The Monthly Review

What is the “Privacy Rule” and Why is HIPAA Training Important?

Written by Houeida Saad, General Counsel, Privacy Officer | 11/10/17 7:49 PM

The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) established a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals’ privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.

The Privacy Rule assures that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care. The Privacy Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures required by Congress.

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.  The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

Who is covered by the HIPAA Privacy Rule?

(1) The Privacy Rule, as well as all the Administrative Simplification rules, applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).

(2) Business Associates: A business associate is defined as a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all. A covered entity can be the business associate of another covered entity.

What Information is Protected by the Privacy Rule? Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

URAC is a business associate of the Applicants we accredit or certify. We may view PHI received from a covered entity (e.g., a pharmacy) or from another business associate; in the latter case, URAC is itself a business associate of that business associate.

Why is HIPAA training important? All employees, contractors and agents at URAC who may work on accreditation or certification of URAC Applicants must undergo HIPAA training. Penalties for violations of the Privacy Rule are severe, and the Rule is enforced by the Office for Civil Rights of HHS. HIPAA training will be conducted in the first quarter of the new year, and all employees are expected to participate in the training. If you are absent when the training occurs, contact Human Resources to schedule a time when you can take the training. Be HIPAA compliant.

If you have any questions on HIPAA or the Privacy Rule, please contact me at hsaad@urac.org.