HIPAA Privacy Standards
Under HIPAA and the American Recovery and Reinvestment Act of 2009 (ARRA), physicians are required to control the ways in which they use and disclose patients’ protected health information (PHI). This brief overview outlines some of the changes made by ARRA to the HIPAA privacy standards.
The educational resource "What you need to know about the new health privacy and security requirements" outlines the compliance deadlines associated with the newly expanded requirements for protecting patient health information, patients' rights to that information, and the administrative protections physicians must have in place.
The U.S. Department of Health & Human Services' (HHS) Office for Civil Rights (OCR) oversees compliance with the HIPAA Privacy requirements. As a result of ARRA, several new regulations implementing the law will be published. To date, only the "breach notification" rules have been finalized. OCR has also published a proposed rule (a final rule is still forthcoming) which calls for:
- Extending the applicability of certain Privacy and Security Rule requirements to the business associates (BAs) of covered entities (CEs);
- Requiring CEs and BAs to provide for notification of breaches of unsecured PHI;
- Establishing new limitations on the use and disclosure of PHI for marketing and fundraising purposes;
- Prohibiting the sale of PHI;
- Requiring the consideration of a limited data set as the minimum necessary amount of information for a particular use, disclosure, or request of PHI;
- Expanding individuals’ rights to access and receive an accounting of disclosures of their PHI, and to obtain restrictions on certain disclosures of PHI to health plans; and
- Strengthening enforcement provisions.
Under the new breach notification rules, physicians are required to notify patients when a breach of security involving their unsecured PHI occurs. The educational resource "What you need to know about the new HIPAA Breach Notification Rule" provides an overview of these requirements.
Privacy Resources
- How to "HIPAA" - Top 10 tips for understanding the basics of the Privacy Rules
- Frequently Asked Questions
- Privacy Rules
- Federal Privacy Legislation
- Guidance on the HIPAA Privacy Rule
- OCR HIPAA Privacy
- Organized Health Care Arrangement
- AMA HIPAA Compliance Resources
- AMA Privacy Comment letters
- AMA comments on the Accounting of Disclosures Proposed Rule, November 10, 2011
- AMA comments on the Accounting of Disclosures Proposed Rule, August 1, 2011
- Response to OCR Proposed Breach Notification Rule, October 14, 2009
- Response to OCR Guidance on Specifying Technologies and Methodologies that Render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for the Purposes of Meeting the Breach Notification Requirements, May 21, 2009
- Response to OCR Proposed Privacy Rule, February 17, 2000
