The Privacy Rule
The HIPAA Privacy Rule is intended to give patients the ability to control who has access to their private healthcare data. You may already have been exposed to the effects of the Privacy Rule at your doctor's office. The statement of Privacy Policies is part of the requirements for HIPAA compliance for healthcare providers. Similarly, healthcare providers are required to obtain patients' permission before releasing any protected health information (PHI) to other entities.
Specifically, the Privacy Rule requires the following:
Healthcare providers must disclose their privacy policies to patients.
Patients must be given full access to their PHI and medical records.
Patients must provide permission to the healthcare provider in order for the provider to release PHI to another entity.
The disclosure of PHI is limited to the minimum details necessary for treatment or basic business practices.
The majority of the burden of the Privacy Rule falls on the healthcare provider. However, under the Business Associate Contract rules, IT solution providers are also responsible for implementing the Privacy Rule; responsibility is shared between the IT provider and the healthcare provider. Under the rule, healthcare providers are required to share PHI with the IT provider for management purposes, but the IT provider is in turn responsible for tracking access to that PHI and is subject to possible audit for privacy violations. Violations would result in the termination of the Business Associate Contract and subject the IT provider to possible civil or criminal action.