HIPAA stands for the Health Insurance Portability and Accountability Act. It is a U.S. law designed to provide privacy and security protections for individuals’ health information. HIPAA sets standards for the protection of sensitive patient data and regulates how healthcare providers, health plans, and other entities handle this information.

This guide to the HIPAA Privacy Rule explains why it exists, who it applies to, what it protects, and how to maintain compliance. It should be used in conjunction with our free, easy-to-use HIPAA Privacy Rule Checklist PDF, which can be ordered by using any form on this page.

What is the Privacy Rule in the Context of HIPAA?

In the context of HIPAA, the Privacy Rule is a subpart of the Administrative Simplification Regulations (45 CFR Parts 160, 162, and 164). However, the protections the Privacy Rule provides to individually identifiable health information also apply to the other subparts of the Administrative Simplification Regulations and to how the standards within those subparts are applied.

For this reason, it is important for entities that are not usually required to comply with the HIPAA Privacy Rule (e.g., data storage services and vendors of personal health devices) to understand what the Rule protects and how. It can also be useful for those whose information is protected by the Privacy Rule to understand how the HIPAA privacy standards are applied, in order to prevent misconceptions.

HIPAA Privacy Rule Fact Sheet:

  • The Privacy Rule was published in 2002. It is one of several sets of standards that evolved from HIPAA.
  • It stipulates permissible uses and disclosures of Protected Health Information and individuals’ rights.
  • Most health plans, health care clearinghouses, and healthcare providers are required to comply with the Privacy Rule.
  • Business Associates may also be required to comply with the Privacy Rule depending on the service being provided.
  • The Privacy Rule defines Protected Health Information to include identifiers maintained in the same designated record set.
  • All patients and plan members must be given a HIPAA Notice of Privacy Practices on the first encounter or as soon as reasonable.
  • The Notice of Privacy Practices must explain what Protected Health Information may be disclosed, to whom, and why.
  • The Notice of Privacy Practices must also explain an individual’s right to access, amend, or transfer their Protected Health Information.
  • If organizations violate the HIPAA Rules, individuals have the right to complain to the organization or to HHS’ Office for Civil Rights.
  • The Office for Civil Rights has the authority to impose corrective action plans or financial penalties on noncompliant organizations.

Who Falls Under the HIPAA Privacy Rule

Before discussing what information is protected by the HIPAA Privacy Rule and how the HIPAA Privacy Standards ensure individuals’ rights, it is important to understand who the HIPAA Rules apply to, because some organizations are not required to comply with every HIPAA Rule, or with every part of every HIPAA Rule. Exceptions can also exist to the applicability of each Rule.

Generally, health plans, health care clearinghouses, and healthcare providers that conduct electronic transactions listed in Part 162 of the Administrative Requirements are required to comply with the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule that was introduced as part of the HITECH Act in 2009. Collectively, these organizations are referred to as “covered entities”.

Additionally, business associates are required to comply with the HIPAA Security Rule and HIPAA Breach Notification Rule, and – depending on the nature of the service provided for or on behalf of a covered entity – any applicable standards of the Administrative Requirements and HIPAA Privacy Rule. Some of the exceptions mentioned above include:
  • Health care providers that bill clients directly are not covered entities.
  • Neither are insurance issuers who offer health insurance as a secondary benefit.
  • Neither are health plans for certain types of benefits that are offered separately.
  • The HIPAA Rules may apply to employers who self-administer a group health plan.
  • But not to employment records containing individually identifiable health information.
  • Prescription drug card sponsors are only required to comply with the HIPAA Privacy Rule.
  • Vendors of personal health devices may be required to comply with the Breach Notification Rule depending on the devices’ capabilities.

Why Does the HIPAA Privacy Rule Exist?

With the advent of digital technologies, storing, accessing, and sharing health data became effortless. While this technological leap forward made healthcare more streamlined and personalized, it also introduced the risk of improper use and exploitation of sensitive health data. This led to the introduction of the HIPAA Privacy Rule.

The HIPAA Privacy Rule is part of the HIPAA Administrative Simplification Regulations – regulations developed following the passage of the Health Insurance Portability and Accountability Act which had the objective of “encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information”.

To achieve this objective, the Secretary of Health and Human Services was instructed to promulgate Rules that would standardize transactions between healthcare providers and health plans (the Administrative Requirements), and that would ensure the integrity and confidentiality of health information, protect it from reasonably anticipated threats, and prevent unauthorized uses and disclosures (the HIPAA Security Rule).

Additionally, the Secretary was instructed to make recommendations “with respect to the privacy of certain health information”. At a minimum, the recommendations had to include:

  • The rights that an individual who is a subject of individually identifiable health information should have.
  • The procedures that should be established for the exercise of such rights.
  • The uses and disclosures of such information that should be authorized or required.

The instruction added that, if Congress did not pass legislation to protect the privacy of individually identifiable health information within three years of the passage of HIPAA, the Secretary should promulgate a further Rule addressing the minimum recommendations. Congress did not pass privacy legislation within three years, and a proposed HIPAA Privacy Rule was published in 1999. After years of addressing stakeholders’ comments, the HIPAA Final Privacy Rule was published in 2002.