HIPAA 101: HIPAA Privacy Rule Summary

HIPAA privacy rule fact sheet

Even though it’s been around since 1996, the Health Insurance Portability and Accountability Act (HIPAA) is still misunderstood or mishandled by many patients and providers.

This is unfortunate because the HIPAA Privacy Rule is the cornerstone of the entire law. To clear some of the confusion, we’ve put together a HIPAA Privacy Rule Summary to help you better understand what the Privacy Rule does and doesn’t do.

HIPAA Privacy Rule Summary – What Does it Protect?

The core component of the HIPAA Privacy Rule is the data collected about patients during their care and treatment. HIPAA refers to this data as protected health information (PHI) when it exists in physical form and as electronic protected health information (ePHI) when it is stored in an electronic format.

HIPAA identifies 18 types of data that make up PHI and ePHI:

  1. Name
  2. Address
  3. Any dates (except years) directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
  4. Telephone number
  5. Fax number
  6. Email address
  7. Social Security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate/license number
  12. Vehicle identifiers, serial numbers, or license plate numbers
  13. Device identifiers or serial numbers
  14. Web URLs
  15. IP address
  16. Biometric identifiers such as fingerprints or voiceprints
  17. Full-face photos
  18. Any other unique identifying numbers, characteristics, or codes

Every part of HIPAA rules and regulations focuses on what happens to PHI and ePHI data.


HIPAA Privacy Rule Summary – How PHI is Used or Disclosed

The HIPAA Privacy Rule requires covered entities and business associates to have written policies and procedures to prevent the unauthorized use and disclosure of PHI and ePHI.

Here are a few examples of authorized use and disclosure of PHI:

  • Information related to healthcare provider treatment, payment, or operations
  • Information a patient has permitted to be disclosed (via signed release)
  • Healthcare regulation and licensing
  • Public health (such as reporting to a state health department or the CDC)
  • Legal proceedings and law enforcement
  • Informing next of kin, identifying a body or determining the cause of death, or disclosure to a medical examiner or coroner

The Privacy Rule also limits each authorized use or disclosure to the minimum amount of PHI required to complete the task (the HIPAA minimum necessary standard). For example:

  • Sending a coding clerk only the patient treatment information needed for the task, instead of all PHI (including address, phone number, etc.)