The present paper discusses the main characteristics of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and a set of common debates, misuses, and misunderstandings surrounding it. The Privacy Rule primarily concerns the protection of privacy of individuals having medical insurance and their medical authority. The Act formulates the main premises for the disclosure of information, stipulates the types of information that are disclosable and non-disclosable, and identifies the main conditions with which every covered authority has to comply:
The Privacy Rule standards address the use and disclosure of individuals’ health information – called ‘protected health information’ by organizations subject to the Privacy Rule – called ‘covered entities’, as well as standards for individuals’ privacy rights to understand and control how their health information is used (Summary of the HIPAA Privacy Rule, 2003: p. 1).
The Privacy Rule was created to ensure the provision of high-quality health care for U.S. citizens while being flexible enough to correspond to the changing needs of both medical institutions and individuals subject to medical care services. Speaking about covered entities, the Summary of the HIPAA Privacy Rule gives the complete list of entities subject to its regulations: all types of health plans (except those not providing the health care directly and those who do it directly, i.e. community health center); health care providers; and health care clearinghouses (the responsibility of which is to process information and which receive selected information for that purpose, being eligible for only a certain set of provisions of the Privacy Rule) (Summary of the HIPAA Privacy Rule, 2003: pp. 2-3).
The Summary also discusses the concepts of protected health information and de-identified health information, justifying some cases of incidental use and disclosure.
Coming back to the issues raised in the FAQ section of the HIPAA site, it is necessary to address the question of the difference between consent and authorization. According to the Summary, consent is written permission from individuals to use and disclose their protected health information for treatment, payment, and health care operations (Summary of the HIPAA Privacy Rule, 2003: p. 5).
Speaking about authorization, the essence of the issue is slightly different, as it must be in plain language, and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data (Summary of the HIPAA Privacy Rule, 2003: p. 9).
There are some situations in which the HIPAA Privacy Rule allows the disclosure of information in addition to the cases involving the individuals’ needs, treatment, payment for health operations, and other medical care activities. These cases usually apply when the disclosures: are required by law; concern victims of abuse, neglect, or domestic violence; are needed by the health oversight agencies; are required for judicial and administrative proceedings and law enforcement purposes. Other cases may include taking care of a deceased individual, making organ donation and transplantation possible, using this information for specific types of research, cases of threat to health or safety, and the need to conduct some other specific government functions (Summary of the HIPAA Privacy Rule, 2003: pp. 4-8).