The Standards for Privacy of Individually Identifiable Health Information, commonly known as the HIPAA Privacy Rule, establishes the first national standards for protecting patients' protected health information (PHI).
Issued by the United States Department of Health and Human Services (HHS), the rule limits how covered organizations may use and disclose PHI. It seeks to protect patient privacy, for example by giving patients the right to an accounting of disclosures of their PHI (other than disclosures made for treatment, payment and health care operations), while still allowing relevant health information to flow through the proper channels. It also gives patients the right to access their own medical records.
The HIPAA Privacy Rule applies to organizations that are HIPAA covered entities: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a HIPAA standard transaction. In addition, the rule requires a covered entity that shares PHI with a HIPAA business associate to have a written contract, known as a business associate agreement, that imposes specific safeguards on the PHI the business associate uses or discloses.
Under the HIPAA Privacy Rule, a failure to safeguard PHI that leads to a health care data breach, as well as a failure to give patients timely access to their PHI, can result in a fine from the HHS Office for Civil Rights (OCR), which enforces the rule.