HIPAA Privacy Rule
The Privacy Rule protects your patients’ PHI while still letting you exchange the information needed to coordinate their care. The Privacy Rule also gives patients the right to examine and obtain a copy of their medical records, including an electronic copy of their electronic medical records, and to request corrections. Under the Privacy Rule, patients can restrict their health plan’s access to information about treatments they paid for in cash, and most health plans can’t use or disclose genetic information for underwriting purposes. The Privacy Rule allows you to report child abuse or neglect to the authorities.
HIPAA Security Rule
The Security Rule requires you to develop reasonable and appropriate security policies. In addition, you must analyze the security risks in your environment and put appropriate safeguards in place. What is reasonable and appropriate depends on your business as well as its size, complexity, and resources. You should review and modify your security measures on an ongoing basis so that ePHI stays protected as your environment changes.
The three basic rules of thumb of HIPAA for ePHI (electronic PHI):
Confidentiality: ePHI can’t be available or disclosed to unauthorized persons or processes
Integrity: ePHI can’t be altered or destroyed in an unauthorized manner
Availability: ePHI has to be accessible and usable on demand by the authorized person
Who Must Comply with HIPAA Rules?
Covered entities and business associates must follow HIPAA rules. If you don’t meet the definition of a covered entity or business associate, you don’t have to comply with the HIPAA rules.
Covered Entities
Covered entities that must follow HIPAA standards and requirements include:
- Covered Health Care Provider: Any provider of medical or other health care services or supplies that transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard, such as:
  - Nursing homes
- Health Plan: Any individual or group plan that provides or pays the cost of health care, such as:
  - Health insurance companies
  - Health maintenance organizations
  - Company health plans
  - Government programs that pay for health care
- Health Care Clearinghouse: A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format, or vice versa, such as:
  - Billing services
  - Community health management information systems
  - Repricing companies
  - Value-added networks
Business Associates
A business associate is a person or organization, other than a workforce member of a covered entity, that performs functions on behalf of, or provides services to, a covered entity that involve access to PHI. Business associates also include subcontractors responsible for creating, receiving, maintaining, or transmitting PHI on behalf of another business associate. Services that business associates provide to covered entities include:
- Claims processing
- Data analysis
- Financial services
- Legal services
- Management administration
- Utilization review
In a nutshell, HIPAA seeks to respect the rights of individuals by guaranteeing that they retain control over their health-related data. Because the rules that ensure privacy are clearly defined, individuals can receive medical care without the law adding unnecessary complications. For example, a patient may consent to her doctor viewing her x-rays during one appointment, then change her mind at a later session and ask that they never be shared again. HIPAA also grants broad exceptions for studying a person’s records in an academic setting but generally limits what is allowed outside those circumstances.