- HIPAA Privacy Rule
- Covered Entities
- Permitted Uses and Disclosures
- HIPAA Security Rule
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.
HIPAA Privacy Rule
The Privacy Rule standards address the use and disclosure of individuals’ health information (known as protected health information or PHI) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.”
The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to make sure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality healthcare, and to protect the public’s health and well-being. The Privacy Rule permits important uses of information while protecting the privacy of people who seek care and healing.
The following types of individuals and organizations are subject to the Privacy Rule and considered covered entities:
- Healthcare providers: Every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions. These transactions include:
- Benefit eligibility inquiries
- Referral authorization requests
- Other transactions for which HHS has established standards under the HIPAA Transactions Rule.
- Health plans:
Health plans include:
- Health, dental, vision, and prescription drug insurers
- Health maintenance organizations (HMOs)
- Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers
- Long-term care insurers (excluding nursing home fixed-indemnity policies)
- Employer-sponsored group health plans
- Government- and church-sponsored health plans
- Multi-employer health plans
Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.
- Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.
- Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include:
- Claims processing
- Data analysis
- Utilization review
Permitted Uses and Disclosures
The law permits, but does not require, a covered entity to use and disclose PHI, without an individual’s authorization, for the following purposes or situations:
- Disclosure to the individual (if the information is required for access or accounting of disclosures, the entity MUST disclose to the individual)
- Treatment, payment, and healthcare operations
- Opportunity to agree or object to the disclosure of PHI
- An entity can obtain informal permission by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object
- Incident to an otherwise permitted use and disclosure
- Limited dataset for research, public health, or healthcare operations
- Public interest and benefit activities—The Privacy Rule permits use and disclosure of PHI, without an individual’s authorization or permission, for 12 national priority purposes:
- When required by law
- Public health activities
- Victims of abuse or neglect or domestic violence
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement
- Functions (such as identification) concerning deceased persons
- Cadaveric organ, eye, or tissue donation
- Research, under certain conditions
- To prevent or lessen a serious threat to health or safety
- Essential government functions
- Workers’ compensation
HIPAA Security Rule
While the HIPAA Privacy Rule safeguards PHI, the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called electronic protected health information, or e-PHI. The Security Rule does not apply to PHI transmitted orally or in writing.
To comply with the HIPAA Security Rule, all covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI
- Detect and safeguard against anticipated threats to the security of the information
- Protect against anticipated impermissible uses or disclosures that are not allowed by the rule
- Certify compliance by their workforce
Covered entities should rely on professional ethics and best judgment when considering requests for these permissive uses and disclosures. The HHS Office for Civil Rights enforces HIPAA rules, and all complaints should be reported to that office. HIPAA violations may result in civil monetary or criminal penalties.
For more information, visit HHS’s HIPAA website.