Most health care providers know they must abide by the HIPAA Privacy Rule. However, understanding the law and navigating its components still poses a challenge in this industry. Without a firm grasp of the HIPAA Privacy Rule, covered entities - those covered by the Rule - increase their risk of violations and fines.
The big picture
The U.S. Department of Health and Human Services (HHS) established the Standards for Privacy of Individually Identifiable Health Information, commonly known as the Privacy Rule, to outline a set of criteria for safeguarding patient health information. Essentially, the HHS uses the Privacy Rule as a way to implement HIPAA in regard to disclosing protected health information (PHI).
Privacy Rule basics
The Privacy Rule comprises many details that require a certain scrutiny to fully comprehend. However, the first step in adhering to the law involves gaining a firm grasp on the basics.
Covered entities: The HIPAA Privacy Rule applies to certain individuals and groups called covered entities. These include:
- Health care providers.
- Health plans.
- Health clearinghouses.
- Hybrid entities.
In most circumstances, the Privacy Rule in its entirety applies to covered entities. These groups and individuals must develop a solid understanding of the law to ensure full compliance.
PHI: The HIPAA Privacy Rule regulates the release of PHI. PHI contains both identifying factors - such as name, Social Security number and email address - and health information - such as laboratory results, X-rays and billing data. No matter the format, whether in hard copy or electronic form (ePHI), covered entities must have safeguards in place to protect PHI.
Disclosures: Covered entities do not need patient approval to release PHI for payment, treatment and health care operation purposes. Otherwise, they must have a patient-signed authorization that contains:
- Names of individuals disclosing PHI.
- Names of individuals receiving PHI.
- Expiration date or event.
- Right to revoke clause.
- Details on why the covered entity is disclosing PHI and how recipients will use it.
Patient rights: As the name suggests, the Privacy Rule protects patient privacy and also preserves their rights, including remaining informed. Covered entities must grant patients access to PHI upon request and notify individuals if a breach occurs.
How can covered entities effectively implement the Privacy Rule?
The Office of Civil Rights periodically conducts audits, so covered entities must always be prepared by ensuring compliance with the law at all times. Otherwise, they may be subject to civil penalties in the form of fees. Comprehensive understanding of the law, effective business management and overall diligence will allow covered entities to abide by the Privacy Rule. This effort requires the proper tools.
Policies and procedures: It is not only helpful for covered entities to have policies in place that outline how workforce members should safeguard PHI. It is actually a requirement under the Privacy Rule. The HHS designed the Privacy Rule with flexibility in mind so health care providers could adapt the law to their unique practices.
Employee training: Knowledge gaps leave room for error, so it's important that covered entities effectively train all employees on the HIPAA Privacy Rule.
Risk management: Covered entities should always remain aware of their risk ratings so they can change their practices to address security vulnerabilities. In fact, adapting procedures on an as-needed basis is a Privacy Rule requirement.
Incident response: In the event that an information breach occurs, health care providers must quickly correct the incident to reduce their chance of incurring penalties.
The HIPAA Help Center provides modules that target each of these Privacy Rule needs. Not only does the application ensure compliance, but it also helps covered entities to more efficiently run their businesses. For example, the Employee Training module both provides comprehensive education on the law and alerts workforce members if they still need to complete the training, keeping everyone on track.