Congressional Research Service
Informing the legislative debate since 1914

September 10, 2024


The HIPAA Privacy Rule: Overview and Issues


The final HIPAA Privacy Rule (the Rule) was first issued in December 2000, and a final modified rule was issued in August of 2002, pursuant to authority in the Health Insurance Portability and Accountability Act of 1996 (HIPAA, P.L. 104-191). HIPAA was enacted to improve the availability and continuity of health insurance coverage; promote long-term care insurance and the use of health savings accounts; and combat waste, fraud, and abuse, particularly in Medicare and Medicaid. HIPAA also included a series of requirements under the subtitle Administrative Simplification to improve the efficiency of, and decrease costs within, the health care system by supporting a transition to standardized electronic administrative and financial transactions. Among these requirements, the law directed the Department of Health and Human Services (HHS) Secretary to promulgate privacy standards should legislation addressing privacy of personal health information not be enacted within a specified timeframe. The HIPAA Privacy Rule established for the first time a set of federal standards for the protection of personal health information.

As part of Administrative Simplification [42 U.S.C. §§1320d et seq.], HIPAA required promulgation of both privacy and security standards in recognition of the increased risk to health data posed by broadly promoting electronic data use and exchange within the health care system. More than a decade later, the Health Information Technology for Economic and Clinical Health Act (HITECH, P.L. 111-5) incentivized the shift away from paper patient records to electronic patient records, building on the earlier shift to standard electronic financial and administrative transactions. These shifts, both on the administrative and patient care side, were considered by many to be a necessary precursor to broader health care reform efforts that culminated in the Patient Protection and Affordable Care Act of 2010 (ACA, P.L. 111-148, as amended). Privacy (and security) of personal health data was to some extent a second-order policy priority in service of broader reform of the health care system.

The Privacy Rule applies to specific entities (covered entities and their business associates) and to certain health information, termed protected health information (PHI). The requirements of the Rule primarily address (1) the use and disclosure of PHI, (2) individual rights with respect to PHI, and (3) administrative requirements (e.g., workforce training, data safeguards). The Rule is interpreted and enforced by the Office for Civil Rights (OCR) within HHS.

Entities Subject to the Privacy Rule
The HIPAA Privacy Rule applies to three specific types of entities, referred to as covered entities. These include (1) health care clearinghouses, (2) health plans, and (3) health care providers who carry out HIPAA-covered electronic transactions. Health care clearinghouses may serve as intermediaries between plans and providers and often convert standard to nonstandard data (and vice versa) in that role. In addition, pursuant to authority in the HITECH Act, the Privacy Rule governs the use and disclosure of protected health information (PHI) by business associates, entities that perform certain work on behalf of covered entities. Business associates must enter into contractual arrangements (business associate agreements) in order to perform certain work on behalf of covered entities that requires disclosure and use of PHI (e.g., claims processing, data analysis, utilization review). A covered entity may be a business associate for another covered entity; for example, health care clearinghouses often act as business associates working on behalf of health plans and health care providers. Finally, the Rule establishes hybrid entities, which are single legal entities that perform both covered and noncovered functions. If a covered entity elects to establish hybrid entity status, the Rule's requirements apply only to the component carrying out covered functions, and PHI may not be shared between the components except as permitted by the Rule (generally, as it would be permitted to be disclosed to a noncovered entity).

Information Protected by the Privacy Rule
PHI is individually identifiable health information (IIHI) that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. IIHI is defined as health information that identifies an individual and that is created, maintained, or received by a covered entity or an employer and that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. PHI includes a wide range of information, among it demographic data (e.g., name, Social Security number), medical test results and diagnoses, vaccination status, and family health history.

The Privacy Rule does not apply to deidentified PHI, with the Rule specifying two acceptable methods for deidentification: (1) expert determination and (2) safe harbor. To meet the first standard, an expert in statistical and scientific principles and methods for rendering information not individually identifiable must determine and document that there is a very small risk that the information could be used to identify an individual who is the subject of the information. For the safe harbor method, the data must be stripped of 18 specific identifiers (e.g., name, email address) listed in the Rule.
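As an added illustration of the safe harbor method described above (example code, not part of the CRS report), the following Python function drops direct-identifier fields from a constructed patient record, keeps only the first three ZIP digits, reduces dates to years, aggregates ages over 89, and scrubs identifier-shaped strings out of free text. The report names only name and email address; the other field names, the regular expressions and the record schema are this example's own assumptions based on the Rule's safe harbor list, and the Rule's exception for sparsely populated three-digit ZIP areas is not implemented.

```python
import re
from datetime import date
# Fields treated as direct identifiers: the report names "name" and "email";
# the rest map the safe harbor list onto a constructed schema (assumption).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}

# Identifier-shaped substrings that commonly leak through free-text fields:
# email address, SSN-shaped number, US phone number, full calendar date.
LEAK_PATTERN = re.compile(
    r"[\w.+-]+@[\w-]+\.[\w.-]+|\b\d{3}-\d{2}-\d{4}\b"
    r"|\b\d{3}[-.]\d{3}[-.]\d{4}\b|\b\d{1,2}/\d{1,2}/\d{4}\b"
)

def deidentify(record: dict, as_of: date) -> dict:
    """Return a safe-harbor style copy of a constructed patient record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # drop direct identifiers
        if key == "zip":
            out["zip3"] = str(value)[:3]               # first three ZIP digits only
        elif key == "birth_date":
            age = as_of.year - value.year - ((as_of.month, as_of.day) < (value.month, value.day))
            if age > 89:
                out["age"] = "90+"                     # ages over 89 are aggregated
            else:
                out["birth_year"] = value.year         # year alone may be kept
                out["age"] = age
        elif isinstance(value, date):
            out[key.replace("_date", "_year")] = value.year
        elif isinstance(value, str):
            out[key] = LEAK_PATTERN.sub("[REDACTED]", value)  # scrub free text
        else:
            out[key] = value
    return out

AS_OF = date(2024, 9, 10)
SAMPLE = {  # constructed sample record, not real patient data
    "name": "Jane Roe", "email": "jane@example.com", "mrn": "MRN-001",
    "zip": "02138", "birth_date": date(1930, 5, 1), "visit_date": AS_OF,
    "diagnosis": "Type 2 diabetes", "notes": "Patient called from 617-555-0100 on 9/10/2024.",
}

def deidentify_sample() -> dict:
    return deidentify(SAMPLE, AS_OF)
```

Field-level stripping alone is not enough: the free-text scrub shows why notes fields need the same review as structured identifiers.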
