HIPAA Privacy Standards

Privacy vs. Security Rule

The Privacy Rule requires certain policies and procedures to be instituted by all covered entities. The Security Rule specifically outlines certain standards, which must be met or addressed by alternative methods. Additionally, there is a difference with regards to the areas where security measures are applied. The Privacy Rule outlines security measures that are to be implemented in all business areas and processes, electronic as well as physical processes. The Security Rule applies only to security measures for electronic protected health information (EPHI) that is transmitted, stored, or manipulated.

Privacy Standards

On August 14, 2002 the Department of Health and Human Services released the final Privacy regulations. The Privacy regulations required all covered entities to comply with the regulations by April 14, 2003.

The Privacy regulations establish safeguards to protect an individual's health information by restricting the uses and disclosures of protected health information. In addition, individuals have more rights including the right to access and amend an individual's protected health information. Whether the information is spoken, electronically transmitted, or written on paper, an individual's health information is protected by this rule.

For additional information, visit the Health & Human Services website for details on the Privacy Rule or to contact the Office for Civil Rights.

Highlights of the Privacy Rule

Privacy Notice - All health plans and health care providers are required to provide their members with a copy of their Notice of Privacy Practices. The Notice describes the policies, safeguards, and practices for protecting the individual's confidential information as well as how to exercise an individual right and file a privacy-related complaint.

Individual Rights - Individuals have the right to access, copy and request amendments to their own information from CareFirst. Individuals may also request an accounting of to whom their information has been provided for certain purposes not related to treatment, payment or health care operations. An example would be a release of information for a subpoena or to resolve a worker's compensation claim. The forms to invoke an individual right are available online in the Member Resources section.

Authorizations and Personal Representatives - A member can authorize another person to call CareFirst on their behalf to discuss protected health information by completing an Authorization for Release of Information or Personal Representative forms. General or benefit information can be provided without submitting either form. Members have the right to cancel an authorization or personal representative by contacting Member Services, writing a letter or submitting a Revocation form.

CareFirst is committed to protecting the confidentiality of members' health care information. Please call the CareFirst Privacy Office with any privacy-related inquiries at 800-853-9236.