The Health Insurance Portability and Accountability Act (HIPAA) offers protections for millions of American workers that improve portability and continuity of health insurance coverage.
HIPAA protects workers and their families by:
Limiting preexisting condition exclusions
Providing certificates of creditable coverage
Providing special enrollment rights
Ensuring that individuals are not excluded from coverage, denied benefits, or charged more for coverage offered by a plan or issuer, based on health status-related factors
The Medical Privacy Rule at a Glance
The medical privacy rule implements certain privacy protections required by the Health Insurance Portability and Accountability Act of 1996. The standards appear at 45 CFR parts 160 and 164.
Covered entities. Public and private sector entities including health plans, health care clearinghouses, and health care providers who conduct administrative or financial transactions electronically are subject to the rules. Certain business associates who serve the health care industry are also affected.
Information protected. Covered information includes medical records or other data that contain individually identifiable health information that may be used or disclosed in any form such as electronically, on paper, or orally.
New patient rights. Patients must be given a clear written explanation of how health information will be used or disclosed, with such use or disclosure generally occurring only upon the patients’ written consent. Prior consents which provide equal or better protection may be relied upon. In addition, patients will generally have a right of access to their own medical information and may request an amendment to records and restrictions in use. A complaint procedure must be provided to resolve privacy violations.
Limits on use and release. Disclosures of health information should be limited to the minimum amount necessary for specified purposes, and nonmedical disclosures are permitted only upon a patient’s written authorization. Disclosures for public health or law enforcement purposes are permitted when required or permitted by law.
Organizational responsibilities. Covered organizations must adopt written privacy policies, designate a privacy officer, and conduct training for employees on the privacy policies.
Enforcement. The privacy rule is enforced by the Office of Civil Rights of the U.S. Health and Human Services Department. Civil and criminal penalties may be used when violations are found. Criminal penalties can go as high as $250,000.00 and 10 years in prison.
Enhanced standards improve privacy protections and security safeguards for consumer health data
Effective March 26, 2013, the U.S. Department of Health and Human Services (HHS) issued privacy rules to strengthen the privacy and security protections for health information established under HIPAA.
The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law. The changes in the final rulemaking provide the public with increased protection and control of personal health information. The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims. The changes announced expanded many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.
Individual rights have also been expanded in the following ways:
The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.
The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.
Source: US Department of Labor. Updated 01/28/2013.