Learn the answers to some of the most frequently asked questions about privacy in healthcare, including questions about HIPAA, PHI and more.
Does the United States have a National Privacy Law?
The United States does not currently have a national privacy law. Rather, the federal government, states and cities have passed and implemented a variety of privacy laws. In addition to the Health Insurance Portability and Accountability Act (HIPAA), U.S. laws that protect an individual’s information include:
- The Fair Credit Reporting Act
- The Gramm-Leach-Bliley Act
- The Federal Trade Commission Act Section 5
- And several others
As of March 2023, states including California, Colorado, Connecticut, Utah and Virginia have enacted comprehensive privacy laws. Further, data breach notification laws vary in each state. and Virginia have enacted comprehensive privacy laws. Further, data breach notification laws vary in each state.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law, Public Law 104-191, which includes Administrative Simplification provisions requiring the Department of Health and Human Services (HHS) to adopt national standards for electronic health transactions and code sets, unique health identifiers, and security.
In addition, HIPAA requires the adoption of federal privacy protections for individually identifiable health information. HIPAA includes the Privacy Rule, Security Rule and Enforcement Rule.
Who is required to comply with HIPAA?
Covered entities, including health plans, healthcare clearinghouses, and any healthcare provider who transmits health information electronically in connection with transactions for which HHS has adopted a standard, are required to comply with HIPAA.
If a covered entity engages a business associate to help carry out its healthcare activities and functions, it must have a written business associate contract or another arrangement with the business associate. Business associates must comply with these contractual obligations and are directly liable for compliance with certain provisions of the HIPAA Rules. standard are required to comply with HIPAA. If a covered entity engages a business associate to help carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate. Business associates must comply with these contractual obligations and are directly liable for compliance with certain provisions of the HIPAA Rules.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule creates national standards to protect individuals’ medical records and other personal health information. The Privacy Rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of information without an individual’s authorization. The Privacy Rule also contains standards for individuals’ rights over their protected health information.
What is Protected Health Information?
Protected Health Information (PHI) is individually identifiable health information held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper, or oral.
Individually identifiable health information is information, including demographic data, that relates to: the individual’s past, present or future physical or mental health or condition, the provision of healthcare to the individual, or the past, present, or future payment for the provision of healthcare to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Examples of common identifiers include birth date, name, and address.
What rights do individuals have under the HIPAA Privacy Rule?
Under the HIPAA Privacy Rule, individuals have a right to receive notice of a covered entity’s privacy practices, which describe ways that the covered entity may use and disclose protected health information. In addition, individuals have the right to:
- Review and obtain a copy of their PHI in a covered entity’s designated record set.
- Have covered entities amend their PHI in a designated record set when that information is inaccurate or incomplete.
- An accounting of the disclosures of their PHI by a covered entity or the covered entity’s business associates.
- Request that a covered entity restrict the use or disclosure of PHI for treatment, payment or healthcare operations, disclosure to persons involved in the individual’s health
- Request an alternative means or location for receiving communications of PHI.
How can entities covered by HIPAA Privacy Rule use and disclose Protected Health Information?
Covered entities are required to disclose Protected Health Information (PHI) in two situations, including:
- to individuals (or their personal representatives) when they request access to, or an accounting of disclosures of, their PHI
- to HHS for the purposes of a compliance investigation or review, or enforcement action
Covered entities are permitted, but not required, to use and disclose PHI, without an individual’s authorization, for the below purposes. Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.
- To the Individual (unless required for access or accounting of disclosures)
- Treatment, Payment, and Healthcare Operations
- Opportunity to Agree or Object
- Incident to an otherwise permitted use and disclosure
- Public Interest and Benefit Activities
- Limited Data Set for research, public health or health
Covered entities must obtain the individual’s written authorization for any use or disclosure of PHI that is not for treatment, payment, healthcare operations or otherwise permitted or required by the Privacy Rule.
How is HIPAA Enforced?
The Office for Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules by investigating complaints, conducting compliance reviews, and performing education and outreach. In addition, OCR works with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA.