What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule (the Privacy Rule), empowers individuals to have a legal, enforceable right to see and request copies of their medical history and other health records maintained by their health care providers and health plans upon request.

The Privacy Rule is part of the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA. It is a set of federal regulations that govern the use and disclosure of Protected Health Information (PHI). PHI is any identifiable health information held or transmitted by a covered entity, such as a health insurance company or healthcare provider. The information is generally connected to individuals. 

The HIPAA Privacy Rule establishes national standards and privacy regulations to protect PHI. It gives patients the right to access and control their health information and limits how and when PHI can be used or disclosed without patient authorization or consent.

The authorization requirement can change in rare circumstances. While there are nuances that a person in connection with healthcare records should be aware of, generally accessing PHI without authorization is permissible only to report disease or in cases surrounding injury, birth, or death.

That said, it is not recommended to access PHI without authorization unless circumstances are dire and the severity of a situation warrants circumventing confidentiality protections. Infectious diseases and such can sometimes fall into the realm of acceptable reasons to bypass HIPAA. That said, seeking additional guidance from the U.S. Department of Health and Human Services is always advisable. 

The rule protects an individual’s past, present, and future physical or mental health condition and medical history, the provision of health care to the individual, health care transactions, and payments for the provision of health care.

Privacy of persons and patient confidentiality are paramount to HIPAA. There can be civil penalties for those who violate HIPAA, whether for personal gain or other reasons.

Those who work in health and human services must take extra care to protect individuals’ privacy. Protecting a patient’s health history is critical to ethical public health practice. 

HIPAA Privacy Rule History

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule dates back to the 1990s. Here’s a brief overview of its history and how it has changed since being enacted in 1996:

  1. HIPAA Passage (1996): The Health Insurance Portability and Accountability Act was enacted by the U.S. Congress in 1996. It aimed to address various issues related to healthcare, including portability of health insurance coverage, fraud and abuse, administrative simplification, and more. Part of HIPAA’s administrative simplification provisions included requirements for protecting individuals’ health information.
  2. HIPAA Privacy Rule Proposal (1999): In 1999, the U.S. Department of Health and Human Services (HHS) issued a proposed rule for the Privacy Rule to establish national standards for protecting individuals’ health information. This marked the initial step in formalizing the regulations for safeguarding sensitive health data.
  3. HIPAA Privacy Rule Finalization (2000): The final version of the HIPAA Privacy Rule was published in the Federal Register on December 28, 2000. The rule established comprehensive standards for protecting individually identifiable health information held or transmitted by healthcare organizations and other covered entities. The 2000 rule included permissions for regulated entities to disclose PHI (protected health information) under certain conditions for judicial and administrative proceedings, health oversight activities, and law enforcement purposes.
  4. Compliance Deadline (2003): Covered entities were given until April 14, 2003, to comply with the HIPAA Privacy Rule’s requirements. This allowed organizations to implement administrative, technical, and physical safeguards to protect patient information.
  5. Enforcement and Penalties (2003 Onward): The HIPAA Privacy Rule empowered the Office for Civil Rights (OCR), a division of HHS, to enforce the rule’s provisions. The OCR began its enforcement efforts by investigating complaints, conducting audits, and imposing penalties for non-compliance.
  6. HITECH Act (2009): The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, strengthened certain aspects of HIPAA. It expanded the scope of HIPAA to include business associates (third-party entities that handle protected health information) and increased penalties for violations.
  7. Omnibus Rule (2013): In January 2013, HHS published the HIPAA Omnibus Rule, which significantly updates the Privacy Rule to address changes brought about by the HITECH Act. It also clarified and strengthened certain provisions related to patient rights, breach notification, and the responsibilities of business associates.
  8. Subsequent Developments: Over the years, there have been ongoing updates, guidance, and clarifications provided by HHS and the OCR to address emerging issues in healthcare data privacy and security. These developments have aimed to adapt to the evolving landscape of technology and healthcare practices.

Throughout its history, the HIPAA Privacy Rule has played a crucial role in setting standards for protecting patient information and ensuring individuals’ rights to privacy and control over their health data. Following is more guidance regarding answers to subjects like why HIPAA exists and why authorization is so important. 

Why Does the HIPAA Privacy Rule Exist?

One of the primary purposes of the HIPAA Privacy Rule is to safeguard the privacy of patient’s sensitive health information. This includes information about medical conditions, treatments, medications, and other personal health details. By establishing clear standards for protecting this information, the rule helps maintain patient trust and confidence in healthcare providers and organizations.

The HIPAA Privacy Rule seeks to strike a balance between the need for healthcare organizations to access and share patient information for legitimate purposes and the imperative to protect patients’ privacy and maintain the confidentiality of their sensitive health data.

It also helps protect the flow of health information, sets privacy standards, and provides additional protection of individuals’ rights related to health care. As trust in health care and access to health care have waned, it has become essential to enact the privacy law for those additional protections with oversight from the Office for Civil Rights. Authorization is a critical component of individual privacy. 

Why Is the HIPAA Privacy Rule Important?

The HIPAA privacy rule is vital to patients, providers, and compliance officers for various reasons. First and foremost, the rule protects the confidentiality of patient records and other identifiable health information.

This is critical to maintaining trust between patients and their healthcare providers. Patients need to know that their health information will be kept private and not shared without their consent.

The HIPAA privacy rule also sets forth rules about when and how medical information can be disclosed. For example, the rule requires covered entities to get patient consent before disclosing protected health information (PHI) for most purposes.

The rule also establishes limitations on the use and disclosure of PHI by covered entities. These protections ensure that protected health information is used only for authorized purposes and is not inappropriately disclosed.

Compliance with HIPAA security and privacy laws is also important from a business perspective. Covered entities that fail to comply with the rule can face significant penalties, including fines of up to $50,000 per violation. In addition, covered entities may be subject to civil or criminal liability if they knowingly violate the rule.

As a result, covered entities must have procedures and policies in place to ensure compliance with the HIPAA privacy rule.

What Happens When You Violate HIPAA Regulations?

When providers disclose health information without the patient’s consent or in ways that do not comply with HIPAA rules, they violate patients’ rights and may also be breaking the law.

Depending on the severity of the violation, consequences can range from a warning to expulsion from the program. More severe penalties may include legal action and/or fines from enforcement agencies.

Providers must understand and ensure they follow the rules to protect patients’ rights and comply with HIPAA regulations. They should err on the side of caution when in doubt and get patient consent before disclosing any health information.

Who Falls Under the HIPAA Privacy Rule?

The HIPAA Privacy Rule applies to various entities and individuals involved in healthcare and the handling of protected health information (PHI). The entities and individuals under the HIPAA Privacy Rule are categorized as covered entities and business associates.

  1. Covered Entities: Covered entities are the primary entities directly subject to the requirements of the HIPAA Privacy Rule. They include:
    • Healthcare Providers: This category includes doctors, clinics, hospitals, psychologists, dentists, chiropractors, nursing homes, pharmacies, and other healthcare professionals and institutions that provide medical services.
    • Health Plans: Health plans encompass health insurance companies, health maintenance organizations (HMOs), government health programs (such as Medicaid and Medicare), employer-sponsored health plans, and more.
    • Healthcare Clearinghouses: Healthcare clearinghouses process nonstandard health information received from another regulated entity into a standard format (such as claims submission to insurers) or vice versa.
  2. Business Associates: Business associates are individuals or entities that provide services to covered entities and handle PHI on their behalf. The HITECH Act expanded the HIPAA Privacy Rule to include business associates. Examples of business associates include:
    • Third-Party Administrators (TPAs): TPAs that provide administrative services to health plans, such as claims processing or benefits management.
    • Health Information Exchanges (HIEs): Organizations that facilitate the sharing of health information between different healthcare entities.
    • Pharmacy Benefit Managers (PBMs): Entities that manage prescription drug programs for health plans.
    • Billing and Coding Companies: Entities that assist healthcare providers in processing billing and coding information for claims submission.
    • IT Service Providers: Technology companies that provide services involving the handling of PHI, such as electronic health record (EHR) system vendors and cloud storage providers.

It’s important to note that the HIPAA Privacy Rule regulates how covered entities and business associates can use and disclose PHI. Covered entities are directly responsible for complying with the rule’s requirements and are accountable for ensuring that their business associates also adhere to the rule.

Individuals who work for covered entities and business associates and have access to PHI must follow the rule’s provisions and safeguard patient information.

It’s also worth mentioning that the HIPAA Privacy Rule does not apply to all health information or all entities involved in healthcare. For instance, it doesn’t cover personal health information held by employers for employment-related purposes or health information maintained by individuals themselves. Additionally, certain types of health oversight activities, such as information contained by educational institutions or law enforcement agencies, are not covered by HIPAA.

Understanding how the flow of health information works will help you know who is and isn’t protected by the HIPAA privacy health rule.

How Does the Rule Protect Individuals’ Rights?

Individuals have certain rights under HIPAA. They have the right to access their health information, which is to be made available for a reasonable cost. They also have the right to request changes to their health information if they believe it is inaccurate or incomplete. Individuals can file a complaint if they believe their rights have been violated.

The HIPAA Rule helps protect individuals’ rights by setting rules about how PHI (protected health information) can be used and disclosed. Organizations obligated to comply with HIPAA must have policies and procedures in place to protect the confidentiality of PHI.

What Information Is Protected?

The HIPAA Rule is designed to protect the rights of individuals concerning their medical care and records. HIPAA-compliant providers must comply with specific rules about disclosures of PHI, and patients have a right to expect their medical information to be protected.

The Rule also establishes standards for how patient medical information can be used and disclosed and sets forth financial and criminal penalties for non-compliance. By ensuring that providers comply with the HIPAA Rule, patients can be assured that their rights will be protected. For more information on what HIPAA protects, download this pdf about privacy and security guide.

Covered Entities

There are four basic types of HIPAA entities under HIPAA regulations: covered entities, business associates, hybrid entities, and sole proprietors. Each type of regulated entity is subject to different requirements under the HIPAA Privacy Rule and the HIPAA Security Rule standard.

  • Covered entities – the Rule requires covered entities to take reasonable steps to safeguard PHI from unauthorized use or disclosure of PHI. Covered entities must also provide individuals with rights to access and amend their PHI. Covered entities include health plans, healthcare clearinghouses, and healthcare providers who transmit identifiable electronic health records (EHR).
  • Business associates – are companies that provide services to covered entities and have access to protected health information (PHI).
  • Hybrid entities – those that fall into both categories – are either covered entities or business associates. Sole proprietors are not subject to the requirements of the HIPAA Privacy Rule or the Security Rule.

Permitted Use and Disclosure of PHI

The Health Insurance Portability and Accountability Act (HIPAA) permits covered entities to disclose protected health information (PHI) to a patient or to someone involved in the patient’s care for treatment, payment, or healthcare operations.

HIPAA also permits disclosures for public health activities, research purposes, and when required by law by public health authorities.

In addition, HIPAA permits covered entities to disclose identifiable health records to individuals who need the information to protect the patient’s life or safety. Covered entities must take measures to ensure that PHI is used and disclosed only in accordance with HIPAA rules.

HIPAA Privacy Rule Fact Sheet

Review our quick facts on the history of HIPAA below.

  1. The HIPAA Privacy Rule was established in 1996 as part of the Health Insurance Portability and Accountability Act (HIPAA) and is overseen by the Department of Health and Human Services and the Office for Civil Rights.
  2. The rule’s purpose is to protect sensitive patient health information from being disclosed without appropriate consent or authorization to a spouse, personal representative, or public health authorities.
  3. Covered entities and healthcare clearinghouses must use and disclose identifiable health information only for treatment, payment, healthcare operations, or other purposes specified by the rule.
  4. Individuals have certain rights under HIPAA, such as requesting access to their data, restricting specific uses or accounting of disclosures, receiving confidential communications, filing a complaint if they believe their privacy rights were violated, and informing them about a data breach involving personal data.
  5. Violations can lead to civil monetary penalties, criminal fines of up to $250,000 per violation, and possible jail time, depending on the severity of the offense committed.

Get Perimeter81’s HIPAA Checklist

In summary, the HIPAA Privacy Rule is an important law that protects patients and their sensitive health information. Knowing how to comply with HIPAA helps ensure that healthcare providers can provide needed services while protecting individuals’ privacy rights.

Knowing about and adhering to HIPAA can help ensure patient trust in their healthcare provider, maintain the confidentiality of personal medical data, and help improve the quality of care by shielding sensitive health information from unnecessary use or disclosure; all of these can be found in our HIPAA compliance checklist.

Want to get the latest updated information on the HIPAA Privacy Rule? Download our checklist.

FAQs

Who enforces the HIPAA privacy rule?
The HIPAA Privacy Rule is enforced by the U.S. Department of Health and Human Services (HHS). The HHS Office for Civil Rights (OCR) investigates complaints and enforces the Privacy Rule. OCR can impose civil money penalties or exclude offenders from participating in Medicare, Medicaid, and other federal healthcare programs.

The Privacy Rule applies to all covered entities, including hospitals, clinics, doctor’s offices, nursing homes, pharmacies, insurance companies, and other healthcare providers that deal with protected health information.

Covered entities must comply with the Rule’s requirements to protect the privacy of patient’s medical records and other personal health information. Under the Privacy Rule, patients have certain rights concerning their protected health information.

For example, patients have the right to access their medical records, request amendments to their records, and receive notice of how their protected health information may be used and disclosed. Patients also have the right to file a complaint if they believe their privacy rights have been violated.

The Privacy Rule requires covered entities to safeguard patient privacy and ensure that only authorized individuals can access protected health information.

They must also put in place policies and procedures to protect against unauthorized use or disclosure of PHI. In addition, covered entities must notify patients of their privacy rights and how their protected health information may be used or disclosed.
What is the purpose of the HIPAA privacy rule?
The purpose of the HIPAA privacy rule is to protect patient health information privacy. The rule sets out when and how medical information can be disclosed. The rule also requires covered entities to notify patients of their rights under the rule. The rule is designed to balance protecting patients’ privacy and allowing covered entities to comply with other laws requiring medical information disclosure.

It establishes privacy standards for the disclosure of PHI, provides guidance on the sharing of information for healthcare operations, and protects individuals with health oversight agencies. 
Who is not covered by the HIPAA privacy rule?
The HIPAA Privacy Rule does have exceptions. It does not apply to state or local government agencies unless they administer a Medicaid program. The rule also does not apply to research studies conducted in compliance with other federal regulations.

Finally, the Privacy Rule does not cover information that is already public knowledge, such as birth records, death records, or other public health activities. In general, the HIPAA Privacy Rule is designed to protect the privacy of patients’ medical information. Covered entities must comply with the Rule to protect patients’ rights and maintain compliance with federal regulations.
Would HIPAA protect disputes involving law enforcement?
Yes, domestic violence-related information can be considered protected health information under the HIPAA Privacy Rule, depending on the circumstances. The HIPAA Privacy Rule broadly covers individually identifiable health information held or transmitted by covered entities and their business associates.

This means that your information cannot be shared for marketing purposes or released to government authorities, and it protects people’s privacy unless you permit the information to be released to other parties per the Department of Health and Human Services.

However, it’s important to note that the HIPAA Privacy Rule permits certain disclosure of PHI without patient authorization in cases where it is required by law or to prevent serious and imminent threats to health or safety. In the context of domestic violence, healthcare providers might be allowed to disclose information to appropriate authorities if they believe that an individual is in immediate danger or at risk due to domestic violence.

This information, including PHI and health oversight activities, is allowed to be disclosed to defend any person in a criminal, civil, or administrative proceeding or for law enforcement purposes.
What is the difference between HIPAA privacy and security?
The HIPAA security rule outlines what controls entities subject to the rule must do to protect the protected health information. Make sure your organization has an understanding of the necessary security standards that are required to protect health information.
HIPAA requires standards for electronic healthcare transactions and how they are transmitted.
How does HIPAA come into play when it comes to public health surveillance?
When it comes to public health surveillance, specific provisions within HIPAA allow for the disclosure of PHI without individual authorization for public health purposes. These provisions help ensure that public health authorities have access to necessary information to monitor and respond to public health issues, such as disease outbreaks, bioterrorism threats, and other emergencies, without needing to waste valuable time getting authorization from the person in connection with a condition that can affect the health and safety of entire populations.

It’s important to note that while HIPAA allows for the sharing of PHI for public health purposes, the privacy and security of individuals’ health information must still be upheld. Agencies conducting public health investigations and other entities involved in surveillance activities related to public health interventions must take appropriate measures to safeguard the information they collect and share. For guidance, associated parties should go to the HHS.

Overall, the goal is to balance the need for effective public health investigations and responses with the protection of individual privacy and health data needed for informational purposes. Different states and jurisdictions may have variations in how HIPAA is interpreted and implemented in the context of public health surveillance, so it’s advisable to consult legal experts and relevant authorities for guidance to ensure compliance.
What entities conduct a HIPAA compliance review?
Various entities typically conduct HIPAA compliance reviews to ensure that covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates are adhering to the privacy and security standards outlined in the law.

Different entities are also held to different standards, information reported to law enforcement officials for law enforcement purposes would be held to a different standard than a company that is sharing that information for marketing purposes (which is not allowed). Reporting of disease is one specific public health practice that may allow certain exceptions when it comes to disclosing an individual’s health history. Still, healthcare professionals must take extreme care to ensure they are protecting the privacy of individuals, particularly if they don’t have individual authorization from patients. The health care industry takes HIPAA very seriously and provides guidance to ensure compliance.

It’s important to note that HIPAA compliance is an ongoing process that requires continuous monitoring and improvement. Entities subject to HIPAA regulations should proactively assess their practices, address any identified vulnerabilities, and stay updated on changes to the regulations. In the event of a compliance review or audit, cooperation and transparency are key to demonstrating a commitment to safeguarding protected health information.
What considerations should employers make regarding HIPAA in the workplace?
Employers need to be aware of several key considerations regarding the Health Insurance Portability and Accountability Act (HIPAA) when dealing with health information in the workplace. While employers themselves are not typically considered covered entities under HIPAA, since they are not a public agency and have a grant of authority to administer health care benefits through an employer benefit plan, they do have responsibilities related to employee health information and individual authorization that may be tied to employment records.

Many employers offer wellness programs that collect health information from employees, such as biometric data, to provide incentives, rewards, or other benefit activities. These programs must comply with HIPAA’s wellness program rules to ensure that employees’ health information is protected and that participation in an employer benefit plan is voluntary.

Employers should provide clear and comprehensive privacy policies and notices to employees explaining how their health information will be used, disclosed, and protected and if a public agency may have the information shared. These policies should outline the purposes for collecting health information and describe individuals’ rights related to their health information.

Information that should be protected includes legal services, electronic transactions, if an employee makes an administrative request, legal advice, and covered health care providers. Because employers usually cover benefits, they may have access to information if an employee makes an administrative request like taking leave, or if they need help finding covered healthcare providers or connecting with specific healthcare professionals. Guidance on navigating complex subjects can be found by consulting with HHS.