The HIPAA Privacy Rule
January 20, 2017 | Aging Services Risk, Quality, & Safety Guidance
Issued by HHS under HIPAA of 1996, the HIPAA privacy rule is a set of federal standards that creates privacy protections for individuals' PHI maintained or transmitted in any form or medium. Most healthcare providers and other designated "covered entities" (e.g., health plans, hospitals, nursing facilities, physicians, healthcare providers that conduct certain healthcare transactions electronically and their business associates, healthcare clearinghouses) must comply with the rule's provisions. The rule gives individuals certain privacy rights, including the right to know the covered entities' privacy practices, to examine and obtain a copy of their health records, and to request corrections. The HIPAA omnibus final rule of 2013 added new provisions that apply to psychotherapy notes, research, marketing, and the sale of PHI. These are further discussed in Special Considerations for Uses and Disclosures of PHI elsewhere in this guidance article.
PHI is defined broadly as "individually identifiable health information," whether oral or recorded in any form or medium, including electronic, that relates to the individual's past, present, or future physical or mental health or condition, the provision of healthcare to the individual, or the past, present, or future payment for the provision of healthcare to the individual. Further, the information identifies the individual or there is a reasonable basis to believe it can be used to identify the individual (45 CFR § 160.103). A covered entity must obtain an individual's valid HIPAA authorization to use or disclose PHI for purposes other than treatment, payment, or healthcare operations, except for specific purposes otherwise established by the rule.
Covered entities must limit use, disclosure, and requests for PHI to the "minimum necessary" to accomplish the intended purpose of the use, disclosure, or request. However, the rule does not apply to providers who use, disclose, or request PHI for treatment purposes. Nor does it apply to disclosures and uses required by law or to comply with the HIPAA administration simplification provisions, or to disclosures made pursuant to a HIPAA written authorization.
Covered entities are required to designate a HIPAA privacy officer...