Learn More About the HIPAA Privacy Rule

Not only does the Health Insurance Portability and Accountability Act (HIPAA) protect workers and their families by requiring employers to limit preexisting medical condition exclusions, but it has also set the Privacy Rule in place to protect electronically stored patient healthcare information.

History of the Privacy Rule

Congress determined that, because of problems with breaches of privacy, widespread electronic transmission of health information would jeopardize patient privacy. Therefore, Congress left the task of developing privacy standards to the U.S. Health and Human Services Department (HHS). The HHS enacted the HIPAA Privacy Rule in 2001, which regulates covered entities’ use and disclosure of Protected Health Information (PHI), a term that broadly includes any oral or recorded information regarding the health status, health records, and payment history of an individual.

Regulations on Covered Entities

Covered Entities include health care providers that conduct health care transactions electronically, health plans, and health care clearinghouses. Doctors, nurses, and health care providers are not the only entities that must comply with the HIPAA Privacy Rule. Employers who sponsor health plans for their employees must also abide by the Privacy Rule. A covered entity may disclose the following information after providing notice to individuals:

  • PHI to law enforcement officials for court orders, subpoenas, and other law enforcement purposes as required by law.

  • PHI to expedite payment or treatment without a patient’s written authorization.

A covered entity may NOT disclose any other PHI without a patient’s written authorization. When a covered entity does disclose PHI, it must make sure that it discloses the minimum necessary information and make a reasonable effort to ensure the confidentiality of communications with individuals.

What Individuals Can Do

The HIPAA Privacy Rule granted individuals the right to request that a covered entity correct inaccurate PHI. If a covered entity disclosed PHI without written authorization from the individual, or the individual feels that the Privacy Rule standards are not being upheld by a certain covered entity, the individual may file a complaint with the HHS Office for Civil Rights.