Research indicates that over 40 million people were affected by healthcare data breaches in 2022 in the US. That's why businesses, government and industry bodies must focus on protecting patients’ privacy. The Health Insurance Portability and Accountability Act, or HIPAA, is a set of regulations that outline how protected health information (PHI) can be used and disclosed.
These regulatory standards include the HIPAA Privacy Rule. This rule aims to protect PHI while allowing the flow of health information necessary to provide quality care.
Key takeaways
- The HIPAA Privacy Rule aims to protect patient health information.
- The standards also ensure patients have access to their own medical data.
- The privacy rule applies to covered entities, their business associates, and hybrid entities.
- Any information that can be used to identify an individual patient is considered PHI and must be protected.
- Healthcare providers are permitted to use and disclose PHI in the course of their normal healthcare-related duties. They may also be required to use or disclose PHI for a compliance review.
- To remain compliant, companies need to draw up policies and procedures for handling PHI and appoint a privacy officer.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule is a set of standards developed to protect patient confidentiality and patients' right to access their health information. The aim of these rules is to safeguard patients' sensitive health data from being disclosed without their consent. It also ensures that the data will only be used for healthcare purposes.
The privacy rule applies to health plans, healthcare providers, healthcare clearinghouses, and their business associates.
According to these regulations, covered entities must provide a Notice of Privacy Practices to all their patients and plan members. This notice explains what PHI can be disclosed, why, and to which parties. The document also informs them of their individual right to access, amend, or transfer their PHI.
Importance of the HIPAA Privacy Rule
If any covered entity or one of their business associates violates the HIPAA Privacy Rule or the HIPAA regulations, they may be investigated by the Department of Health and Human Services. They could be fined up to $1.5 million if the breach was due to willful neglect and they failed to remedy the situation.
Who is covered by the HIPAA Privacy Rule?
The rule applies to covered entities, business associates, and hybrid entities that handle PHI (hybrid entities have only some of their activities covered by HIPAA). There are exceptions, such as:
- Insurance providers who offer health insurance as a secondary benefit
- Covered entities that bill their clients directly
- Some employers who self-administer a group health plan
What information is protected?
Any information that can be used to identify a patient is protected. This means any individually identifiable health information and any non-health information contained in the same records (called a designated record set). However, the data is only protected when it is in a designated record set.
For example, a patient's social security number is not health information, but it is information that could be used to identify the patient. This non-health data is only protected while it is included in a designated record set alongside PHI. If that social security number is maintained in a record that does not contain individually identifiable health information, it is no longer protected by the Privacy Rule.
In instances when the rule does not apply, state privacy and security rules may come into play to ensure that data is handled securely. The Privacy Rule applies not only to electronic PHI but also to any physical documents that contain individual health data.
PHI uses and disclosures
The Privacy Rule clarifies in what situations protected health information can be used and disclosed. The two instances when uses and disclosures are mandated include:
- When an individual makes an access request for their own PHI records
- When the HHS requires the information for a compliance review or investigation
Covered entities are permitted to use and disclose PHI to carry out their normal healthcare-related duties. Sometimes, these permitted uses become required uses and disclosures under state law, such as a duty to report abuse or neglect.
A final way PHI can legally be used or disclosed is if the individual authorizes it. A common example of this is use for marketing purposes. It's important that the authorization wording is easy to understand and that it is clear how the PHI will be used or disclosed. The document should also clarify when the covered entity will no longer have any control over further disclosures, for example, when data will be published on social media.
Remaining compliant with the HIPAA Privacy Rule
Organizations must draw up privacy policies and procedures that align with the HIPAA Privacy Rule. They also need to appoint a privacy officer who develops these policies, provides information to individuals requesting their PHI, and handles complaints about the organization's privacy practices.
Organizations should also train their employees, volunteers and contractors on PHI and privacy policies. The entity must maintain the right administrative, policy, procedural, and technical safeguards to keep its patients' sensitive medical information secure. Examples include encrypting emails that contain PHI and shredding paper documents that contain PHI.
Balancing cybersecurity and the immediacy of patient care
Covered entities need to access information and respond to critical care issues quickly. At the same time, they should still follow their data security protocols. The HIPAA Privacy Rule and HIPAA Security Rule help organizations focus on cybersecurity and on preventing healthcare data breaches.
A recent US government report revealed that many organizations that handle electronic protected health information don't have dedicated cybersecurity personnel and often lack enterprise-wide security and expertise. Healthcare providers must adhere to vital regulations like the HIPAA rules. At the same time, they need to recognize the relationship between cybersecurity and the safety of their patients' private medical information.
Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.