The Standards for Privacy of Individually Identifiable Health Information, commonly known as the HIPAA Privacy Rule, established the first national standards in the United States for safeguarding patients' protected health information (PHI).
Issued by the United States Department of Health and Human Services (HHS), the rule limits how covered entities may use and disclose PHI. It seeks to protect patients' privacy -- permitting use and disclosure without patient authorization only for defined purposes such as treatment, payment and healthcare operations, and requiring written authorization for most other uses -- while still allowing relevant health information to flow through the proper channels. It also gives patients the right to access their own medical records and to request an accounting of certain disclosures of their PHI.
Who is covered by and must follow HIPAA?
The HIPAA Privacy Rule applies to organizations that are HIPAA covered entities: health plans, healthcare clearinghouses and healthcare providers that transmit health information electronically in connection with standard transactions. In addition, the Privacy Rule requires a covered entity that shares PHI with a HIPAA business associate to enter into a written contract (a business associate agreement) that imposes specific safeguards on the PHI the business associate creates, receives, uses or discloses.
What information is protected?
The HIPAA Privacy Rule protects all individually identifiable health information that a covered entity or a business associate holds or transmits, in any form: electronic, paper or oral. Under the Privacy Rule, this individually identifiable health information is known as PHI. It includes common identifiers such as name, address, birth date and Social Security number, together with information that relates to any of the following, where that information identifies the individual or there is a reasonable basis to believe it could be used to identify the individual:
- An individual's past, present or future physical or mental health or condition;
- The provision of healthcare to the individual; or
- Past, present or future payment for the provision of healthcare to the individual.
The Privacy Rule excludes from PHI employment records that a covered entity holds in its role as an employer, as well as education records and certain other records covered by the Family Educational Rights and Privacy Act (FERPA).
De-identified data, by contrast, may be used and disclosed without restriction. Data is de-identified when it neither identifies an individual nor provides a reasonable basis to believe it could be used to identify one; the Privacy Rule recognizes two ways to reach that state, a formal expert determination or the "safe harbor" method of removing a specified list of identifiers.
The Privacy Rule lays out certain administrative requirements that covered entities must have in place.
These requirements include:
- A privacy official must be appointed who is responsible for developing and implementing policies and procedures at a covered entity.
- Employees -- including volunteers and trainees -- must be trained on policies and procedures.
- Appropriate administrative, technical and physical safeguards must be maintained to protect the privacy of PHI in a covered entity.
- A process for individuals to make complaints concerning policies and procedures must be in place at a covered entity.
- If PHI is used or disclosed in violation of its policies and procedures or of the Privacy Rule, a covered entity must mitigate, to the extent practicable, any harmful effects.
Civil penalties are tiered by the level of culpability. The minimum penalty for:
- Unknowingly violating HIPAA is $100 per violation, with an annual maximum of $25,000 for violations of an identical provision.
- Violating HIPAA with reasonable cause is $1,000 per violation, with an annual maximum of $100,000 for violations of an identical provision.
- Willful neglect of HIPAA, where the violation is corrected within 30 days, is $10,000 per violation, with an annual maximum of $250,000 for violations of an identical provision.
- Willful neglect of HIPAA, where the violation is not corrected, is $50,000 per violation, with an annual maximum of $1.5 million for violations of an identical provision.
The maximum penalty for every tier is $50,000 per violation, with an annual maximum of $1.5 million for violations of an identical provision. These are the statutory amounts; HHS adjusts them for inflation.
Individuals and covered entities that knowingly obtain or disclose PHI in violation of HIPAA can be fined up to $50,000 and imprisoned for up to one year.
If the offense is committed under false pretenses, the penalties rise to a fine of up to $100,000 and up to five years in prison. If it is committed with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm, the maximum is a $250,000 fine and up to 10 years in prison.
Some examples of healthcare organizations penalized for violating HIPAA include Beth Israel Deaconess Medical Center in Boston, which paid $100,000 after the theft of an employee's laptop containing patient data, and Cignet Health in Maryland, which was assessed a $4.3 million civil money penalty for withholding medical records from 41 patients who requested them and for failing to cooperate with the investigation by the HHS Office for Civil Rights (OCR).