HIPAA Privacy Rules
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rules
What are they?
Privacy rules were created in conjunction with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These rules protect the privacy of patients’ medical and health records and limit the way that those records can be used. The rules apply nationally.
Who must comply?
As of April 14, 2003, health plans, healthcare clearinghouses, and healthcare providers who conducted electronic financial and administrative transactions were all required to comply with the privacy rules. These groups are called HIPAA “covered entities”.
What do the privacy rules mean?
The rules set down clear limits concerning the disclosure of private patient information:
- The patient’s consent must be obtained before their medical information is released, and the medical information cannot be used for purposes other than healthcare without the patient’s consent.
- The rules do not prohibit the sharing of medical information among healthcare providers who are treating the patient.
- Doctors and covered entities may talk to patients about treatment and may share other health-related information.
- A patient has the ability to see and obtain copies of their medical records and can request corrections to identified errors.
- Patients can request that doctors and healthcare providers take steps to ensure that their communications are kept confidential.
What if a covered entity violates the HIPAA?
If they think that the privacy rules have been violated, patients can file a complaint with the covered entity or with the United States Department of Health and Human Services' Office for Civil Rights (OCR). The OCR will investigate the complaint, determine whether there has been a violation, and enforce the HIPAA. Both civil and criminal penalties may be imposed on covered entities under the HIPAA.
What about state privacy laws?
State privacy laws, which provide additional or greater protection to patients than those provided by the HIPAA, are not affected by the privacy rules. Covered entities in those states have to comply with the higher standards set under state law. Covered entities that provide healthcare services in other states must comply with the HIPAA privacy rules.
Copyright 2011 LexisNexis, a division of Reed Elsevier Inc.