Just recently, we talked about HIPAA Security Rules, the national standards that require healthcare organizations and their business associates to protect an individual's Electronic Protected Health Information (ePHI). Now, it’s time to have a brief discussion on HIPAA Privacy Rules. You already know that whereas the Security Rule applies only to information that is stored, handled and transferred electronically, the Privacy Rule applies to all forms of PHI, whether electronic, written, or oral. So, it’s obvious that the Privacy Rule (PR) involves even broader requirements than the Security Rule (SR) to protect the confidentiality of patient information. Let’s delve deep into this topic.


What information is protected?

The HIPAA Privacy Rule establishes national standards to protect an individual's medical records and other protected health information (PHI). With a couple of exceptions, PHI includes all individually identifiable health information that is maintained or transmitted in any form or medium, whether electronic, written, or oral. Examples of PHI are names, all date elements (except year) related to the person, license numbers, fax numbers, telephone numbers, social security numbers, and demographic information such as addresses, geographic codes smaller than a state, etc. Any other information that could possibly identify the person also needs to be protected.

The exception involves disclosures of patient information that are required by law. For example, we are legally authorized to report communicable diseases to the appropriate authorities.


What is considered “personally-identifiable health information”?

Personally identifiable health information generally includes the following, whether in electronic, paper, or oral format:

- Enrollment and disenrollment in a health plan
- Health plan premium payments
- Health care claims
- Health care encounter information, such as paper or electronic documents recording doctor’s visits
- Health care payment and remittance advice
- First report of injury
- Health claims attachments
- Coordination of health care benefits
- Health care claim status
- Referral certifications and authorization
- Health care electronic funds transfers (EFT) and remittance advice; and
- Other transactions that HHS may prescribe in future regulations


Who is covered by HIPAA Privacy Rules?

The Rule applies to all healthcare providers, health care plans, insurance companies and health care clearinghouses. In order to comply with this rule and protect the privacy of healthcare information, physicians are required to follow appropriate safeguards and to set limits and conditions on the uses and disclosures of such information made without patient authorization.
Under this rule, patients are given full rights over their health information, including the right to examine and obtain a copy of their health records when required, and to request corrections. The standards also require doctors to provide their patients with an accounting of each entity to which they disclose PHI for administrative and billing purposes.

Business Associates (BAs) of the covered entities (CEs) are also directly liable for uses and disclosures of PHI that are not covered under their BAA (Business Associate Agreement) or the HIPAA Privacy Rule itself.

The Privacy Rule requires BAs to do the following:

- Not allow any unauthorized uses or disclosures of PHI.
- Provide breach notification to the CE.
- Provide either the individual or the CE access to PHI.
- Disclose PHI to the Secretary of the Department of Health and Human Services (HHS), if asked to do so.
- Provide an accounting of disclosures.
- Comply with the guidelines set by the HIPAA Security Rule.


Challenges Presented by HIPAA Privacy Rule

The HIPAA Privacy Rule has posed several challenges for healthcare providers. They cannot share patient information with each other freely unless the patient gives them permission. Without being able to share that information, obtaining important information takes a lot of time, which can adversely impact patient care. Even when the patient has given permission for information sharing, healthcare providers remain extremely cautious, because anyone found violating the HIPAA Privacy Rule faces heavy penalties under the law.

The complexity involved in implementing the HIPAA privacy provisions has also raised costs. Organizations are not only obligated to train their staff but also to hire outside companies to perform audits and to implement policies and procedures in order to remain compliant.

Researchers are also affected by this rule, because they cannot freely conduct studies based on patient data unless the patient authorizes them to view and use that information. As a result, the cost of recruiting participants for studies has risen considerably.

In spite of these limitations, we can’t deny the fact that the HIPAA Privacy Rule has helped to build better security within many healthcare organizations. It has created a culture of compliance and promoted the confidentiality of patient information both physically and electronically.

A Definitive Guide to HIPAA Privacy Rules
February 10, 2016