HIPAA Privacy Rule | Introduction and Overview

The HIPAA “Privacy Rule”, technically known as the Standards for Privacy of Individually Identifiable Health Information (45 CFR Part 164, Subpart E), established a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Privacy Rule standards address the use and disclosure of individuals’ health information, called “protected health information” (PHI), by the organizations subject to the Privacy Rule, known as “covered entities”, and, in many cases, by their business associates.

HIPAA Privacy Rule | It's About Protecting Patient Information
According to the Department of Health and Human Services (www.hhs.gov), “A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being.” The entities specifically covered by, and required to comply with, the Privacy Rule are the following:

  • Health Plans
  • Health Care Providers
  • Health Care Clearinghouses

It’s important to note that the Department of Health and Human Services (www.hhs.gov) states that “The Privacy Rule…[applies] to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA.” Combined with the Final Omnibus Rule (January 2013), which extended direct liability to “business associates” and their subcontractors, it’s safe to say that virtually any entity that creates, receives, maintains, or transmits health information on behalf of a covered entity will need to comply with the HIPAA Privacy Rule and all applicable Subpart E mandates. Note that the Rule does not reach every organization that merely handles health data; the test is whether the organization is a covered entity, a business associate, or a business associate’s subcontractor.

As for what information is protected under the Privacy Rule, it is “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. This is “protected health information” (PHI). According to www.hhs.gov, “individually identifiable health information” is information, including demographic data, that relates to:

  • The individual’s past, present or future physical or mental health or condition,
  • The provision of health care to the individual, or
  • The past, present, or future payment for the provision of health care to the individual.

A large part of the Privacy Rule deals specifically with “uses and disclosures”, defining and limiting the circumstances in which an individual’s protected health information may be used or disclosed by covered entities and their business associates. Sections 164.502 through 164.514 of Subpart E discuss the various provisions on “uses and disclosures” in much more detail.

In all, the Privacy Rule covers the following four (4) broad-based areas and respective requirements:

  • Uses and Disclosures
  • Individual Rights
  • Administrative Requirements
  • General Safeguards and Best Practices

HIPAA Privacy | 164.500 - 164.534
Technically speaking, Subpart E of the HIPAA Privacy Rule (45 CFR 164.500 to 164.534) contains the following sections:

  • § 164.500 Applicability
  • § 164.501 Definitions
  • § 164.502 Uses and disclosures of protected health information: general rules
  • § 164.504 Uses and disclosures: organizational requirements
  • § 164.506 Uses and disclosures to carry out treatment, payment, or health care operations
  • § 164.508 Uses and disclosures for which an authorization is required
  • § 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object
  • § 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required
  • § 164.514 Other requirements relating to uses and disclosures of protected health information
  • § 164.520 Notice of privacy practices for protected health information
  • § 164.522 Rights to request privacy protection for protected health information
  • § 164.524 Access of individuals to protected health information
  • § 164.526 Amendment of protected health information
  • § 164.528 Accounting of disclosures of protected health information
  • § 164.530 Administrative requirements
  • § 164.532 Transition provisions
  • § 164.534 Compliance dates for initial implementation of the privacy standards

To learn more about the Privacy Rule, please visit the Department of Health and Human Services (HHS) at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

Download HIPAA Policies and Compliance Toolkits Today
hipaapoliciesandprocedures.com also offers industry-leading HIPAA toolkits for both Covered Entities (CE) and Business Associates (BA), consisting of high-quality security policies and procedures, training material, readiness checklists and templates, essential legal forms, a HIPAA-specific disaster recovery manual, and much more. Learn about our industry-leading HIPAA compliance toolkits today.