The HIPAA rules and regulations provide guidance for the proper uses and disclosures of protected health information (PHI), how to secure PHI, and what to do if there is a PHI breach. The HIPAA rules and regulations consists of three major components, the HIPAA Privacy rules, Security rules, and Breach Notification rules. A summary of these Rules is discussed below.
HIPAA Rules and Regulations: Privacy Rule
The compliance date of the HIPAA Privacy Rule was April 14, 2003 with a one-year extension for certain “small plans”. HIPAA Privacy Rules regulate the use and disclosure of Protected Health Information (PHI) held by covered entities which are defined as health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions. The Department of Health and Human Services, when implementing the HIPAA Omnibus Rule, extended the HIPAA privacy rule to independent contractors of covered entities who fit within the definition of a business associate. PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual. There are 18 fields of ePHI that need to be considered that include such items as Name, Diagnosis, Social Security Number, etc. This is includes any part of an individual’s medical record or payment history. Under HIPAA regulations, covered Entities must disclose PHI to the individual within 30 days upon request. They also must disclose PHI when required to do so by law such as reporting suspected child abuse or when presented with a subpoena or when requested by law enforcement.