
Privacy Overview: What is the HIPAA Privacy Rule?

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


Introduction

This article discusses the HIPAA Privacy Rule. The HIPAA Privacy Rule applies to covered entities, prohibits unauthorized uses and disclosures of PHI, and grants patients certain rights with respect to their PHI.


What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule contains a series of measures that covered entities must comply with to protect individuals' protected health information (PHI). The rule also requires covered entities, in appropriate circumstances, to grant patient requests to access and amend their PHI, to grant patient requests for an accounting of disclosures of their PHI, and to honor patient requests for privacy protections for their PHI.


What is the Structure of the HIPAA Privacy Rule?

The Privacy Rule is designed to protect the privacy of individuals’ protected health information (PHI) from unauthorized or impermissible use or disclosure. To achieve this purpose, the Privacy Rule:

  1. Prescribes administrative, technical, and physical safeguards to protect the privacy of protected health information. 

  2. Regulates how protected health information may be used or disclosed. The rule sets forth three types of uses and disclosures: (a) uses and disclosures that are required by law; (b) uses and disclosures that are prohibited by law; and (c) uses and disclosures that are permitted by law.

     Within the category of uses and disclosures of PHI that are permitted by law, there are three sub-categories:
       i.   Uses and disclosures requiring written patient authorization.
       ii.  Uses and disclosures requiring an opportunity for the individual to agree or object to the use or disclosure.
       iii. Uses and disclosures for which neither an authorization nor an opportunity to agree or object is required.


Who is Subject to the Privacy Rule?

The Privacy Rule regulates covered entities. Covered entities are defined in the HIPAA rules as:

  1. Healthcare providers that electronically transmit any health information in connection with a HIPAA-covered transaction. A HIPAA-covered transaction is a transaction involving the transmission of information, between two parties, to carry out financial or administrative activities related to health care.

  2. Health plans.

  3. Healthcare clearinghouses. 

The Privacy Rule also regulates business associates, to the extent that they perform Privacy Rule functions on behalf of covered entities.


What Information Does the Privacy Rule Regulate?

The Privacy Rule regulates the use and disclosure of protected health information (PHI). PHI is a subset of individually identifiable health information.

What is Individually Identifiable Health Information?

Individually identifiable health information (IIHI) is a subset of health information, including demographic information collected from an individual, that:

  1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

  2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
       i.  Identifies the individual; or
       ii. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.


Protected health information, in turn, is individually identifiable health information that is:

  1. Transmitted by electronic media;

  2. Maintained in electronic media; or

  3. Transmitted or maintained in any other form or medium.

Under HIPAA, protected health information (PHI) is any piece of information in an individual’s medical record that is created, used, or disclosed during the course of diagnosis or treatment and that can be used to uniquely identify the individual. A piece of information that can be used to uniquely identify a patient is called an “identifier.”

The Privacy Rule lists 18 identifiers that qualify as PHI. These include:

  1. Name

  2. Address 

  3. Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89.

  4. Telephone number

  5. Fax number

  6. Email address

  7. Social Security number