The HIPAA Privacy rule, along with the Security, Breach Notification, and Omnibus rules detail how covered entities should properly use and disclose protected health information.

Since HIPAA’s central purpose is to protect the privacy and security of a patient's personal health information. the Privacy Rule is one of the most commonly discussed.

Navigating this rule can be tricky, especially when it comes to understanding what it covers and what’s considered a violation. To. help, this post explains everything you need to know about the HIPAA Privacy Rule. 

Summary of HIPAA Privacy Rule

To start, here is a short and sweet HIPAA Privacy Rule summary: 

• HIPAA Privacy Rule definition: The Privacy Rule regulates the use and disclosure of protected health information (PHI). 
• What does the HIPAA Privacy Rule do?: Requires covered entities to establish privacy practices that safeguard PHI. It also gives patients greater control over who can access and share their health records. 
• When the HIPAA Privacy Rule went into effect: April 14, 2003
• HIPAA Privacy Rules are enforced by: U.S. Department of Health and Human Services Office of Civil Rights; State Attorneys General, Centers for Medicare and Medicaid Services (CMS) 

What is the HIPAA Privacy Rule?

HIPAA legislation was passed in 1996 to address key issues with the US healthcare system. Also known as the Health Insurance Portability and Accountability Act of 1996, it was designed to make healthcare more accessible, efficient, and secure. 

HIPAA includes a set of national standards to help healthcare organizations and their business associates protect the privacy and security of patient data. One of those rules is the Privacy Rule. 

What is the purpose of the HIPAA Privacy Rule? To protect (you guessed it) patient privacy. 

The HIPAA Privacy Rule is a federal law that gives patients individual rights over their protected health information and limits who can access and disclose PHI. It’s designed to ensure that organizations take the proper steps to secure health information while allowing that information to be shared in a way that promotes high-quality healthcare.

Who must comply with the HIPAA Privacy Rule?

The HIPAA Privacy Rule applies to any entity that has access to patient information that, if compromised, could harm a patient’s finances or reputation or result in fraud. 

That means the HIPAA privacy rule applies to all of the following: 

• Healthcare providers
• Health insurance companies and employer-sponsored health plans
• Healthcare clearinghouses
• Third-party medical service providers (Business Associates)

What are the HIPAA Privacy Rule exceptions?

Under very specific circumstances, the HIPAA Privacy Rule does allow covered entities to use and/or disclose health information without a patient’s authorization. Typically these situations involve either a healthcare provider’s treatment, payment, and healthcare operations (TPO) or the public interest. 

For example:

• Healthcare regulations and licensing 
• Public health (such as reporting to a state health department or the CDC) 
• Medical research
• Workers compensation 
• Legal proceedings and law enforcement
• Inform next of kin, identify a body or determine cause of death, or for a medical examiner/coroner

Even in these situations, disclosures must be documented in an Accounting of Disclosures log. 

Who enforces the HIPAA Privacy Rule?

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is the main enforcer of the HIPAA Security Rule and Privacy Rule. State attorneys general and the Centers for Medicare and Medicaid Services (CMS) also have some authority to enforce HIPAA rules, although they do so less commonly. 

OCR investigates complaints, conducts compliance reviews, and educates covered entities about compliance requirements. It also investigates any data breaches that affect 500+ people as well as organizations that have had multiple smaller breaches. 

If organizations don’t resolve HIPAA violations voluntarily, OCR may pursue legal action and/or issue a fine. Violations range in severity based on the level of noncompliance and willful neglect shown by the organization. 

Was the organization aware of the issue? Could they have prevented it from happening? Did they take steps to correct it? 

Fines vary from $100-$50k+ per violation, maxing out at $1.5M per violation, per year. 

Download: HIPAA Privacy Rule Fact Sheet

Keep track of the essential details of the HIPAA Privacy Rule with this downloadable fact sheet. It’s an easy way to reference what the rule covers, who it applies to, its exceptions, and criminal penalties for violations. 

What are the HIPAA Privacy Rule requirements?

The Privacy Rule establishes a set of requirements for HIPAA covered entities to protect PHI. Let's take a look at how it defines what kind of patient health information should be protected first, then look at how it regulates the use and disclosure of this information.

What does the HIPAA Privacy Rule say about PHI?

PHI extends beyond individually identifiable health information like medical diagnoses and procedures to include personally identifiable information like addresses, social security numbers, credit card information, and even electronic signatures.

The Privacy Rule details 18 identifiers that indicate protected information:

• Names
• Dates, except year
• Telephone numbers
• Geographic data
• Fax numbers
• Social Security numbers
• Email addresses
• Medical record numbers
• Account numbers
• Health plan beneficiary numbers
• Certificate/license numbers
• Vehicle identifiers, including license plates
• Web URLs
• Device identifiers and serial numbers
• IP addresses
• Full face photos and comparable images
• Biometric identifiers (i.e., retinal scan, fingerprints)
• Any unique identifying number or code

Videos and images containing PHI are also protected by the Privacy Rule, as is PHI that’s stored electronically. 

For example, say a healthcare provider has a digital photograph of a patient’s wound, and their identity could be determined by a tattoo that’s visible in the photograph. That image is protected by the Privacy Rule. 

Permitted Uses and Disclosure of PHI

The law permits a covered entity to use and disclose PHI, without an individual's authorization, for specific situations. These situations are:

• Disclosure to the individual
• Treatment, payment, and healthcare operations
• Opportunity to agree or object to the disclosure of PHI
• Incident to an otherwise permitted use and disclosure
• Limited dataset for research, public health, or healthcare operations
• Public interest and benefit activities

Public interest and benefit activities fall under 12 national priority purposes, including:

• Required by law
• Public health activities
• Victims of abuse or neglect or domestic violence
• Health oversight activities
• Judicial and administrative proceedings
• Law enforcement
• Functions (such as identification) concerning deceased persons
• Cadaveric organ, eye, or tissue donation
• Research, under certain conditions
• To prevent or lessen a serious threat to health or safety
• Essential government functions
• Workers' compensation

Time to test your knowledge. Given these permitted uses and disclosures outlined above, can PHI be disclosed to a third-party without patient authorization? Under the Privacy Rule, PHI can only be disclosed to a third-party with patient authorization, unless directly related to healthcare treatment, payment, or operations. 

By limiting the use and disclosure of PHI to the circumstances above, the HIPAA Privacy Rule is designed to allow the flow of health information needed to provide and promote high quality health care while protecting the privacy of people seeking that care. With this rule, individuals are able to seek health care from, or share important information with, their health care providers without fear of their sensitive information being disclosed outside of their relationship with their health care provider. Protecting privacy in this way promotes trust between health care providers and individuals, which ultimately advances access to and improving the quality of health care.

It's important to note that the HHS generally has applied the same privacy standards to nearly all PHI, regardless of the type of health care at issue, including most recently reproductive health care.

Verify and maintain HIPAA compliance with Secureframe

To help your organization achieve HIPAA compliance, consider security and compliance software. Secureframe’s platform and team of HIPAA compliance experts can help streamline HIPAA audits, keep you compliant, protect you from potential HIPAA violation fines, and speed up time-to-compliance with other frameworks like SOC 2.

Learn more by scheduling a demo with one of our product experts.