
HIPAA Compliance in 2015, Part III: How Does My Organization Comply with the Privacy Rule?

This post is the third in a four-part series. We kicked things off with Part I: Why Does My Organization Need to Become HIPAA-Compliant?, and then moved to Part II: How Does My Organization Comply With the Security Rule? If you read those posts, then you know how important HIPAA compliance is to the life of your company, and how to tackle Security Rule requirements. The following article will discuss what the HIPAA Privacy Rule is, what it mandates, and how to comply with it.

HIPAA’s Privacy Rule

Unlike the Security Rule, which focuses on protecting electronic Protected Health Information (ePHI), the Privacy Rule is concerned with an entity’s use and disclosure of individuals’ health data. In other words, the Privacy Rule seeks to keep your PHI private and requires people who have access to your PHI to act in very specific ways to ensure your health information remains private.

More specifically, the Privacy Rule states what PHI disclosures are required, permitted, authorized, or prohibited.

Required Use and Disclosure

Covered entities must disclose PHI:

  1. Upon request from the subject individual.
  2. When required to do so by HHS.

Business Associates must disclose PHI:

  1. To a covered entity or subject individual upon request.
  2. When required to do so by HHS.

So, basically, disclosure of an individual’s PHI is mandatory if requested by either the individual to whom the PHI relates or the government.

Permitted Use and Disclosure

Covered entities are permitted to disclose PHI in the following instances. “Permitted” means that the entity is not legally obligated to disclose, but it can choose to without obtaining the subject individual’s consent.

  1. To the subject individual.
  2. For treatment, payment or healthcare operations purposes. This means disclosure can be made to other health care providers during the course of a patient’s treatment; to determine the amount payable for the medical services rendered; and for administrative healthcare operations and quality control.
  3. Subject to the opportunity to agree or object. An example of this would be informal permission of a patient to have their contact information listed in a facility directory.
  4. As a result of incidental use or disclosure. An example of this would be someone seeing another patient’s name on a sign-in sheet or in a stack of to-be-filed medical records.
  5. In the interests of public health. Disclosure of PHI is permitted if made (1) as required by law; (2) to authorized public health authorities; (3) to government entities for purposes related to abuse victims; (4) to a health oversight agency; (5) in the course of legal proceedings; (6) pursuant to law enforcement activities; (7) as it relates to decedents; (8) to facilitate the donation of organs, eyes, or tissues; (9) pursuant to specific research needs; (10) if there’s a belief that disclosure can prevent a serious threat to health or safety; (11) in accordance with essential government functions; and (12) as authorized by workers’ compensation laws.
  6. Limited data set. A limited data set is health information from which specified identifiers have been removed. Limited data sets can be used for research, healthcare operations, and public health purposes.

Business Associates are permitted to disclose PHI in accordance with the provisions of their Business Associate Agreements. A Business Associate cannot disclose any PHI that, if the Business Associate were a covered entity, would violate the above.

Authorized Use and Disclosure

In addition to those uses and disclosures that are required and permitted, covered entities can also make authorized disclosures of PHI. These uses and disclosures can be made only if the subject individual gives explicit written consent allowing such use and/or disclosure. Examples of instances that require authorization are use of psychotherapy notes, use of PHI for marketing purposes and selling an individual’s PHI. The Privacy Rule also sets forth detailed requirements that dictate the elements and content of the notice to the individual.

Prohibited Uses

In a few situations, use or disclosure of PHI is prohibited. These include using PHI that contains genetic information for insurance underwriting purposes and selling individuals’ PHI (unless the individual explicitly agrees to the sale).

Minimum Necessary Standard

The Privacy Rule also mandates the use of the minimum necessary standard. The law states, “When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

This overarching standard essentially means that when collecting, using, and disclosing PHI, Covered Entities and their Business Associates should use only the pieces of data they need, and nothing more. For example, an organization shouldn’t need to collect someone’s social security number if its only inquiry is with regard to medical treatment.

How Does My Organization Implement and Follow the Privacy Rule?

Compliance with HIPAA’s Privacy Rule hinges on personnel training and awareness. The people handling PHI need to know what they can and can’t do with it. As an initial matter, an organization needs to determine whether it handles PHI, and if so, which divisions, departments, or personnel do that handling or could otherwise come into contact with PHI.

From there, comprehensive policies and procedures must be created and implemented that combine the requirements of the Privacy Rule with the specific business purposes of the organization. Training of the necessary personnel, including management, would be the next big step. The truth is that the Privacy Rule contains much more compliance information than is discussed above. This information must be evaluated on a case-by-case basis, according to the specific environment and business mission of your organization — which is why a full-blown analysis of the intricacies of the Privacy Rule is beyond the scope of this post. Intimate familiarity with the Privacy Rule is a must for those who want to comply with its requirements. Determining what actually applies to your organization and what doesn’t is not always a clear-cut analysis with a black-or-white answer.

Lunarline has a whole team of HIPAA Privacy Rule experts who can help you navigate HIPAA compliance. Contact us and get some peace of mind that compliance is achievable.

About Joshua Merkel

Josh is Lunarline's Director of Privacy. He is a licensed attorney and holds CIPP and CIPM certifications. In addition to data privacy consulting, Josh acts as a subject matter expert supporting HIPAA compliance assessments, and leads FISMA/NIST efforts for several clients.