HIPAA 101: HIPAA Privacy Rule Summary


Even though it’s been around since 1996, the Health Insurance Portability and Accountability Act (HIPAA) is still misunderstood or mishandled by many patients and providers.

This is unfortunate because the HIPAA Privacy Rule is the cornerstone of the entire law. To clear some of the confusion, we’ve put together a HIPAA Privacy Rule Summary to help you better understand what the Privacy Rule does and doesn’t do.

HIPAA Privacy Rule Summary – What Does it Protect?

The core component of the HIPAA Privacy Rule is the data collected about patients during their care and treatment. HIPAA refers to this data as protected health information (PHI) in a physical form and electronic protected health information (ePHI) when stored in an electronic format. 

HIPAA identifies 18 types of data that make up PHI and ePHI:

  1. Name
  2. Address 
  3. Any dates (except years) directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
  4. Telephone number
  5. Fax number
  6. Email address
  7. Social Security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate/license number
  12. Vehicle identifiers, serial numbers, or license plate numbers
  13. Device identifiers or serial numbers
  14. Web URLs
  15. IP address
  16. Biometric identifiers such as fingerprints or voiceprints
  17. Full-face photos
  18. Any other unique identifying numbers, characteristics, or codes

Every part of HIPAA rules and regulations focuses on what happens to PHI and ePHI data.


HIPAA Privacy Rule Summary – How PHI is Used or Disclosed

The HIPAA Privacy Rule requires covered entities and business associates to have written policies and procedures to prevent the unauthorized use and disclosure of PHI and ePHI. 

Here are a few examples of authorized use and disclosure of PHI:

  • Information related to healthcare provider treatment, payment, or operations
  • Information a patient has permitted to be disclosed (via signed release)
  • Healthcare regulations and licensing 
  • Public health (such as reporting to a state health department or the CDC) 
  • Legal proceedings and law enforcement
  • Inform next of kin, identify a body or determine the cause of death, or for a medical examiner/coroner

The Privacy Rule also limits authorized use and disclosure under the HIPAA minimum necessary standard: only the PHI required to complete the task at hand may be used or disclosed. For example:

  • Sending a coding clerk only the patient treatment information needed for coding, instead of all PHI (including address, phone number, etc.)

HIPAA Privacy Rule Summary – Who Must Comply?

The HIPAA Privacy Rule requires two groups to protect PHI and ePHI data.

Covered Entities 

  • Healthcare providers (doctors, dentists, chiropractors, etc.)
  • Health plans (group and individual plans, employer self-insured plans, government-sponsored plans, Medicare Supplement and Advantage policies, etc.)
  • Healthcare clearinghouses (companies that standardize data to assist with claims processing and payment)

Business Associates 

  • Any individual or organization that must store PHI or ePHI as part of providing services for a covered entity or other business associates 

Covered entities and business associates must have signed business associate agreements before transferring PHI or ePHI to a business associate. If they do not, it is a violation of HIPAA.

A HIPAA violation occurs any time a covered entity or business associate makes an unauthorized disclosure to anyone, including another covered entity or business associate.

If a covered entity or business associate makes an authorized PHI disclosure to a third party that is not required to comply with HIPAA (such as a family member), and that third party then discloses the information to someone else (for example, by posting it on Facebook), there is no HIPAA violation.

HIPAA Privacy Rule Summary – Patient Right of Access

The Patient’s Right of Access is an often overlooked provision of the HIPAA Privacy Rule. Under the HIPAA Privacy Rule, a covered entity must act on an individual’s request for access no later than 30 calendar days after receipt of the request.

Covered entities must answer a patient’s request for their medical records. Even if a patient owes money to the practice, the practice must provide patient records when requested.

Covered entities also:

  • Must provide the PHI in the form, format, and manner of access requested by the individual if it is “readily producible” in that manner
  • May charge only a reasonable, cost-based fee that complies with 45 CFR 164.524(c)(4)

The Department of Health and Human Services Office for Civil Rights (OCR) is the enforcement arm for HIPAA violations. OCR has made right of access violations an enforcement priority, resulting in 41 settlement actions and HIPAA fines in the past three years.

If you need more guidance in navigating the HIPAA Privacy Rule or any other part of HIPAA regulations, Compliancy Group is ready to help. We have a proven method to simplify HIPAA compliance to fit your organization’s operations.
