IG10068 — The HIPAA Privacy Rule

/ The HIPAA Privacy Rule The HIPAA Privacy Rule (45 C.F.R. Part 164, Subparts A, E) established, for the first time, a set of federal standards for the protection of personal health information. Although the Health Insurance Portability and Accountability Act of 1 996 (HIPAA, P.L. 104-191) was enacted primarily to improve the availability of health insurance coverage, it included a series of requirements under the subtitle "Administrative Simplification" to improve the efficiency of health care by supporting a transition to standardized electronic administrative and financial transactions. As part of Administrative Simplification, Congress required promulgation of privacy and security standards in recognition of the increased risk to health data posed by increased electronic data use and exchange within the health care system. To Which Entities Does the Privacy Rule Apply? Covered Entities Health care providers (who transmit any health information in electronic form in connection with a HIPAA-covered transaction) Business Associates Health care clearinghouses Health plans The rule governs business associates' use and disclosure of Protected Health Information (PHI). Business associates have contractual arrangements—business associate agreements—to perform certain work on behalf of covered entities that requires disclosure and use of PHI. Claims processing Data analysis Utilization review Billing What Information Does the Privacy Rule Govern? The rule governs protected health information. PHI is individually identifiable health information ("HI) that is transmitted or maintained by any form or medium. IIHI is health information that (1 ) identifies an individual: (2) is created or received by a covered entity or an employer, and (3) "relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual." Exceptions to PHI include, for example, certain education and employment records. PHI May Include Demographic data (e.g., name, social security number) Prescriptions Family health history Blood test results Imaging exams Vaccination status HIPAA Privacy Rule Requirements Use and Disclosure Requirements The rule prohibits a covered entity from using or disclosing PHI except as expressly permitted or required. For all uses or disclosures of PHI that are not otherwise permitted or required by the rule, covered entities must obtain a patient's written authorization. Administrative Requirements The rule requires covered entities to put in place safeguards to protect PHI from unauthorized access, use, or disclosure. Individual Rights of Access The rule gives individuals certain rights of access with respect to their own health information (e.g., amendment). Deidentified PHI The rule does not apply to deidentified PHI held by a covered entity, and it specifies two methods for deidentification: e expert determination, where an expert documents that there is a small risk that the information could be used to identify the subject of the information, or e safe harbor, where the data are stripped of 18 specific identifiers (e.g., phone number, email address). Permissible Uses and Disclosures In general, covered entities may between and among themselves use or disclose PHI for the purposes of treatment, payment, and other routine health care operations without patient authorization. For disclosures to family members and friends and from public directories maintained by certain facilities, covered entities must give the individual an opportunity to object or agree to the disclosure. The rule permits a covered entity to disclose PHI to noncovered entities, without written authorization or the opportunity to agree or object, for 12 public interest or national priority purposes (e.g., as required by law, for public health activities, for health oversight, for law enforcement, or for judicial and administrative proceedings). Information as of November 18, 2024. Prepared by Amanda Sarata, Specialist in Health Policy, and Brion Long, Visual Information Specialist.

Curated by CRS — every bill listed in this report's relatedMaterials. Edge type cited_in_report, gold confidence.

No bill citations on file.