At its core, the Privacy Rule of HIPAA can be briefly summarized as the set of standards in rules employed by HIPAA to protect the health information of patients of covered entities (healthcare facilities, health clearinghouses, health plans, etc.). With this, the primary goal of the organization is to ensure that there is a proper and efficient flow of information while maintaining appropriate access and avoiding information breaches and leakage along the way.
It is important to note that HIPAA compliance and enforcement is a source of discomfort, given that enforcement protocols for a lot of agencies spell varying and surmounting penalties for a lot of businesses. There would be times where compliance is simply too hard because of the specificity of the regulations to follow. This is not the case with HIPAA’s Privacy Rule. Throughout this article, it will become clearer that HIPAA’s privacy regulations and standards are incredibly flexible. Which means that it accounts for the different nuances between varying healthcare establishments, as well as their respective capabilities.
What Kind of Information Does the Privacy Rule Protect?
The general standard to know whether or not a certain information is protected is that if it qualifies as an “individually identifiable health information” which covers the previous, present, and eventual health status of an individual. Another qualifier of a protected health information or PHI is that it must have been “created, collected, maintained, or transmitted” by the healthcare entities covered by HIPAA.
A couple of examples are:
- Names
- Geographical identifiers (full zip code)
- Phone, social security, health insurance, medical record, license numbers, and etc.
- Email addresses
- Biometric identifiers
- IP addresses
- Photographs that are full-face or images that similarly apply
- Health status
One caveat though is the existence of “de-identified” health information. De-identified health information does not count as protected and can be qualified as such through the following standards:
- That the information is a “formal determination by a qualified statistician” which means statisticians must be able to determine and confirm that the information is safe from relevant identifiers.
- That the data or information’s identifiers have been removed and thus far would have no reasonable basis to identify a certain individual.
Who is covered by HIPAA?
It has already been mentioned that covered entities involve healthcare providers, health clearinghouses, health insurance plans, and the like. The coverage and scope of HIPAA goes beyond this. Covered entities – which by the way, is defined by their ability to create, collect, maintain, and transmit PHI – enter into third party transactions with other businesses. This is usually done to perform a function that a covered entity would rather source out than do by themselves.
These businesses are usually third parties that involve functions that are not integral to healthcare but integral to business operations and processes. Such as:
- Accounting, auditing, and law firms
- Backup storage companies
- IT support
- File sharing clouds
These businesses are not directly covered by HIPAA’s Privacy Rule, hence in order for HIPAA’s scope to widen and avoid getting both the covered entity and the business associate or third party in trouble, they must enter a Business Associate Agreement. This will ensure that penalties and sanctions when a breach or leak happens will be appropriately applied as the BAA specifies responsibilities for third parties that will have the minimum necessary access to PHI.
What types of disclosures are permitted under the Privacy Rule?
Consent and authorization is one of the cornerstones around the disclosure of PHI. However, there are instances by which covered entities are permitted to disclose these sets of information without the authorization of the individual concerned.
- To the individuals themselves. Whenever requested and at any time, the covered entity must disclose the PHI to whoever the subject of the PHI is.
- For the treatment, payment, or operations regarding health care. Whenever there are treatment, payment, or operation-related activities that a covered entity is conducting using its own resources. These include the management and provision of healthcare services, health plan activities and the provision of benefits, as well as the operations involving assessment, medical reviews, and the like.
- Uses and disclosures that lends the ability to agree or object. These refer to informal permission derived out of asking an individual to decide on certain emergency situations. This also applies to whenever the said individual is physically incapable of making a decision, the covered entity utilizes the healthcare information to determine the best possible decision.
- Incidental use and disclosure. This refers to situations where the “incidental disclosure” of PHI does not necessarily qualify as unauthorized disclosure. This is for as long as the PHI shared qualifies under the “minimum necessary” degree.
- Public interest and benefit activities. This is if there is a security or public interest that will necessitate disclosure. For instance, if it is required by law for an investigation or if there is a public health activity which requires the collection of these types of information.
What does HIPAA expect covered entities to do?
There is a lot listed on the Privacy Rule regarding the possible methods by which entities can reach HIPAA compliance. Generally speaking, an entity can be “compliant” if it fulfills the three categories of information safeguards sufficiently.
- Administrative safeguards. Safeguards require technical procedures and policies to restrict access and usage of PHI. (e.g., workforce training, security team, etc.)
- Technical safeguards. Safeguards require technical procedures and policies to restrict access to e-PHI. (e.g., passwords)
- Physical safeguards. The restriction of physical access to spaces and locations that contain and deal with PHI. (e.g., security personnel, CCTV cameras, keycards, login books, etc.)
How does HIPAA deal with non-compliance and violations?
Under the Breach Notification Rule, HIPAA requires covered entities or whoever has discovered breach or unauthorized access to immediately notify individuals once the breach is discovered. Usually, the qualification of whether or not the access is authorized depends on:
- The nature of the data that has been disclosed
- Persons and positions that have been involved in the disclosure
- The manner by which the PHI was involved
The standard of HIPAA is that the individual as well as the Health and Human Services must be notified within 60 days.