For many people, their medical history is an intensely personal and sensitive matter. The reluctance of a significant portion of the population to openly discuss this information, even with their healthcare providers, underscores the deeply held protectiveness surrounding such data.
Naturally, the protection of such data itself, and more importantly, the protection of the privacy of that data, is a critical concern for most patients. The HIPAA Privacy Rule was enacted with the express purpose of addressing that concern.
The Privacy Rule makes it a legal obligation for subject organizations to ensure all their patients’ medical history remains confidential, with the records being accessible on a strict need-to-know basis only.
Read on to learn more about the history of the Privacy Rule, what makes it such a vital piece of legislation, what information it protects, and most importantly, how organizations can ensure compliance with its strict requirements.
What is the HIPAA Privacy Rule?
The Health Insurance Portability and Accountability Act (HIPAA) is a significant federal healthcare regulation in the United States (US) that establishes and governs the standards related to the protection of all patients’ medical health records or protected health information (PHI).
The Privacy Rule defines PHI, its permissible uses and disclosures, and individuals' rights over their PHI. While the first "proposed" Privacy Rule was published in November 1999, the "final" version was not published until August 2002, owing to the sheer volume of public comments. The Privacy Rule was enacted in 2003 to broaden the scope of HIPAA and set further expansive requirements and safeguards related to protecting the privacy of all patients’ medical health information. As a result of the Privacy Rule, all subject organizations must undertake appropriate measures to ensure that any PHI in their possession is managed per the legal requirements.
Obligations of Covered Entities
1. Permitted Use and Disclosure of PHI
The Privacy Rule defines and limits the circumstances in which an individual's PHI may be used or disclosed by covered entities. A covered entity may only disclose the PHI of an individual if:
- the use or disclosure is permitted or required under the Privacy Rule; or
- the individual who is the subject of the information has authorized the use or disclosure in writing.
The Privacy Rule makes it obligatory for covered entities to disclose the PHI of individuals in the following two situations only:
- to the individuals (or their personal representatives), specifically when they request access to, or an accounting of disclosures of, their PHI; and
- to the US Department of Health and Human Services (HHS) when it is undertaking a compliance investigation, compliance review, or enforcement action.
Covered entities are permitted under the Privacy Rule to use or disclose the PHI of an individual without the individual’s written authorization for the following purposes or situations:
- to the individual who is the subject of the PHI;
- for treatment, payment, and health care operations;
- where the individual has been given an opportunity to agree or object;
- for a purpose incident to an otherwise permitted use and disclosure;
- for public interest and benefit activities; and
- for limited data sets used for research, public health, or health care operations.
2. Obtain Written Authorization
For all uses and disclosures of PHI that do not fall under the required or permitted disclosures discussed above, covered entities are required to obtain specific written authorization from the individual who is the subject of the PHI. All authorizations must be in plain language and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, the expiration date or event, the right to revoke in writing, and other required elements.
3. Compliance with the Principle of Minimum Necessary
According to the principle of minimum necessary, covered entities are obligated to make reasonable efforts to utilize, disclose, and request only the minimum amount of protected health information necessary to achieve the intended purpose. In instances where the minimum necessary standard applies, a covered entity cannot use, disclose, or request the entire medical record unless it can specifically justify the entire record as reasonably needed for the intended purpose. Exceptions to the minimum necessary requirement include:
- Disclosure to or a request by a health care provider for treatment.
- Disclosure to an individual who is the subject of the information or the individual's personal representative.
- Use or disclosure made pursuant to an authorization.
- Disclosure to HHS for complaint investigation, compliance review, or enforcement.
- Use or disclosure required by law.
- Use or disclosure required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules.
4. Implement Internal Policies and Procedures
In accordance with the Privacy Rule, covered entities are mandated to establish and enforce internal policies and procedures. These measures are designed to limit access and usage of protected health information within the organization, taking into account the specific roles of individual workforce members. The policies and procedures should precisely identify the following:
- The individuals or groups within the workforce that require access to protected health information for the fulfillment of their duties.
- The specific categories of PHI to which access is necessary.
- Any conditions under which these individuals or groups need access to the information in order to effectively perform their job responsibilities.
For routine, recurring disclosures or requests for disclosures, covered entities must establish policies that limit the disclosure of PHI to the minimum necessary for the intended purpose. In contrast, for non-routine, non-recurring disclosures or requests, individual reviews are required to ensure the minimum necessary PHI is disclosed to achieve the specific purpose.
5. Designate Privacy Personnel and Train the Workforce
Covered entities are obligated to develop and implement comprehensive written privacy policies and procedures consistent with the Privacy Rule. Covered entities must appoint a designated privacy official responsible for developing and implementing privacy policies and procedures.
Additionally, a contact person or office should be designated to handle complaints, provide information on privacy practices, and serve as a point of contact for individuals seeking information about the covered entity's privacy policies.
The Privacy Rule requires the covered entities to train their workforce members on their privacy policies and procedures, as necessary and appropriate for them to carry out their functions, and to have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule.
6. Mitigate any Harm Due to Disclosure
The covered entities must mitigate, to the extent practicable, any harmful effect caused by the use or disclosure of protected health information by their workforce or business associates in violation of their privacy policies and procedures or the Privacy Rule.
7. Establish and Maintain Data Safeguards
The covered entities must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.
8. Establish a Complaints Redressal Mechanism
The covered entities must have procedures, which must also be explained in the privacy notice, for individuals to complain about the entity's compliance with its privacy policies and procedures and the Privacy Rule.
9. Retaliation and Waiver
The covered entities are barred from retaliating against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule. The Privacy Rule also prohibits requiring an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, enrollment, or eligibility for benefits.
10. Documentation and Record Retention
The covered entities are required to maintain, until six years after the date of their creation or last effective date, their privacy policies and procedures, their privacy practices notices, the disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.
Rights of Individuals
The individuals who are the subjects of PHI have the following rights under the Privacy Rule:
1. Right to Privacy Notice
The covered entities are required to provide the individuals with a notice of their privacy practices, including the ways in which the covered entity may use and disclose the PHI and its duties to protect the privacy of the PHI. The notice must also describe the individuals' rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated, and must include a point of contact of the covered entity.
2. Right to Access
The individuals have the right to review and obtain a copy of their PHI in a covered entity's designated record set.
3. Right to Amend PHI
The individuals have the right to have covered entities amend their PHI in a designated record set when that information is inaccurate or incomplete.
4. Right to Accounting of Disclosures
The individuals have the right to an accounting of the disclosures of their PHI by a covered entity or the covered entity's business associates. The maximum disclosure accounting period is the six years immediately preceding the accounting request.
5. Right to Restrict
The individuals have a right to request that a covered entity restrict the use or disclosure of PHI for treatment, payment, or health care operations, disclosure to persons involved in the individual's health care or payment for health care, or disclosure to notify family members or others about the individual's general condition, location, or death.
A covered entity is under no obligation to agree to the requests for restriction. However, a covered entity is required to agree to an individual’s request to restrict the disclosure of their PHI to a health plan when both of the following conditions are met:
- the disclosure is for payment or health care operations and is not otherwise required by law; and
- the PHI pertains solely to a health care item or service for which the individual, or a person other than the health plan on behalf of the individual, has paid the covered entity in full.
Why is the HIPAA Privacy Rule Important?
The HIPAA Privacy Rule acts as a potent safeguard in place to protect the privacy and security of patients’ PHI. Some critical reasons that make it a highly important regulation within the United States include the following:
1. Patient Privacy Protection
The Privacy Rule is designed meticulously to protect the confidentiality and privacy of all patients’ PHI. Not only do patients have a significant degree of control over who can access their medical records, but they also have visibility into the reasons behind the need for access to their records.
2. Consistency
Similar to any other regulation, the Privacy Rule standardizes the protection protocols an organization is expected to undertake to protect a patient’s PHI. As a result, regardless of the patient’s location within the US, the protection of their data per the stated standards is guaranteed.
3. Healthcare Quality
For patients, the Privacy Rule delivers a much-needed extension to the concept of quality healthcare. A patient is much more likely to trust practitioners with their medical history and share medical information if they are assured of the information’s continuous confidentiality.
4. Reduction in Fraud
A natural consequence of the strict access controls enforced by the Privacy Rule is a reduction in medical fraud, as only a select few personnel can access a patient’s sensitive medical history and information, and only with a valid reason for accessing it.
HIPAA Privacy Rule History
The HIPAA Privacy Rule has a substantial history behind it. Going through this timeline helps explain how the regulation reached its present form and lends perspective on how it adapted to evolving social and informational challenges over the years.
- HIPAA Passage - HIPAA was formally enacted by Congress in 1996. Its stated objectives were to address several issues related to healthcare, such as insurance coverage, fraud, abuse, and, above all, protection of all patient health information.
- HIPAA Privacy Rule Proposal - In 1999, the HHS issued its first proposal related to the Privacy Rule. The aim of such a regulation would be to create national standards to improve the efficiency and effectiveness of public and private health programs by providing enhanced protections for PHI.
- HIPAA Privacy Rule Finalization - In December 2000, the finalized version of the HIPAA Privacy Rule was published in full in the Federal Register. In this version, the Privacy Rule provided permissions for subject organizations to disclose PHI under specific circumstances such as judicial and administrative proceedings, health oversight activities, and law enforcement purposes.
- Enforcement - From 2003 onward, the Office for Civil Rights (OCR), a sub-office of the HHS, was tasked with enforcement of the HIPAA Privacy Rule.
- HITECH Act - In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009. Its primary purpose was to strengthen HIPAA in several critical aspects, such as expanding the scope of HIPAA to include third parties, such as business associates, that handle PHI on behalf of another organization. Other additions included stricter and heftier penalties for violations of the Privacy Rule.
- Omnibus Rule - In January 2013, the HHS published the Omnibus Rule, which brought significant additions to the Privacy Rule. Additionally, the Omnibus Rule provided much-needed clarity on the several preceding additions that had been made to the Privacy Rule as a result of the HITECH Act. These included provisions related to patient rights, breach notification, and the responsibilities of business associates.
What Data is Protected Under Privacy Rule?
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper, or oral. Individually identifiable health information refers to information, including demographic data, that pertains to:
- The individual's past, present, or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual.
This information either directly identifies the individual or provides a reasonable basis to believe it can be used to identify the individual. Common identifiers include name, address, birth date, and Social Security Number. The Privacy Rule does not protect:
- Personally identifiable health information that is held or maintained by an organization other than a covered entity.
- Information that has been de-identified in accordance with the Privacy Rule.
- Health information maintained in students' educational records, as these are protected by the Family Educational Rights and Privacy Act.
- Health information maintained by a covered entity in its role as an employer, e.g. health information relating to an employee's absence from work.
Who Needs to Comply with the HIPAA Privacy Rule?
Individuals, organizations, and agencies that fall under the definition of a ‘covered entity’ must comply with the Privacy Rule. Covered entities under HIPAA include the following categories:
1. Health Plans
These include individual or group plans that provide or pay the cost of medical care. Health plans may include the following:
- Health insurance companies.
- Health maintenance organizations.
- Employer-sponsored health plans.
- Government programs that pay for health care, like Medicare, Medicaid, and military and veterans’ health programs.
2. Healthcare Providers
These are individuals or entities that electronically transmit health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule. Health care providers include, but are not limited to, doctors, psychologists, dentists, clinics, pharmacies, and nursing homes.
3. Healthcare Clearinghouses
Healthcare clearinghouses are entities that process nonstandard information they receive from another entity into a standard format or data content, or vice versa. Healthcare clearinghouses may include billing services, repricing companies, community health management information systems, and value-added networks and switches if these entities perform clearinghouse functions.
In addition to the covered entities, HIPAA applies to ‘business associates’, meaning an individual or entity that performs certain functions on behalf of a covered entity that entail the use or disclosure of PHI. These can include IT service providers offering services such as electronic health record (EHR) systems and cloud storage, as well as health information exchanges and pharmacy benefit managers.
Who Enforces HIPAA Privacy Rules?
The enforcement of the HIPAA regulation itself is the responsibility of the HHS. The Office for Civil Rights (OCR) is the sub-department within the HHS responsible for overseeing and enforcing compliance with the HIPAA Privacy Rule.
The OCR oversees the comprehensive compliance audits that subject organizations must conduct per the Privacy Rule requirements. Additionally, the OCR is responsible for undertaking investigations related to reported violations and imposing penalties and fines if an organization is found to have violated the Privacy Rule.
Once an organization is found to have violated the HIPAA Privacy Rule, the OCR works with such organizations to develop a comprehensive corrective action plan that addresses the identified issues and hastens the path toward compliance. The OCR also provides technical assistance and educational material for such organizations to leverage to comply with the Privacy Rule.
How Does Securiti Help?
The Privacy Rule may seem intimidating, but organizations leveraging the appropriate approach and tools will find compliance a much more seamless process. Automation represents the best chance of becoming compliant with the Privacy Rule, as it removes the need for the substantial resources that a manual process would require.
This is where Securiti can help.
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments. Additionally, Securiti has many other modules and solutions designed to ensure an organization can adequately address any of its data security, privacy, governance, and compliance obligations per HIPAA.
The vendor risk management and privacy notice solutions are elaborate examples of such. Leveraging these modules, subject organizations can ensure compliance with various provisions of the HIPAA Privacy Rule and address their obligations.
Request a demo today and learn more about how Securiti can help your organization's HIPAA compliance journey.