What Is The HIPAA Privacy Rule?
Physicians are entrusted with some of the most intimate and personal information in a patient’s lifetime—account and identity information as well as health information. Patients expect that information to be kept private. When that trust is breached, the ramifications to the healthcare organization can be heavy.
The HIPAA Privacy Rule was issued by the United States Department of Health and Human Services to restrict the use and disclosure of personally identifiable information that pertains to a patient or consumer of healthcare services. This information is called protected health information (PHI). The rule was created to protect patients’ privacy.
Under HIPAA, a covered entity (CE) must make practical efforts to use, disclose and request only the minimum necessary amount of PHI required for any particular task. The Privacy Rule also gives patients rights over their health information and the right to access their own medical records.
Does the Privacy Rule Apply to You?
The HIPAA Privacy Rule applies to covered entities and their business associates (BA). A covered entity is a health plan, a healthcare clearinghouse or a healthcare provider. Subcontractors, or business associates of business associates, must also be in compliance. In other words, if your organization might have access or the ability to access PHI, HIPAA applies to you.
If you’re a covered entity and you use a vendor or organization that will have access to PHI, you need to have a written business associate agreement (BAA). A BAA states how PHI will be used, disclosed and protected. If a breach occurs, BAs are directly liable to the same penalties as covered entities.
What Information Is Protected Under HIPAA?
The Privacy Rule protects a patient’s health information and any identifying information, in any medium or format—files, email, audio, video or verbal communication. Any of the following is considered private health information:
- Birth, death or treatment dates, and any other dates relating to a patient’s illness or care
- Telephone numbers, addresses and other contact information
- Social Security numbers
- Medical records numbers
- Finger and voice prints
- Any other unique identifying number or account number
How Do You Become HIPAA Compliant?
Your privacy procedures must include the following safeguards:
- Administrative procedures, policies and practices to regulate access and use of PHI
- Physical security to protect all data and documents that contain PHI
- Technical security in place to prevent links or breaches of PHI
You’ll also need to maintain audit reports, or tracking logs, to keep activity records on hardware and software. This is especially useful to pinpoint the source or cause of any security violations. Your procedures should also designate a privacy officer and explain the complaint and resolution process.
In addition, your employees should be trained in HIPAA requirements, business associates must sign agreements respecting the confidentiality of PHI, and patients must be well informed of their rights and your practices.
What Happens If a Breach Occurs?
Breaches can happen even with the most secure safeguards in place. In the case of loss, theft, or certain other impermissible uses, you must notify the affected patients. If the breach involves more than 500 individuals, you must also notify the Secretary of the HHS and the media in the state or jurisdiction where the individuals live.
What If You’re not HIPAA Compliant?
If you’re a covered entity, you are required by Federal law to comply with the HIPAA Security Rule, or you could face strict fines and penalties. Civil penalties range from $25,000 to $1.5 million per year. Criminal penalties can also be enforced for purposefully accessing, selling or using ePHI unlawfully. Criminal penalties include heavy fines and imprisonment—up to $250,000 and ten years in prison.
- Read about the HIPAA Security Rule.
- Find out about secure, HIPAA compliant hosting. Download our HIPAA white paper.
- Talk with someone about your HIPAA compliant hosting needs.