This is the second in a series of three posts that cover the background of the Health Insurance Portability and Accountability Act (HIPAA), HIPAA requirements, and HIPAA compliance strategies for startups and small businesses. The aim of this series is to make the privacy provisions of HIPAA accessible and understandable to startups and small businesses. In our previous post, we provided an overview of HIPAA and the type of entities and information covered by its rules. Please read that post to become familiar with the general concepts and terminology used here. In this second post, we discuss HIPAA requirements that startups and small businesses must know.
What Type Of Protection Does HIPAA’s Privacy Rule Require?
The cornerstone of HIPAA's requirements is that covered entities and business associates may not disclose personal health information (PHI) unless such disclosure is either (i) sanctioned by HIPAA’s privacy provisions, or (ii) specifically authorized by the individual. Under the first category of permitted disclosure, HIPAA allows disclosure without individual authorization in six different areas:
- Directly to the individual to whom the PHI belongs;
- For treatment, payment, and health care operations;
- Informal consent where the individual is granted an opportunity to agree or object to disclosure;
- Incidental disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted;
- Specific public interest and benefit activities; and
- Limited disclosure for the purposes of research, public health, or health care operations.
Outside of these six areas, individual authorization is required by HIPAA. The law also espouses the principle of “minimum necessary,” requiring covered entities to “develop and implement policies and procedures to reasonably limit uses and disclosures” to the minimum amount of necessary PHI. (Read Part 1 of this series for a definition of what a covered entity means).
What Policies Does HIPAA’s Privacy Rule Require?
HIPAA requires covered entities to make implement certain policies with regard to PHI. Some of the directed implementations include:
- The adoption of written privacy procedures (including administrative safeguards and physical and technical security);
- The designation of a company privacy officer;
- The signing of confidentiality agreements with business associates;
- The provision of written notice regarding privacy practices and information access to individual consumers;
- The chance for customers to request restrictions, accountability, and alternative methods of information sharing; and
- The establishment of a complaint resolution process.
For a detailed explanation of HIPAA’s requirements, please visit the U.S. Department of Health and Human Services section on Health Information Privacy here.
DISCLAIMER: The information in this article is provided for informational purposes only and should not be construed or relied upon as legal advice. This article may constitute attorney advertising under applicable state laws.
