The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) establishes a set of national standards for covered entities to use and disclose an individual's health information—known as protected health information—as well as standards for providing individuals with privacy...
The Privacy Rule's main purpose is to guarantee that people's health information is appropriately secured while permitting the flow of health information required to deliver and promote high-quality health care and protect the public's health and well-being. The rule also ensures that individuals have appropriate notice about how their health data is used and allows them to opt out of certain uses of their health information.
The Privacy Rule consists of five parts: (1) General Provision, (2) Individual Consent, (3) Restrictions on Disclosure, (4) Enforcement, and (5) Civil Remedies.
The General Provision requires all health providers to comply with the Privacy Rule when they conduct their business with Medicare or Medicaid beneficiaries or use or disclose any health information for such purposes. The rule applies to all health providers, including physicians, dentists, hospitals, nursing homes, home health agencies, physical therapy offices, laboratories, clinics, health maintenance organizations, pharmaceutical companies, medical equipment manufacturers, health plans, health care clearinghouses, and other similar entities.
The Individual Consent requirement ensures that individuals give consent before any health provider discloses their health information to others. If consent is not obtained, then the disclosure is considered a violation of the Privacy Rule.
Privacy Rule under HIPAA
The Privacy Rule governs how enterprises subject to it use and disclose people's health information (known as "protected health information"). These people and organizations are referred to as "covered entities."
Covered entities include: hospitals, medical practices, nursing homes, home health agencies, disease management programs, integrated delivery systems, physical therapy offices, rehabilitation facilities, laboratories, clinics, doctors' offices, dentists' offices, health maintenance organizations, preferred provider organizations, insurance companies, employment screening services, job placement services for individuals with disabilities, and any other business or organization that receives protected health information about individuals. Some examples of businesses that do not have independent privacy policies but rather place them within their parent company's policy are food manufacturers, beverage distributors, and retailers.
What does the Privacy Rule require?
Under the Privacy Rule, covered entities must take reasonable steps to protect the confidentiality of individually identifiable health information. This means that they cannot release this information to anyone without your consent. Further, they must limit access to such information to only those employees who need it to perform their jobs. Employees who have direct contact with patients should be required to sign confidentiality agreements. Finally, covered entities must notify you if they disclose your personal information outside of their corporate family.
The Privacy Rule, a federal statute, provides you with rights to your health information while also establishing restrictions and limits on who can access and receive it. The Privacy Rule applies to all types of protected health information held by persons, whether electronic, written, or spoken.
Health information includes any information related to your past or present physical or mental health status or treatment, including but not limited to: notes from doctors' visits, test results, prescriptions, x-rays, and referrals to other professionals. Health information also includes personal data such as Social Security numbers that may be collected during care provision or coverage determinations.
You have rights under the Privacy Rule regarding our handling of your health information. These rights include the right to ask us not to disclose your health information; the right to request changes to the way we handle your health information; and the right to obtain copies of your own health information.
Our duty to protect your privacy extends to anyone who has contact with us during an appointment or transaction involving your health information. This includes employees, contractors, and other individuals or entities who provide services to us. They must respect your privacy rights at all times. If someone fails to do so, they could be sued by you or others like you.