One of the many misunderstandings in circulation about HIPAA is over how it protects – and when it does not protect – patient privacy. HIPAA patient privacy is regulated by the HIPAA Privacy Rule. The Privacy Rule spells out when an individual’s protected health information (PHI) may be used or disclosed without that patient’s authorization, and when that information may not be disclosed without authorization. Many patients are unaware – even though the Notice of Privacy Practices that they sign states as much – that use or disclosure by covered entities is permitted, without individual authorization, for payment, treatment, and healthcare operations purposes. What constitutes “healthcare operations,” and what that means for patient confidentiality, is discussed in greater detail below.
HIPAA Patient Privacy: What are Healthcare Operations?
HIPAA patient privacy protections require covered entities to refrain from using or disclosing protected health information (PHI) without first obtaining individual authorization from a patient or that patient’s personal representative.
“Healthcare operations” do not constitute the actual rendering of healthcare or medical treatment. Rather, healthcare operations are specific activities a covered entity performs to run its business. To qualify as healthcare operations, these activities must:
- Support the core functions of healthcare treatment and payment for healthcare; and
- Constitute one of the following activities:
  - Administrative;
  - Financial;
  - Legal; or
  - Quality improvement.
What Activities are Included in Healthcare Operations?
Healthcare operations consist of the following activities:
- Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing healthcare costs, and case management and care coordination;
- Reviewing the competence or qualifications of healthcare professionals, evaluating provider and health plan performance, training healthcare and non-healthcare professionals, accreditation, certification, licensing, or credentialing activities;
- Underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to healthcare claims;
- Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs;
- Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and
- Business management and general administrative activities, including those related to:
  - Implementing and complying with the Privacy Rule and other HIPAA Administrative Simplification Rules;
  - Customer service;
  - Resolution of internal grievances;
  - Sale or transfer of assets;
  - Creating de-identified health information or a limited data set; and
  - Fundraising for the benefit of the covered entity.