The Privacy Rule establishes national standards for the protection of certain health information. It applies to all forms of individuals' protected health information, whether electronic, written, or oral. The major goal of the Privacy Rule is to make sure an individual's health information is properly protected while allowing the flow of health information needed to provide high-quality health care and to protect the public's health and well-being. The Rule strikes a balance that permits important uses of information while protecting the privacy of those who need care.
The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf.
For the average health care provider or health plan, the Privacy Rule requires activities, such as:
Responsible health care providers and businesses already take many of the kinds of steps required by the Rule to protect patients’ privacy. To ease the burden of complying with the requirements, the Privacy Rule gives needed flexibility for providers and plans to create their own privacy procedures, tailored to fit their size and needs.
The scalability of the Rule provides a more efficient and appropriate means of safeguarding protected health information than would any single standard.
Here are some examples:
The Security Rule established a national set of security standards for protecting certain health information that is held or transferred in electronic form.
Prior to HIPAA, no generally accepted set of security standards or general requirement for protecting health information existed in the healthcare industry. At the same time, new technologies were being created, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information, and conduct a host of other administrative and clinically based functions.
A major goal of the Security Rule is to protect the privacy of individuals' health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Because the health care marketplace is so diverse, the Security Rule is designed to be flexible, so that a covered entity can implement policies, procedures, and technologies appropriate for the entity's particular size, organizational structure, and risks to consumers' personal information.
The Security Rule applies to health plans, healthcare clearinghouses, and any health care provider who transmits health information in an electronic form.
Covered entities include individual and group plans that provide or pay the cost of medical care. Health plans include the following:
Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. There are exceptions: a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.
The following two types of government-funded programs are not health plans:
Certain types of insurance entities are also not health plans, including entities providing only workers’ compensation, automobile insurance, and property and casualty insurance.
Privacy and security go hand-in-hand. Privacy is the “what.” It says patients have the right to have their health information protected from unauthorized disclosures. Security is the “how.” In other words, agencies must determine the procedures they will put into place to protect health information.
According to the Department of Health and Human Services (HHS), the majority of Security Rule violations occur because a covered entity did not have adequate policies and procedures in place to safeguard personal information contained on its information systems.
This part of the law prohibits the disclosure of Protected Health Information (PHI) in any form except as required or permitted by law.
The HIPAA Privacy rule mandates how PHI may be used and disclosed.
The Privacy Rule protects PHI in any form including but not limited to:
The HIPAA Privacy Rule says: do not listen to, tell, or show any client's PHI to anyone who does not have a legitimate right to see or hear that information.
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form of media, whether electronic, paper, or oral.
HIPAA protects information that alone or combined may identify a patient, the patient's relatives, employer, or household members. Health information that contains even one patient identifier is protected under HIPAA. Here are some examples:
Here are some examples of other places you might find patient information:
If you observe someone wrongfully disclosing PHI, you should do the following:
If you wrongfully disclose PHI, you should do the following:
There are several things that can be put into place to protect a patient's privacy. Here are just a few examples:
Two doctors are eating lunch at a restaurant with many other patrons nearby. They are discussing a patient case that involves medical coverage and eligibility concerns. They are talking about confidential PHI regarding the patient. What should they do?
The correct answer is: Move the discussion to a private location where it cannot be overheard.