Study Points
- Participation Instructions
- Review the course material online or in print.
- Complete the course evaluation.
- Review your Transcript to view and print your Certificate of Completion. Your date of completion will be the date (Pacific Time) the course was electronically submitted for credit, with no exceptions. Partial credit is not available.
- Outline the history of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the United States.
- Describe the Privacy Rule of HIPAA, including entities who must comply.
- Identify protected health information and approaches to guarding and appropriately disclosing protected information.
- Define patient rights and employers' responsibilities as delineated by HIPAA.
- Evaluate the requirements of the HIPAA Security Rule.
- Discuss sources of potential security breaches and approaches to avoidance and notifications.
- Explain potential disciplinary actions for not complying with the HIPAA Privacy or Security Rule.
The HHS published a final Privacy Rule in
The HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule sets national standards for the protection of individually identifiable health information by three types of covered entities: health plans, healthcare clearinghouses, and healthcare providers who conduct standard healthcare transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (or April 14, 2004, for small health plans) [1].
Compliance with the Security Rule was required as of
The HHS published a final Security Rule in February 2003. This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information (e-PHI) that a covered entity creates, receives, maintains, or transmits. Compliance with the Security Rule was required as of April 20, 2005 (or April 20, 2006, for small health plans).
According to the Privacy Rule, as well as all the Administrative Simplification rules, a covered entity is a
As noted, the Privacy Rule, as well as all the Administrative Simplification Rules, apply to health plans, healthcare clearinghouses, and to any healthcare provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA [3]. These groups are referred to collectively as covered entities.
Which of the following insurance entities is considered a health plan?
Individual and group plans that provide or pay the cost of medical care are covered entities. Health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. There are exceptions: a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity. Two types of government-funded programs are not health plans: those whose principal purpose is not providing or paying the cost of health care (e.g., the food stamps program), and those programs whose principal activity is directly providing health care (e.g., a community health center) or the making of grants to fund the direct provision of health care. Certain types of insurance entities are also not health plans, including entities providing only workers' compensation, automobile insurance, or property and casualty insurance. If an insurance entity has separable lines of business, one of which is a health plan, the HIPAA regulations apply to the entity with respect to the health plan line of business [3].
Which of the following is NOT generally considered individually identifiable health information?
Individually identifiable health information is defined as information, including demographic data, that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual and relates to the [3]:
Individual's past, present, or future physical or mental health or condition
Provision of health care to the individual
Past, present, or future payment for the provision of health care to the individual
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
The minimum necessary standard does not apply to
The Privacy Rule generally requires covered entities to take reasonable steps to limit the use of, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to [11]:
Disclosures to or requests by a healthcare provider for treatment purposes
Disclosures to the individual who is the subject of the information
Uses or disclosures made pursuant to an individual's authorization
Uses or disclosures required for compliance with the HIPAA Administrative Simplification Rules
Disclosures to the HHS when disclosure of information is required under the Privacy Rule for enforcement purposes
Uses or disclosures that are required by other law
Which of the following statements regarding PHI uses and disclosures is TRUE?
A covered entity may use and disclose PHI for its own treatment, payment, and healthcare operations activities. A covered entity also may disclose PHI for the treatment activities of any healthcare provider, the payment activities of another covered entity and of any healthcare provider, or the healthcare operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the PHI pertains to the relationship [3].
For the purposes of the Privacy Rule, treatment is defined as the provision, coordination, or management of health care and related services for an individual by one or more healthcare providers, including consultation between providers regarding a patient and referral of a patient by one provider to another. Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual and activities of a healthcare provider to obtain payment or be reimbursed for the provision of health care to an individual [3].
Healthcare operations are any of the following activities [3]:
Quality assessment and improvement activities, including case management and care coordination
Competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation
Conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs
Specified insurance functions, such as underwriting, risk rating, and reinsuring risk
Business planning, development, management, and administration
Business management and general administrative activities of the entity, including but not limited to:
De-identifying PHI
Creating a limited data set
Certain fundraising for the benefit of the covered entity
Most uses and disclosures of psychotherapy notes for treatment, payment, and healthcare operations purposes require an authorization. Obtaining consent (written permission from individuals to use and disclose their PHI for treatment, payment, and healthcare operations) is optional under the Privacy Rule for all covered entities. The content of a consent form, and the process for obtaining consent, are at the discretion of the covered entity electing to seek consent [3].
In each of the following cases, covered entities may disclose PHI to law enforcement officials, EXCEPT:
Covered entities may disclose PHI to law enforcement officials for law enforcement purposes under the following circumstances, and subject to specified conditions [3]:
As required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests
To identify or locate a suspect, fugitive, material witness, or missing person
In response to a law enforcement official's request for information about a victim or suspected victim of a crime
To alert law enforcement of a person's death, if the covered entity suspects that criminal activity caused the death
When a covered entity believes that PHI is evidence of a crime that occurred on its premises
By a covered healthcare provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime
Which of the following statements regarding authorizations for PHI release is FALSE?
A covered entity must obtain the individual's written authorization for any use or disclosure of PHI that is not for treatment, payment, or healthcare operations or otherwise permitted or required by the Privacy Rule. A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances [3]. Covered entities must establish and implement policies and procedures (which may be standard protocols) for routine, recurring disclosures or requests for disclosures that limit the PHI disclosed to the minimum amount reasonably necessary to achieve the purpose of the disclosure. Individual review of each routine disclosure is not required. For non-routine, non-recurring disclosures or requests for disclosures, covered entities must develop criteria designed to limit disclosures to the information reasonably necessary to accomplish the purpose of the disclosure and must review each of these requests individually in accordance with the established criteria.
An authorization must be written in specific terms. It may allow use and disclosure of PHI by the covered entity seeking the authorization or by a third party. Examples of disclosures that would require an individual's authorization include disclosures to a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, or disclosures to a pharmaceutical firm for their own marketing purposes [3].
All authorizations must be in plain language and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data [3].
A covered healthcare provider with a direct treatment relationship with individuals must have delivered a privacy practices notice to patients
A covered healthcare provider with a direct treatment relationship with individuals must have delivered a privacy practices notice to patients [3]:
Not later than the first service encounter by personal delivery (for patient visits), by automatic and contemporaneous electronic response (for electronic service delivery), and by prompt mailing (for telephonic service delivery)
By posting the notice at each service delivery site in a clear and prominent place where people seeking service may reasonably be expected to be able to read the notice
In emergency treatment situations, as soon as practicable after the emergency abates
Which of the following PHI examples is excepted from the patient's right of access?
Except in certain circumstances, individuals have the right to review and obtain a copy of their PHI in a covered entity's designated record set. The designated record set is that group of records maintained by or for a covered entity that is used, in whole or part, to make decisions about individuals, or that is a provider's medical and billing records about individuals or a health plan's enrollment, payment, claims adjudication, and case or medical management record systems. The Rule excepts from the right of access the following PHI:
Psychotherapy notes
Information compiled for legal proceedings
Laboratory results to which the Clinical Laboratory Improvement Amendments of 1988 (CLIA) prohibit access
Information held by certain research laboratories
The maximum disclosure accounting period is
Individuals have a right to an accounting of the disclosures of their PHI by a covered entity or the covered entity's business associates. The maximum disclosure accounting period is the six years immediately preceding the accounting request, except that a covered entity is not obligated to account for any disclosure made before its Privacy Rule compliance date.
A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. Which of the following is considered a workforce member?
A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. Workforce members include employees, volunteers, trainees, and other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity). A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule [3].
In accordance with the Security Rule, covered entities must
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must [5]:
Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit
Identify and protect against reasonably anticipated threats to the security or integrity of the information
Protect against reasonably anticipated, impermissible uses or disclosures
Ensure compliance by their workforce
When a covered entity is deciding which security measures to use, the Rule requires the entity to consider all of the following, EXCEPT:
When a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider [5]:
Its size, complexity, and capabilities
Its technical, hardware, and software infrastructure
The costs of security measures
The likelihood and possible impact of potential risks to e-PHI
The Security Rule stipulates that risk assessment
The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule [5].
A risk analysis process includes, but is not limited to, the following [5]:
Evaluating the likelihood and impact of potential risks to e-PHI
Implementing appropriate security measures to address the risks identified in the risk analysis
Documenting the chosen security measures and, where required, the rationale for adopting those measures
Maintaining continuous, reasonable, and appropriate security protections
Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly re-evaluates potential risks to e-PHI [5].
Following a breach of unsecured PHI, covered entities must provide notification of the breach to
Following a breach of unsecured PHI, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. Individual notifications must be sent without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. A breach affecting more than 500 residents of a state or jurisdiction also requires notice to prominent media outlets serving that area, and a breach affecting 500 or more individuals must be reported to the Secretary within the same 60-day window; smaller breaches may be logged and reported to the Secretary annually. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.
What group is responsible for enforcing the Privacy and Security Rules?
The OCR is responsible for enforcing the Privacy and Security Rules. It does so through an established complaint resolution process. The OCR enforces the Privacy and Security Rules by [8]:
Investigating filed complaints
Conducting compliance reviews to determine if covered entities are in compliance
Performing education and outreach to foster compliance with the Rules' requirements
Before a penalty is imposed, the covered entity will be notified and provided with an opportunity to provide written evidence of circumstances that would reduce or bar a penalty. This evidence must be submitted within
Before the OCR imposes a penalty, it will notify the covered entity and provide the covered entity with an opportunity to provide written evidence of those circumstances that would reduce or bar a penalty. This evidence must be submitted to the OCR within 30 days of receipt of the notice. In addition, if the OCR states that it intends to impose a penalty, a covered entity has the right to request an administrative hearing to appeal the proposed penalty [3].
Preemption of a state law that is contrary to HIPAA will not occur if the HHS determines, in response to a request from a state or other entity or person, that the state law is necessary to
In addition, preemption of a contrary state law will not occur if the HHS determines, in response to a request from a state or other entity or person, that the state law [3]:
Is necessary to prevent fraud and abuse related to the provision of or payment for health care
Is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation
Is necessary for state reporting on health care delivery or costs
Is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy or Security Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served
Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances, or that is deemed a controlled substance by state law