HIPAA Privacy Rule — Statutory and Regulatory Background

It was the Standards for Privacy of Individually Identifiable Health Information that took the initiative of establishing critical guidelines and parameters for maintaining the sanctity of an individual’s health information. As a result, the U.S. Department of Health and Human Services or the HHS issued the Privacy Rule as an intrinsic requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The standards set by the Privacy Rule address the issues that are typical to the disclosure of an individual's health information or the PHI (Protected Health Information). All healthcare and medical insurance institutions that comply with the standards set by the Privacy Rules are called Covered Entities and each of them has to abide by these guidelines.

HIPAA’s Privacy Rule: An Overview

The Privacy Rule also empowers an individual to be educated about his rights to control the extent to which his personal/health information is used or disclosed by the Covered Entities. It should be understood that within the HHS itself, there is a dedicated authority called the OCR (The Office for Civil Rights) that is responsible for ensuring that the Privacy Rule guidelines are implemented and followed. The OCR has the right to enforce the Privacy Rule guidelines by imposing civil financial penalties. The major concern of the Privacy Rule is to ensure that the health information furnished by an individual is protected against any kind of misuse along with being used efficiently for facilitating healthcare facilities. This is also the biggest challenge for the Privacy Rule guidelines — trying to create a balance between protecting the privacy of personal/medical data along with ensuring that such critical information can be accessed and duly processed, if it is needed for providing healthcare facilities. The Rule acknowledges the fact that healthcare is a widely-diversified industry and it is difficult to make every covered entity abide to the same set of rulings. As a result, the Privacy Rule has developed a very flexible approach wherein each entity is given the opportunity to become compatible with its guidelines. Essentially, every covered entity is allowed certain privileges concerning the distinctive demands of Patient Health Information disclosure that arise in the form of typical issues that are unique to regionally and economically-diverse covered entities.

Tracing the Origins of the Privacy Rule

On August 21, 1996, the HIPAA, Public Law 104-191 was endorsed, wherein Sections 261 to 264 state that the Secretary of the HHS should publicize the standards that have been set for the electronic exchange of health information. It emphasizes upon the HHS to explain its guidelines regarding the sharing of a patient’s health information and their effectiveness in maintaining patient information privacy and security. These provision are now collectively referred to as the Administrative Simplification Provisions. Under these provisions, the Secretary was asked to issue the privacy regulations that govern an individual’s health information, if the Congress was not able to act upon the privacy legislation within a stipulated period of three years. As it turned out, the Congress was unable to define the regulations of the privacy legislation within the required timeframe and thus, the HHS proposed a new rule to make its guiding parameters immediately effective.

On November 3, 1999, this new rule was released for the public’s opinion. The response was not overwhelming but the HHS still received nearly 52,000 public comments. Taking inspiration from these suggestion and incorporating them in its intrinsic opinion, the HHS published the first official draft of the Privacy Rule on December 28, 2000. It was only in March 2002 that the HHS sought the next installation of public opinion and it received nearly 11,000 comments. Based upon this feedback and considering the demands set forth by the existing standards of patient health information disclosure, some modifications were made and the revised draft of Privacy Rule was released on August 14, 2002 and it is being currently used.