The Health Insurance Portability and Accountability Act (HIPAA) is a federal law implemented in 1996 to protect patients from the disclosure of their sensitive health information without their knowledge or consent. A HIPAA violation may result in criminal or civil monetary penalties.

HIPAA Privacy Rules

The HIPAA Privacy Rule was published in December 2000. It ensures an individual’s health information is protected yet accessible enough that it can be used to promote excellent healthcare. The Privacy Rule strives for a balance between these two goals:

  • Addressing how an individual’s protected health information (PHI) is used by the entities subject to the Privacy Rule — also called covered entities.
  • Outlining the standards for an individual’s right to understand and control the use of their health information.

The Privacy Rule applies to information in written, oral, and electronic formats.

Covered Entities

Covered Entities

The following are covered entities that must follow the HIPAA Privacy Rule.

Healthcare Providers

Healthcare providers include all practices that transmit health information electronically for claims, referral authorization requests, benefit eligibility inquiries, and other transactions. This category includes:

  • Doctors
  • Psychologists
  • Dentists
  • Chiropractors
  • Hospitals and clinics
  • Pharmacies
  • Nursing homes

Health Plans

Health plans are the entities that pay for medical care costs, including those sponsored by employers, multiemployers, the government, and churches. Examples of health plans include insurers for:

  • Vision, health, prescription drug, and dental plans.
  • Medicaid, Medicare, Medicare+Choice, and Medicare supplements.
  • Long-term care.
  • Health maintenance organizations (HMOs).

Healthcare Clearinghouses

Healthcare clearinghouses receive nonstandard information from an entity and turn it into a standard or vice versa. These entities receive individually identifiable health information to process it for health plans or healthcare providers.

Business Associates

Business associates are persons and organizations outside a covered entity that use or disclose individually identifiable health information for billing, data analysis, utilization review, and claims processing for a covered entity. Some examples of business associates are:

  • Lawyers, accountants, and IT specialists.
  • Companies that process healthcare claims.
  • Companies that administer health plans.

Permitted Uses and Disclosures

Covered entities can use and disclose PHI without the individual’s authorization for these purposes:

  • Limited dataset for healthcare operations, research, and public health.
  • Incident to a permitted use and disclosure.
  • Treatment, payment, and healthcare operations.
  • Public interest and benefit activities.
  • Disclosure to the individual.
  • Opportunity to object to or agree with PHI disclosure.

HIPAA Security Rule

The HIPAA Security Rule was published in February 2003 to protect electronic protected health information (e-PHI), the individually identifiable health information that a covered entity transmits, receives, creates, and maintains electronically. It does not apply to information transmitted orally or in writing.

Contact Agio Today

Agio helps healthcare organizations achieve HIPAA compliance by ensuring e-PHI is protected. Learn more about our HIPAA compliance assessment service today.