The HIPAA Privacy Rule consists of numerous administrative, physical and technical standards to protect individuals' health information privacy and the confidentiality of their health information. These standards are national in scope and apply, for example, to certain health care providers (including providers at FSU, which may be referred to as covered or "health care" components) as well as to certain health plans such as group health or other medical insurance (including insurance provided to FSU employees, Medicare and Medicaid) that conduct certain health care transactions electronically. Once deemed subject to the HIPAA Privacy Rule, these health care providers and health plans are officially referred to as "covered entities". An individual's identifiable health information that covered entities use or disclose for covered functions such as furnishing, billing and paying for health care (including treatment, supplies and services), regardless of its form or format (e.g., paper, verbal, audio as well as electronic), may be referred to as "Protected Health Information" or PHI. Persons or entities that perform certain functions on behalf of covered entities and to whom a covered entity uses or discloses PHI are referred to as "business associates", to which the HIPAA Privacy Rule also applies.
At its most basic, the HIPAA Privacy Rule establishes limits, restrictions and conditions on the use and/or disclosure of PHI, including the requirement that such use and/or disclosure is ONLY permitted AFTER the individual to whom the PHI pertains (or their legal personal representative) provides a specific authorization ("HIPAA Authorization") for such use and/or disclosure. Some limited exceptions may apply, including uses and/or disclosures for research purposes, but only under very specific conditions. The HIPAA Privacy Rule also establishes rights that individuals have with regard to their PHI, including being informed about a covered entity's privacy practices; a written accounting of disclosures for research; inspecting and obtaining a copy of their health records; requesting corrections to their health information; and restricting certain uses and disclosures of PHI. Covered entities must provide a notice of their privacy practices on a public-facing web page.
Visit the U.S. Department of Health and Human Services to access their summary of the HIPAA Privacy Rule.