The HIPAA Privacy Rule
The HIPAA Privacy Rule is one of the five main Healthcare Insurance Portability and Accountability Act (HIPAA) rules. It regulates the use and disclosure of Protected Health Information (PHI) or electronic protected health information (ePHI) that is collected, used, and stored by covered entities (i.e., certain organizations or individuals), health care clearinghouses, and business associates.
Limits and conditions related to the use and disclosure of PHI are defined in the HIPAA Privacy Rule. This includes what PHI can and cannot be disclosed without patient authorization.
Difference between PHI and ePHI?
Commonly used interchangeably, PHI and ePHI are not exactly the same. The difference is that PHI refers to physical records.
In contrast, ePHI refers to protected health information that is created, used, shared, or stored electronically—for example, an electronic health record included in the content of an email or a cloud database.
Both PHI and ePHI are subject to the same protections under the HIPAA Privacy Rule.
NOTE: PHI will be used to refer to physical and electronic health information.
Let’s jump in and learn:
- History of the HIPAA Privacy Rule
- Summary of the HIPAA Privacy Rule
- What the HIPAA Privacy Rule Does
- Who Must Comply with the HIPAA Privacy Rule?
- Who Does Not Have to Comply with the HIPAA Privacy Rule?
- Information Protected Under the HIPAA Privacy Rule
- HIPAA Privacy Rule Enforcement
- Additional HIPAA Privacy Rule Enforcement Considerations
History of the HIPAA Privacy Rule
- August 21, 1996—HIPAA was signed into law
- August 1997—recommendations submitted to Congress to amend HIPAA to include specific direction on protecting the privacy of PHI
- November 1999—proposed version of the HIPAA Privacy Rule submitted for public comment
- December 2000—HHS issued the second version of the HIPAA Privacy Rule, titled Standards for Privacy of Individually Identifiable Health Information
- March 2002—HHS published a proposed modification to the HIPAA Privacy Rule
- August 2002—HHS issued the final version of the HIPAA Privacy Rule
- April 14, 2003—HIPAA Privacy Rule effective compliance date
- April 14, 2004—HIPAA Privacy Rule extension for small health plans
- March 26, 2013—Final Omnibus Rule was signed into law
- September 2013—Final Omnibus Rule compliance date
Summary of the HIPAA Privacy Rule
The HIPAA Privacy Rule sets the standard for protecting patient PHI in the United States. The privacy standards set forth in the HIPAA Privacy Rule include the following:
- Patient’s right to access their PHI
- Covered entity’s right to access patient PHI
- Covered entity’s right to refuse access to patient PHI
- Minimum required standards for a covered entity’s HIPAA policies and release forms
The HIPAA Privacy Rule permits the disclosure of PHI without the individual’s authorization in some circumstances, including:
- For judicial and administrative proceedings, if the request for information is made through a court order
- For public health purposes as required by state and federal law
- For research, if the PHI is de-identified
- To business associates
- To law enforcement officials
- To public agencies for health oversight activities (e.g., audits; inspections; civil, criminal, or administrative proceedings; other activities necessary for the oversight of the healthcare system)
What the HIPAA Privacy Rule Does
The HIPAA Privacy Rule also provides individuals with specific rights related to their PHI. Among the rights and protections afforded individuals under the HIPAA Privacy Rule are the right to:
- Receive a notice of privacy practices from a covered entity that must, among other things, inform patients of the anticipated uses and disclosures of their health information that may be made without the patients’ consent or authorization
- See and obtain a copy of their health information
- Request changes to any information that is incomplete or inaccurate
- Obtain an accounting of certain disclosures that the covered entity made of their PHI over the past six years
According to the HIPAA Privacy Rule, individuals may ask for access to their PHI from their providers for a reasonable price and in a timely manner. The HIPAA Privacy Rule also gives every patient the right to access their health records to inspect them for accuracy and, subsequently, request corrections to their file.
As detailed in the HIPAA Privacy Rule, the right of access is an enforcement priority when covered entities deny access to information. While covered entities are not required to develop new information, they have to provide available information to patients who request it.
There are specific forms that coincide with the HIPAA Privacy Rule and must be provided to patients by covered entities, including:
- Request of Access to PHI
- Notice of Privacy Practices (NPP) Form
- Request for Accounting Disclosures Form
- Request for Restriction of Patient Health Care Information
- Authorization for Use or Disclosure Form
- Privacy Complaint Form
To comply with the HIPAA Privacy Rule, covered entities must also keep track of disclosures of PHI and document privacy policies and procedures. They are also required to appoint a privacy official and/or have an individual who is responsible for receiving complaints and training all members of their workforce on how to handle and manage PHI.
Who Must Comply with the HIPAA Privacy Rule?
The HIPAA Privacy Rule applies to covered entities (i.e., individuals or organizations) that handle health information in the course of routine health care practices. The HIPAA Privacy Rule requires two groups to comply with the statute—covered entities and business associates.
A covered entity is an organization that collects, creates, stores, or sends PHI records. Covered entities have direct contact with patients. These organizations must comply with HIPAA Privacy Rules when they send PHI to anyone in any format, such as emailing PHI with a referral to a specialist or mailing documents to an insurance provider for payment. Covered entities include:
- Health care providers—hospitals, doctors, dentists, therapists, other health care professionals, and facilities that provide treatment (e.g., hospitals, surgery centers)
- Health plans—provide or pay the cost of medical care, such as private health insurers or managed care organizations, and governmental payers and health programs such as Medicaid, Medicare, or Veterans Affairs
- Health care clearinghouses—a third-party service that interprets claim data between provider systems and insurance payers
- Independent contractors—engaged by covered entities and who fit within the definition of a business associate
Business associates do not have direct contact with patients. However, they do create, receive, or transmit a patient’s PHI. Examples of a business associate include the following:
- Answering services
- Cloud storage providers
- Collection agencies
- Email hosting providers
- E-prescribing services
- IT consultants
- Law office or accounting firms
- Medical billing or coding firms
- Medical device makers
- Physical storage companies
- Practice management services
- Shredding services
- Transcription services
Covered entities must have business associate agreements in place, agreeing to specific terms of engagement, including providing assurances that they will:
- Use the information only for the purposes for which it was engaged by the covered entity—details of how PHI may be used must be included in the agreement
- Not use or disclose the PHI other than as permitted or required by the contract or as required by law
- Safeguard the information from misuse
- Help the covered entity comply with some of the covered entity’s duties under the HIPAA Privacy Rule
If an organization falls into one of the categories of a covered entity and performs functions unrelated to health care, it can become a hybrid entity and designate specific health care components. In this case, only the healthcare components would require compliance with the HIPAA Privacy Rule.
An example is if a university includes an academic medical center with a hospital. The school could classify only the hospital as a covered entity so that the entire university does not have to conform to the HIPAA Privacy Rules.
Who Does Not Have to Comply with the HIPAA Privacy Rule?
The HIPAA Privacy Rule does not protect PHI that is held or maintained by an organization other than a covered entity. It also does not apply to information that has been de-identified.
Organizations Exempt from HIPAA Privacy Rule
Many in these groups do not have to follow the HIPAA Privacy Rule:
- Employers with fewer than 50 employees
- Law enforcement agencies
- Life insurers
- Municipal offices
- Schools and school districts
- State agencies, such as child protective services, food stamps, and community health centers
- Workers’ compensation carriers
Data De-Identification for Exemption from HIPAA Privacy Rule
The process of de-identification, by which identifiers are removed from the health information, mitigates privacy risks to individuals. Therefore, the HIPAA Privacy Rule provides exemptions for de-identified PHI for secondary use. This includes using data for comparative effectiveness studies, policy assessment, life sciences research, and other analytics.
The HIPAA Privacy Rule requires that de-identification follows specified standards and implementation practices. Two de-identification methods are approved under the HIPAA Privacy Rule:
1. Determination by a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable
2. The removal of any of the 18 fields of PHI that identify the individual or relatives, employers, or household members of the individual
The 18 fields of PHI that need to be considered as part of HIPAA Privacy Rule compliance are:
1. Account numbers
2. Any unique identifying number or code
3. Biometric identifiers (e.g., retinal scans, fingerprints)
4. Certificate/license numbers
5. Dates, except year
6. Device identifiers and serial numbers
7. Email addresses
8. Fax numbers
9. Full-face photos and comparable images
10. Geographic data
11. Health plan beneficiary numbers
12. IP addresses
13. Medical record numbers
14. Names
15. Social Security numbers
16. Telephone numbers
17. Vehicle identifiers and serial numbers, including license plates
18. Web URLs
The inclusion of one or more of these 18 identifiers turns health information into PHI and subjects it to HIPAA Privacy Rule restrictions. This limits the uses and disclosures of the information.
Even when properly applied, both methods result in data that has some risk of identification. However, regardless of the risk, if data is de-identified using one of the approved methods, the HIPAA Privacy Rule does not restrict the use or disclosure of that PHI.
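As an added illustration of the second (identifier-removal) method described above, this Python pass drops the identifier fields from a record, reduces dates to the year, and scrubs identifier-shaped strings out of free-text notes; it is example code, not from the article or Egnyte, and the field names and the sample record are constructed assumptions.

```python
import re
from datetime import date

# Field names are constructed; the categories follow the article's 18-item list.
IDENTIFIER_FIELDS = {
    "name", "mrn", "ssn", "account_number", "health_plan_id", "phone", "fax",
    "email", "address", "ip_address", "device_serial", "license_plate", "url",
    "biometric_hash", "photo", "certificate_number", "unique_code",
}
# Dates are reduced to the year rather than dropped ("Dates, except year").
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}
# Identifier-shaped substrings that leak through free-text notes.
# URLs go first so an IP or date inside a URL is not half-scrubbed.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\bhttps?://\S+"), "[URL]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),  # also hits versions
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]

def scrub_text(text):
    """Replace identifier-shaped substrings in free text with placeholders."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text

def identifiers_present(record):
    """Audit check: which identifier fields does a record still carry?"""
    return {key for key in record if key in IDENTIFIER_FIELDS}

def deidentify(record):
    """Copy of record: identifier fields dropped, dates cut to year, text scrubbed."""
    out = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue  # one of the 18 categories: remove outright
        if key in DATE_FIELDS:
            out[key] = value.year if isinstance(value, date) else None
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out

SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Doe", "mrn": "MRN-0042", "ssn": "123-45-6789",
    "email": "jane.doe@example.org", "date_of_birth": date(1984, 6, 2),
    "admission_date": date(2021, 3, 4), "diagnosis_code": "E11.9",
    "notes": "Called 555-123-4567; see https://portal.example.org/v/77 on 2021-03-11",
}
```

Pattern-based scrubbing of free text is a best-effort control: unstructured notes can carry identifiers (names, locations) that no regex will catch, which is where the expert-determination method earns its place.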
Information Protected Under the HIPAA Privacy Rule
Under the HIPAA Privacy Rule, PHI is considered any identifiable health information used, maintained, stored, or transmitted by a HIPAA-covered entity. The HIPAA Privacy Rule applies not only to past and present PHI, but also to future information about medical conditions or physical and mental health related to the provision of care or payment for care. PHI includes any information held by a covered entity that concerns:
- Health status
- Provision of health care
- Payment for health care that can be linked to an individual
HIPAA Privacy Rule Enforcement
The HHS Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy Rule. The HIPAA Privacy Rule is enforced in several ways:
- Investigations into complaints filed with the OCR
- Reviews to determine if covered entities are in compliance
- Education and outreach to foster compliance with the rules
If a covered entity is found to be noncompliant, the OCR attempts to resolve the issue by seeking:
- Voluntary compliance
- Resolution agreement
Compliance with the HIPAA Privacy Rule is something to be taken seriously. Violations of the HIPAA Privacy Rule carry steep penalties. The HIPAA Privacy Rule sets out both civil and criminal penalties for violations.
It is noteworthy that enforcement actions related to violations of the HIPAA Privacy Rule may only be taken by the OCR or Department of Justice (DOJ). The HIPAA Privacy Rule does not provide for patients’ or research participants’ private right of action.
Civil penalties for violation of the HIPAA Privacy Rule
- Unknowing (i.e., the violation was made in error): $100-$50,000 per violation, with an annual maximum of $25,000 for repeat violations
- Willful neglect, where the violation was corrected in the allotted time: $1,000-$50,000 per violation, with an annual maximum of $100,000 for repeat violations
- Willful neglect, where the violation was not corrected within the required time: $10,000-$50,000 per violation, with an annual maximum of $250,000 for repeat violations
Criminal penalties for violations of the HIPAA Privacy Rule
OCR calls in the DOJ for investigation if a complaint describes an action that could be a violation of the criminal provision of the HIPAA Privacy Rule. There are different levels of penalties for criminal violation of the HIPAA Privacy Rule:
- Covered entities that knowingly obtain or disclose PHI can be sentenced to up to one year of imprisonment
- Offenses committed under false pretenses are subject to up to 5 years in prison
- Offenses committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm are subject to up to 10 years of imprisonment
Additional HIPAA Privacy Rule Enforcement Considerations
While the HIPAA Privacy Rule includes repercussions for violations, the default action by the OCR is to stress cooperative compliance over the imposition of penalties. The HIPAA Privacy Rule states explicitly that the OCR will, to the extent practicable, seek the cooperation of the covered entity in obtaining compliance.
Initially, informal means are used to resolve the violation, including having covered entities demonstrate compliance, a completed corrective action plan, or a resolution agreement. Imposing penalties is usually only done when a covered entity refuses to take action to remediate the violation.
It is also worth noting that a covered entity that is in compliance with the HIPAA Privacy Rule will not be held liable for the actions of a business associate that violates the terms of a business associate agreement—so long as the covered entity follows the HIPAA Privacy Rule's protocols.
When a covered entity becomes aware of the business associate conducting an activity that is in violation of the HIPAA Privacy Rule, it must take steps to remediate the issue. If the issue is not fixed, the covered entity must terminate its contract with the business associate. If it is impossible to terminate the agreement, the covered entity must report the problem to the OCR.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 13th April, 2022