The HIPAA Privacy Rule creates national standards to protect individuals' health records and gives individuals control over that information. It sets limits on the use and disclosure of health records and establishes standards for both the privacy and the security of health information. Health plans are HIPAA covered entities and may not use or disclose an individual's protected health information without authorization except for treatment, payment, or healthcare operations. A typical plan must:
• Provide plan participants with a notice of privacy rights.
• Adopt and implement privacy procedures.
• Train employees to understand the privacy procedures.
• Assign responsibility for seeing that the privacy procedures are adopted and followed.
• Secure records containing individually identifiable health information.
Compliance obligations are reduced for plans that share only limited information with plan sponsors.
The privacy and security requirements now apply directly to business associates, and covered entities must provide notice of privacy and/or security breaches to affected individuals.