HIPAA Overview

Privacy Rule

The Privacy Rule establishes national standards for the protection of certain health information. It applies to all forms of individuals' protected health information, whether electronic, written, or oral. The major goal of the Privacy Rule is to make sure an individual's health information is properly protected while allowing the flow of health information needed to provide high quality health care and to protect the public’s health and well-being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of those who need care.

The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf.

For the average health care provider or health plan, the Privacy Rule requires activities, such as:

• Notifying patients about their privacy rights and how their information can be used.
• Adopting and implementing privacy procedures for its practice, hospital, or plan.
• Training employees so that they understand the privacy procedures.
• Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
• Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

Protecting Patients' Privacy

Responsible health care providers and businesses already take many of the kinds of steps required by the Rule to protect patients' privacy. To ease the burden of complying with the requirements, the Privacy Rule gives needed flexibility for providers and plans to create their own privacy procedures, tailored to fit their size and needs.

The rule is scalable to provide a more efficient and appropriate means of safeguarding protected health information than would any single standard.

Here are some examples:

• The privacy official at a small physician practice may be the office manager, who will have other non-privacy related duties; the privacy official at a large health plan may be a full-time position, and may have the regular support and advice of a privacy staff or board.
• The training requirement may be satisfied by a small physician practice’s providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies; whereas a large health plan may provide training through live instruction, video presentations, or interactive software programs.
• The policies and procedures of small providers may be more limited under the Rule than those of a large hospital or health plan, based on the volume of health information maintained and the number of interactions with those within and outside of the health care system.

Security Rule

The HIPAA Security Rule establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.

Prior to HIPAA, no generally accepted set of security standards or general requirement for protecting health information existed in the healthcare industry. At the same time, new technologies were being created, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information, and conduct a host of other administrative and clinically based functions.

A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. The health care marketplace is so diverse, therefore, the Security Rule is designed to be flexible so a covered entity can implement policies, procedures, and technologies appropriate for the entity’s particular size, organizational structure, and risks to consumers’ personal information.

Security Rule Coverage

The Security Rule applies to health plans, healthcare clearinghouses, and any health care provider who transmits health information in an electronic form.

Covered entities include individual and group plans who provide or pay the cost of medical care. Health plans include the following:

• health
• dental
• vision
• prescription drug insurers
• health maintenance organizations ("HMOs")
• Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers
• long-term care insurers (excluding nursing home fixed-indemnity policies)

Health Plans

Most health plans are considered covered entities.

Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. There are exceptions — a group health plan with less than 50 participants, that is administered solely by the employer that established and maintains the plan, is not a covered entity.

The following two types of government-funded programs are not health plans:

1. those whose principal purpose is not providing or paying the cost of health care, such as the food stamps program
2. those programs whose principal activity is directly providing health care, such as a community health center, or the making of grants to fund the direct provision of health care

Certain types of insurance entities are also not health plans, including entities providing only workers’ compensation, automobile insurance, and property and casualty insurance.

Privacy vs. Security

Privacy and security go hand-in-hand. Privacy is the "what." It says patients have the right to have their health information protected from unauthorized disclosures. Security is the "how." In other words, agencies must determine the procedures they will put into place to protect health information.

According to the Department of Health and Human Services (HHS), the majority of Security Rule violations occur as a result from a covered entity not having adequate policies and procedures in place to safeguard personal information contained on its information systems.

HIPAA Privacy

This part of the law prohibits the disclosure of Protected Health Information (PHI) in any form except as required or permitted by law.

The HIPAA Privacy rule mandates how PHI may be used and disclosed.

The Privacy Rule protects PHI in any form including but not limited to:

• email
• fax
• information on the computer
• voice
• paper

The HIPAA Privacy Rule says don't listen, tell, or show any client's PHI to anyone who does not have a legitimate right to see or hear that information.

Protected Healthcare Identifiers (PHI)

The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form of media, whether electronic, paper, or oral.

HIPAA protects information that alone or combined may identify a patient, the patient’s relatives, employer or household members. Health information that contains even one patient identifier is protected under HIPAA. Here are some examples:

• name
• address
• birth date
• telephone numbers
• fax numbers
• email addresses
• social security number
• medical record number
• health plan beneficiary number
• account number
• voice recordings
• photographic images
• other characteristics which may identify the person, such as the individual’s past, present, or future physical or mental health or condition

PHI Locations

Here are some examples of other places you might find patient information:

• patient status boards
• financial records
• fax sheets
• data used for research purposes
• patient’s identification bracelet
• prescription bottle labels
• photograph or video recording of a patient

Wrongful Disclosure of PHI

If you observe someone wrongfully disclosing PHI, you should do the following:

1. First, talk to the person who is disclosing PHI. Tell them what you heard or saw and why you believe PHI has been wrongfully disclosed.
2. Then talk with your supervisor about the situation immediately.

If you wrongfully disclose PHI, you should do the following:

1. Write down the following information:
1. whose PHI was disclosed
2. how it was disclosed
3. to whom
4. what day and time
5. what was done to correct the problem
2. Inform your supervisor immediately.

Good Privacy Practices

Be careful when discussing patient records in public areas.

There are several things that can be put into place to protect a patients' privacy. Here are just a few examples:

• Do put papers with PHI in a secured area.
• Don't leave PHI exposed where other can see the content.
• Do discuss particular cases in private.
• Don't discuss a case in a public area where other people can overhear you.
• Use passwords to keep other people from accessing your computer files.
• Make sure your computer is locked when you leave your desk.
• Minimize PHI in emails. Include as little as possible.
• Protect fax machines that will be receiving PHI by putting them in secure and private locations.

Check Answers

Click on the "Check Quiz Answers" button to grade your quiz and see your score. You will receive a message if you forgot to answer one of the questions. After clicking the button, the questions you missed will be listed below.

Video

Whether your health information is stored on paper or electronically, you have the right to keep it private. Watch this video and visit http://www.hhs.gov/ocr to learn about electronic health records and your patient privacy rights under the HIPAA privacy and security rules.

Next Module