If you perform healthcare services in the United States, you'll need to comply with the Health Insurance Portability and Accountability Act (HIPAA). Originally passed by Congress in 1996, HIPAA is designed to protect the privacy of healthcare patients by requiring doctors, surgeons, nurses, chiropractors, dentists and other covered entities to follow certain guidelines when conducting business. Among these guidelines is the Privacy Rule, which we're going to discuss in greater detail today.
Must Disclose PHI to Patient Upon Request
Although rare, some patients may want to access their own PHI. As per the HIPAA Privacy Rule, covered entities must disclose Protected Health Information (PHI) to the patient within 30 days of the request. Failure to satisfy a patient's request for PHI could be viewed as a HIPAA violation, which of course is something that you'll want to avoid.
Right to Have Inaccurate PHI Corrected
One of the reasons why the Privacy Rule allows patients to access their own PHI is so they can ensure the information is correct. In addition, the Privacy Rule grants healthcare patients the right to have inaccurate PHI corrected. If patients discover that their information is incorrect, they can request that the covered entity correct it.
Notification of How PHI is Being Used
The Privacy Rule requires covered entities to notify patients about the way in which their PHI is being used. If a doctor is using the patient's PHI to diagnose a disease or condition, for instance, the patient must be notified.
Privacy Rule Violations can be Reported to the OCR
Anyone, including healthcare practitioners, patients or the general public, can file a complaint with the Office for Civil Rights (OCR) if they believe a covered entity is not complying with the Privacy Rule.
Must Designate Privacy Officer
Whether you operate a small family-care practice or a major hospital, you are required, like every covered entity, to designate a Privacy Officer. The Privacy Officer is responsible for ensuring that the practice and its workforce comply with the HIPAA Privacy Rule. Covered entities must also designate a Security Officer, who is responsible for compliance with the HIPAA Security Rule. A single worker can act as both the Privacy Officer and the Security Officer.
Exceptions for Disclosing PHI
The Privacy Rule also includes exceptions under which a covered entity may disclose a patient's PHI without his or her authorization. For instance, a covered entity may disclose PHI to law enforcement in response to court orders, warrants or subpoenas, or in cases involving child abuse.