The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate(s), in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." “Individually identifiable health information” or PHI, is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or the past, present, or
- future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
Under the Privacy Rule:
- You have the right to access, inspect, and obtain a copy of your protected information;
- You have the right to amend your protected health information;
- You have the right to request restrictions on uses and disclosures of your protected health information;
- You have a right to an explanation of the legal duties and privacy practices of those who have your protected health information;
- You have the right to receive confidential communications regarding your protected health information;
- You have the right to request an accounting of disclosures of your protected health information;
- You have the right to file a formal written complaint with those who have your protected health information , or with the Department of Health and Hunan Services, if you believe that your privacy rights have been violated. You may not be retaliated against for filing a complaint.
Permitted Uses and Disclosures. A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations.
These privacy rules are assured under the Health Insurance Portability & Accountability Act of 1996 and are enforced by:
U.S. Department of Health and Human Services
Office of Civil Rights
200 Independence Avenue
S.W. Washington, D.C. 2021