OCR Privacy Rule Summary 2 Last Revised 05/03
three years of the passage of HIPAA. Because Congress did not enact privacy
legislation, HHS developed a proposed rule and released it for public comment on
November 3, 1999. The Department received over 52,000 public comments. The
final regulation, the Privacy Rule, was published December 28, 2000.[2]
In March 2002, the Department proposed and released for public comment
modifications to the Privacy Rule. The Department received over 11,000 comments.
The final modifications were published on August 14, 2002.[3] A text
combining the final regulation and the modifications can be found at 45 CFR Part
160 and Part 164, Subparts A and E on the OCR website:
http://www.hhs.gov/ocr/hipaa.
Who is Covered by the Privacy Rule
The Privacy Rule, as well as all the Administrative Simplification rules, apply to
health plans, health care clearinghouses, and to any health care provider who
transmits health information in electronic form in connection with transactions for
which the Secretary of HHS has adopted standards under HIPAA (the “covered
entities”). For help in determining whether you are covered, use the decision tool at:
http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp.
Health Plans. Individual and group plans that provide or pay the cost of medical
care are covered entities.[4] Health plans include health, dental, vision, and
prescription drug insurers, health maintenance organizations (“HMOs”), Medicare,
Medicaid, Medicare+Choice and Medicare supplement insurers, and long-term care
insurers (excluding nursing home fixed-indemnity policies). Health plans also
include employer-sponsored group health plans, government and church-sponsored
health plans, and multi-employer health plans. There are exceptions—a group health
plan with less than 50 participants that is administered solely by the employer that
established and maintains the plan is not a covered entity. Two types of government-
funded programs are not health plans: (1) those whose principal purpose is not
providing or paying the cost of health care, such as the food stamps program; and (2)
those programs whose principal activity is directly providing health care, such as a
community health center,[5] or the making of grants to fund the direct provision of
health care. Certain types of insurance entities are also not health plans, including
entities providing only workers’ compensation, automobile insurance, and property
and casualty insurance.
Health Care Providers. Every health care provider, regardless of size, who
electronically transmits health information in connection with certain transactions, is
a covered entity. These transactions include claims, benefit eligibility inquiries,
referral authorization requests, or other transactions for which HHS has established
standards under the HIPAA Transactions Rule.[6] Using electronic technology, such as
email, does not mean a health care provider is a covered entity; the transmission must
be in connection with a standard transaction. The Privacy Rule covers a health care
provider whether it electronically transmits these transactions directly or uses a
billing service or other third party to do so on its behalf. Health care providers
include all “providers of services” (e.g., institutional providers such as hospitals) and
“providers of medical or health services” (e.g., non-institutional providers such as
physicians, dentists and other practitioners) as defined by Medicare, and any other
person or organization that furnishes, bills, or is paid for health care.