The Privacy Rule controls the use and disclosure of certain information held by “covered entities,” such as health care clearinghouses, health insurers, and medical service providers.
The Privacy Rule establishes a policy for the use and disclosure of Protected Health Information (PHI). PHI is any information held by a covered entity that includes any part of an individual’s medical records or payment history.
The Privacy Rule gives individuals the right to request that a covered entity correct any inaccurate PHI. It also requires covered entities to take practical measures to ensure the privacy of communications with individuals. For example, an individual can request to be called at their work number instead of their home or cell phone number.
In addition, the Privacy Rule requires covered entities to inform individuals of uses of their PHI. Covered entities must also keep track of disclosures of PHI and document privacy policies and procedures. They must assign a Privacy Official and a contact person in charge of receiving complaints and training all members of their workforce in procedures concerning PHI.
An individual who believes that the Privacy Rule is not being upheld can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR).