The Privacy Rule ensures that patients have the right to request to review PHI maintained by a “covered entity” (i.e., an eligible provider or hospital) and to submit corrections to the covered entity for any PHI that is inaccurate. In general, PHI is any information held by a covered entity that is associated with an individual and concerns the patient’s health status, the provision of health care, or payment for that health care. Covered entities (CEs) are required under HIPAA to disclose PHI to the patient within 30 days of a request, with certain caveats. The Office of Civil Rights (OCR) of the US Department of Health and Human Services (HHS) maintains resources on HIPAA Privacy for individuals and for professionals.
The Privacy Rule also requires CEs to take reasonable steps to ensure the confidentiality of communications with individuals. For example, an individual can ask to be called at his or her work number instead of a home or cell phone number.
Furthermore, the Privacy Rule requires covered entities to notify individuals of uses of their PHI. As such, CEs must also keep track of disclosures of patients’ PHI and provide patients with documentation regarding privacy policies and procedures.