Healthcare / Federal Law

HIPAA Privacy

Health Insurance Portability and Accountability Act Privacy Rule - Standards for Privacy of Individually Identifiable Health Information

Legally Required | Featured Framework

Federal standard establishing national requirements for the protection of individually identifiable health information by covered entities and their business associates.

Executive Summary

The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information. It applies to health plans, healthcare clearinghouses, and healthcare providers that conduct certain transactions electronically.

Comprehensive Documentation

HIPAA Privacy Rule

Overview


The HIPAA Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E) establishes national standards for the protection of individually identifiable health information, called "protected health information" (PHI). The Rule was issued by the U.S. Department of Health and Human Services (HHS) to implement the privacy requirements of the Health Insurance Portability and Accountability Act of 1996.

Who Must Comply

Covered Entities


  • Health Plans: Including health insurance companies, HMOs, company health plans, government programs (Medicare, Medicaid)

  • Healthcare Clearinghouses: Entities that process health information

  • Healthcare Providers: Any provider who transmits health information electronically in connection with certain transactions


Business Associates


  • Persons or entities that perform functions or activities on behalf of, or provide services to, a covered entity that involve the use or disclosure of PHI

  • Must comply with specific Privacy Rule requirements via business associate agreements (BAAs)


Protected Health Information (PHI)

PHI is individually identifiable health information that is:

  • Created or received by a covered entity

  • Relates to past, present, or future physical/mental health, healthcare provision, or payment for healthcare

  • Identifies the individual or could reasonably be used to identify the individual


18 HIPAA Identifiers


  1. Names

  2. Geographic subdivisions smaller than state

  3. Dates (except year) related to the individual

  4. Telephone numbers

  5. Fax numbers

  6. Email addresses

  7. Social Security numbers

  8. Medical record numbers

  9. Health plan beneficiary numbers

  10. Account numbers

  11. Certificate/license numbers

  12. Vehicle identifiers and serial numbers

  13. Device identifiers and serial numbers

  14. Web URLs

  15. IP addresses

  16. Biometric identifiers

  17. Full-face photographs

  18. Any other unique identifying characteristic or code
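The identifier list above is, in practice, a checklist: a record that still carries any of these elements is PHI, and a record from which all of them have been removed or generalized can be treated as de-identified. The following is an added example (not code from the original page) of a small Python de-identification pass over a patient record: direct identifiers are dropped by field name, dates are reduced to the year, the address is reduced to the state, and free-text notes are scanned with regular expressions for identifiers that leak through narrative text. The field names, the sample record and the regexes are constructed for illustration and do not claim to be exhaustive.

```python
import re
from typing import Any

# Hypothetical schema: field name -> identifier category number from the list above.
DIRECT_IDENTIFIER_FIELDS = {
    "name": 1, "phone": 4, "fax": 5, "email": 6, "ssn": 7, "mrn": 8,
    "beneficiary_id": 9, "account_number": 10, "license_number": 11,
    "vehicle_id": 12, "device_serial": 13, "url": 14, "ip_address": 15,
    "biometric": 16, "photo": 17,
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}  # category 3: keep year only

# Illustrative patterns for identifiers that leak through free-text notes (not exhaustive).
# Order matters: the SSN pattern runs before the phone pattern so a 9-digit SSN is never
# half-consumed by the phone regex.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def year_only(value: str) -> str:
    """Generalize an ISO or US-format date string to its four-digit year (category 3)."""
    m = re.search(r"\d{4}", value)
    return m.group(0) if m else "[REDACTED-DATE]"


def redact_free_text(text: str) -> tuple[str, list[str]]:
    """Replace identifier patterns in narrative text; return the new text and the labels hit."""
    found: list[str] = []
    for label, pattern in FREE_TEXT_PATTERNS.items():
        if pattern.search(text):
            found.append(label)
            if label == "date":
                text = pattern.sub(lambda m: m.group(0)[-4:], text)  # keep the year only
            else:
                text = pattern.sub(f"[{label.upper()}]", text)
    return text, found


def redact_record(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of `record` with the listed identifiers removed or generalized."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # drop direct identifiers entirely
        if key in DATE_FIELDS:
            out[key] = year_only(str(value))
        elif key == "address" and isinstance(value, dict):
            out[key] = {"state": value.get("state")}  # category 2: nothing smaller than state
        elif isinstance(value, str):
            out[key], _ = redact_free_text(value)
        else:
            out[key] = value
    return out


def is_deidentified(record: dict[str, Any]) -> bool:
    """Check that a record carries none of the identifier categories handled above."""
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            return False
        if key in DATE_FIELDS and not re.fullmatch(r"\d{4}", str(value)):
            return False
        if key == "address" and isinstance(value, dict) and set(value) - {"state"}:
            return False
        if isinstance(value, str) and any(p.search(value) for p in FREE_TEXT_PATTERNS.values()):
            return False
    return True


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "mrn": "MRN-000123",
    "dob": "1984-03-12",
    "address": {"street": "12 Main St", "city": "Boston", "state": "MA", "zip": "02114"},
    "diagnosis": "Type 2 diabetes",
    "notes": "Pt called from 617-555-0100 on 03/12/2023; email j.doe@example.org; SSN 123-45-6789.",
}

if __name__ == "__main__":
    print(redact_record(SAMPLE_RECORD))
```

The field-name pass is the reliable part; the free-text pass is best-effort, which is why `is_deidentified` is run over the output as a second check rather than trusting the redaction step alone.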


Key Requirements

1. Individual Rights


Individuals have the right to:

  • Access their PHI: Inspect and obtain copies of their health records

  • Request amendments: Request corrections to their health information

  • Accounting of disclosures: Receive a list of disclosures made

  • Request restrictions: Request limits on uses and disclosures

  • Request confidential communications: Choose how and where to receive communications

  • File complaints: Complain about potential Privacy Rule violations


2. Notice of Privacy Practices


  • Covered entities must provide individuals with notice of:

- How PHI may be used and disclosed
- Individual rights regarding PHI
- Entity's legal duties regarding PHI

  • Notice must be provided at first service delivery

  • Healthcare providers must make good faith effort to obtain written acknowledgment


3. Minimum Necessary Standard


  • Covered entities must make reasonable efforts to use, disclose, and request only the minimum PHI necessary to accomplish the intended purpose

  • Exceptions include: treatment purposes, disclosures to the individual, authorized disclosures
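In engineering terms the minimum necessary standard is least privilege applied to data fields: each purpose of a disclosure gets an allow-list, and the exempt purposes (treatment, disclosure to the individual, authorized disclosures) bypass the list. The following is an added example (not code from the original page) of a Python disclosure gate that enforces such a policy and, at the same time, appends an entry to a disclosure log, which is the raw material for the accounting of disclosures individuals may request. The purposes, field names, allow-lists and sample record are constructed for illustration; a real allow-list comes from the covered entity's own analysis of what each role needs.

```python
from enum import Enum
from typing import Any


class Purpose(Enum):
    TREATMENT = "treatment"          # exempt from minimum-necessary limits
    TO_INDIVIDUAL = "to_individual"  # exempt: disclosure to the patient themselves
    AUTHORIZED = "authorized"        # exempt: individual signed an authorization
    PAYMENT = "payment"              # minimum necessary applies
    OPERATIONS = "operations"        # minimum necessary applies


EXEMPT_PURPOSES = {Purpose.TREATMENT, Purpose.TO_INDIVIDUAL, Purpose.AUTHORIZED}

# Hypothetical allow-lists per non-exempt purpose (constructed for this example).
MINIMUM_NECESSARY: dict[Purpose, set[str]] = {
    Purpose.PAYMENT: {"patient_id", "dates_of_service", "procedure_codes",
                      "diagnosis_codes", "charges"},
    Purpose.OPERATIONS: {"patient_id", "dates_of_service", "diagnosis_codes"},
}


def disclose(record: dict[str, Any], purpose: Purpose, recipient: str,
             disclosure_log: list[dict[str, Any]]) -> dict[str, Any]:
    """Release only the fields the stated purpose needs, and log what was released."""
    if purpose in EXEMPT_PURPOSES:
        released = dict(record)
    else:
        try:
            allowed = MINIMUM_NECESSARY[purpose]
        except KeyError:
            # Fail closed: a purpose with no defined policy gets nothing.
            raise ValueError(f"no minimum-necessary policy for {purpose!r}; disclosure denied") from None
        released = {k: v for k, v in record.items() if k in allowed}

    # Log entry feeds the accounting of disclosures: who got what, for which purpose.
    disclosure_log.append({
        "patient_id": record["patient_id"],
        "recipient": recipient,
        "purpose": purpose.value,
        "fields": sorted(released),
        "withheld": sorted(set(record) - set(released)),
    })
    return released


# Constructed sample record; every value is fictitious.
PATIENT = {
    "patient_id": "P-0001",
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "dates_of_service": ["2023-03-12"],
    "procedure_codes": ["99213"],
    "diagnosis_codes": ["E11.9"],
    "charges": 180.00,
    "psychotherapy_notes": "session summary (never released without authorization)",
}

if __name__ == "__main__":
    log: list[dict[str, Any]] = []
    print(disclose(PATIENT, Purpose.PAYMENT, "example-health-plan", log))
    print(log[-1]["withheld"])
```

The important design choice is that an unknown purpose raises instead of releasing everything; a gate that falls open on a policy gap defeats the standard it is meant to enforce.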


4. Uses and Disclosures

Permitted Uses/Disclosures Without Authorization:

  • Treatment, payment, and healthcare operations (TPO)

  • To the individual

  • Incidental disclosures (as byproduct of permitted use/disclosure)

  • Public interest and benefit activities (12 categories including law enforcement, public health)


Requiring Individual Authorization:

  • Marketing purposes

  • Sale of PHI

  • Psychotherapy notes (with limited exceptions)

  • Any use/disclosure not otherwise permitted


5. Administrative Requirements


  • Privacy Official: Designate a privacy official responsible for Privacy Rule compliance

  • Workforce Training: Train all workforce members on privacy policies and procedures

  • Safeguards: Implement administrative, physical, and technical safeguards

  • Complaint Process: Establish procedures for individuals to file complaints

  • Sanctions: Apply sanctions against workforce members who violate privacy policies

  • Mitigation: Mitigate harmful effects of privacy violations

  • No Retaliation: Prohibit retaliation against individuals who exercise their rights or file complaints


6. Business Associate Agreements


  • Written contracts required with business associates that:

- Establish permitted and required uses/disclosures of PHI
- Require appropriate safeguards
- Require business associate to report security incidents and breaches
- Establish termination procedures for contract violations

Penalties and Enforcement

Civil Penalties (Administered by HHS Office for Civil Rights)


  • Tier 1: $100–$50,000 per violation (unknowing)

  • Tier 2: $1,000–$50,000 per violation (reasonable cause)

  • Tier 3: $10,000–$50,000 per violation (willful neglect, corrected)

  • Tier 4: $50,000 per violation (willful neglect, not corrected)

  • Annual maximum: $1.5 million per identical violation type


Criminal Penalties (Administered by Department of Justice)


  • Tier 1: Up to $50,000 and 1 year in prison (unknowing)

  • Tier 2: Up to $100,000 and 5 years in prison (false pretenses)

  • Tier 3: Up to $250,000 and 10 years in prison (intent to sell/transfer/use for commercial advantage, personal gain, or malicious harm)


Massachusetts Considerations

Massachusetts healthcare entities must comply with both HIPAA and state law:

  • M.G.L. c. 111, Section 70: Massachusetts patient confidentiality law

  • M.G.L. c. 112, Section 12CC: Mental health records confidentiality

  • 201 CMR 17.00: Massachusetts data security regulation applies to PHI

  • When state and federal law conflict, the more stringent requirement applies


Compliance Steps

  1. Conduct Privacy Risk Assessment

- Identify all PHI in your organization
- Document PHI flows and disclosures
- Assess current privacy practices

  2. Develop Privacy Policies and Procedures

- Create comprehensive privacy policies
- Establish procedures for handling PHI
- Document business associate relationships

  3. Implement Administrative Requirements

- Designate Privacy Official
- Train workforce
- Establish complaint procedures

  4. Create Notice of Privacy Practices

- Draft compliant notice
- Establish distribution procedures
- Obtain acknowledgments

  5. Execute Business Associate Agreements

- Identify all business associates
- Execute BAAs with all business associates
- Monitor business associate compliance

  6. Establish Individual Rights Procedures

- Procedures for access requests
- Amendment request procedures
- Accounting of disclosures tracking

  7. Ongoing Compliance

- Regular privacy training
- Periodic risk assessments
- Policy and procedure updates
- Documentation and record retention

Applicable Industries

Healthcare, Health Insurance, Healthcare Clearinghouses, Research

Company Size

All company sizes

Effective Date

4/14/2003

Penalties for Non-Compliance

Civil penalties: $100–$50,000 per violation (up to $1.5M annually). Criminal penalties: up to $250,000 and 10 years imprisonment.

For Massachusetts Companies

This is a mandatory federal framework that applies to Massachusetts companies in applicable industries. Non-compliance can result in significant penalties.

Applicable Massachusetts Industries