HIPAA Privacy Rule Refresher

Refresh your memory with some of the Privacy Rule points below:

  • HIPAA’s Privacy Rule goal is to protect the confidentiality of patient/resident healthcare information.
  • Protected Health Information (PHI) is individually identifiable health information collected from an individual and created or received by a health care provider, health plan, or health care clearinghouse relating to the past, present, or future physical or mental health condition of an individual.
  • Information is “individually identifiable” when any of the 18 types of identifiers can be used to identify an individual (e.g., name, address, dates such as birth date, account number, etc.).
  • The HIPAA Privacy Rule applies to healthcare organizations, healthcare plans, healthcare clearinghouses, and business associates with access to PHI.
  • PHI can be in paper or electronic form, as well as in verbal communications.
  • Photos and videos of patients/residents are PHI and require documented authorization to take and use.
  • Access to PHI must be restricted to the minimum access needed to accomplish the intended objective.
  • PHI cannot be used or disclosed without documented patient authorization unless it is for any of the following purposes or situations:
    • Use or disclosure to the patient
    • Use or disclosure for treatment, payment, or general healthcare operations
    • Use or disclosure where the individual has the opportunity to agree or object, such as a patient bringing a family member with them when discussing care with a physician
  • Covered Entities (CE) are required to provide residents/patients with a Notice of Privacy Practices (NPP) to tell how the CE may use and share their health information.
  • Documents containing PHI must be rendered unreadable at disposal. Shredding is the most common method of disposal. Before disposal, be sure to follow your organization’s data retention policies.

For more information regarding HIPAA Privacy, visit www.hhs.gov.