HIPAA


Notice of Privacy Practices

Each covered entity, with certain exceptions, must provide a notice of its privacy practices. The Privacy Rule requires that the notice contain certain elements. The notice must describe the ways in which the covered entity may use and disclose PHI. The notice must state the covered entity's duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice. The notice must describe individuals' rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated. The notice must include a point of contact for further information and for making complaints to the covered entity.

Security Rule

Establishes national standards to protect individuals' electronic PHI that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Covered entities

Healthcare clearinghouses, health plans and healthcare providers

Administrative simplification provisions

Required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security.

Breach Notification Rule

Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information; covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media.

Designated record set

That group of records maintained by or for a covered entity that is used, in whole or part, to make decisions about individuals, or that is a provider's medical and billing records about individuals or a health plan's enrollment, payment, claims adjudication, and case or medical management record systems.

What is the purpose of the Privacy Rule?

The major purpose of the Privacy Rule is to define and limit the circumstances in which an individual's protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual's personal representative) authorizes in writing.

When do individuals have the right to obtain an accounting of disclosures?

Individuals have a right to an accounting of the disclosures of their protected health information by a covered entity or the covered entity's business associates. The maximum disclosure accounting period is the six years immediately preceding the accounting request, except a covered entity is not obligated to account for any disclosure made before its Privacy Rule compliance date.

What information is protected by HIPAA?

Protected Health Information (PHI). The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996. Sections 261 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information. Collectively these are known as the Administrative Simplification provisions.

Who is covered by the HIPAA Privacy Rule?

The Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the "covered entities").

In what situations can individuals have covered entities amend their PHI?

The Rule gives individuals the right to have covered entities amend their PHI in a designated record set when that information is inaccurate or incomplete. If a covered entity accepts an amendment request, it must make reasonable efforts to provide the amendment to persons that the individual has identified as needing it, and to persons that the covered entity knows might rely on the information to the individual's detriment. If the request is denied, covered entities must provide the individual with a written denial and allow the individual to submit a statement of disagreement for inclusion in the record.

When does the Privacy Rule not require accounting for disclosures?

Disclosures (a) for treatment, payment, or health care operations; (b) to the individual or the individual's personal representative; (c) for notification of or to persons involved in an individual's health care or payment for health care, for disaster relief, or for facility directories; (d) pursuant to an authorization; (e) of a limited data set; (f) for national security or intelligence purposes; (g) to correctional institutions or law enforcement officials for certain purposes regarding inmates or individuals in lawful custody; (h) incident to otherwise permitted or required uses or disclosures.

Business associate

A business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.

What is meant by "minimum necessary"?

A central aspect of the Privacy Rule is the principle of "minimum necessary" use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request. The minimum necessary requirement is not imposed in any of the following circumstances: (a) disclosure to or a request by a health care provider for treatment; (b) disclosure to an individual who is the subject of the information, or the individual's personal representative; (c) use or disclosure made pursuant to an authorization; (d) disclosure to HHS for complaint investigation, compliance review or enforcement; (e) use or disclosure that is required by law; (f) use or disclosure required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules.

Permitted uses and disclosures of PHI

A covered entity is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations: (1) to the individual who is the subject of the information (disclosure is required, not merely permitted, when the individual requests access or an accounting of disclosures); (2) treatment, payment, and health care operations; (3) situations in which the individual has an opportunity to agree or object; (4) incident to an otherwise permitted use and disclosure; (5) public interest and benefit activities; (6) a limited data set for the purposes of research, public health or health care operations.

Do psychotherapy notes require authorization?

A covered entity must obtain an individual's authorization to use or disclose psychotherapy notes, with the following exceptions: • The covered entity that originated the notes may use them for treatment. • A covered entity may use or disclose the psychotherapy notes without an individual's authorization for its own training; to defend itself in legal proceedings brought by the individual; for HHS to investigate or determine the covered entity's compliance with the Privacy Rule; to avert a serious and imminent threat to public health or safety; to a health oversight agency for lawful oversight of the originator of the psychotherapy notes; for the lawful activities of a coroner or medical examiner; or as required by law.

When is authorization required to use or disclose an individual's PHI?

A covered entity must obtain the individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.

A few more administrative requirements

A covered entity must: (a) maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, and the disposition of complaints; (b) not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule.

More administrative requirements

A covered entity must: (a) maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit incidental use and disclosure arising from otherwise permitted or required uses and disclosures; (b) have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule, and must explain those procedures in its privacy notice.

Administrative requirements include what?

A covered entity must: (a) develop and implement written privacy policies and procedures that are consistent with the Privacy Rule; (b) designate a privacy official responsible for developing and implementing its privacy policies and procedures; (c) train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions, and have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule; (d) mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.
