The primary objective of the Privacy Rule is to protect the privacy of all individually identifiable health information in the hands of covered entities, regardless of whether the information is or has been in electronic form. As such, HIPAA establishes the first “set of basic national privacy standards and fair information practices that provides all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care”. Here is what the Privacy standards do:
1. They give patients new rights to access their medical records, restrict access by others, request changes, and to learn how they have been accessed.
2. They restrict most disclosures of protected health information to the minimum necessary for healthcare treatment and business operations.
3. They provide that all patients are formally notified of covered entities’ privacy practices.
4. They enable patients to decide whether to authorize disclosure of their protected health information (PHI) for uses other than treatment or healthcare business operations.
5. They establish new criminal and civil sanctions for improper use or disclosure of PHI.
6. They establish new requirements for access to records by researchers and others.
7. They require business associate agreements with business partners, which obligate those partners to safeguard their use and disclosure of PHI.
The Privacy standards also call for a comprehensive compliance program. Its elements include:
1. Conducting an impact assessment to identify gaps between existing information practices and policies and the HIPAA requirements.
2. Reviewing the functions and activities of the organization’s business partners to determine where Business Associate Agreements are required.
3. Developing and implementing enterprise-wide privacy policies and procedures that put the Rule into practice.
4. Assigning a Privacy Officer who administers the organizational privacy program and enforces compliance.
5. Training all members of the workforce on HIPAA and the organization’s privacy policies.
6. Updating systems to ensure they provide adequate protection of patient data.