Passed by Congress in 1996, the Health Insurance Portability and Accountability Act is designed to protect the privacy of healthcare patients. It consists of several Rules that healthcare providers must follow in order to remain compliant. If a provider is found in violation of one or more HIPAA Rules, it could face fines or other penalties by the Office for Civil Rights (OCR). Today, we're going to focus on the HIPAA Privacy Rule, revealing whom exactly it affects and how.
The Basics of HIPAA Privacy Rule
The Privacy Rule lives up to its name by consisting of national standards that aim to protect patients' medical records and personally identifiable health data from unauthorized use or disclosure. Among other things, it requires covered entities, such as doctors and hospitals, to implement meaningful and appropriate safeguards. The HIPAA Privacy Rule also grants patients certain rights with regard to their health information, such as the right to obtain a copy of their health records on request, or to have the information corrected when it is erroneous.
Who is Required to Follow the HIPAA Privacy Rule?
When HIPAA was created nearly a decade ago, Congress defined three separate entities who must comply with the HIPAA Privacy Rule and its respective standards. Referred to collectively as “covered entities,” they consist of the following:
- Health plans
- Health care clearinghouses
- Health care providers who use, store and/or transmit Electronic Protected Health Information (EPHI).
In other words, medical practitioners and health insurance companies are generally required to comply with the HIPAA Privacy Rule. Assuming they are classified as a “covered entity,” the practice must abide by the nuances of the HIPAA Privacy Rule, or it could face a fine or penalty should the OCR find the practice in violation of HIPAA.
While the three aforementioned entities are required to comply with the HIPAA Privacy Rule, the Rule offers protection to all patients and customers served by these entities, assuming PHI is involved.
There are times, however, when other entities may be required to follow the HIPAA Privacy Rule, such as in the case of Business Associates. If a covered entity outsources some of its operations to a third-party company, and that third-party company has access to PHI, the covered entity must create a Business Associate Agreement (BAA) that defines what type of PHI will be accessed by the company and how it will be used.