While lawmakers designed the Electronic Data Interchange Transaction Code Set Rule to improve the efficiency and effectiveness of the health care system, Congress also recognized that advances in the use of electronic technology could potentially erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.
In general, the Privacy Rule:
Defines and limits the circumstances in which Covered Entities may use and disclose personal health information.
Establishes individual rights with respect to the personal health information.
Requires Covered Entities to adopt safeguards to protect the confidentiality of personal health information and protect against unauthorized access.
Defines Protected Health Information (PHI) as information that relates to an individual's health, healthcare treatment, or payment for healthcare where such information identifies the individual.
The Privacy Rule requires the use of appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. The Privacy regulations extend to all individually identifiable health information in the hands of Covered Entities, regardless of whether the information is or has been in electronic form. This includes purely paper records and oral communications.
The Privacy Rule dictates that, under certain circumstances, Covered Entities must have permission from the individual to use or disclose PHI.
The Privacy Rule requires Covered Entities to develop role-based access rules in order to implement the requirements for "minimum necessary" uses and disclosures of PHI.
The Privacy Rule requires a log of all disclosures of PHI for purposes other than patient treatment, bill payment, or healthcare operations. A log is not required for information transmitted for purposes of payment.