The HIPAA Privacy Rule is composed of national regulations for the use and disclosure of Protected Health Information (PHI) in healthcare treatment, payment and operations by covered entities. The effective compliance date of the Privacy Rule was April 14, 2003, with a one-year extension for certain "small plans".

The HIPAA Privacy Rule regulates the use and disclosure of PHI held by "covered entities" (generally, health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain transactions).[18] By regulation, the HHS extended the HIPAA Privacy Rule to independent contractors of covered entities who fit within the definition of "business associates".[19] PHI is any information that is held by a covered entity regarding health status, provision of health care, or health care payment that can be linked to any individual.[16] This is interpreted rather broadly and includes any part of an individual's medical record or payment history. Covered entities must disclose PHI to the individual within 30 days upon request.[20] Also, they must disclose PHI when required to do so by law, such as reporting suspected child abuse to state child welfare agencies.[21]
Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; or to identify or locate a suspect, a fugitive, a material witness, or a missing person.[22]
A covered entity may disclose PHI to certain parties to facilitate treatment, payment, or health care operations without a patient's express written authorization.[23] Any other disclosures of PHI require the covered entity to obtain written authorization from the individual for the disclosure.[24] In any case, when a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose.[25]
The Privacy Rule gives individuals the right to request that a covered entity correct any inaccurate PHI.[26] It also requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals.[27] For example, an individual can ask to be called at their work number instead of their home or cell phone numbers.
The Privacy Rule requires covered entities to notify individuals of uses of their PHI.[28] Covered entities must also keep track of disclosures of PHI and document privacy policies and procedures.[29] They must appoint a Privacy Official and a contact person[30] responsible for receiving complaints, and train all members of their workforce in procedures regarding PHI.[31]
An individual who believes that the Privacy Rule is not being upheld can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR).[32][33] However, according to the Wall Street Journal, the OCR has a long backlog and ignores most complaints. "Complaints of privacy violations have been piling up at the Department of Health and Human Services. Between April of 2003 and November 2006, the agency fielded 23,886 complaints related to medical-privacy rules, but it has not yet taken any enforcement actions against hospitals, doctors, insurers or anyone else for rule violations. A spokesman for the agency says it has closed three-quarters of the complaints, typically because it found no violation or after it provided informal guidance to the parties involved."[34] However, in July 2011, UCLA agreed to pay $865,500 in a settlement regarding potential HIPAA violations. An HHS Office for Civil Rights investigation showed that from 2005 to 2008, unauthorized employees repeatedly and without legitimate cause looked at the electronic protected health information of numerous UCLAHS patients.[35]