Department of Health and Human Services, Standards for Privacy of Individually Identifiable Health Information (known as the HIPAA Privacy Rule or Privacy Rule), 65 Fed. Reg. 250, 82462 (Dec. 28, 2000) (incorporated at 45 C.F.R. Parts 160 and 164); modifications to the Rule, 67 Fed. Reg. 157, 53181 (Aug. 14, 2002) (incorporated at 45 C.F.R. Parts 160 and 164) (full-text).
The Secretary of HHS issued the HIPAA Privacy Rule in December 2000, and it was amended in August 2002. The initial compliance date for the HIPAA Privacy Rule was April 2003 for most covered entities.
The Rule is applicable to health plans, health care clearinghouses, and health care providers who transmit financial and administrative transactions electronically. The rule regulates "protected health information" (PHI) that is "individually identifiable health information" transmitted by or maintained in electronic, paper, or any other medium. The Privacy Rule requires covered entities to enter into agreements with business associates who create, receive, maintain, or transmit protected health information on their behalf. The Office for Civil Rights (OCR) in HHS enforces the Privacy Rule.
A major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.
The Rule limits the circumstances under which an individual's protected health information may be used or disclosed by covered entities. A covered entity is permitted to use or disclose protected health information without patient authorization for treatment, payment, or health care operations. For other purposes, a covered entity may only use or disclose PHI with patient authorization subject to certain exceptions. Exceptions permit the use or disclosure of PHI without patient authorization or prior agreement for public health, judicial, law enforcement, and other specialized purposes. In certain situations that would otherwise require authorization, a covered entity may use or disclose PHI without authorization provided that the individual is given the prior opportunity to object or agree. The HIPAA Privacy Rule also requires a covered entity to maintain reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.
- ↑ 65 Fed. Reg. 82381.
- ↑ 45 C.F.R. §164.506. The HIPAA privacy rule carves out specific exceptions to its definition of "marketing" that include communications regarding refill reminders, communications to individuals from a covered entity's benefit plan that describe health-related products or services provided by or included in a benefit plan, communications about participating providers in a provider or health plan network, communications for treatment of individuals, and communications for case management or care coordination for an individual. Id. §164.501.
- ↑ Id. §164.508.
- ↑ Id. §164.512(a)-(l).
- ↑ Id. §164.510.
- ↑ Id. §164.530(c).
- Data Security Breach Notification Laws, at 12.
- Prescription Drug Data: HHS Has Issued Health Privacy and Security Regulations but Needs to Improve Guidance and Oversight, at 11-12.
See also Edit
- Compliance with the HIPAA Medical Privacy Rule
- HIPAA Enforcement Rule
- HIPAA Privacy Rule Blue Card for Law Enforcement
- HIPAA Privacy Rule: Disclosures for Emergency Preparedness-A Decision Tool
- HIPAA Security Rule