Summary of HIPAA Privacy Rule

The Privacy Rule is a set of national standards for the protection of certain health information. These standards address the use and disclosure of individual's health information called, "Protected Health Information", by covered entities or hybrid entities, as well as standards for individual's privacy rights.

A major goal of the Privacy Rule is to assure that individual's health information is properly protected while allowing  the flow of health information needed to provide high quality health care and to protect the public's health and well-being.

This is a summary of key elements of the Privacy Rule and not a complete or comprehensive guide to compliance. Because this is an overview, it does not address every detail of each provision. For the complete UNC HIPAA Policy . For additional information go to: U.S. Department of Health and Human Services

• Who is Covered by the Privacy Rule

  The Privacy Rule applies to:

  • Health Plans - Includes employer-sponsored health plans, government and church sponsored health plans, and multi-employer health plans
  • Health Care Providers - Every health care provider, regardless of size, who electronically transmits health information, including Insurance claims, benefit eligibility, referrals and authorizations, requests, or other transactions. Health Care Providers include all "providers of service" (e.g. institutional providers, providers of medical or health services, physicians, dentists and other practitioners, any person or organization that furnishes, bills, or is paid for health care)
  • Business Associates - Persons or Organizations whose functions or services involve the use or disclosure of protected health information and those who may have access to any protected health information. The Privacy Rule requires a "Business Associate Agreement" when a covered entity or hybrid entity uses a contractor or other non-workforce member to perform services or activities that may involve use or access to individually identifiable information
  • Hybrid Entities- A "hybrid entity" means an institution with both HIPAA-covered and non-covered functions.  UNC is a hybrid entity.  The HIPAA-covered functions of the institution are often referred to as the "health care components."  For example, the Student Health Center, is a part of UNC's health care components, while the School of Music is not.
• What Information is Protected

  The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or verbal. The Privacy Rule refers to this information as PHI - Protected Health Information. Click here for a list of PHI.

• Uses and Disclosures of Individually Identifiable Health Information

  A major purpose of the Privacy Rule is to limit the circumstances in which an individual's protected health information may be used or disclosed by Hybrid Entities. A covered entity may not use or disclose PHI, except (1) as the Privacy Rule permits or requires, or (2) as the individual who is the subject of the information (or the individual's personal representative) authorizes in writing.

  Required Disclosures - A covered entity must disclose PHI to:

  • Individuals specifically when they request access to, or an accounting of disclosures of their protected health information (must sign authorization to release PHI)
  •  To Health and Human Services when it is undertaking a compliance investigation or review or enforcement action (see Government Access for more information).
  • To Public Health when required by law

  For more information go to Permitted Uses and Disclosures

•  Authorized Uses and Disclosures

   A Hybrid Entity must obtain the individual's written authorization for any use or disclosure of PHI that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.

  For more information go to Authorizations

• Limiting Uses and Disclosures to the Minimum Necessary

  A central aspect of the Privacy Rule is the principle of "minimum necessary". A covered entity must make reasonable efforts to use and request only the minimum amount of PHI needed to accomplish the intended purpose.

  To learn more go to Minimum Necessary

• Notice and Other Individual Rights

  Each covered entity must provide a notice of its privacy practices. The Privacy Rule requires that the notice contain certain elements and must describe the ways in which the covered entity may use and disclose PHI.

  For more detailed information and an example go to Notice of Privacy Practice and Privacy Rights

• Administrative Requirements

   The Privacy Rule requires certain administrative requirements. These requirements can be found at:

  Administrative Requirements

• Research Requirements

   The HIPAA Privacy Rule establishes conditions under which PHI may be used or disclosed by covered entities for research purposes. The Privacy Rule protects the privacy of individual identifiable health information while at the same time ensuring that researchers continue to have access to information necessary to conduct vital research. For more information from Health and Human Services go to Research or open the University of Northern Colorado Data Security Policy for Research Projects.