HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives clients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
Business Associates are directly liable for uses and disclosures of PHI that are not covered under their BAA or the HIPAA Privacy Rule itself.
The Privacy Rule requires Business Associates to do the following:
- Do not allow any impermissible uses or disclosures of PHI.
- Provide breach notification to the Covered Entity.
- Provide either the individual or the Covered Entity access to PHI.
- Disclose PHI to the Secretary of HHS, if compelled to do so.
- Provide an accounting of disclosures.
- Comply with the requirements of the HIPAA Security Rule.