Copyright Goodheart-Willcox Co., Inc. 124 Unit 2 The Healthcare Environment

• receive a notice that informs them of how their health information may be used and shared
• decide if they want to give permission before their health information can be used or shared for certain purposes (such as marketing)
• obtain a report that explains when and why their health information was shared for certain purposes

The Privacy Rule sets limits on who can look at and receive health information. Patient information can be shared to ensure treatment and care coordination, to pay doctors and hospitals for healthcare services, to protect the public’s health (if a patient has a contagious disease, for example), and to make required reports to the police (such as reporting gunshot wounds). Health information cannot be used or shared without obtaining the patient’s written permission unless this law allows it. For example, without patient authorization, providers generally cannot give patient information to employers, use or share information for marketing or advertising purposes, or share private notes about a patient’s healthcare.

The Security Rule is related to electronic protected health information (e-PHI). This rule ensures confidentiality of all e-PHI that the covered entity receives, maintains, and transmits. The standards in this rule

HIPAA Regulations and Covered Entities
Entities that must follow the HIPAA regulations are referred to as covered entities. The Privacy Rule and Security Rule apply only to covered entities, which include the following.
A Healthcare Provider
a provider of services who conducts certain business electronically, such as electronically billing health insurance companies
Examples:
• chiropractors
• clinics
• dentists
• doctors
• hospitals
• nursing homes
• pharmacies
• psychologists

A Health Plan
with certain exceptions, an individual or group plan that provides or pays the cost of medical care; includes many types of organizations and government programs
Examples:
• health insurance companies
• health maintenance organizations (HMOs)
• government programs that pay for healthcare (military and veteran health plans, Medicare, Medicaid)

A Healthcare Clearinghouse
entities that process nonstandard health information they receive from another entity into a standard format (standard electronic format or data content), or vice versa
Example:
• billing service that processes or facilitates the processing of data from one format into a standardized billing format

Source: US Department of Health & Human Services
Figure 7.5 Covered entities must follow HIPAA’s Privacy Rule and Security Rule.