At its core, the Privacy Rule of HIPAA can be summarized as the set of standards HIPAA uses to protect the health information of patients of covered entities (healthcare facilities, health clearinghouses, health plans, etc.). The rule's primary goal is to ensure a proper and efficient flow of information while maintaining appropriate access and avoiding information breaches and leakage along the way.
It is important to note that HIPAA compliance and enforcement is often a source of anxiety, since the enforcement protocols of many agencies bring varying and mounting penalties for a lot of businesses. Sometimes compliance is simply too hard because the regulations are overly specific. This is not the case with HIPAA's Privacy Rule. Throughout this article, it will become clearer that HIPAA's privacy regulations and standards are remarkably flexible, which means they account for the differences between healthcare establishments and their respective capabilities.
The general test for whether a given piece of information is protected is whether it qualifies as "individually identifiable health information", which covers the past, present, and future health status of an individual. A further qualifier for protected health information (PHI) is that it must have been "created, collected, maintained, or transmitted" by a healthcare entity covered by HIPAA.
A couple of examples are:
One caveat, though, is the existence of "de-identified" health information. De-identified health information does not count as protected, and information qualifies as de-identified under the following standards:
It has already been mentioned that covered entities include healthcare providers, health clearinghouses, health insurance plans, and the like. The coverage and scope of HIPAA go beyond this. Covered entities, which are defined by their ability to create, collect, maintain, and transmit PHI, enter into third-party transactions with other businesses. This is usually done to perform a function that a covered entity would rather outsource than do itself.
These businesses are usually third parties that perform functions that are not integral to healthcare but are integral to business operations and processes, such as:
These businesses are not directly covered by HIPAA's Privacy Rule. To extend HIPAA's scope to them and keep both the covered entity and the business associate (third party) out of trouble, the two must enter into a Business Associate Agreement (BAA). The BAA specifies the responsibilities of third parties that will have the minimum necessary access to PHI, ensuring that penalties and sanctions are applied appropriately when a breach or leak happens.
Consent and authorization are cornerstones of PHI disclosure. However, there are instances in which covered entities are permitted to disclose this information without the authorization of the individual concerned.
The Privacy Rule lists many possible methods by which entities can reach HIPAA compliance. Generally speaking, an entity is "compliant" if it sufficiently fulfills the three categories of information safeguards.
Under the Breach Notification Rule, HIPAA requires covered entities, or whoever has discovered a breach or unauthorized access, to notify affected individuals promptly once the breach is discovered. Usually, whether or not the access counts as authorized depends on:
The HIPAA standard is that the individual as well as the Department of Health and Human Services must be notified within 60 days.