Medicine and Health: HIPAA

Your Health Information, Your Rights

HIPAA Basics

The privacy and security of patient health information is a top priority for patients and their families, health care providers and professionals, and the government. Federal laws require many of the key persons and organizations that handle health information to have policies and security safeguards in place to protect health information — whether it is stored on paper or electronically.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the main Federal law that protects health information. The HIPAA Privacy and Security Rules protect the privacy and security of individually identifiable health information. HIPAA Rules have detailed requirements regarding both privacy and security.

  • The HIPAA Privacy Rule covers protected health information (PHI) in any medium.
  • The HIPAA Security Rule covers electronic protected health information (ePHI).

Source: HIPAA Basics from HealthIT.gov

Covered Entities

The following types of individuals and organizations are subject to the Privacy Rule and considered covered entities:

  • Healthcare providers: Every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule.
  • Health plans: Entities that provide or pay the cost of medical care. Health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans.
    • Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.
  • Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.
  • Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include claims processing, data analysis, utilization review, and billing.

Source: Health Insurance Portability and Accountability Act of 1996 (HIPAA) from the CDC Public Health Professionals Gateway

What Types of Information Does HIPAA Protect?

The Privacy Rule protects most individually identifiable health information held or transmitted by a covered entity or its business associates, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” or “PHI.” Individually identifiable health information is information, including demographic information, that relates to:

  • The individual’s past, present, or future physical or mental health or condition,
  • The provision of health care to the individual, or
  • The past, present, or future payment for the provision of health care to the individual.

In addition, individually identifiable health information identifies the individual or there is a reasonable basis to believe it can be used to identify the individual. For example, a medical record, laboratory report, or hospital bill would be PHI if information contained therein includes a patient’s name and/or other identifying information.

Source: Your Practice and the HIPAA Rules (Chapter 2 of Guide to Privacy and Security of Electronic Health Information from The Office of the National Coordinator for Health Information Technology) 

Patient Health Information Rights

Under the HIPAA Privacy Rule, providers have responsibilities to patients, which include:

  • Providing a Notice of Privacy Practices (NPP)
  • Responding to patients’ requests for:
    • Access to their Protected Health Information (PHI)
    • Amendments to their PHI
    • Accounting of disclosures
    • Restrictions on uses and disclosures of their health information
    • Confidential communications

Source: HIPAA for Providers from HealthIT.gov

THE NEW YORK SCHOOL FOR MEDICAL AND DENTAL ASSISTANTS • 33-10 Queens Boulevard, Long Island City, Queens, NY 11101-2327 • 718-793-2330 • Fax: 718-793-0619