HIPAA and Blood Borne Pathogens
Covered entities are permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations:
(1) To the individual who is the subject of the information (unless required for access or accounting of disclosures).
(2) Treatment, Payment, and Health Care Operations.
(3) Opportunity to agree or object. A covered entity may use or disclose PHI provided the individual is informed in advance of the "use or disclosure" and has the opportunity to agree to, prohibit, or restrict the "use or disclosure". The individual's verbal agreement or objection is acceptable.15
(4) Incident to an otherwise permitted use and disclosure. If the individual is not present, or the opportunity to agree or object cannot be provided because of the individual's incapacity or an emergency situation, the covered entity may exercise professional judgement to determine whether disclosure of the PHI is in the best interest of the individual.16
Workers' Compensation. Covered entities are permitted to disclose PHI as authorized by, and to the extent necessary to comply with, workers' compensation programs and other laws relating to work-related health information.29
(6) Limited Data Set for the purposes of research, public health or health care operations. A limited data set is protected health information that excludes the following direct identifiers: names; address; telephone number; fax number; email address; social security number; medical record number; health plan beneficiary numbers; account numbers; certificate and license numbers; vehicle identifier information, including serial numbers and license plate numbers; device identifiers and serial numbers; URLs; IP addresses; and biometric identifiers such as fingerprints, voice prints and full-face photographic images.30
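To make the exclusion list above concrete, here is an added Python example (not from the original page) that removes the listed direct identifiers from a structured record and scrubs the identifier patterns that commonly leak into free-text notes, then re-checks the result. The field names and the sample record are constructed assumptions, not a real schema.

```python
import re
from copy import deepcopy

# Direct identifiers a limited data set must exclude, as listed on this page.
# The field names are assumed; a real system would map its own schema onto them.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "telephone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "certificate_license_number",
    "vehicle_identifier", "license_plate", "device_serial",
    "url", "ip_address", "biometric", "full_face_photo",
}

# Patterns for identifiers that tend to leak into free-text fields (notes, comments).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+|\bwww\.\S+", re.IGNORECASE),
}


def scrub_text(text):
    """Replace direct identifiers found in free text with a labelled token."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[REDACTED-{label.upper()}]", text)
    return text


def to_limited_data_set(record, free_text_fields=("notes",)):
    """Return a copy of record with direct identifier fields dropped and free text scrubbed.

    Fields outside the direct-identifier list (dates, zip code, diagnosis, ...) are kept,
    which is what distinguishes a limited data set from fully de-identified data.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in free_text_fields and isinstance(value, str):
            value = scrub_text(value)
        out[key] = deepcopy(value)
    return out


def residual_identifiers(record):
    """Audit a record: list any direct identifier fields or free-text pattern matches
    that remain. Returns a list of (field, reason) tuples; an empty list means clean."""
    findings = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            findings.append((key, "direct identifier field present"))
        elif isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    findings.append((key, f"{label} pattern in text"))
    return findings


# Constructed sample record with fictional values, for demonstration only.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "medical_record_number": "MRN-0001",
    "email": "jane@example.org",
    "zip_code": "27601",
    "admission_date": "2024-03-02",
    "diagnosis": "Type 2 diabetes",
    "notes": "Pt reachable at 919-555-0123 or jane@example.org; portal https://portal.example.org/u/42",
}

if __name__ == "__main__":
    lds = to_limited_data_set(SAMPLE_RECORD)
    print(lds)
    print("residual identifiers:", residual_identifiers(lds))
```

Run the audit function over the original record as well to see why each field was dropped; it reports the direct-identifier fields and the three patterns hidden in the notes.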
Health Care Clearinghouses
Health care clearinghouses are public or private entities, including billing services, repricing companies, community health management information systems, community health information systems and value-added networks, that process or facilitate the processing of health information received from another entity into a standard format or data content, or vice versa.4 In most instances, health care clearinghouses will receive individually identifiable health information only when providing these processing services to a health plan or health care provider as a business associate. In those instances, only certain provisions of the Privacy Rule are relevant to the health care clearinghouse's use and disclosure of protected health information.5
Health care operations are certain administrative, legal, financial and quality improvement activities a covered entity uses to run their business and support functions of treatment and payment. These activities may include any of the following:
quality assessment and improvement activities, including case management and care coordination;
competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation;
conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs;
specified insurance functions, such as underwriting, risk rating, and reinsuring risk;
business planning, development, management, and administration;
business management and general administrative activities of the entity, including but not limited to de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.
The Privacy Rule protects all individually identifiable information as it relates to:
the individual's past, present or future physical or mental health or condition;
the provision of health care to the individual; or
the past, present, or future payment for the provision of health care to the individual,
where the individual can be identified or there is reason to believe the individual can be identified.
Identifiable health information includes any personal identifiers such as:
the person's name
the person's address
the person's birth date and place of birth
a social security number
a medical record number
a telephone number or cell phone number
a fax number
a personal email address
photographic images of an individual
a health plan beneficiary number
a voice recording
any other characteristic which may identify a person
Retaliation and Waiver
If an individual files a complaint against the covered entity, the covered entity may not retaliate against that person for exercising rights provided by the Privacy Rule. The covered entity also may not require the individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, enrollment or benefits eligibility.
De-Identified Health Information
If an individual's protected health information has been de-identified, there is no restriction on the use of this information.9 De-identified health information should not identify or provide any reasonable basis to identify an individual.
Enforcement and Penalties for Noncompliance
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for administering and enforcing the Privacy Rule and Security Rule when covered entities are not in compliance. OCR may conduct complaint investigations and compliance reviews. Covered entities that intentionally fail to comply with the standards may be subject to civil money penalties, and certain violations of the Privacy Rule may be subject to criminal prosecution.
Health Oversight Activities. Covered entities may usually disclose PHI to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; and civil, administrative or criminal proceedings or actions.21
Judicial and Administrative Proceedings. A covered entity may disclose PHI in the course of a judicial or administrative proceeding.22
As a nurse, you may have access to the patient's medical record in an electronic or paper format, such as a chart. Examples of where protected health information appears include:
incoming fax sheets
financial records
data used for research
patient identification bracelets
prescription bottle labels
video recordings of a patient
Physical Safeguards
Physical measures, policies and procedures are required to protect the entity's or business associate's electronic information systems, as well as related buildings and equipment, from natural and environmental hazards and unauthorized intrusion.41 In 2014, Parkview Health Systems was fined $800,000 because employees left 71 boxes containing 5,000 to 8,000 patient records on a physician's front porch.42 Although healthcare facilities assign passwords for employees to log on to workstations and laptops, additional measures must be in place to prevent equipment from being stolen, lost or misplaced. Procedures may include securing equipment by locking doors, installing video monitoring of workstation use, property control tags, ID badges, visitor badges and a private security patrol. Employees should have physical access to electronic equipment only as their job description requires. Computers in areas frequented by patients and visitors should be placed where the screen cannot be read. Some facilities use privacy screens that make viewing the screen difficult for bystanders. Other physical safeguards involve proper disposal of protected health information. The Security Rule requires proper disposal of electronically stored PHI.43 This can be accomplished by clearing, purging or destroying the media. For instance, to clear electronic media one might use a software program or hardware product that overwrites the media with non-sensitive data. Purging can be accomplished by exposing the media to a strong magnetic field, a process called degaussing. Other methods include disintegration, pulverization, melting, incineration or shredding.
Proper disposal of paper records containing protected health information can be accomplished by shredding, burning, pulping, or pulverizing the records so the protected health information is rendered unreadable, indecipherable and cannot be reconstructed. Be sure to remove the label from a patient medication bottle and render it unreadable before discarding. If the label cannot be removed or destroyed, discard the label and bottle or IV bag in a secure area and use a disposal vendor to pick up and shred the items, destroying the PHI. A patient's ID bracelet, once removed, should be disposed of in a locked confidential shred bin, as should any paper documents containing PHI. Many hospitals and private physicians' offices place a patient's chart at the patient's bedside or outside patient exam rooms. Although the chart may display protected health information such as the patient's name, this is permitted; a simple safeguard is to place the chart in its holder with the patient's name facing the wall or otherwise covered. Signs placed at the patient's bedside or at the door of the patient's hospital room indicating information such as high risk for falls or a diabetic diet are permitted. Never leave documents containing protected health information where they can be viewed by patient visitors or other unauthorized staff. Documents containing protected health information that are not filed in the patient's medical record should be placed face down or covered. Make certain all patient records and charts are stored in a manner that prevents them being observed by patients, visitors or other unauthorized staff. Nurses usually have more than one patient to care for in the hospital. If you are reviewing an open medical record and are called away unexpectedly, close the record before walking away and store it in a secure area.
When faxing a document, the fax machine should be located in an area that is not accessible to unauthorized personnel. Emailing patient information to the wrong address or faxing it to the wrong number is non-compliant with HIPAA. Always use a cover sheet that carries a confidentiality disclaimer. Indicate the person the document is being faxed to along with the telephone numbers. Call the intended recipient to let them know the report is being faxed. Promptly remove documents from printers, copiers and fax machines and file them immediately in the patient's medical chart. Do not leave the information lying around for unauthorized eyes to see. Most nursing workstations have communication and assignment boards that show patient names and the nurses assigned to them. Ensure communication boards and assignment sheets containing protected health information are not accessible to visitors or unauthorized staff. Health care providers are permitted to communicate with patients by mail or by phone so long as the information disclosed is limited to the minimum necessary. Physicians' offices are allowed to use sign-in sheets or call a patient's name in the waiting room so long as the information disclosed is limited. If your facility uses an overhead intercom system and an announcement is needed, do not include confidential information in the announcement. Nurses should never discuss specific patient information in hallways, elevators, break rooms, the cafeteria or other public areas, and this applies outside the employment facility as well. When a verbal discussion of a patient's health information is required, conduct it as discreetly as possible where it cannot be overheard. The following are permissible under the Privacy Rule if reasonable precautions have been taken to minimize incidental disclosure to others who may be nearby.
Reasonable precautions include lowering your voice and talking apart from others. Nurses and healthcare workers are allowed to communicate at the nurses' station to coordinate services. Nurses and healthcare workers are allowed to discuss a patient's condition discreetly in the patient's semi-private room or in a waiting room. Nurses and other medical staff are allowed to discuss a patient's condition during rounds for academic or training purposes associated with an educational institution.45 It is common in the workplace to uphold the HIPAA Privacy and Security Rules, but the same rules must be applied at home. As a nurse, you may want to discuss how your day went with your spouse at home. Be careful not to violate HIPAA policy even there. For example, a nurse violated the HIPAA Privacy Rule when she discussed with her husband the surgery date of a Carolina Panthers quarterback, which is protected health information. It is not known whether the nurse was sanctioned, but a simple mistake like this one could put your career at risk.
Required Disclosures
A major purpose of the Privacy Rule is to set standards and limits on how covered entities may use or disclose an individual's protected health information. A covered entity may only use or disclose protected health information as the Privacy Rule permits or requires, or with the written authorization of the individual who is the subject of the information. Covered entities are required to disclose protected health information in only two situations: (1) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and (2) to the Department of Health and Human Services when it is undertaking a compliance investigation, review or enforcement action.33
Criminal Penalties
A person or covered entity who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one year of imprisonment. The criminal penalties increase to $100,000 and up to five years' imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years' imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule. For example, two covered entities inadvertently posted ePHI for 6,800 individuals to the Internet, including patient status, vital signs, medications, and laboratory results. The investigation found that neither entity made efforts to assure the security of the server hosting the ePHI or confirmed that it had adequate software protections. Neither entity developed an adequate risk management plan addressing potential threats and hazards to ePHI. The entities agreed to pay a combined settlement of $4.8 million and to enter into corrective action plans. A second example, involving criminal prosecution, concerned a former hospital employee who pleaded guilty to criminal HIPAA charges after obtaining PHI with the intent to use it for personal gain. He faces up to 10 years in prison.
Other Uses and Disclosures
A use or disclosure of protected health information that occurs as a result of, or as "incident to," an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards and the information shared was limited to the "minimum necessary," as required by the Privacy Rule.52 In the course of providing healthcare to patients, healthcare providers may need to share protected health information with other healthcare providers for continuity of care and with insurance companies for payment. HIPAA allows covered entities to disclose identifiable health information for activities that fall within the definition of health care operations.53 Most uses and disclosures of psychotherapy notes, even for treatment, payment, and health care operations purposes, require an authorization. Psychotherapy notes are notes recorded (in any medium) by a health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint or family counseling session, and they must be kept separate from the individual's medical record. Psychotherapy notes do not include medication prescriptions, medication monitoring, start and stop times for counseling sessions, the modalities and frequency of treatment furnished, results of clinical tests, or any summary of diagnosis, functional status, treatment plan, symptoms, prognosis and progress to date.54 The content of a consent form, and the process for obtaining consent, are at the discretion of the covered entity electing to seek consent. A covered health care provider, such as a hospital or long-term care facility, may rely on the individual's informal permission to list in its directory the individual's name, general condition, religious affiliation, and location.55 The provider may disclose the individual's condition and location in the facility to anyone asking for the individual by name, and may disclose religious affiliation to clergy.
Limited Use
All covered entities must make reasonable efforts to limit their uses, disclosures, and requests of protected health information to the minimum necessary to accomplish the intended purpose. Covered entities must develop and implement policies and procedures that reasonably limit uses and disclosures. The minimum necessary requirement does not apply to the following:
disclosure to, or a request by, a health care provider for treatment
disclosure to an individual who is the subject of the information, or to the individual's personal representative
use or disclosure made pursuant to an authorization
disclosure to HHS for complaint investigation, compliance review or enforcement
use or disclosure that is required by law
use or disclosure required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules
Notice of Privacy Practices
All covered entities must provide and distribute a notice of privacy practices57 that gives a clear, user-friendly explanation of individuals' rights with respect to their protected health information and of the privacy practices of the health plan or health care provider. The notice must describe the ways in which the covered entity may use and disclose protected health information. It must state the covered entity's duties to protect privacy, to provide a notice of privacy practices and to abide by the terms of that notice. The notice must list the individual's rights, including the right to complain to HHS and to the covered entity if the individual believes those rights have been violated, and must give a point of contact for further information and for making a complaint to the covered entity. The covered entity must follow its own procedures as stated in its notice. Review your facility's Notice of Privacy Practices and follow it.
Authorized Uses and Disclosures
An individual must submit written authorization to the covered entity for any use or disclosure of their protected health information that is not for treatment, payment or health care operations, or otherwise permitted or required by the Privacy Rule. Never release protected health information unless you are authorized to do so, and know your facility's procedures. All authorization forms must be written in specific terms that allow the use and disclosure of protected health information by the covered entity seeking authorization. The language must be plain and contain specific information regarding the disclosure and use. The authorization form must identify the person disclosing and the person receiving the information, the expiration, and the right to revoke in writing. An authorization form is required for any use or disclosure of protected health information that is not required or otherwise permitted without authorization by the Privacy Rule. The authorization form must contain the following:
a description of the protected health information being used or disclosed;
the names of the persons or organizations who will receive or disclose the PHI;
notice to the individual of their right to refuse to sign the authorization without retaliation affecting treatment, payment or health enrollment/benefits, except under specific circumstances;
the signature of the individual or the individual's personal representative, and the date;
plain language that the individual signing can understand;
an expiration date or event;
a statement that the individual has the right to revoke the authorization at any time in writing, how to exercise that right, and any applicable exception to that right under the Privacy Rule; and
a statement that the information may be re-disclosed by the recipient and no longer protected by the Privacy Rule.
The Privacy Rule does not require that an authorization be notarized or witnessed.
Safeguarding Protected Health Information
As a nurse employed within a hospital, private physician's office, outpatient clinic, outpatient surgery center or long-term care facility, it is your responsibility to protect the patient's health information. With the adoption of technology across the healthcare community, many facilities are moving toward paperless records, but some covered entities still use paper records. Under the Security Rule, all covered entities must maintain reasonable and appropriate technical, physical and administrative safeguards to prevent intentional or unintentional use or disclosure of protected health information. A patient's protected health information is present on patient documents and records, whether in paper or electronic format. As a nurse, you are responsible for ensuring a patient's health information is protected during your day-to-day activities.
Who is Covered by the Privacy Rule?
Businesses that transmit individuals' health care information in written, verbal or electronic form are considered "covered entities" and must abide by the Privacy and Security Rules implemented under the HIPAA national standards. Health plans, health care clearinghouses and health care providers are covered entities. The Department of Health and Human Services Office for Civil Rights (OCR) is responsible for implementing and enforcing the Privacy Rule, including voluntary compliance activities and civil money penalties for non-compliance.
Law Enforcement Purposes. Covered entities, under specific circumstances, may disclose PHI to law enforcement officials pursuant to a court order, subpoena, or other legal order to help identify and locate a suspect, fugitive, or missing person; to provide information related to a victim of crime or a death that may have resulted from crime; or to report a crime.23
Decedents. Covered entities are allowed to disclose PHI to medical examiners and coroners for the purpose of identifying a deceased person, as well as to determine the cause of death or other duties as required by law. Covered entities may provide PHI to funeral directors to carry out their duties with respect to the decedent.24
Payment includes activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual.13 Payment also consists of activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual. Examples include:
determining eligibility or coverage under a health plan;
billing and collection agency activities;
pre-authorization, which many health plans now require for certain procedures and surgeries, and justification of charges or medical necessity.
Serious Threat to Health or Safety. Covered entities or a public health authority are permitted to disclose information regarding individuals who may have been exposed to a communicable disease or may otherwise have contracted or can spread a disease as authorized by law.27
Essential Government Functions. Covered entities may use or disclose PHI as it relates to military and veterans' activities under laws administered by the Secretary of Veterans Affairs.28
Breach Notification Rule
If there is a breach of unsecured protected health information, the HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification to affected individuals, the Secretary of HHS, and, in certain circumstances, the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate. If a breach affects fewer than 500 individuals, each individual must be notified within 60 days of discovery, and a log of such breaches must be submitted to HHS within 60 days after the end of the calendar year. If a breach affects more than 500 individuals, the individuals, HHS and the media must be notified within 60 days of discovery.
Access and Amendment
In most circumstances, individuals have a right to review and obtain a copy of their protected health information held by a covered entity.58 The Privacy Rule excepts from this right of access psychotherapy notes, information compiled for legal proceedings, and laboratory results to which the Clinical Laboratory Improvement Act (CLIA) prohibits access. Covered entities may also deny access if a licensed health care professional determines that providing access could cause harm to the individual or others. In such circumstances, the individual has the right to have the denial reviewed by another licensed health professional for a second opinion. Covered entities are permitted to impose reasonable, cost-based fees for copying and postage. Individuals have the right to have their protected health information amended if it is inaccurate or incomplete.59 The covered entity can accept or deny the request. If the covered entity accepts the request, it must make reasonable efforts to provide the amendment to other covered entities the individual has identified as needing it, and to persons the covered entity knows have the information and may rely on it to the detriment of the individual. If the covered entity denies the request, it must provide the individual a written denial, and the individual may submit a statement of disagreement to be placed in their record.60 If a covered entity receives notice that an individual's record has been amended, it must make the amendment upon receipt of the notice.
(5) Public Interest and Benefit Activities.17
Required by Law. Disclosures of PHI are permitted when required by other laws, whether federal, tribal, state, or local.18
Cadaveric Organ, Eye, or Tissue Donation. Organ-procurement organizations and other entities that engage in organ donation may disclose PHI for the purposes of facilitating transplant.25
Research. A covered entity can use PHI for health research without authorization under certain conditions, including (1) if it obtains documentation of a waiver from an institutional review board (IRB) or a privacy board, according to a series of considerations, (2) for activities preparatory to research; and (3) for research on a decedent's information.26
Treatment is the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including business consultation between providers regarding a patient and referral of a patient by one provider to another.12 Examples include:
sending protected health information from one department to another within the same facility so that a procedure or examination can be performed, such as from a nursing station to the surgery department;
healthcare providers and physicians who both treat a patient sharing information about that patient between themselves;
referring a patient to a specialist, for example, a general surgeon sending a patient to an oncologist for treatment.
Technical Safeguards
The HIPAA Security Rule describes technical safeguards as "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it."35 Healthcare organizations may determine what security measures are appropriate based on their own size, needs and characteristics; the Security Rule does not require specific technology solutions. All covered entities and business associates must have technical safeguards that include policies and procedures used to protect the technology, the protected health information, and the control of access to it. Technology has now become completely integrated into the health care system. Computers can easily become infected with malicious software through CD-ROMs, email, flash drives and web downloads, so installing anti-virus software is a necessary defense. The Security Rule requires that each employee or workforce member with access to electronic protected health information be assigned a unique name and/or number by their employer for identifying and tracking user identity. Limiting log-in attempts, voice control features and disabling speech recognition can also help with authentication. A nurse's individual password, PIN or passcode should not be shared, printed, stored online or on any electronic device, or given to others. Nursing staff and all health care workers should always log out of the computer system when they have completed their task. If you use a laptop, computer, or PDA containing patient information off site, make sure the patient information is encrypted. Encryption converts the electronic protected health information into encoded data that is unreadable without the key or code needed to decrypt it. In 2014, an unencrypted laptop was stolen from Concentra Health Services' Springfield, Missouri Physical Therapy Center.
The company reported the laptop stolen to the U.S. Department of Health and Human Services Office for Civil Rights, and after an audit was completed Concentra was fined $1.7 million. If you are using a PDA, most clinical uses comply with HIPAA. Applications such as drug reference programs, guides for diagnostic tests, clinical calculators, body mass index calculators and decision support programs are safe to use because they do not contain any patient identifiers. Beaming data from one PDA to another over an infrared link, with the two PDAs within a foot of each other, usually does not require encryption. Use precautions when carrying your PDA or transmitting data, and remove all stored patient data if your PDA is sent for repair. If your employer's policy allows emailing of protected health information, the employer must have policies and procedures in place to restrict access to an individual's health information, to protect the integrity of the patient's information and to guard against unauthorized access to ePHI. The transmission security standard includes addressable specifications for integrity controls and encryption. In this age of social media, it is important to remember that the internet is a public domain. You have an obligation to safeguard PHI regardless of the setting. Do not post identifying information about patients or their images. Any photograph taken in the hospital or office environment may inadvertently have a patient in the background.
Introduction to HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on August 21, 1996. The purpose of HIPAA was to establish national standards for the privacy and security of health information, identified in Sections 261 through 264. These standards are collectively known as the Administrative Simplification provisions. HIPAA is a civil rights law that gives patients important rights regarding their protected health information. Within the Administrative Simplification provisions there are two rules: the Privacy Rule and the Security Rule. The Standards for Privacy of Individually Identifiable Health Information, known as the "Privacy Rule", implement the national standards set by HIPAA that address the use and disclosure of protected health information.1 Health plans, health care clearinghouses and health care providers are "covered entities". The Privacy Rule addresses how covered entities may use an individual's protected health information and gives individuals privacy rights and control over the use of their health information. The Privacy Rule's main goal is to ensure that an individual's health information is protected while the individual seeks quality patient care and healing. When an individual seeks health care, the individual's information can move among different medical providers and payers, such as hospitals, doctors' offices, physical therapy centers, insurance companies and third party payers, for continuity of care and medical payments. Prior to the Privacy Rule, there were no rules addressing with whom an individual's health information could be shared. Information collected by the individual's health plan could have been shared in ways that left the individual unable to obtain a home mortgage or credit card, or passed to an employer to use in personnel decisions, unless otherwise forbidden by State or local law.
The Privacy Rule strikes a balance between protecting an individual's health information and allowing covered entities access to certain protected health information to conduct their business. The Security Standards for the Protection of Electronic Protected Health Information, known as the "Security Rule", were adopted to implement the provisions of HIPAA. With the implementation of technology within health care facilities, the Security Rule enforces the protection of the health information identified within the Privacy Rule when that information is held in electronic form. The Security Rule addresses the physical, technical and administrative safeguards that covered entities must have in place to ensure the confidentiality, integrity and availability of an individual's electronic protected health information (e-PHI).
Civil Money Penalties
The Office for Civil Rights (OCR) may impose penalties on covered entities for failure to comply with a requirement of the Privacy Rule. The penalty for a violation varies depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, and whether the failure to comply was due to willful neglect. A penalty will not be imposed in certain circumstances, such as if the failure to comply was not due to willful neglect and was corrected within 30 days after the entity knew or should have known that it had occurred (unless the period is extended at the discretion of OCR), or if the Department of Justice has imposed a criminal penalty for the failure to comply. Penalty amounts can range from $100 to $50,000 or more per violation, and for identical violations can exceed $1,500,000.62 Penalties may be reduced by OCR if the failure to comply was due to reasonable cause and the penalty would be excessive given the nature and extent of the noncompliance.63 Before OCR imposes a penalty, it will notify the covered entity and give it an opportunity to submit written evidence of circumstances that would reduce or bar a penalty. This evidence must be submitted to OCR within 30 days of receipt of the notice.64 If OCR determines that a penalty should be imposed, the covered entity has the right to request an administrative hearing to appeal the proposed penalty.
Permitted Uses and Disclosures
The Privacy Rule defines and limits the circumstances in which an individual's protected health information may be used or disclosed by covered entities. Covered entities may only use or disclose protected health information according to the Privacy Rule or as the individual who is the subject of the information (or the individual's personal representative) authorizes in writing.10
What is Protected Health Information?
The Privacy Rule protects all "individually identifiable health information" that is held or transmitted by a covered entity or its business associate. This information can be in any form or media such as electronic, paper, or oral. This information is called "protected health information (PHI)".
Administrative Requirements
The Security Rule defines administrative safeguards as "administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information."47 All covered entities must have policies and procedures in place to guide their employees on HIPAA safeguard compliance.48 The policies must include risk analysis and risk management procedures so that the entity has a strategy to protect the confidentiality, integrity and availability of ePHI. Covered entities must be able to identify and protect against reasonably anticipated threats to the security and integrity of the information.49 Covered entities must have a designated individual responsible for developing and implementing their privacy policies and procedures. Some entities, depending on their size, complexity and technical abilities, designate a Privacy and Security Officer to ensure the protection of ePHI.50 A designated contact person or contact office should be responsible for receiving complaints and providing information on the covered entity's privacy practices. Covered entities must have workforce security policies and procedures in place that ensure employees have access to ePHI only if it is needed to perform their employment duties. Employees may be given access to ePHI based on their job using a uniquely assigned password or access code. Upon termination of the employee, this access code must be deactivated. The Security Rule requires all employees of covered entities to participate in security training to ensure the covered entity's security policies and procedures are being followed. Policies must ensure that employees are not sharing passwords or access codes, and must limit the number of log-in attempts so that attempts to access ePHI inappropriately can be detected.
In security awareness and training, employees should be reminded to protect against malicious software. If an employee does not comply, whether by not participating in training or by violating policy, the covered entity must apply appropriate sanctions against the employee and follow through with the sanction(s) as stated in its policies and procedures.51 In the event of an incident that violates the privacy or security of ePHI, the covered entity must follow its security incident procedures. The covered entity must have procedures in place to protect against any reasonably anticipated threats or hazards to the security or integrity of such information. The security incident policy and procedures should describe the types of risk the covered entity may encounter and whom to notify in the event of an incident. Employees must be aware of the various situations they may encounter and how to react to ensure the security of ePHI. A contingency plan must be included as an administrative safeguard: for example, in the event of a natural disaster or a loss of power, what policies and procedures does the covered entity have in place to recover access to ePHI? Covered entities must have policies and procedures to continuously monitor and evaluate their plans. These plans should be evaluated periodically so that covered entities can adjust to environmental or operational changes that affect the security of ePHI. Remember that protected health information is viewed on a need-to-know basis only. If you do not need a patient's health information to do your job or perform a task for that patient, you should not be reviewing the patient's records.
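The technical and administrative safeguards above (unique user identification, limited log-in attempts, deactivating access on termination, and need-to-know access to records) can be seen together in one small access-control model. The code below is an added illustration written for this page, not code from the course or from any HIPAA-regulated system; the user IDs, roles, passwords, record number, the three-attempt lockout limit and the role map are all constructed sample values and hypothetical policy choices.

```python
"""Added illustration: a minimal ePHI access-control model with unique user IDs,
salted PBKDF2 password hashing, lockout after a fixed number of failed log-ins,
deactivation on workforce termination, role- and need-to-know-based record access,
and an audit trail in which every event is attributable to one user ID.
All users, roles, passwords and records here are constructed sample data."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_FAILED_ATTEMPTS = 3            # hypothetical policy value, not from the page
PBKDF2_ITERATIONS = 100_000
ROLES_WITH_CLINICAL_READ = {"nurse", "physician"}   # hypothetical role map


@dataclass
class Account:
    user_id: str            # unique identifier assigned by the employer
    role: str
    salt: bytes
    pw_hash: bytes
    active: bool = True
    failed_attempts: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the hash and salt are ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class EphiAccessControl:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit_log: list[tuple[str, str, str, str]] = []

    def _log(self, user_id: str, event: str, detail: str = "") -> None:
        # Every entry names the unique user ID so activity can be traced to a person.
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit_log.append((stamp, user_id, event, detail))

    def create_account(self, user_id: str, role: str, password: str) -> None:
        if user_id in self.accounts:
            raise ValueError(f"user id {user_id!r} is already assigned")
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(user_id, role, salt, hash_password(password, salt))
        self._log(user_id, "account_created", role)

    def authenticate(self, user_id: str, password: str) -> bool:
        acct = self.accounts.get(user_id)
        if acct is None:
            self._log(user_id, "login_failed", "unknown user id")
            return False
        if not acct.active or acct.locked:
            self._log(user_id, "login_rejected", "inactive" if not acct.active else "locked")
            return False
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            self._log(user_id, "login_ok")
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True      # further attempts are rejected until an administrator unlocks
            self._log(user_id, "account_locked", f"{acct.failed_attempts} failed attempts")
        else:
            self._log(user_id, "login_failed", f"attempt {acct.failed_attempts}")
        return False

    def deactivate(self, user_id: str) -> None:
        """Called on workforce termination: the credential stops working immediately."""
        self.accounts[user_id].active = False
        self._log(user_id, "account_deactivated", "workforce termination")

    def can_view_record(self, user_id: str, record: dict) -> bool:
        """Need-to-know check: active, unlocked account with a clinical role that is
        on this record's care team. Every allow/deny decision is logged."""
        acct = self.accounts.get(user_id)
        allowed = (
            acct is not None
            and acct.active
            and not acct.locked
            and acct.role in ROLES_WITH_CLINICAL_READ
            and user_id in record["care_team"]
        )
        self._log(user_id, "record_access_allowed" if allowed else "record_access_denied",
                  record["record_id"])
        return allowed


def demo() -> dict:
    """Runs the scenario on constructed sample data and returns the outcomes."""
    ac = EphiAccessControl()
    ac.create_account("nurse-1042", "nurse", "correct-horse-battery")   # constructed
    ac.create_account("nurse-1077", "nurse", "lamp-shade-river")         # constructed
    ac.create_account("billing-207", "billing", "staple-paper-clip")     # constructed
    record = {"record_id": "MRN-000123", "care_team": {"nurse-1042"}}    # constructed

    results = {
        "care_team_nurse_can_view": ac.can_view_record("nurse-1042", record),
        "other_nurse_denied": ac.can_view_record("nurse-1077", record),
        "billing_role_denied": ac.can_view_record("billing-207", record),
    }
    ac.deactivate("billing-207")
    results["terminated_user_login"] = ac.authenticate("billing-207", "staple-paper-clip")
    bad = [ac.authenticate("nurse-1042", "guess") for _ in range(MAX_FAILED_ATTEMPTS)]
    results["wrong_password_rejected"] = not any(bad)
    results["locked_after_limit"] = ac.accounts["nurse-1042"].locked
    results["correct_password_rejected_when_locked"] = (
        ac.authenticate("nurse-1042", "correct-horse-battery") is False)
    results["audit_events"] = len(ac.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The lockout and the deactivation are enforced in the same place as the password check, so a terminated or locked account is refused before any password comparison happens, and the audit log records the reason. The need-to-know check is deliberately stricter than a role check alone: a nurse who is not on the patient's care team is denied even though the role is clinical, which is the "need to know basis only" rule stated above expressed as code.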
This information is created or received by a health care provider, health plan, public health authority, life insurer, or health care clearinghouse.
The Security Rule protects information used in an electronic format such as when a covered entity creates, receives, maintains or transmits protected health information. The Security Rule only applies to electronic protected health information.
Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.
The use and disclosure of psychotherapy notes requires an authorization from the patient or their representative. Authorization is not required for treatment, payment and health care operations.31 When covered entities obtain "consent" from individuals to use and disclose their protected health information for treatment, payment, and health care operations, the core information must be included on the consent form. This information includes a description of the protected health information requested, the name of the person or individual authorized to make the use or disclosure, the name of the person requesting the use and the purpose of the request, an expiration date or event, and the signature of the patient or the patient's representative. A copy of the authorization must be provided to the patient.32
Public Health Activities. PHI can be disclosed to public health authorities and their authorized agents for public health purposes including, but not limited to, public health surveillance, investigations, and interventions regarding food, drugs and medical devices.19
Victims of Abuse, Neglect or Domestic Violence. PHI may be disclosed to report abuse, neglect, or domestic violence under specified circumstances.20
Health Care Providers
are those who provide medical services, bill for services or are paid for health care services in the normal course of their business, regardless of size. Health care providers include hospitals, outpatient clinics, nurse practitioners, physicians, laboratories, physical therapy centers, dentists, chiropractors, nursing homes, pharmacies and other providers who transmit transactions electronically, directly or through a third party. Such transactions include insurance claims, eligibility-of-benefits inquiries, requests for authorization to refer a patient to another health care provider, and other transactions for which the Department of Health and Human Services has established standards under the HIPAA Transactions Rule;3 providers who transmit them electronically must comply with the Privacy Rule. The same applies if the health care provider uses a third party billing service to bill on its behalf. Using electronic technology such as email does not by itself qualify a health care provider as a covered entity.
Health Plans
are plans that pay for or partially cover the cost of an individual's medical care.2 Health plans include health, dental, vision and prescription drug plans; health maintenance organizations; Medicare; Medicaid; Medicare+Choice and Medicare supplement insurers, such as AARP.