Office of Civil Rights Provides Guidance on HIPAA Privacy Rule
The Office of
Civil Rights has issued guidance that provides valuable
information related to the Standards for Privacy of Individually
Identifiable Health Information [the Health Insurance Portability
and Accountability Act (HIPAA) Privacy Rule], established
by the U.S. Department of Health and Human Services (HHS).
The privacy rule created, for the first time, national standards
to protect individuals’ medical records and other
personal health information.
The standards apply to three types of covered entities: health
plans, health-care clearinghouses, and health-care providers
that conduct certain transactions electronically. Compliance
was required by April 2003 for large plans; small plans
were given until April 2004. To comply, covered entities
must implement standards to protect and guard against the
misuse of individually identifiable health information.
Failure to implement these standards may, under certain
circumstances, trigger civil or criminal penalties.
The rule establishes
basic federal protections for health information privacy.
It does not replace federal, state, or other laws that grant
individuals even greater privacy protections, and covered
entities are free to retain or adopt more protective policies.
Patients receive a number of benefits under the rule; the HHS
guidance is the source for the information below. The privacy rule:
Gives patients more control over their health information;
Sets boundaries on the use and release of health records;
Establishes appropriate safeguards that health-care providers
and others must achieve to protect the privacy of health information;
Holds violators accountable, with civil and criminal penalties
that can be imposed if they violate patients’ privacy rights;
Strikes a balance when public responsibility supports
disclosure of some data (e.g., to protect public health);
Enables patients to find out how their information may
be used, and how certain disclosures of their information
may have been made;
Limits release of information to the minimum reasonably needed
for the disclosure’s purpose;
Gives patients the right to examine and obtain a copy
of their own health records and to request corrections;
Empowers individuals to control certain uses and disclosures
of their health information.
The rule requires the average health-care provider or health
plan to perform the following activities:
Notify patients about their privacy rights and how their
data can be used;
Adopt and implement privacy procedures for its practice,
hospital, or plan;
Train employees so that they understand the privacy procedures;
Designate a responsible individual to see that privacy
procedures are adopted and followed; and
Secure patient records containing individually identifiable
health information so that they are not readily available
to those who do not need them.
Covered entities remain bound by the privacy standards even if they contract with
business associates to perform some of their essential functions.
The law does not give HHS the authority to regulate other
types of private businesses or public agencies through this
regulation. For example, HHS does not have the authority
to regulate employers, life insurance companies, or public
agencies that deliver social security or welfare benefits.
McLafferty CPA, FACMPE, is a senior manager in the
health-care services group at Amper, Politziner & Mattia,
P.C., with 20 years of health-care experience. He can be contacted
at (732) 287-1000, ext. 284, or firstname.lastname@example.org.
The CPA Journal is broadly recognized as an outstanding, technical-refereed
publication aimed at public practitioners, management, educators,
and other accounting professionals. It is edited by CPAs for CPAs.
Our goal is to provide CPAs and other accounting professionals
with the information and news to enable them to be successful
accountants, managers, and executives in today's practice environments.
The New York State Society of CPAs.