HIPAA Privacy Rule
The HIPAA Privacy Rule places restrictions on how covered entities (e.g., physicians) and business associates use and disclose an individual's "protected health information" (PHI). "Protected health information" means information held or transmitted by a covered entity or business associate, in any form or media (electronic, paper, or oral), that would identify an individual and that relates to the individual's past, present, or future physical or mental health, to health care services, or to payment for health care.
Under the Privacy Rule, a physician generally cannot use or disclose PHI unless the physician has received a written authorization from the individual allowing the use or disclosure. However, there are exceptions to this restriction. For example, a physician does not need an authorization to use or disclose PHI for payment, treatment, or operations purposes.
The Privacy Rule also grants rights to individuals with respect to their PHI. For example, an individual has the right to ask the practice to make changes to his or her PHI, although the practice may refuse to make such changes under certain circumstances; for instance, when the practice believes that the PHI is already complete and accurate.
The requirements of the Privacy Rule have expanded significantly since they first went into effect in 2003. One important expansion occurred in 2009, when the U.S. Department of Health and Human Services (DHHS) issued its HIPAA Breach Notification Rule. The Breach Notification Rule requires physicians and other covered entities to notify patients, DHHS, and in some cases the media, if a breach of unsecured PHI occurs. The Breach Notification Rule also requires physician practices to implement a number of internal policies and procedures relating to breach notification.
The AMA has developed extensive resources designed to help physicians maintain compliance with the HIPAA Privacy Rule’s ever-evolving requirements.
Additionally, the resource "What you need to know about the new health privacy and security requirements" outlines the newly expanded requirements for protection of patient health information, patient rights to this information and administrative protections physicians must have in place. Learn about the compliance deadlines and where you can find more information to ensure your practice is fully protecting your patients' health information.
The AMA has also prepared the educational resource "What You Need to Know About the New HIPAA Breach Notification Rule" to ensure that physicians are fully aware of their responsibilities under the Breach Notification Rule.