Just recently, we talked about HIPAA Security Rules, the national standards that require healthcare organizations and the associated businesses associates to protect the Electronic Protected Health Information (ePHI) of an individual. Now, it’s time to have a brief discussion on HIPAA Privacy Rules. You already know that whereas security rules apply only to the information that is stored, handled and transferred electronically, privacy rules apply to all forms of PHI, whether electronic, written, or oral. So, it’s obvious that Privacy Rules (PR) will involve even broader requirements than Security Rules (SR) to protect the confidentiality of patient information. Let’s delve deep into this topic.

What information is protected?

The HIPAA Privacy Rule establishes national standards to protect the medical records and other protected health information (PHI) of an individual. With a couple of exceptions, PHI includes all individually identifiable health information that is maintained or transmitted in any form or medium whether electronic, written, or oral. Some of the examples of PHI are names, all dates (except year) elements related to the person, license numbers, fax numbers, telephone numbers, social security numbers, and demographic information such as addresses, geographic codes smaller than state, etc. Any other information that can possibly identify the person needs to be protected.

The exception involves disclosures of patient information that are required by law. For example, we are legally authorized to report communicable diseases to the appropriate authorities.

What is considered “personally-identifiable health information”?

Personally-Identifiable health information generally includes the following, whether in electronic, paper, or oral format:

 Enrollment and disenrollment in a health plan
 Health plan premium payments
 Health care claims
 Health care encounter information, such as physical or e-paper documenting doctor’s visits
 Health care payment and remittance advice
 First report of injury
 Health claims attachments
 Coordination of health care benefits
 Health care claim status
 Referral certifications and authorization
 Health care electronic funds transfers (EFT) and remittance advice; and
 Other transactions that HHS may prescribe in future regulations

Who is covered by HIPAA Privacy Rules?

The Rule applies to all the healthcare providers, health care plans, insurance companies and health care clearing houses. In order to comply with this rule and protect the privacy of healthcare information, physicians are required to follow appropriate safeguards and set limits and conditions on the uses and disclosures of such information without patient authorization.
Under this rule, the patients are given full rights over their health information, including rights to scrutinize and get a copy of their health records when required, and to request corrections. The standards also require doctors to provide their patients an account of each entity to which they disclose PHI for administrative and billing purposes.

Business Associates (BAs) of the covered entities (CEs) are also directly liable for uses and disclosures of PHI that are not covered under their BAA (Business Associate Agreement) or the HIPAA Privacy Rule itself.

The Privacy Rule requires BAs to do the following:

 Do not allow any unauthorized uses or disclosures of PHI.
 Provide breach notification to the CE.
 Provide either the individual or the CE access to PHI.
 Disclose PHI to the Secretary of Department of Human Health and Services (HHS), if asked to do so.
 Provide an accounting of disclosures.
 Comply with the guidelines set by HIPAA Security Rule.

Challenges Presented by HIPAA Privacy Rule

HIPAA privacy rule has posed several challenges for the healthcare providers. They cannot share patient information between each other freely, unless the patient or the client gives permission to them. Without being able to share that information, it takes a lot of time to obtain important information that can impact patient care adversely. Even when the patient has given permission for information sharing, healthcare providers remain extremely cautious. Anyone who is found violating HIPAA privacy rules is charged with huge penalties under the law.

The complexity involved in the implementation of HIPAA privacy provisions has also risen the costs. Organization are not only obligated to train their staff but also hire outside companies to perform audits and implement policies and procedures to remain compliant.

Researchers also get affected by this rule because they cannot do their study freely based on patient data, unless the patient authorizes them to view and use that information. Due to this, the cost of recruitment for studies has also risen considerably.

In spite of these limitations, we can’t deny the fact that the HIPAA Privacy Rule has helped to build better security within many healthcare organizations. It has created a culture of compliance and promoted the confidentiality of patient information both physically and electronically.