The Privacy Rule

The Privacy Rule took effect on April 14, 2003The HIPAA Privacy Rule regulates the use and disclosure of certain information held by "covered entities" (generally, health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions.)[10] It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.[11] This is interpreted rather broadly and includes any part of an individual's medical record or payment history. Covered entities must disclose PHI to the individual within 30 days upon request.[12] They also must disclose PHI when required to do so by law, such as reporting suspected child abuse to state child welfare agencies.[13] A covered entity may disclose PHI to facilitate treatment, payment, or health care operations,[14] or if the covered entity has obtained authorization from the individual.[15] However, when a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose.[16] The Privacy Rule gives individuals the right to request that a covered entity correct any inaccurate PHI.[17] It also requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals.[18] For example, an individual can ask to be called at his or her work number, instead of home or cell phone number. The Privacy Rule requires covered entities to notify individuals of uses of their PHI. Covered entities must also keep track of disclosures of PHI and document privacy policies and procedures.[19] They must appoint a Privacy Official and a contact person[20] responsible for receiving complaints and train all members of their workforce in procedures regarding PHI.[21]