What Are the HIPAA Privacy Rules?

Protected Health Information Management

Core Tenets of Information Safeguarding

A fundamental framework outlining the standards for handling individually identifiable health information. This encompasses patient rights, permissible uses and disclosures, and mandated security measures to ensure confidentiality, integrity, and availability.

Definition of Protected Health Information (PHI)

Explanation of what constitutes PHI, including any information, whether oral or recorded in any form or medium, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Key Provisions Relating to Patient Access

  • Right to Access: Patients have the right to inspect and obtain a copy of their PHI contained in a designated record set.
  • Right to Amend: Patients have the right to request an amendment to their PHI if they believe it is inaccurate or incomplete.
  • Right to Accounting of Disclosures: Patients have the right to receive an accounting of certain disclosures of their PHI made by a covered entity.

Permitted Uses and Disclosures

Explanation of instances where covered entities are allowed to use or disclose PHI without patient authorization, including for treatment, payment, and healthcare operations, as well as for certain public health activities, law enforcement purposes, and other legally mandated situations. Specifies the concept of the "minimum necessary" standard when using or disclosing PHI.

Business Associate Agreements

Requirements for contracts between covered entities and their business associates, outlining the obligations of business associates to protect PHI. Describes the consequences of non-compliance by business associates.

Security Safeguards for Electronic PHI (ePHI)

Overview of technical, administrative, and physical safeguards required to protect ePHI. This includes access controls, audit controls, integrity controls, transmission security, and physical access restrictions.
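The "minimum necessary" standard described under Permitted Uses and Disclosures and the access, audit and integrity controls listed above can be shown together in one small model. The following Python is an added illustration written for this page, not code from HIPAA guidance or from any particular product: the role-to-field mapping, the sample record, the integrity key and the function names are all constructed for the demonstration. Each access attempt is limited to the fields the role needs, checked against an HMAC integrity tag on the record, and written to an audit trail whether it is granted or denied.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample ePHI record for the demonstration; not real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "diagnosis": "example diagnosis text",
    "insurance_id": "INS-00001",
    "billing_balance": 120.5,
}

# Hypothetical "minimum necessary" field sets per workforce role.
# In practice these come from the covered entity's own policies.
ROLE_FIELDS = {
    "clinician": {"patient_id", "name", "diagnosis"},
    "billing": {"patient_id", "insurance_id", "billing_balance"},
}

# Constructed key for the integrity tag; a real deployment would load a
# managed secret rather than keep a literal in source.
INTEGRITY_KEY = b"constructed-demo-key"

# In-memory audit trail; a real system writes to append-only storage.
AUDIT_LOG = []


def integrity_tag(record):
    """HMAC-SHA256 over a canonical JSON encoding of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def verify_integrity(record, tag):
    """Constant-time comparison so a wrong tag is not revealed byte by byte."""
    return hmac.compare_digest(integrity_tag(record), tag)


def _audit(user, role, patient_id, purpose, outcome, fields=()):
    """Record who touched which patient's data, why, and with what result."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "patient_id": patient_id,
        "purpose": purpose,
        "outcome": outcome,
        "fields": sorted(fields),
    })


def access_phi(user, role, record, tag, purpose):
    """Return only the fields the role needs; every attempt is audited.

    Raises PermissionError for a role with no PHI entitlement and
    ValueError when the record's integrity tag does not verify.
    """
    patient_id = record.get("patient_id", "<unknown>")
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        _audit(user, role, patient_id, purpose, "denied: unknown role")
        raise PermissionError(f"role {role!r} has no access to PHI")
    if not verify_integrity(record, tag):
        _audit(user, role, patient_id, purpose, "denied: integrity check failed")
        raise ValueError("record integrity tag does not verify")
    disclosed = {k: v for k, v in record.items() if k in allowed}
    _audit(user, role, patient_id, purpose, "granted", disclosed.keys())
    return disclosed


if __name__ == "__main__":
    tag = integrity_tag(SAMPLE_RECORD)
    print(access_phi("dr.smith", "clinician", SAMPLE_RECORD, tag, "treatment"))
    print(access_phi("clerk01", "billing", SAMPLE_RECORD, tag, "payment"))
    for entry in AUDIT_LOG:
        print(entry)
```

The billing role never sees the diagnosis and the clinician never sees the insurance identifier, which is the field-level form of "minimum necessary"; the denied attempts still produce audit entries, because an accounting of disclosures and a breach investigation both depend on failed accesses being recorded, not just successful ones.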

Breach Notification Requirements

Explanation of the obligations of covered entities and business associates to notify affected individuals, the Department of Health and Human Services (HHS), and potentially the media in the event of a breach of unsecured PHI. Includes timeframes and content requirements for notifications.

Enforcement and Penalties for Non-Compliance

Information on the enforcement mechanisms employed by HHS's Office for Civil Rights (OCR), including investigations, corrective action plans, and civil monetary penalties for violations. Details on the tiering of penalties based on culpability and the severity of the violation.