What does the HIPAA Privacy Rule do?

The HIPAA Privacy Rule was issued by the United States Department of Health and Human Services to restrict the use and disclosure of personally identifiable information that pertains to a patient or consumer of healthcare services. This information is called protected health information (PHI). The rule was created to protect patients’ privacy.
Under HIPAA, a covered entity (CE) must make practical efforts to use, disclose and request only the minimum necessary amount of PHI required for any particular task. The Privacy Rule also gives patients rights over their health information and the right to access their own medical records.

• It gives patients more control over their health information.
• It sets boundaries on the use and release of health records.
• It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
• It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
• And it strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.

For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.

• It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
• It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
• It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
• It empowers individuals to control certain uses and disclosures of their health information.