Healthcare News & Insights

HIPAA Privacy Rule

The “Standards for Privacy of Individually Identifiable Health Information,” more commonly known as the HIPAA Privacy Rule, took full effect in 2003. It established a national set of standards that protect patient health information and define the rights patients have to understand and control how their information is used and shared.

The HIPAA Privacy Rule strikes a balance between protecting patient privacy and permitting enough sharing and transfer of data between health professionals to ensure good care. It applies directly to what the rule calls “covered entities”: health care providers that transmit patient information electronically, health plans and health insurance companies, and health care clearinghouses, which are entities such as medical billing services that convert health information between nonstandard and standard formats.

HIPAA Privacy: Protecting Patient Information

The Privacy Rule gives patients rights over their personal health information and restricts who can view and access that information. It applies to protected health information in every form, including electronic records, written statements and records, and oral communications.

Covered entities must meet several requirements intended to preserve patient confidentiality. These requirements include:

  • Securing patient records that contain individually identifiable health information so that they are not readily accessible or available to people who do not need them
  • Adopting and enacting privacy procedures for the organization
  • Designating at least one individual to be responsible for ensuring that privacy and security procedures are adopted and followed at the organization
  • Training all employees so that they understand the privacy procedures of the organization
  • Notifying patients about their privacy rights and how their information can or will be used

Information Protected Under the HIPAA Privacy Rule

The main goal of the HIPAA Privacy Rule is to protect any health data that can identify an individual. This covers information containing personal details, such as name, date of birth, and Social Security number, and extends to records that describe a patient’s physical or mental condition, the care provided to the patient, or payment for that care.

A covered entity is required to disclose protected health information in only two situations: to the patient (or someone deemed the patient’s personal representative) when they request access to their own records, and to the Department of Health and Human Services when it requests the information for a compliance investigation or review.

Health professionals are permitted to use and disclose a patient’s protected health information without authorization for treatment (including care coordinated across multiple providers), payment and billing, and health care operations, along with other specific purposes listed in the Rule. For any other use or disclosure, the patient must first give written authorization.

Compliance Enforcements and Violation Penalties

All covered entities are expected to remain in compliance with the Privacy Rule. To support and encourage compliance, the Department of Health and Human Services provides education, training, and some technical assistance to help covered entities stay within the guidelines the Rule sets out.

In the event of a possible violation, a complaint can be filed and the matter investigated by the Department of Health and Human Services before any civil or criminal penalties are imposed.

Civil penalties take the form of monetary fines, originally capped at $25,000 per calendar year for violations of the same provision (the HITECH Act of 2009 later raised these amounts substantially). Fines cannot be imposed in specific circumstances, such as when the covered entity did not know, and with reasonable diligence would not have known, that it was violating the Rule, or when the violation was due to reasonable cause rather than willful neglect. In the latter case, the covered entity is given 30 days from the time it knew, or should have known, of the violation to correct it before fines can be imposed.

Criminal penalties can also be enforced for violations of the Privacy Rule, with monetary fines and imprisonment scaled to the severity of the offense: up to $50,000 and one year in prison for knowingly obtaining or disclosing protected health information; up to $100,000 and five years in prison if the offense is committed under false pretenses; and up to $250,000 and ten years in prison if the offense is committed with intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm.