[45 CFR §§ 160, 162, 164]
The HIPAA Privacy Rule applies to HIPAA Covered Entities and their Business Associates. The Privacy Rule protects all individually identifiable health information in any form or media (electronic, paper, or oral), and Covered Entities protect that information by complying with the required safeguards defined by the HIPAA Security Rule. This information is referred to as Protected Health Information (PHI).
The Privacy Rule excludes from PHI any employment records that a Covered Entity maintains in its capacity as an employer and any student health information contained in education records subject to protection under the Family Educational Rights and Privacy Act (FERPA), 20 USC § 1232(g).
There are no restrictions on the use or disclosure of de-identified health information that neither identifies nor provides a reasonable basis to identify an individual.
A Covered Entity may not use or disclose PHI unless:
A Covered Entity must disclose PHI to:
A Covered Entity is permitted, but not required, to use and disclose PHI without an individual authorization:
Each individual has a right to adequate notice of
The notice must be in plain language, include an effective date, and include contact information for individuals who want more information about the Covered Entity’s privacy policies. The notice must be made available to any person who asks for it and should be prominently posted on any website the Covered Entity maintains that provides information about its customer services or benefits.
Covered Entities who provide treatment must provide the notice to the individual no later than the date of first service delivery and, except in an emergency treatment situation, make a good faith effort to obtain the individual’s written acknowledgement of receipt of the notice. If the first service delivery is provided electronically, then the Covered Entity must send an electronic notice automatically and contemporaneously in response to the individual’s first request for service.
Violations of HIPAA and the HIPAA Privacy Rule carry both civil and criminal penalties.
To assist in auditing compliance with HIPAA privacy requirements, NIU follows guidelines and checklists established by the National Institute of Standards and Technology (NIST), specifically NIST Special Publication (SP) 800-53, Revision 4, Appendix J: the Privacy Control Catalog in Security and Privacy Controls for Federal Information Systems and Organizations.