The Privacy Rule defines the administrative requirements of HIPAA. It’s easiest to think of the Privacy Rule as the “what” of HIPAA.
Covered entities (care providers, insurance companies and clearinghouses) and business associates (3rd parties that support covered entities.
Protected health information (PHI), or the data covered under HIPAA.
Covered entities must disclose PHI in two situations - 1) to the individual (or their authorized representative) and 2) to HHS for the purpose of an investigation.
In addition to the above 2 required disclosures, PHI can be disclosed for the following explicit reasons:
Delivery of care and payment for care are self-explanatory. “Healthcare operations”, on the other hand, is a general bucket allowing for interpretation and sometimes abuse of PHI. “Healthcare operations” includes business functions, fundraising, fraud prevention, case management, de-identification, and for improving activities of covered entities. Recently, these generic uses of PHI have been used to allow for mass data sharing for data analytics (ML and AI).
PHI should only be collected and accessed in the minimum necessary way for the covered entity to carry out its functions.
HIPAA requires that all workforce members (employees, consultants, volunteers) receive training about HIPAA and the policies and procedures of the organization.
A privacy official must be appointed to be responsible for creating and maintaining privacy policies and procedures.
Policies and procedures must be created and ensure alignment with HIPAA requirements.
Violations under HIPAA are $100-$50,000 per violation, with an annual cap of $1.5M.
Covered entities must provide customers with clear notice about the types of data collected, the use of the data being collected, the individual’s rights in terms of the data, and a point of contact information related to individual data. This is similar to what newer regulations, such as GDPR and CCPA, require in terms of data subject requests, data usage, and disclosures.
There’s more to the Privacy Rule but those details are only relevant if you are a healthcare compliance attorney or Privacy Officer for a covered entity or business associate.
The Privacy Rule provides the definitions for HIPAA and the first step towards a compliance program.