should do the following:
There are several things that can be put into place to protect a patients' privacy. Here are just a few examples:
Click on the "Check Quiz Answers" button to grade your quiz and see your score. You will receive a message if you forgot to answer one of the questions. After clicking the button, the questions you missed will be listed below. You can correct any missed questions and check your answers again.
Whether your health information is stored on paper or electronically, you have the right to keep it private. Watch this video and visit http://www.hhs.gov/ocr to learn about electronic health records and your patient privacy rights under the HIPAA privacy and security rules.