The HIPAA Privacy Rule.
Introduction.
The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes, for the first time, a set of national standards for the protection of certain health information. The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule, as well as standards for individuals’ privacy rights to understand and control how their health information is used.

A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being.
To review the entire rule itself, and for other additional helpful information about how it applies, visit the OCR website.
Statutory and Regulatory Background.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996. Sections 261 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information. Collectively these are known as the Administrative Simplification provisions.

HIPAA required the Secretary to issue privacy regulations governing individually identifiable health information if Congress did not enact privacy legislation within three years of the passage of HIPAA. Because Congress did not enact privacy legislation, HHS developed a proposed rule and released it for public comment on November 3, 1999. The final regulation, the Privacy Rule, was published December 28, 2000.
Who is Covered by the Privacy Rule?
- Individual and group plans that provide or pay the cost of medical care are covered entities. Health plans include health, dental, vision, and prescription drug insurers, health maintenance organizations (“HMOs”), Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers, and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. There are exceptions: a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity. Two types of government-funded programs are not health plans: (1) those whose principal purpose is not providing or paying the cost of health care, such as the food stamps program; and (2) those programs whose principal activity is directly providing health care, such as a community health center, or the making of grants to fund the direct provision of health care. Certain types of insurance entities are also not health plans, including entities providing only workers’ compensation, automobile insurance, and property and casualty insurance.
- Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule.
- Health care clearinghouses are entities that process nonstandard information they receive from another entity.
Business Associates.
A business associate is a person or organization other than a member of a covered entity’s workforce that performs certain functions that involve the use or disclosure of individually identifiable health information. Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.

Sample business associate contract language is available on the OCR website.
What Information is Protected?
The Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.