Summary of the HIPAA Privacy Rule

In 1996, the U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Privacy Rule, formally the Standards for Privacy of Individually Identifiable Health Information, established the first national standards governing the use and disclosure of an individual's health information. In essence, the Privacy Rule defines how covered entities may use and disclose individually identifiable health information, referred to as PHI (Protected Health Information). "Covered entity" is a term used throughout HIPAA guidance; its scope is set out in 45 CFR § 160.102, which applies the HIPAA Administrative Simplification rules (including the Privacy Rule) to the following. A covered entity can be a:

• Health plan
• Healthcare clearinghouse
• Healthcare provider that transmits health information electronically in connection with a HIPAA standard transaction (for example, submitting claims electronically)

Overview of the Privacy Rule

• Gives individuals rights over their health information, including the right to access it, request amendments and receive an accounting of certain disclosures
• Defines boundaries for the use and disclosure of health records by covered entities
• Establishes national standards with which healthcare providers, health plans and clearinghouses must comply
• Limits uses and disclosures of PHI to the minimum necessary for the purpose, reducing the chance of inappropriate disclosure
• Is enforced by the HHS Office for Civil Rights, which investigates complaints and compliance issues and can impose civil monetary penalties; knowing violations can also be prosecuted criminally by the Department of Justice
• Permits disclosure of PHI without individual authorization for treatment, payment and healthcare operations, and for specified public-interest purposes such as public health, law enforcement and national security

HIPAA recognizes the need to balance protection of an individual's health information against the delivery of proper healthcare. The Privacy Rule regulates the sharing of PHI without making that regulation a barrier to care. Thus the Privacy Rule permits disclosures without individual authorization in defined circumstances, for example to public health authorities, and it permits disclosures for treatment, payment and healthcare operations.

HIPAA itself is broad and consists of five titles, of which only one concerns the privacy and security of health information. HIPAA Title II, called Administrative Simplification (AS), directs the Department of Health and Human Services (HHS) to adopt national standards for electronic healthcare transactions, and it is under this title that the privacy and security standards for health information were issued.

AS establishes national standards for electronic healthcare transactions and for identifiers such as those for healthcare providers, health plans and employers. Its provisions also address the security and privacy of a patient's health data. The AS rules that HHS has issued for this purpose are codified in 45 CFR Parts 160, 162 and 164. These rules are:

• The Unique Identifiers Rule (National Provider Identifier)
• The Enforcement Rule
• The Privacy Rule
• The Security Rule
• The Transactions and Code Sets Rule

HHS, the U.S. Department of Health and Human Services, is responsible for issuing new standards regarding the use and exchange of PHI and for keeping covered entities informed of them. Historically, when a healthcare provider described a practice as HIPAA-compliant, this usually meant compliance with the Privacy Rule. Over time the requirements for compliance have been clarified and expanded. A significant development in this respect was the enactment of the American Recovery and Reinvestment Act of 2009 (ARRA), which gained prominence because it contains the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HITECH strengthens the privacy and security requirements of HIPAA, among other things by extending obligations directly to business associates and by requiring notification of breaches of unsecured PHI. HITECH also promotes the expansion of HIPAA standards for the electronic exchange of health information nationally, with the aim of making medical care more organized and transparent, and it establishes incentive payments for eligible providers and hospitals that adopt and meaningfully use Electronic Health Records (EHR). With HITECH clarifying the requirements for HIPAA compliance and raising the civil penalty tiers, those who remain non-compliant are exposed to larger civil penalties. Further, because the EHR incentive programs require participants to attest to protecting health information in line with the HIPAA rules, non-compliance with the Privacy and Security Rules can disqualify a covered entity from receiving those financial incentives.