The HIPAA Privacy Rule went into effect April 14, 2003. It protects the confidentiality of patients' health data, or protected health information (PHI).
The Privacy Rule:
- Requires reasonable security measures to protect patients' health information
  - E.g. ensuring all staff receive HIPAA training
- Limits the use and disclosure of PHI
  - E.g. using and disclosing only the minimum PHI necessary to accomplish the intended purpose, such as reporting the result of the requested test
- Gives patients rights regarding their health information
  - E.g. the right to access their PHI and to request restrictions on PHI disclosures
The Privacy Rule requires that a Privacy Officer or Official be appointed. This person is responsible for developing and implementing the policies and procedures that keep the covered entity HIPAA compliant.
The Privacy Rule outlines PHI safeguards that ensure patient data is protected. Examples of these safeguards include HIPAA training, limiting building access with key cards, and tracking digital changes to PHI (audit trails).