Anyone who is familiar with HIPAA will be aware of the Privacy Rule, one of the central Rules that make up the legislation. But what is the HIPAA Privacy Rule? What rights does it confer to patients, and what does it mean for HIPAA Covered Entities and their Business Associates? We will discuss the answers to those questions, among others, in this article.
The Standards for Privacy of Individually Identifiable Health Information (abbreviated to the HIPAA Privacy Rule) were introduced in 2002, six years after the original HIPAA legislation. The Rule set standards for what it considered “Protected Health Information” (PHI) could be used, disclosed, and protected. However, it needed to be sufficiently flexible to ensure that the information could be disclosed when necessary. That is, PHI had to be sufficiently safeguarded so that patients were not at risk of identity theft, but its protection should not interfere with healthcare operations.
To achieve this balance, the Privacy Rule set out a number of standards covering appropriate uses of PHI, who could access it, and what administrative requirements must be in place to ensure that the Rule is followed.
Perhaps confusingly, not all health-related data is covered by the HIPAA Privacy Rule. So what is? Firstly, the data must contain one of 18 HIPAA identifiers (demographic or related data that can be used to identify an individual). The data can be in any format (verbal, electronic, or physical), and must pertain to one of the following:
- A past, present, or future mental or physical diagnosis,
- The provision of healthcare services, or
- The past, present, or future payment for the provision of healthcare.
All data that is classified as PHI is protected under the HIPAA Privacy Rule.
It is possible for CEs and BAs to “de-identify” PHI. By removing identifiers, or ensuring that only sufficiently vague identifiers remain such that the identity of the individual would be impossible to trace, the CE or BA can make it so that the health data is no longer subject to the HIPAA Privacy Rule.
Those that are subject to the HIPAA Privacy Rule are considered Covered Entities (CEs). Broadly, these CEs are health plans, healthcare clearinghouses, and healthcare organizations that use PHI for specific transactions. If a CE enters a Business Associate Agreement (BAA) with a third party, that party becomes a Business Associate and is also required to be HIPAA compliant.
So, we have covered what it protects, but again: what is the HIPAA Privacy Rule? One of the key purposes of the HIPAA Privacy Rule is to stipulate how PHI can be used and disclosed. The Basic Principle is that CEs should do their utmost to limit the disclosure of PHI. The PHI should only be disclosed if the use is stipulated in the Privacy Rule or if patient authorization has been obtained.
In some cases, CEs are required to disclose PHI if individuals (or their representatives) request access to their PHI. The CE must also hand over PHI if it is required as part of a DHSS investigation.
Patients may not always have the capacity to act on their own behalf. In these instances, they may appoint a “representative” who, under the HIPAA Privacy Rule, must be treated the same way the individual themself would be. In most cases, a minor’s parents will act as their representative, though this is not always appropriate. In these situations, the State can appoint another representative.
As we alluded to above, there are several “Permitted Disclosures” under the HIPAA Privacy Rule. They are as follows:
- If requested by the individual or their representative;
- For payment of healthcare, treatment, or other healthcare-related operations;
- To give the individual or their representative the opportunity to agree or object to their data;
- If the data is needed for the public interest (including legal investigations or for public health monitoring), or;
- As part of a limited dataset for scientific or other research.
If the CE wishes to use PHI for another type of activity, they must obtain the correct authorization from the patient or their representative. For example, if the CE wishes to use a parent’s data for marketing purposes, they must obtain authorization from the patient. Authorization is also required for disclosure of psychotherapy notes.
One of the key ways by which the Privacy Rule governs the disclosure of PHI is the Minimum Necessary Rule. Under this Rule, CEs must make “reasonable efforts” to ensure that only the minimum amount of information required to carry out a certain transaction is disclosed. Unsurprisingly, there are some exceptions to this rule when:
- The information is being provided to the individual or their representative;
- The correct authorization has been obtained;
- The information is required to provide treatment;
- The data is required by the DHSS for an investigation;
- The information is required by law;
- The information is required for compliance with the HIPAA Transaction Rule or other HIPAA Administration Rules.
To facilitate the safe disclosure and use of PHI, the HIPAA Privacy Rule stipulates a number of administrative requirements that must be followed by the CE. The CE must do the following:
- Develop and implement privacy policies and procedures;
- Appoint a designated Privacy Officer who oversees the privacy policies;
- Train and correctly manage the workforce;
- Have mitigation policies if a violation occurs;
- Implement data safeguards;
- Develop a complaints procedure (where complaints can be directed to the Privacy Officer)
- Ensure that they do not retaliate against an individual who chooses to exercise their rights, or to require an individual to waive any rights to receive a service;
- Maintain copies of their privacy practice notices, policy procedures, and complaints for at least six years after they were created (or from their last effective use).
There are some exceptions to these administrative requirements. Fully-insured group help plans, for example, must only ensure that they maintain their documentation and that they do not retaliate against individuals (or require that they waive their rights).
At the point of the first service, individuals must receive a Privacy Practice Notice that stipulates how PHI can be used and disclosed. It should also give details of the HIPAA Privacy Officer, who the individual can contact if they have any HIPAA-related concerns.
Under the Privacy Rule, patients also have the right to access and amend their data if they feel it is incorrect. Records of what amendments were made should also be maintained.
As the HIPAA Privacy Rule is a federal law, it preempts State laws in most circumstances. The Rule, as well as HIPAA more broadly, is enforced by the Office for Civil Rights, which can pursue investigations into CEs and BAs for non-compliance. These investigations can have a number of outcomes, ranging from voluntary compliance actions to financial penalties or even criminal prosecution. For these reasons, it is essential that CEs and BAs ensure that their workforce is fully trained in HIPAA compliance.