The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a set of federal rules designed in part to protect the privacy of an individual’s health information.

History of HIPAA

  • HIPAA Signed into Law by President Clinton
  • Effective Date of the HIPAA Privacy Rule
  • Effective Date of the HIPAA Security Rule
  • Effective Date of the HIPAA Breach Enforcement Rule
  • Effective Date of HITECH and Breach Notification Rule
  • Effective Date of the Final Omnibus Rule

What is Protected Health Information (PHI)

Health Information – Any information, whether oral or recorded in any form or medium, that (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Individually Identifiable Health Information – Information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Protected Health Information – PHI is individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer.

Individual Rights under the Privacy Rule

The federal privacy regulations under HIPAA grant individuals certain rights to be informed about and to control their PHI.

Rights Under HIPAA

  • Right to inspect and obtain a copy of their PHI, including receiving electronic copies of all records included in the designated record set
  • Right to amend their PHI
  • Right to receive an accounting of disclosures of their PHI
  • Right to receive a Notice of Privacy Practices
  • Right to receive confidential communications of PHI
  • Right to request restrictions on certain uses and disclosures of their PHI
  • Right to file a complaint about a covered entity’s privacy practices with the covered entity as well as with the Office for Civil Rights (OCR)

Uses and Disclosures

Consent

A patient’s consent is permitted but not required for uses or disclosures of PHI for treatment, payment, or hospital operations.

Authorization

Authorization is required for all uses or disclosures of PHI not otherwise permitted by the Privacy Rule. Voluntary consent is not sufficient.

Required elements:

  • Description of the PHI to be used or disclosed
  • Person authorized to make the use or disclosure
  • To whom the covered entity (CE) may make the disclosure
  • Expiration date
  • Purpose (in some cases)

Privacy Policies

  • General Rules – AUMC Policy
  • Minimum Necessary – AUMC Policy
  • Mitigation for Improper Use – AUMC Policy
  • Marketing Purposes – AUMC Policy
  • Fundraising Purposes – AUMC Policy
  • Research Purposes – AUMC Policy
  • Emergency Situations – AUMC Policy