HIPAA
Who is covered by HIPAA
1. Health plans 2. Health care providers that transmit health information electronically in connection with a HIPAA standard transaction (e.g., claims, eligibility, referrals) 3. Health care clearinghouses. Business associates that handle PHI on a covered entity's behalf are bound by contract and, since the 2013 Omnibus Rule, are directly liable under the Privacy and Security Rules.
De-Identified Information
De-identified data (e.g., aggregate statistical data or data stripped of individual identifiers) require no individual privacy protections and are not covered by the Privacy Rule. De-identification can be achieved in one of two ways. Statistical (expert) determination: a person with appropriate knowledge of and experience with generally accepted statistical and scientific methods determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify the subject of the information, and documents the methods and results of that analysis [45 CFR § 164.514(b)(1)]. Safe-harbor method: the covered entity or its business associate removes 18 specified identifiers of the individual and of the individual's relatives, employers, and household members (Box 2), and the covered entity has no actual knowledge that the remaining information could be used alone or in combination with other data to identify the subject [45 CFR § 164.514(b)(2)]. Note that safe harbor is a checklist, not a guarantee: stripping the listed fields does not by itself prevent re-identification through linkage with outside datasets, which is why the "no actual knowledge" condition exists. In certain instances, working with de-identified data may have limited value to clinical research and other activities. When that is the case, a limited data set (which retains some dates and geographic data and is released under a data use agreement) may be useful.
HIPAA
Health Insurance Portability and Accountability Act of 1996
HIPAA's purpose
HIPAA was adopted to ensure continuity of health insurance coverage after leaving an employer (portability) and to set standards for health-care-related electronic transactions (administrative simplification); the Privacy and Security Rules were issued under that second mandate.
What is protected
"Individually identifiable health information": health information, including demographic information, created or received by a covered entity that relates to 1. the individual's past, present, or future physical or mental health or condition, 2. the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and 3. that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
The HIPAA Privacy Rule
(Standards for Privacy of Individually Identifiable Health Information) Provides the first national standards for protecting the privacy of health information. The Privacy Rule regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called protected health information (PHI). PHI is individually identifiable health information that is transmitted or maintained in any form or medium (e.g., electronic, paper, or oral), but excludes certain educational records and employment records held by a covered entity in its role as employer.
Provides patients with
1. gives patients more control over their health information; 2. sets boundaries on the use and release of health records; 3. establishes appropriate safeguards that the majority of health-care providers and others must achieve to protect the privacy of health information; 4. holds violators accountable with civil and criminal penalties that can be imposed if they violate patients' privacy rights; 5. strikes a balance when public health responsibilities support disclosure of certain forms of data; 6. enables patients to make informed choices based on how individual health information may be used; 7. enables patients to find out how their information may be used and what disclosures of their information have been made; 8. generally limits release of information to the minimum reasonably needed for the purpose of the disclosure; 9. generally gives patients the right to obtain a copy of their own health records and request corrections; 10. empowers individuals to control certain uses and disclosures of their health information.
Covered entity obligations under the Privacy Rule
Covered entities must 1. notify individuals regarding their privacy rights and how their PHI is used or disclosed (the notice of privacy practices); 2. adopt and implement internal privacy policies and procedures; 3. train employees to understand these privacy policies and procedures as appropriate for their functions within the covered entity; 4. designate a privacy official who is responsible for implementing privacy policies and procedures, and a contact who will receive privacy-related complaints; 5. establish privacy requirements in contracts (business associate agreements) with business associates that perform covered functions; 6. have in place appropriate administrative, technical, and physical safeguards to protect the privacy of health information; 7. meet obligations with respect to individuals exercising their rights under the Privacy Rule.
Omnibus Rule
Published Jan 25, 2013, effective Mar 26, 2013 (compliance date Sept 23, 2013). 1. implements the HITECH Act changes, extending the Security Rule and direct liability to business associates and their subcontractors 2. increases penalties for violators with a tiered civil penalty structure 3. finalizes the breach notification rule 4. allows simplified access for patients, including the right to an electronic copy of their records and the right to restrict disclosures to a health plan for services paid out of pocket in full.
PHI - Protected Health Information
The Privacy Rule protects certain information that covered entities use and disclose. PHI is, in general, individually identifiable health information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to 1) the past, present, or future physical or mental health, or condition of an individual; 2) the provision of health care to an individual; or 3) payment for the provision of health care to an individual. If the information identifies an individual or provides a reasonable basis to believe it can be used to identify an individual, it is considered individually identifiable health information.