This is a sample from the lesson

HIPAA 1: Privacy Overview

HIPAA Rules and Regulations Privacy Overview

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Secretary of HHS to publish national standards for the security of electronic protected health information (e-PHI), electronic exchange, and the privacy and security of health information.

To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.

The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form.

The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI).

Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

Included in this lesson is a description of the three categories of organizations to which HIPAA laws and rules apply: Covered Entities and their Workforce, Business Associates, and Sub-Contractors and Agents. The last category also includes the support staff of Business Associates.

This lesson is divided into four parts:

The HIPAA Privacy Rule Summary

HIPAA Privacy Standards and The Sample Business Associate Contract

HIPAA Privacy Rule Frequently Asked Questions

The HIPAA Security Rule and Security FAQ

Who do HIPAA rules apply to?

Covered Entities are required to follow HIPAA laws and regulations. An example of a covered entity is an insurance company or hospital. A more detailed description of covered entities is provided later in the lesson.

Attorneys fall into the category of Business Associates for the purposes of HIPAA regulations. A business associate is someone who is required to have a Business Associate Contract with a Covered Entity.

While court reporters are not generally considered to be a Business Associate of a Covered Entity, the attorneys they work for are required to have a Business Associate Contract. This is because the court reporter is an agent or sub-contractor of the Attorney Business Associate.

The Attorney Business Associate is required [to sign?] HIPAA’s recommended Business Associate Contract with the Covered Entity to ensure the Court Reporter is in compliance with HIPAA regulations.

If the court reporter has a contract directly with a Covered Entity, they may be considered a Business Associate.

HIPAA Privacy Rules Summary

This information is from the following website:

Your Health Information Is Protected By Federal Law

Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral. The Security Rule, a Federal law that protects health information in electronic form, requires entities covered by HIPAA to ensure that electronic protected health information is secure.

Who Must Follow These Laws

We call the entities that must follow the HIPAA regulations “covered entities.”

Covered entities include:

Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.

Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.

Health Care Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

Who Is Not Required to Follow These Laws

Many organizations that have health information about you do not have to follow these laws.

Examples of organizations that do not have to follow the Privacy and Security Rules include:

life insurers,
workers compensation carriers,

many schools and school districts,

many state agencies like child protective service agencies,

many law enforcement agencies,

many municipal offices.

What Information Is Protected

Information your doctors, nurses, and other health care providers put in your medical record

Conversations your doctor has about your care or treatment with nurses and others

Information about you in your health insurer’s computer system

Billing information about you at your clinic.