Office of Civil Rights Provides Guidance on HIPAA Privacy Rule

By Mike McLafferty

The Office of Civil Rights has issued guidance that provides valuable information related to the Standards for Privacy of Individually Identifiable Health Information [the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule], established by the U.S. Department of Health and Human Services (HHS). The privacy rule created, for the first time, national standards to protect individuals’ medical records and other personal health information.

The rule’s standards apply to three types of covered entities: health plans, health-care clearinghouses, and health-care providers that conduct certain transactions electronically. Compliance was required by April 2003 for large plans; small plans were given until April 2004. To comply, covered entities must implement standards to protect and guard against the misuse of individually identifiable health information. Failure to implement these standards may, under certain circumstances, trigger civil or criminal penalties.

The rule establishes basic federal protections for health information privacy. It does not replace federal, state, or other laws that grant individuals even greater privacy protections, and covered entities are free to retain or adopt more protective policies or practices.

The following benefits are received by patients; for more information, visit, the source for the information below. The privacy rule:

  • Gives patients more control over their health information;
  • Sets boundaries on the use and release of health records;
  • Establishes appropriate safeguards that health-care providers and others must achieve to protect the privacy of health information;
  • Holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights;
  • Strikes a balance when public responsibility supports disclosure of some data (e.g., to protect public health);
  • Enables patients to find out how their information may be used, and how certain disclosures of their information may have been made;
  • Limits the release of information to the minimum reasonably needed for the disclosure’s purpose;
  • Gives patients the right to examine and obtain a copy of their own health records and to request corrections; and
  • Empowers individuals to control certain uses and disclosures of their health information.

The privacy rule requires the average health-care provider or health plan to perform the following activities:

  • Notify patients about their privacy rights and how their data can be used;
  • Adopt and implement privacy procedures for its practice, hospital, or plan;
  • Train employees so that they understand the privacy procedures;
  • Designate a responsible individual to see that privacy procedures are adopted and followed; and
  • Secure patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

Entities are bound by the privacy standards even if they contract with business associates to perform some of their essential functions. The law does not give HHS the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits.

Mike McLafferty CPA, FACMPE, is a senior manager in the health-care services group at Amper, Politziner & Mattia, P.C., with 20 years of health-care experience. He can be contacted at (732) 287-1000, ext. 284, or




















The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs.