The HIPAA Privacy Rule

Our business law firm assists physicians and other healthcare providers with regard to regulatory compliance, including HIPAA issues. We offer services to prevent HIPAA legal issues (e.g., risk assessments) and defend our clients’ interests where a HIPAA issue has occurred (e.g., HIPAA audit defense). Our law firm can assist your medical practice or other healthcare business in avoiding or resolving costly HIPAA issues.

Atlanta and Augusta Healthcare Law Firm

Naturally, patients take the privacy of their health information very seriously. HIPPA was designed to standardize the processing of administrative and financial transactions to better protect personal and private information. The price of breaking the privacy and security standards of HIPAA can be severe for physicians and physician practices.

The privacy and security standards are two of four major information standards found in HIPAA and are designed to protect confidentiality and availability of an individual’s healthcare information. These are the two standards that provide the most legal hazards and headaches for physicians and physician practices. The Privacy Rule was a requirement set in 2003 that created a national minimum standard for the protection of patients’ protected health information (PHI). This rule stipulates how PHI can be used and disclosed by any entity that comes into contact with it, allows greater rights to individuals to gain access to and control the use of their PHI, and creates new mandates on covered entities to respect those rights.

The purpose of the HIPAA Privacy Rule is to set clear boundaries on what circumstances allow a covered entity to use or disclose an individual’s PHI. Any circumstance outside of what the Privacy Rule requires or permits is not allowed unless the individual patient gives written authorization prior to the specified use or disclosure. Generally speaking, the HIPAA Privacy Rule only requires a covered entity to disclose PHI in two scenarios:

  1. To individuals specifically when they request access to their PHI or an account of disclosures of their PHI
  2. To the Department of Health and Human Services when it is conducting a compliance investigation

The HIPAA Privacy Rule does not require but does permit a covered entity to disclose a patient’s PHI without their authorization for these situations:

  1. To the individual (unless required as mentioned in #1 above) or to the personal representative of a minor child (when not inconsistent with state or other law)
  2. For treatment, payment, and healthcare operations purposes
  3. In certain specified situations, where the individual has been given a chance to agree or object beforehand
  4. When it is incidental or a by-product of an otherwise permitted use or disclosure
  5. For public interest and benefit activities such as reporting victims of abuse, domestic violence, etc. (except where prohibited by federal or state law)
  6. In a limited data set for research or public health when personally identifiable information has been removed from the data

Any other use or disclosure of an individual’s PHI that is not listed above is prohibited under the Privacy Rule. Any circumstances outside of those listed require the written permission of the individual to use or disclose their PHI through the use of a HIPAA authorization document. Physicians and physician practices should be mindful that any such authorization document must be written in plain language for the individual and must specify in detail what PHI will be used, how it will be used and disclosed, and include a provision for the patient to revoke their authorization at any time.

While legislations like HITECH and HIPAA help to better protect patients’ health information, it also provides the opportunity for countless headaches on the administrative end of a physician practice. Physicians and office managers should always seek the assistance of experienced healthcare lawyers to clear the myriad of webs created by regulatory compliance laws.

A Georgia and South Carolina Healthcare Law Firm

Our business law firm focuses on representing physicians and healthcare businesses with regard to many unique legal issues they confront in today's healthcare business environment, including HIPAA compliance. We have offices in midtown Atlanta (404-685-1662) and downtown Augusta, Georgia (706-722-7886) or email us at info@hamillittle.com.