Welcome to our new series on HIPAA!

Whether you are feeling a little rusty on HIPAA issues or trying to figure out the new Omnibus rule, we hope you will find this information helpful.  Each week, we will be discussing a new aspect of HIPAA including:

  • HIPAA basics
  • New Omnibus regulations
  • Responding to subpoenas
  • HIPAA disasters
  • Enforcement ABC’s

This week, we are starting with the basics of HIPAA.  The basic tenet of HIPAA is that a covered entity may not use or disclose an individual’s protected health information (PHI), except as otherwise permitted or required. The following entities are covered by HIPAA: healthcare providers, healthcare clearinghouses, health plans and business associates.  HIPAA applies to protected health information and does not apply to de-identified health information.

A covered entity may use or disclose PHI for purposes related to treatment, payment and operations.  HIPAA requires covered entities to have an authorization for all other disclosures.  This authorization may be provided by the individual or his or her personal representative.  A covered entity’s disclosures of PHI are governed by the minimum necessary standard, which means that it must develop policies and procedures that reasonably limit its disclosures of PHI for payment and healthcare operations to the minimum necessary.  The minimum necessary standard does not apply to disclosures for treatment purposes.

Covered entities must inform individuals of their rights regarding the use and disclosure of their PHI through a notice of privacy practices.  Further, HIPAA imposes administrative obligations on covered entities, which must:

  1. Appoint a privacy officer;
  2. Safeguard disclosures of PHI;
  3. Establish grievance procedures;
  4. Sanction employee violations; and
  5. Prevent retaliation.