Clarke & Company Benefits HIPAA Rules Description
The HIPAA Privacy Rule governs the use and disclosure of personally identifiable health information. Clarke & Company Benefits key provisions of the Privacy Rule are listed in the previous post and below.
Permitted uses and disclosures
The Privacy Rule provides that PHI may not be used or disclosed other than as permitted by the Privacy Rule. The main permitted uses are for treatment of the individual, payment for the individual’s health care and health care operations of the covered entity. PHI may also be disclosed to plan sponsors for purposes of plan administrative activities. In some cases, disclosures may be made to an individual’s family and/or friends and for specific public policy purposes.
Specific authorization must be obtained prior to any disclosure that is not expressly permitted by the Privacy Rule. Employers that sponsor health plans may not gain access to health information for employment-related purposes without the participant’s written HIPAA authorization.
Covered entities may disclose PHI to certain vendors or service providers, known as business associates, if a proper contract protecting the PHI is in place. Business associates are also required by law to comply with some provisions of the Privacy Rule. Minimum necessary standard In general, when a covered entity uses, discloses or requests PHI, it must limit its use, disclosure or request to the minimum necessary amount of information to accomplish the intended purpose. Disclosures for treatment purposes and requests made by the patient for information regarding his or her own medical records are not subject to the minimum necessary standard.
Covered entities must comply with certain administrative requirements, such as appointing a privacy official, implementing safeguards to protect PHI and training members of the workforce. There is an exception for fully insured plans that do not receive PHI from the health insurance carrier. These plans are not required to comply with the Privacy Rule’s administrative requirements, including the requirement to maintain and distribute a Notice of Privacy Practices to plan participants.
State privacy laws
Where a state has passed a law that conflicts with the Privacy Rule, the law that provides the greater privacy protections applies.
To learn more about EDI and become a certified EDI Professional please visit our course schedule page.