HIPAA Privacy Laws for Employees

The Health Insurance Portability and Accountability Act (HIPAA) was created in 1996. To enforce the standards set forth by HIPAA, the United States Department of Health and Human Services (HHS) issued the Privacy Rule. According to the HHS, the Privacy Rule addresses the use of protected health information and the patient's right to understand and control how their information can be used.

    Use and Disclosure of Information Laws

    • The rule of minimum necessary applies to any use and disclosure of protected health information, meaning that the minimum amount of information is disclosed to the minimum number of people for its intended use. Cases where full disclosure is allowed include requests by a health care provider for use with treatment, requests by the protected individual or the individual's representative, requests with authorization from the protected individual, and disclosure or use required by law or other compliance investigation.

    Laws for Organization

    • Administrative staff are required by law to take certain steps to ensure that the organization, large or small, is compliant with HIPAA and the Privacy Rule. These steps include implementing policies and procedures, appointing a privacy official responsible for educating staff and regulating policies and procedures, training employees regarding the Privacy Rule, creating safeguards to protect health information, addressing complaints, and educating the protected individuals as to their rights.

    State Law

    • In case a state law contradicts the Privacy Rule, meaning that it would be impossible for an employee to comply with the state law and the Privacy Rule, the federal law and Privacy Rule prevail.

    Enforcement and Penalties

    • The Privacy Rule is enforced in several ways. Complaints are investigated, compliance reviews are conducted, and education and outreach are performed to ensure compliance with the rules and regulations for the Privacy Rule. If noncompliance is found, certain steps are taken. The organization or violator is given the chance to comply voluntarily and is offered assistance in doing so. Failing to comply will result in civil money penalties, and certain violations may result in criminal prosecution.
