The HIPAA Privacy Rule
HIPAA contains a series of rules that covered entities (CEs) must follow to be compliant. One of these rules is known as the HIPAA Privacy Rule. This rule is designed to safeguard the privacy of individuals’ protected health information (PHI). In certain circumstances, business associates (BAs) must also comply with the HIPAA Privacy Rule.
Whom Does the HIPAA Privacy Rule Regulate?
The HIPAA Privacy Rule regulates covered entities.
Covered entities are defined in the HIPAA rules as (1) healthcare providers who electronically transmit any health information in connection with a HIPAA covered transaction; (2) health plans; and (3) healthcare clearinghouses.
A “healthcare provider” is defined as an individual or entity that furnishes, bills, or is paid for healthcare, in the normal course of business.
“Healthcare” is defined broadly under HIPAA, as care, services, or supplies, related to the health of an individual.
Healthcare includes, but is not limited to, the following:
◈ Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care; and
◈ Counseling, service, assessment, or procedures with respect to the physical or mental condition, or functional status, of an individual that affects the structure or function of the body.
Healthcare also includes the sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
A covered healthcare provider is a healthcare provider who transmits any health information, in electronic form, in connection with a HIPAA covered transaction.
What is Health Information?
Health information means any information, whether oral or recorded in any form or medium, that:
◈ Is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse; and
◈ Relates to:
◆ The past, present, or future physical or mental health or condition of an individual;
◆ The provision of healthcare to an individual; or
◆ The past, present, or future payment for the provision of healthcare to an individual.
What Does “In Electronic Form” Mean?
“Electronic form” is not specifically defined under HIPAA. HIPAA defines the closely-related phrase “electronic media” to include:
(1) Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; and
(2) Transmission media used to exchange information already in electronic storage media (transmissions via electronic media).
Note: Transmissions via paper, fax, voice, or telephone are not regarded as “transmissions through electronic media” if the information being exchanged did not exist in electronic form immediately before the transmission.
What are HIPAA Covered Transactions?
HIPAA covered transactions are transactions involving the transmission of information between two parties to carry out financial or administrative activities related to healthcare.
HIPAA covered transactions include (but are not limited to) the following:
(1) Health claims or equivalent encounter information.
(2) Healthcare payment and remittance advice.
(3) Coordination of benefits.
(4) Healthcare claim status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First reports of injury.
(10) Health claims attachments.
The HIPAA regulations define a health plan as an individual or group plan that provides, or pays the cost of, medical care.
Health plans include (among others):
◈ Group health plans.
◈ Health insurance issuers.
◈ Health maintenance organizations (HMOs).
◈ Medicare (Parts A and B).
◈ The Voluntary Prescription Drug Benefit Program under Part D of Medicare.
◈ Issuers of Medicare supplemental policies.
◈ Issuers of long-term care policies (except nursing home fixed indemnity policies).
◈ Employee welfare benefit plans, or any other arrangements, that offer or provide benefits to the employees of 2 or more employers.
◈ TRICARE (the healthcare program for uniformed services).
◈ The Indian Health Service program under the federal Indian Health Care Improvement Act.
◈ The Federal Employees Health Benefits Program.
◈ An approved State child health plan under the Social Security Act.
◈ The Medicare Advantage program.
◈ A state high-risk pool through which health insurance coverage is provided.
The HIPAA regulations define a healthcare clearinghouse as:
A public or private entity (including a billing service, repricing company, community health management information system or community health information system) that performs either of the following functions:
(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or
(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
What Does the HIPAA Privacy Rule Regulate?
The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI). PHI is a subset of individually identifiable health information, which is itself a subset of health information.
What is Individually Identifiable Health Information?
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
◈ Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and
◈ That identifies the individual; or, with respect to which, there is a reasonable basis to believe the information can be used to identify the individual.
What is Protected Health Information?
Protected health information means individually identifiable health information that is:
◈ Transmitted by electronic media;
◈ Maintained in electronic media; or
◈ Transmitted or maintained in any other form or medium.
Individually identifiable health information that is excluded from the definition of protected health information includes (among other things):
◈ Employment records held by a covered entity in its role as an employer; and
◈ Education records covered by the Family Education Rights and Privacy Act (FERPA).
Under HIPAA, protected health information (PHI) is any piece of information in an individual’s medical record that is created, used, or disclosed during the course of diagnosis or treatment, that can be used to uniquely identify the patient.
According to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), the 18 types of information that qualify as PHI include:
- Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, or license plate numbers
- Device identifiers or serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voice prints
- Full-face photos
- Any other unique identifying numbers, characteristics, or codes
What Information Does the HIPAA Privacy Rule Protect?
The HIPAA Privacy Rule protects protected health information (PHI) from unauthorized use or disclosure.
What is “Use”?
Under the HIPAA Privacy Rule, use means, with respect to individually identifiable health information, the:
◈ Examination, or
of such information, within an entity that maintains such information.
What is “Disclosure”?
Under the HIPAA Privacy Rule, disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the covered entity holding the information.
How Does the HIPAA Privacy Rule Regulate Use and Disclosure of PHI?
The HIPAA Privacy Rule defines and limits the circumstances in which an individual’s protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either:
◈ As the HIPAA Privacy Rule permits or requires; or
◈ As the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
What are Business Associates?
As noted in the introduction, in certain circumstances, business associates must also comply with the HIPAA Privacy Rule.
In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.
Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing.
Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.
Persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.
A covered entity can be the business associate of another covered entity.
What is a Business Associate Agreement?
When a covered entity uses a contractor or other non-workforce member to perform “business associate” services or activities, HIPAA requires that the covered entity include certain protections for the information in a business associate agreement or contract.
In the business associate contract, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates.
In addition, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the HIPAA Privacy Rule.
How Must Business Associates Comply with the HIPAA Privacy Rule?
When the business associate carries out the covered entity’s obligations under the Privacy Rule, the business associate must comply with the same requirements of the Privacy Rule that apply to the covered entity in the performance of these obligations.