HIPAA is the cornerstone of safely sharing health data in the U.S. Policy experts love to point out that the “P” in HIPAA stands for Portability not Privacy. The idea is that data portability cannot be realized without creating a safe data sharing environment. HIPAA’s main two rules—the Privacy Rule and the Security Rule—lay out the security and protection standards around protected health information (PHI). In this blog, we’ll cover the basics of the Privacy Rule and what it means for health tech companies.
The Privacy Rule is the core section of HIPAA. It lays out the uses and disclosures of PHI that Covered Entities (CEs), such as hospitals and providers, may make without additional authorization from patients. Generally, a CE is permitted (but not required) to use and disclose PHI without an individual’s authorization for the following purposes or situations:
- Treatment, Payment, and healthcare Operations (commonly referred to as the “TPO” exception)
- Certain public interest and benefit activities, including:
  - When required by law
  - Public health activities (e.g. reporting certain communicable diseases, such as TB, to public health authorities)
  - Victims of abuse, neglect, or domestic violence
  - Health oversight activities
  - Judicial and administrative proceedings
  - Law enforcement
  - Research (under certain conditions)
  - Preventing or lessening a serious threat to health or safety
  - Essential government functions
  - Workers’ compensation
The Privacy Rule also establishes what is known as the Minimum Necessary Rule, which requires that CEs make a “reasonable” effort to use or disclose only the minimum PHI necessary to accomplish the intended purpose.
Today, health tech companies that fall under the HIPAA umbrella are called “business associates” (BAs) and must comply with HIPAA rules in order to avoid serious financial and legal repercussions and remain in business. The Elevation team can help your company navigate your responsibilities as a BA when handling PHI. In addition, we offer engaging and effective HIPAA courses that train health technology company staff to recognize PHI and keep it safe.
Stay tuned for our next blog, where we will break down the Security Rule and offer some best practices around it for health tech companies.