The Privacy Rule sets national standards for when protected health information (PHI) may be used and disclosed. The Privacy Rule specifies and limits the circumstances in which an individual’s protected health information may be disclosed by covered entities.
Core Principles of the HIPAA Privacy Rule:
Use and Disclosure
Most of the Privacy Rule concerns the principles governing how information can be used and disclosed. “Protected Health Information” or “PHI” under HIPAA cannot be used or disclosed unless the rules permit it or the individual specifically authorizes it. The premise is that use and disclosure should be relatively easy for core health care purposes, and harder for everything else.
Sale and Marketing
There are specific rules governing the sale of PHI and the use of PHI for marketing. The HIPAA rules place considerable restrictions on how PHI can be used or disclosed for marketing purposes.
De-identification
The HIPAA rules apply to individually identifiable information. The HIPAA rules set out a highly detailed formula for de-identification. The principle, set forth in considerable detail in the HIPAA rules, is that once otherwise protected information has been “de-identified” according to the rules, the data is no longer “individually identifiable,” and therefore there are no longer sufficient privacy interests at stake to justify regulation. If information is “de-identified” under these standards, it is no longer regulated by HIPAA and can be used or disclosed for any purpose. At the same time, it is crucial to understand that PHI remains PHI until it has been de-identified under these standards.
Individual Rights
The HIPAA rules also grant patients specific individual rights, beyond the general protections conveyed through the use and disclosure limitations. Specifically, individuals have the following rights:
- The right to obtain a notice of privacy practices (the one right that happens automatically, since notices must be provided by most covered entities);
- The right to “access” a “designated record set” about the individual;
- The right to amend information in certain situations;
- The right to an “accounting of disclosures” in certain situations; and
- The right to request additional restrictions on use and disclosure, and to confidential communications.
Business Associate Contracts
While business associates are now directly covered by the HIPAA rules, HIPAA still requires contractual provisions defining how business associates may use and disclose PHI when performing services, along with various other requirements.
Covered entities must enter into these contracts with their service providers, and business associates must enter into similar contracts with their downstream subcontractors. Negotiating these contracts in a cost-effective way is a substantial challenge for both covered entities and business associates. A covered entity may not disclose protected health information except either:
- As the Privacy Rule permits or requires; or
- As the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
General Policies and Procedures
Under the HIPAA Privacy Rule, covered entities are responsible for establishing specific administrative procedures to ensure compliance with the overall rules.
The key topics for these procedures include:
- Appointing a privacy official;
- Training of employees;
- Implementing “appropriate safeguards” for PHI (a “mini-security rule” for all PHI);
- A complaint process;
- A sanctions process for employees who violate these rules;
- Appropriate mitigation activity;
- Overall policies and procedures; and
- Record retention processes.