What Information is Protected by the HIPAA Privacy Rule?
Any individually identifiable health information relating to an individual's past, present, or future physical or mental condition, treatment for the condition, or payment for the treatment is protected by the HIPAA Privacy Rule, along with individually identifiable non-health information maintained in the same "designated record set". Information maintained in a designated record set is known as Protected Health Information, even though elements of the set may not contain health information.
This definition of what information is protected by the HIPAA Privacy Rule can cause confusion because some sources claim that all information relating to an individual is protected – and that is not always the case. Individually identifiable health information and any other information that identifies – or that could be used to identify – the subject of the health information (known as an “identifier”) is protected only while it is maintained in a designated record set.
Whenever identifiers are maintained separately from individually identifiable health information, they are no longer Protected Health Information and the protections of the HIPAA Privacy Rule no longer apply. As an example, if a designated record set includes a patient's diagnosis, their home telephone number, the name of their partner, and their healthcare payment details, all four elements of information are protected while they are maintained in the same designated record set.
However, if a separate record set is created containing a copy of the home telephone number and partner's name (perhaps to provide the partner with an update on the patient's health), these elements are not protected by the HIPAA Privacy Rule because there is no health information included in the record set. It is important to be aware that in such circumstances, although the HIPAA Rules do not apply, state privacy and security rules may.
How is Information Protected by the HIPAA Privacy Regulations?
The HIPAA Privacy Regulations – or "standards" – protect information by stipulating when uses and disclosures of Protected Health Information are required, permitted, or subject to an individual's authorization. There are only two occasions when uses and disclosures are required – when an individual exercises their access rights and when access is required by HHS' Office for Civil Rights for an investigation or compliance review. Both of these events are discussed in greater detail later.
Permissible uses and disclosures include those necessary to carry out treatment, payment, or health care operations, those required by law or for public health activities, and those necessary to avert a serious threat to health or safety. However, among the disclosures permitted by HIPAA, there are some that are required by state laws – for example, disclosures to report abuse, neglect, or domestic abuse. Some “permissible” disclosures may also be “required” during emergency incidents.
Other than the uses and disclosures required or permitted by the HIPAA Privacy Regulations – and some for which the individual should be given an opportunity to object when feasible – all other uses and disclosures of Protected Health Information are prohibited unless they are authorized by the individual who is the subject of the Protected Health Information or their personal representative. Such uses and disclosures include uses for marketing and disclosures of psychotherapy notes.
Authorizations have to be written in clear language and explain to the individual what Protected Health Information is being used or disclosed, to whom, and for what purpose. If the Covered Entity is receiving remuneration for the use or disclosure, this has to be included in the authorization, as does a warning that the Covered Entity may have no control over further disclosures of the Protected Health Information if – for example – it is published on a social media platform.
How do the HIPAA Privacy Standards Ensure Individuals' Rights?
The HIPAA Privacy Standards ensure individuals' rights by first requiring covered health plans and healthcare providers to give a Notice of Privacy Practices to new patients or plan members on the "first encounter" whenever possible or as soon as reasonable afterwards. The Notice must describe the ways in which the Covered Entity may use or disclose Protected Health Information and describe how individuals can exercise their rights to access copies of their Protected Health Information.
The right to access copies of Protected Health Information is the “required” disclosure mentioned above, but it is important for individuals to understand they are only able to access information maintained in a designated record set. It is also important to understand that complying with an access request may take some time when multiple designated record sets are maintained per individual, or when Protected Health Information is in the possession of a Business Associate.
Once an individual has received a copy of their Protected Health Information, the HIPAA Privacy Standards allow them to request corrections to the information if it is inaccurate or incomplete. Individuals can also request that information be transferred to another provider, or that specific information be withheld from certain organizations. For example, if a patient has paid for treatment privately, they have the right to request that this information be withheld from their insurer.
Additionally, individuals have the right to request an accounting of disclosures. This document should contain a list of the times when Protected Health Information has been disclosed for reasons other than those permitted by the HIPAA Privacy Regulations or authorized by the individual themselves. Individuals have the right to query any entry on the accounting of disclosures and, if not satisfied with the response, make a complaint about their privacy rights being violated.
What Happens if You Violate HIPAA Regulations?
The violation of privacy rights is one of the leading reasons for complaints to HHS' Office for Civil Rights; and when a complaint is received by the agency, it has to be reviewed and investigated if it appears there has been a violation of HIPAA regulations. When HHS' Office for Civil Rights conducts an investigation, a Covered Entity must disclose whatever Protected Health Information is necessary – as mentioned previously in the section explaining how information is protected.
Most violations of HIPAA regulations are resolved by technical assistance or a corrective action plan. This means that the Covered Entity or Business Associate may have to develop and implement new policies and procedures to resolve the issue responsible for the violation of the HIPAA regulations. The organization may then have to train its workforce on the new policies and procedures and – depending on the scale of the violation(s) – undergo a period of compliance monitoring.
In cases where there has been a willful neglect of the HIPAA regulations, HHS' Office for Civil Rights has the authority to impose civil monetary penalties on noncompliant organizations. Historically, financial settlements and civil monetary penalties have been reserved for the worst offenders following large-scale data breaches. However, in recent years, the agency has pursued a campaign to address violations of the HIPAA regulations that deny individuals their Privacy Rule rights.
As a member of the Medical Community since 1985, I have kept my integrity and will continue to do so! Please practice Safely! Have fun, be wild but remember, our Right to Privacy is a Sacred Promise that has been violated for many individuals. It is a crime how a violation of someone's Sacred Space and Privacy creates social injustice. Be Well! Be Vital! Be REAL and honor each other!
