The Basics of HIPAA Privacy Requirements
The HIPAA Privacy Rule, issued by the U.S. Department of Health and Human Services (HHS), has a major goal of assuring that individuals’ health information is properly protected while still allowing the flow of health information needed to provide high-quality care and to protect the public’s health and well-being. The Rule regulates the use and disclosure of individually identifiable health information, or “protected health information” (PHI), by “covered entities” (health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain transactions) and, through the business associate provisions, by their business associates.
The Rule permits, but does not require, a covered entity to use and disclose PHI without an individual’s written authorization in a defined set of situations. These include disclosures to the individual who is the subject of the information; uses and disclosures for treatment, payment, and health care operations; uses and disclosures the individual has had an opportunity to agree to or object to (for example, facility directories); and incidental disclosures that occur as a by-product of an otherwise permitted use.
The Privacy Rule also permits the use and disclosure of PHI without an individual’s authorization or permission for 12 national priority purposes, each subject to its own conditions and limits. These are: uses and disclosures required by law; public health activities; reporting about victims of abuse, neglect, or domestic violence; legally authorized health oversight activities; judicial and administrative proceedings; law enforcement purposes; disclosures about decedents (to funeral directors, coroners, and medical examiners); cadaveric organ, eye, or tissue donation; research (subject to conditions such as IRB or privacy board approval); averting a serious threat to health or safety; essential government functions; and workers’ compensation.
Outside of these cases, the individual’s written authorization is required. For instance, a covered entity must obtain authorization before disclosing PHI to a life insurer for coverage purposes, disclosing the results of a pre-employment physical or lab test to an employer, or disclosing PHI to a pharmaceutical firm for its own marketing purposes. Additionally, a central aspect of the Privacy Rule is the “minimum necessary” principle: a covered entity must make reasonable efforts to limit uses, disclosures, and requests for PHI to the minimum necessary to accomplish the intended purpose. This requirement does not apply to every situation; notably, it does not apply to disclosures to or requests by a health care provider for treatment, or to disclosures to the individual who is the subject of the information. To adhere to the principle, a covered entity must develop and implement policies and procedures that identify which persons or classes of persons in its workforce need access to PHI to carry out their duties, which categories of PHI they need, and under what conditions, and that restrict access and use accordingly.
Individual rights are important requirements of the Privacy Rule. They include: the right to inspect and receive a copy of one’s medical and billing records; the right to request an amendment of those records; the right to request restrictions on how one’s PHI is used and disclosed, and to request confidential communications; the right to receive an accounting of non-routine disclosures (disclosures other than those for treatment, payment, or health care operations, and other excepted categories); the right to file a complaint with the covered entity or with HHS; and the right to receive a notice of privacy practices. There are certain exceptions to these rights, however. For instance, the right of access does not extend to psychotherapy notes, to information compiled in reasonable anticipation of or for use in a civil, criminal, or administrative proceeding, or to information held by certain research laboratories. The original rule also excepted laboratory results to which the Clinical Laboratory Improvement Amendments (CLIA) prohibited access, but HHS removed that exception in 2014 so that individuals can obtain completed test reports directly from laboratories.
Covered entities vary widely in size and type, but the same administrative requirements apply to each of them. These include implementing written privacy policies and procedures that are consistent with the Privacy Rule, designating a privacy official, training workforce members on those policies, applying appropriate sanctions for violations, and maintaining reasonable safeguards so that PHI is used and disclosed appropriately. It is important to note that State laws that are contrary to the Privacy Rule are, in general, preempted by the federal requirements, which means that the federal requirements will apply. The main exception is a State law that provides greater privacy protection or greater rights for the individual; such a law is not preempted and continues to apply alongside the Privacy Rule, as do certain State laws governing public health reporting and health plan oversight. In all cases, covered entities and their business associates must honor the individual rights and protect health information as prescribed by the Privacy Rule.
References:
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html