Frequently Asked Questions about the HIPAA Privacy Rule

What is the HIPAA Privacy Rule?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law with multiple goals. It is best known as the law that established the right for individuals to maintain health insurance coverage when they move from job to job. Other portions of the law affect health care providers. The privacy section of HIPAA, called the Privacy Rule, imposes restrictions on the use and disclosure of patient information. It gives new rights to patients and requires health care providers to adopt safeguards that protect patient privacy.

Why was the Privacy Rule issued?

One of the major goals of the HIPAA legislation is to improve the efficiency of health care by standardizing electronic transactions. All electronic health care billing soon will follow uniform federal standards. In order to protect those transactions, Congress required the Department of Health and Human Services to develop federal regulations that govern the privacy of health information.

Whom does the Rule cover?

The law governs "covered entities," which include health plans, health care clearinghouses, and health care providers who bill for their services electronically. The law also reaches a provider's business partners and vendors, since those partners must sign HIPAA-compliant contracts in which they agree to protect the health information they handle.

What information is covered?

The law covers Protected Health Information (PHI). HIPAA defines PHI as: individually-identifiable information, created or received by a covered entity, that relates to the past, present, or future physical or mental health condition, the delivery of health care or payment for health care. The Privacy Rule applies not only to information maintained in electronic format, but also to any identifiable patient information on paper or transmitted verbally.

What must health care providers do?

Providers must inform patients about their rights through a Notice of Privacy Practices. Under HIPAA, health information may be used only for treatment, payment or health care operations unless the patient gives written permission or federal law specifically allows the use. Apart from treatment activities, providers must use only the "minimum necessary" information to accomplish the intended purpose. Clinics and hospitals must implement new levels of office security and define appropriate levels of access to patient information for employees. Organizations must establish "business associate agreements" with vendors who handle their patient information, in order to ensure that those agents comply with the law. Policies and procedures must be established, and a "privacy official" must be appointed to ensure the organization's compliance. And finally, the regulations require that each member of our workforce receives special training about privacy protections.

What rights do patients have?

The Privacy Rule sets forth individual rights of access and control for patients and responsibilities for "covered entities" - health plans, health care clearinghouses, and health care providers who bill electronically for services. Patients have the following rights:

  • Right to receive a written Notice of Privacy Practices that describes how the institution will use patient information
  • Right to access and copy one's own medical record
  • Right to amend the record, where appropriate
  • Right to request special accommodations for communicating health information in a confidential manner
  • Right to request restrictions on the uses and disclosures of health information
  • Right to obtain a list of all non-routine disclosures
  • Right to complain about privacy violations to the institution and to the Department of Health and Human Services

How does HIPAA affect patient care?

HIPAA was written to minimize disruption in direct patient care. There are no restrictions on exchanging information to accomplish treatment. Providers can continue to disclose patient information related to referrals and consultations. Students and trainees are allowed to have access to all information that is appropriate to their participation in patient care. If providers believe that HIPAA implementation is hampering patient care, they are encouraged to consult with their institution's privacy official.

Can I use patient data for research?

HIPAA will affect the way researchers access patient data. If informed consent is being sought from the research subject, the subject must be informed of the planned uses and disclosures of their information through a privacy section in the consent form. The Privacy Rule also affects the process of research recruitment. Different requirements exist for projects that do not involve informed consent, such as retrospective chart reviews. When informed consent is not required, the researcher must meet certain standards for protecting the privacy of the data, depending on the source of the research data and the nature of the identifiers that are associated with the medical information being collected. Please refer to the Institutional Review Board (Human Subjects Committee) HIPAA Resources section of the KUMC website for detailed information.

How does the Privacy Rule affect other laws?

As a general rule, federal law supersedes state law. However, the HIPAA Privacy Rule does not preempt state laws that offer stronger protections for patient privacy. Additionally, the Privacy Rule leaves intact any state law that relates to reporting of disease or injury, child abuse, birth, or death, or to public health activities and investigations. State laws about the treatment of minors also will prevail.

Who will enforce the Privacy Rule?

The Privacy Rule is administered by the DHHS Office of Civil Rights.

How will the components of KUMC work together?

Under the HIPAA law, affiliated organizations can create a joint compliance program. The University of Kansas Medical Center, the University of Kansas Hospital Authority and its affiliates, the University of Kansas Physicians, Inc., and KU HealthPartners, Inc., have formed an "organized health care arrangement" whereby we can deliver a joint privacy notice and share patient information for joint activities in treatment, payment, and health care operations. The four partners of KU Medical Center also coordinate efforts in order to share resources and harmonize procedures. HIPAA contacts are:

Juli Wessel, University of Kansas Medical Center
jwessel@kumc.edu - 913.588.0940

Terri Thompson, The University of Kansas Physicians, Inc.
tthompson3@kumc.edu - 913.588.2526

Michelle Naus, KU HealthPartners, Inc.
mnaus@kumc.edu - 913.588.1604

Bob Spaniol, KU Hospital Authority
bspaniol@kumc.edu - 913.945.5216

Last modified: Feb 12, 2016