Two federal rules help protect the privacy of consumers’ health information. The “Privacy Rule” and the “Security Rule” were implemented by the United States Department of Health and Human Services under the Health Insurance Portability and Accountability Act, commonly known as “HIPAA.”
The following is a brief summary of each rule. If you want more detailed information about the rules, HIPAA or the enforcement of HIPAA and the rules, please visit the Department’s website at www.hhs.gov.
The Privacy Rule addresses the use and disclosure of consumers’ protected health information by organizations subject to the Rule. The Rule also provides standards to help consumers understand and control how their health information is used.
Who Must Comply with the Privacy Rule?
The Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions that are covered under HIPAA.
What Information Is Protected?
The Rule protects consumers’ “individually identifiable health information,” which includes information that identifies or can be used to identify a consumer (name, address, birth date or Social Security number), as well as demographic data about:
Generally, a covered entity may not use or disclose a consumer’s protected health information without the consumer’s written authorization. However, the entity may disclose the consumer’s information without authorization:
A covered entity must obtain a consumer’s written authorization to use or disclose protected health information for marketing purposes. However, several exceptions to this rule exist and the definition of “marketing” is limited. For a complete discussion of this topic, please visit www.hhs.gov.
Who Enforces the Rule?
The Department of Health and Human Service’s Office for Civil Rights enforces the Privacy Rule and consumers who believe a covered entity has violated the Rule can file a complaint with the office. Complaint packets, along with detailed instructions, are available at: www.hhs.gov/ocr.
The Security Rule establishes standards that dictate what technical and non-technical safeguards all HIPAA-covered entities must implement to secure consumers’ electronic protected health information (e-PHI).
A more detailed discussion of the Rule, including compliance and enforcement issues, is available at www.hhs.gov.
What Standards Does the Rule Require?
To protect e-PHI, covered entities must maintain reasonable and appropriate administrative, technical and physical safeguards that
What Must a Covered Entity Do If My Information Is Released?
Covered entities must notify affected consumers of the security breach. Notice must be in writing and sent by mail or email within 60 days of the breach. The notice must provide:
Where Can I File a Complaint If I Suspect a Security Breach?
The U.S. Department of Health and Human Service’s Office of Civil Rights enforces the Security Rule. Complaint packets, along with detailed instructions, are available at: www.hhs.gov/ocr.
You also can report suspected security breaches to the Federal Trade Commission, which has independent authority over personal health record vendors and their third-party service providers under the Health Information Technology for Economic and Clinical Health (HITECH) Act. You can file a complaint with the FTC at www.ftc.gov.
Credit & Loans
Identity Theft & Privacy
Jobs & Making Money