HIPPA
The secretary's public health emergency announcement will provide specific details on the duration and scope of the waiver. The waiver will only apply:
-in the specified emergency area for the specified emergency period -to hospitals that have instituted a disaster protocol -to all patients at such hospitals for up to 72 hours from the time the hospital implemented its disaster protocol
HITECH (2009) extended authority to
State Attorney Generals (AGs) to bring civil actions for HIPAA violations and obtain damages. The State Attorneys General can enforce HIPAA (or a state-mandated equivalent) and impose penalties for noncompliance.
Responsibilities of the Privacy Officer
The privacy officer is responsible for overseeing activities related to the development, implementation, and maintenance of an organization's policies and procedures covering the privacy of PHI. The privacy officer also serves as the key compliance officer for federal and state laws that apply to the privacy of patient information, including HIPAA, and ensures that the organization's policies and procedures related to the privacy of, and access to, PHI are followed.
Individually Identifiable Health Information (IIHI)
any HI specific to an individual
Disclosures After Patient is Deceased
you may share information with family members and others involved in their health care or payment if the patient did not express a preference that this should be prevented. For example, you can describe the circumstances that led to an individual's passing with the decedent's sister who is asking about her sibling's death.
In the case of Hurricane Katrina, the HHS stated
that they would consider the emergency circumstances arising from the disaster, along with good faith efforts by covered entities to comply with the Privacy Rule as soon as practicable.
The HIPAA Security Rule states that safeguards are to be implemented at
various levels throughout the EMS agency
Privacy officer
-HIPAA requires the appointment of a "privacy officer." This person is appointed to receive complaints and answers questions about privacy policy. They are also responsible for providing and documenting privacy training for the entire workforce.
ARRA
American Recovery and Reinvestment Act (2009)
Breach
Any unauthorized use or disclosure of PHI, whether intentional, unintentional, or perpetrated by a third party (e.g., theft).
Patients' Right to File Complaints
Anyone (even a non-patient) has the right to file complaints about your agency's policies and procedures. Complaints can be filed regarding the use/disclosure of PHI (e.g., they are inadequate and fail to comply with HIPAA or state regulations), or your compliance with your agency's policies and procedures (e.g., they are adequate, but EMS personnel failed to follow them). Complaints involving your organization should be directed to your EMS agency's designated privacy officer. Individuals may also file complaints with the HHS.
Verbal security in public areas
Be sensitive to the fact that other people may be present nearby. Conversations about patients and their health care should not take place in areas where those without a need to know are present.
Authorization [HIPPA consent vs. authorization]
Description: A detailed document that includes specific elements giving covered entities permission to use PHI for specified purposes (beyond TPO) and/or disclose PHI to a specified third party as needed.
Fax practices [practical safeguards of the HIPPA Security Rule]
Fax machines that receive PHI should be located in a secure area, and the fax cover sheet should include a confidentiality statement. Use NPIs whenever possible in written and electronic communication.
Fees that are reasonable/permitted
Fees for copying and mailing patients' requested health records.
Fees that are not reasonable and are not permitted
Fees for searching for or retrieving a patient's records.
GINA
Genetic Information Nondiscrimination Act (2008)
Reasonable Fees
HIPAA aims to protect patients from exorbitant or unnecessary charges associated with securing a copy of their health records. Any fees passed on to patients must be considered "reasonable."
End-of-life issues [Patient Authorization]
HIPAA permits disclosure of Medical Orders for Scope of Treatment/Physician Orders for Life-Sustaining Treatment (MOST/POST) to other health care providers as necessary for treatment.
Communicating with Patients
Health care providers and plans must tell patients to whom they are disclosing their information and how it is being used. They must also comply with patients' requests for additional confidentiality, if reasonably possible.
When are limited data sets used?
Limited data sets are only to be used for research, public health, and health care operations.
MOST/POST
Medical Orders for Scope of Treatment/Physician Orders for Life-Sustaining Treatment
NPI
National Provider Identifier -should be used whenever possible in written and electronic communication.
Hardcopy (paper) practices [practical safeguards of the HIPPA Security Rule]
Patient care reports should be stored in safe and secure areas. When any paper records concerning a patient are completed, they should not be left in open bins, on desktops, or other surfaces. Only those who need the information to complete their job duties should have access to any paper records.
PHI
Protected health information
Health care providers may use and disclose patients' PHI for these 3 purposes without any written consent, authorization, or other approvals from the patient
TPO
TPO
Treatment, Payment & Operations
The minimum necessary standard does NOT apply to:
disclosures to or requests by a health care provider for treatment purposes.
The HIPAA Security Rule deals specifically with
ePHI. ePHI is information that is maintained or transmitted electronically.
You may share information to assist with identifying or locating a suspect, fugitive, material witness, or missing person. However, only certain information can be disclosed without a court order, warrant, or written request:
name address social security number date and place of birth type of injury date and time of treatment date and time of death, if applicable ABO blood type and Rh factor a description of distinguishing physical characteristics such as race, height, gender, scars and tattoos, hair and eye color, and facial hair (e.g., beard or moustache)
Provisions of HIPPA that may be waived during a state of emergency
the patient's right to request privacy restrictions the requirement to distribute a notice of privacy practices the patient's right to request confidential communications the requirement to honor a request to opt out of the facility directory the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care However, the HIPAA Privacy Rule will remain in effect.
The Omnibus Rule
-designed to incorporate the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act*, and the Genetic Information Nondiscrimination Act of 2008 (GINA).
Anyone can file a complaint with the HHS Office for Civil Rights. Complaints filed with the Office for Civil Rights must adhere to the following requirements:
-filed in writing -name the entity -filed within 180 days
PHI can only be used or disclosed without obtaining prior consent or authorization in specific situations
-for organ procurement -to report neglect or abuse -for workers' compensation -for death due to -criminal conduct -to prevent serious injury, illness, or death -to report the victim of a crime (obtain permission first, as possible) -in response to a lawsuit, court order, subpoena, warrant, summons, etc. -to locate or identify a missing person, suspect, fugitive, or material witness -to report a crime or details about a crime (e.g., location, victims, perpetrator)
Who must comply with HIPPA?
-health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically (e.g., electronic billing and fund transfers).
PHI transmission via e-mail should be
-imited whenever possible. A confidentiality statement should be used on all e-mail messages containing PHI. E-mail encryption should be used for transmission.
Under what circumstances can physician-patient privacy privileges not apply?
-in many states, this does not apply to criminal matters. Some states extend these laws to cover EMS providers while others do not. Since laws vary, it is important to be familiar with the specific laws applicable to you in your state. As an EMS provider, you can be called to testify in court, especially in criminal cases, and the laws in your jurisdiction will determine what level of patient information disclosure is considered lawful
HIPAA Enforcement Rule covers
-issues related to compliance, investigation, penalties for violations, and procedures for hearings. HIPAA's Privacy and Security Rules are enforced by the HHS Office for Civil Rights.
Health information is not PHI if
-it is held by entities not covered by HIPAA and is not handled in a manner covered by HIPAA. Examples of such information include education records maintained at a school, and employment records maintained by a human resources department.
Types of safeguards under HIPPA Security Rule
-physical -technical -administrative
HIPAA covers activities that health care providers perform including the transmission, storage, or use of patient information, such as:
-requesting payment -inquiring about the status of a claim -inquiring about patients' benefits or eligibility -requesting authorization for providing health care or referral
How many identifiers need to be removed in order for HI to be considered de-identified?
18
When did enforcement of the HIPPA's privacy standards begin?
2003
Number of titles contained within HIPPA
5
Timeline for Responding to Records Requests
-you should act within 30 days if the information is maintained or accessible on-site, and within 60 days if the information is not maintained or accessible on-site.
Complaint Investigation
Complaints filed with the HHS/Office for Civil Rights may be investigated. The investigation may consist of a review of the pertinent policies, procedures, or practices of the organization, and a review of the circumstances regarding any alleged acts or omissions concerning compliance.
Not permitted when sharing PHI to identify or locate individuals
DNA dental records body fluid or tissue typing samples, analysis
Are DNRs covered by HIPPA?
Yes they are PHI
When can PHI be used or disclosed for research purposes?
if the research participant provides authorization.
For any purposes beyond TPO, HIPAA requires
-That a signed authorization form be obtained from the patient or their authorized representative.
What is HIPPA designed to do?
-give patients more control over the use of their data -set boundaries on uses and disclosures of patient health data -establish safeguards to protect data -establish accountability for privacy breaches -balance privacy with social responsibility
Is warning others permitted?
EMS providers are permitted to share health information when it is believed in good faith that it is necessary to warn others to prevent or lessen a serious and imminent threat to the health or safety of the patient or others. Such an act is done in "good faith" when the provider's belief is based on their knowledge of the patient (e.g., based on interacting with the patient), or credible information gathered from a person with apparent knowledge or authority (e.g., family member or credible witness).5 For example, sharing pertinent mental health records is permitted, as necessary.
Which of the 3 types of health information is/are covered by HIPPA?
Only PHI
TPO: operations
Operations (pertaining to health care): PHI may be disclosed to support health care operations such as verifying health care coverage and filling prescriptions for medication.
TPO: treatment
PHI may be disclosed to other health care providers in the course of providing medical treatment.
Email practices [practical safeguards of the HIPPA Security Rule]
PHI transmission via e-mail should be limited whenever possible. A confidentiality statement should be used on all e-mail messages containing PHI. E-mail encryption should be used for transmission.
Amendment of PHI
Patients also have a right to request that PHI about them be amended for as long as the entity maintains the information. You may deny the request if you did not create the PHI or record, or if the information in dispute is accurate and complete.
TPO: payment
Payment: PHI may be disclosed to support medical billing.
HIPPA Title 2
Contains regulations related to the privacy of individually identifiable health information
De-Identified Information
nformation in which all key identifiers have been removed so that individuals can no longer be identified is considered to be de-identified. Such information is not restricted from being shared if needed and is not covered by HIPAA. Information is only considered de-identified if it does NOT contain identifiers that indicate the individual, their relative(s), employer(s), or household member(s).
The HHS will also not take enforcement action or impose civil money penalties where the urgency of the circumstances prevented
the formalizing of the required Business Associate Agreements in sufficient time to meet the immediate needs of the evacuees. However, such agreement should be appropriately executed as soon as practicable.
Technical [safeguard under HIPPA Security Rule]
Application: -Audit logs, user logins, password security, access level controls Example: -Providing standardized encryption for patient data stored or transmitted electronically
Administrative [safeguard under HIPPA Security Rule]
Application: -Employee training, access management, security assessment, risk analysis and management Example: -Ensuring that agency policies and procedures comply with HIPAA standards
Business associates of covered entities
As part of the expansion of HIPAA in 2013 to comply with ARRA/HITECH, many of the HIPAA Privacy and Security Rules are now applicable to business associates of covered entities
Enforcement of HIPAA in Large-Scale Emergencies
Following Hurricane Katrina, the U.S. HHS issued a bulletin detailing how it would enforce HIPAA.11 This precedent can provide clarification for how HIPAA requirements may be handled during such large-scale emergencies. The HHS reported that it may not impose a civil money penalty where the failure to comply is based on reasonable cause, is not due to willful neglect, and is cured within a 30-day period (unless period is extended by HHS).
The Omnibus Rule extended HIPAA coverage for deceased individuals in this way
From the moment of an individual's death, that individual's PHI is protected by HIPAA for 50 years. The Omnibus Rule defines "family member" to include relatives up to the fourth-degree, and relatives by affinity (not necessarily biological).
HITECH
Health Information Technology for Economic and Clinical Health Act (part of ARRA)
Data Use Agreement
If a limited data set is shared, each person using it will need to sign a Data Use Agreement stating that they will NOT disclose the information to others or use it to contact individuals, to re-identify individuals, or for purposes other than for which it is intended.
Verbal security in facilities and waiting areas
If patients are in waiting areas to discuss the service provided to them or to have billing questions answered, make sure there are no other persons in the waiting area. Or, if needed, bring the patient into a private area before engaging in the discussion.
How is HIPPA enforced on the state level?
Some states or localities may impose stricter laws than HIPAA. At minimum, states and localities must meet HIPAA regulations on health information privacy and security; however, they are permitted to enact laws that exceed them.
Purpose of HIPPA
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996.* It aimed to improve the efficiency and effectiveness of the health care system by standardizing the electronic exchange of administrative and financial data.
Omitting a person's name does not mean
you are safe to discuss that person or their situation with others. The best protection is prevention. To be safe, avoid posting material related to patients, their medical conditions, or events that led up to the emergency response. If you are uncertain whether something is safe to disclose it is probably better not to do so. EMS personnel who regularly publish content in print or electronically (e.g., paid articles, personal blogging) are advised to obtain permission from their agency and seek professional legal advice specific to the nature of the subjects they discuss in their published content.
Obtaining patient consent for uses and disclosures of PHI for TPO purposes
-HIPAA permits, but does not require, health care providers to voluntarily obtain patient consent for uses and disclosures of PHI for TPO purposes. Consent was originally required under the Privacy Rule but, in practice, posed barriers to quality health care.
New HITECH revisions to HIPAA (2013) require that EMS agencies' NPP state that:
-additional authorization from the patient is needed for uses/disclosures beyond those described in the policy -patient authorization is also required for psychotherapy notes (as needed), marketing purposes, and any selling of PHI -PHI may be used/disclosed to contact an individual for fundraising purposes and individuals can opt out of such communications -the patient can restrict PHI disclosures to their health plan, if the patient pays out of pocket in full -in the event of a breach of PHI, affected individuals have the right to be notified
Patients' HIPAA Rights
-ask to see and get a copy of their health records -have corrections added to their health information -receive a notice that tells them how their health information may be used and shared -decide if they want to give their permission before their health information can be used or shared for certain purposes, such as for marketing -pay out of pocket and request that their provider not disclose to their health care plan any PHI related to their treatment -get a report on when and why their health information was shared for certain purposes
Consequences of HIPAA Violations
-civil fines and penalties, criminal fines, and imprisonment. It can also generate a negative impact on the reputation of your organization, and cause employee disciplinary action, possibly including termination.
Exceptions to the Minimum Necessary
-information can be shared with law enforcement if withholding certain PHI from police impedes their efforts or runs contrary to the patient's own wishes. -when the patient requests their own PHI -PHI is needed for treatment purposes -PHI use or disclosure is required by law -or when the patient authorizes disclosure of their own PHI.
An authorization form needs to include:
-who is authorized to use/disclose the PHI -a description of the PHI to be used/disclosed -the expiration of the authorization form based on designated date, lapse of certain time, or some event occurring -the party to whom the PHI may be disclosed -the purposes for which PHI may be used or disclosed -that authorization is not necessary for receiving treatment -that PHI disclosed to another party may be re-disclosed by that party and not covered by HIPAA -the patient's right to revoke the authorization (including how to do so and what exceptions to this right may apply) -a place for the patient's, or their authorized representative's, signature, and a description of that representative's authority/relation to the patient -that remuneration may be received directly or indirectly as result of use/disclosure of PHI (if PHI could be used for marketing purposes)
3 kinds of health information distinguished by HIPAA
1) Health Information (HI) 2) Individually Identifiable Health Information (IIHI) 3) Protected Health Information (PHI)
Criteria for EMS agencies obtaining information on patient health outcomes from admitting EDs to improve service delivery
1) Purpose must be for quality improvement 2) Hospitals must disclose minimum necessary info as needed 3) All individuals who are disclosed information must have had a relationship with the patient whose information is being shared.
3 practical safeguards of the HIPPA Security Rule
1) hardcopy (paper) 2) fax 3) email 4) software
Since 2003, the compliance issues investigated most often by the U.S. Department of Health & Human Services (HHS) have been (from most to least common):
1) impermissible uses and disclosures of protected health information (PHI) 2) lack of safeguards of protected health information 3) lack of patient access to their PHI 4) uses or disclosures of more than the minimum necessary PHI 5) lack of administrative safeguards of electronic PHI
18 Identifiers of HI
1) names 2) IP addresses 3) fax numbers 4) phone numbers 5) email addresses 6) account numbers 7) website addresses/URLs 8) SS numbers 9) medical records numbers 10) certificate/license numbers 11) health plan beneficiary numbers 12) device identifiers and serial numbers 13) full-face photographs and any comparable images 14) biometric identifiers (finger, voiceprints) 15) any other unique identifying number, characteristic, code 16) vehicle identifiers and serial numbers (license plate, VIN number) 17) geographic identifiers smaller than state-level (street address, city, county) 18) dates (if they are directly related to an individual (eg emergency response date, birth date, date of death)
The revisions to HIPAA issued in 2013 sought to expand regulations in these 2 directions
1) patients' rights to access their electronic health records 2) restrictions on the use and disclosure of PHI.
The covered entities that have been most often required to take corrective action to achieve voluntary compliance are (from most to least common):
1) private practices 2) general hospitals 3) outpatient facilities 4) health plans (group health plans and health insurance issuers) 5) pharmacies
Limited Data Sets
A limited data set is PHI in which most direct identifiers have been removed. A limited data set fulfills HIPAA's requirement that shared information be reduced to the minimum amount necessary. Information that may not need to be removed (as permitted by HIPAA) includes dates and geographic information.* Limited data sets may contain unique identifying numbers, characteristics, or codes so long as they are not one of the other 18 identifiers specified by HIPAA.
Elements of the Authorization Form
An authorization is a detailed document that gives covered entities permission to use PHI for specified purposes beyond TPO or to disclose PHI to a specified third party.
HIPAA & Social Media
Bad: -discussing a "hypothetical" case on a social media platform that bears too much resemblance to a real case -posting a photo of yourself at an emergency scene without realizing that the patient's car is visible in the background and its license plate is facing the camera -writing about an incident just to "get something off your chest" even though your agency's policy prohibits any disclosure whatsoever -describing some unique aspects of a patient's appearance even without mentioning the person's name -complaining about a certain "frequent flyer" in an open forum that is accessible to Internet search engines -maintaining a daily blog that details where, when, and how incidents occurred, even if the specific patients are not identified
Consent [HIPPA consent vs. authorization]
Description: A voluntary act whereby the patient provides permission for use/disclosure of PHI. Applicable Situations: TPO only (if needed) Required?: No (optional)
Retaliation Prohibited
HIPAA prohibits the alleged violating party from taking retaliatory action against anyone for filing a complaint. The Office for Civil Rights must be notified immediately if retaliatory actions occur.
Requests for PHI Restrictions
HIPAA provides patients the right to request that the use and disclosure of their information be restricted. You may deny the patient's request or agree to the request. If you agree to the request, you are bound by the restrictions, even if those restrictions are more stringent than HIPAA's.
Reporting Requirements for Large Breaches
HIPAA requires covered EMS providers to notify patients of any security breaches/unauthorized uses and disclosures of "unsecured PHI." Furthermore, if a breach affects over 500 patients, the organization must notify the HHS, and the organization's name will be posted on the HHS website. Local media may also be notified (either directly or by checking the website). Notification is required whether the breach occurred externally or internally.
Authorization in an Emergency
If the patient is incapacitated or in cases of an emergency, EMS providers may use their professional judgment to determine whether disclosure of PHI is in the patient's best interests. An example of a situation in which this applies is informing relatives that a patient has suffered a heart attack and providing updates on the patient's progress and prognosis. In these situations, disclose only the PHI that is directly relevant to the person's involvement with the patient's health care.
HIPAA Waivers
In a serious emergency, such as a terrorist attack or large-scale natural disaster, the U.S. president may declare a State of Emergency and the U.S. Secretary of Health & Human Services may declare a public health emergency. In such an event, the secretary may waive HIPAA sanctions and penalties for a specified time.
What format of PHI is protected under HIPPA?
In any format, including oral statements, written material, photographic material, or electronic information.
IIHI
Individually Identifiable Health Information; IIHI includes Protected Health Information (PHI), which is a subset of IIHI.
Covered entities
Individuals or organizations required to follow HIPAA regulations
Individual Authorization
Individuals whose information is used for research purposes can also provide a waiver to allow researchers to use PHI.
Are limited data sets de-identified information?
Limited data sets are not de-identified information. For data to be considered de-identified, all identifiers would have to be removed. Because limited data sets may still contain identifiers — such as dates and geographic information — that may be essential for the purposes for which the data sets are intended (e.g., for research), they are not considered PHI. In other words, limited data sets are still protected under HIPAA.
NPI specifics
NPIs are 10-digit numbers used to identify individual or organizational health care providers (e.g., physicians, nurses, dentists, EMS providers, hospitals, nursing homes). NPIs are required (as of 2008) for providers that bill for their services and are a key provision of HIPAA standards on PHI transactions.
Software practices [practical safeguards of the HIPPA Security Rule]
Never write down or tell anyone your password, and never let anyone use your account. Don't use dictionary words, proper names, pets, hobbies, or dates for passwords. An 8-character password or longer is best. Log off when leaving, and require a password for logon. Keep laptops and mobile devices with you at all times. Be sensitive to who may be in viewing range of your monitor screen and take simple steps to shield viewing of the screen by unauthorized persons. Follow local policies on safe electronic usage.
Are couriers that deliver PHI considered business associates fo covered entities?
No -Couriers that may deliver PHI, such as the U.S. Postal Service, UPS, or Internet Service Providers (ISPs), are considered conduits; not business associates
Can patients be denied a copy of their records because of an outstanding bill?
No. They still have the right to access a copy of their records.
What Information Can be Shared in an Emergency
Patient information can be shared when providing treatment to the patient. This includes when referring patients for treatment and when coordinating patient care with others (e.g., emergency relief workers). Patient information can also be shared when seeking payment for services provided. Sharing patient information is appropriate when identifying, locating, and notifying the patient's family or others responsible for care regarding the patient's location, condition, or death. Furthermore, it is acceptable to share patient information when notifying police, the media, or the general public in order to identify or locate the patient's family or others responsible for their care.
Sharing Information with Disaster Relief Organizations
Regardless of a waiver, information can be shared with disaster relief organizations (e.g., the American Red Cross) within the permissible limitations imposed by HIPAA (e.g., for treatment, to help them locate or notify patients' family members). Additionally, although it is recommended that EMS providers obtain verbal authorization when possible, it may be unnecessary if doing so would interfere with a disaster relief organization's ability to respond to the emergency.
EMS providers need to be aware of several changes in HIPAA laws regarding breaches and breach notification that took effect through the Omnibus Rule:
The HHS now has authority to investigate breaches more broadly (rather than focusing on specific incidents). The State Attorneys General have expanded authority to enforce civil penalties for breaches. The new "low probability" standard means a breach is presumed to have occurred whenever information is used or disclosed in an unauthorized manner unless it can be demonstrated that there was a "low probability that PHI was compromised." Previously, breach notification was only required for those breaches deemed to have potential to cause significant harm (e.g., financial, organization/individual reputation) Breach notification will likely need to increase as many will likely exceed the "low probability" standard and thus will need to be reported (not only those with the possibility of causing significant harm).
Contents of the NPP
The NPP statement must use "plain" language, and explain to patients their rights under the Privacy Rule and the manner in which their information is handled. The notice must explain how the EMS agency may use/disclose PHI, the EMS agency's legal duties regarding PHI, whom the patient can contact for further information about the privacy policies, and the patient's rights (including the right to file a complaint and access their PHI). Health care providers must maintain copies of this notice to show compliance with the law.
Verbal security in other areas
You should only discuss patient care information either directly with the patient or with those who are involved in their care. Be sensitive to your level of voice and to the fact that others may be in the area when you are speaking.
GINA (2008)
[Genetic Information Nondiscrimination Act] -The HIPAA Privacy Rule was also strengthened to protect patients' genetic information in accordance with the provisions of GINA
PHI specifics
a subset of IIHI that includes any information related to an individual's physical or mental health, treatment, and billing/payment.
Protected Health Information (PHI)
any IIHI that is transmitted or maintained, except if it is held by a non-covered entity or by a non-business associate of a non-covered entity, part of education records, or part of employment records
What classifies a business associate of a covered entity?
any individual or organization that receives PHI from your EMS agency for the purpose of providing some service or performing some activity. HIPAA can cover business associates (individuals or organizations) that provide legal or accounting services, cloud server storage, as well as clearinghouses, billing agencies, health care exchange organizations, and electronic patient care report vendors.
Health Information (HI)
any information that is health-related
Physical [safeguard under HIPPA Security Rule]
application: -Natural threats, environmental threats, unauthorized physical intrusion example: -Storing data in physical locations safe from fires, floods, or theft
Exceptions to PHI disclosures
before any disclosure, the patient must be given the opportunity to verbally agree or object. These situations include disaster relief situations; notification of the patient's location, general condition, or death to a family member (or to the patient's personal representative); and disclosures to the patient's next-of-kin or to another person (designated by the patient) involved in the patient's health care, such as neighbors, colleagues, blood relatives, spouses/significant others, or roommates/domestic partners. In these situations, you can only disclose the minimum information necessary that is directly relevant to the person's involvement with the patient's health care.
How are HIPPA's privacy and security rules enforced on the federal level?
by the HHS Office for Civil Rights -However, the Omnibus Rule that took effect in 2013 extended enforcement authority to the State Attorneys General.
You may also disclose PHI for law enforcement purposes to a law enforcement officer to comply with various laws and legal orders. These may include laws that require you to report:
certain types of injuries (such as firearm injuries); a court-ordered warrant, subpoena, or summons by a judicial officer (this is different from a subpoena issued by an attorney or a party in litigation); orders by a state or federal grand jury subpoena, and an administrative request. An administrative request could include an administrative subpoena or summons by an authorized agency if the information sought is relevant and material to a legitimate law enforcement inquiry, provided the request is specific and limited in scope.
The Security Rule portion of the HIPAA regulations requires that
ePHI be protected by maintaining reasonable safeguards to ensure the confidentiality, integrity, and availability of ePHI, to identify and protect against threats to ePHI, to protect against disclosures, and ensure compliance by all personnel.
if anyone (whether patient or not) believes patients' rights are being denied or their health information is not being protected, they can
file a complaint with their provider, health insurer, or the Office for Civil Rights.
EMS agencies are required to inform patients of
heir privacy practices and policies for protecting patient information. However, HIPAA clarifies that in "emergency treatment situations" the Notice of Privacy Practices (NPP) should be provided on the date of first service delivery, and shall be provided "as soon as it is reasonably practicable to do so after the emergency situation has ended."16 In emergency situations, the NPP also does not require the patient's signature to acknowledge receipt (in emergency treatment situations only). However, the reason(s) why the signature could not be obtained must be documented. This means that EMS personnel do not have to delay important treatment to administer the NPP before or during transport. If providing it earlier is not possible, it can be given to the patient at the treating facility.
State laws regarding consent for TPO purposes
lthough HIPAA permits consent to be voluntary, state laws may require consent for TPO purposes and for specific types of PHI (e.g., HIV/AIDS, mental health). It is important to be familiar with your state's laws and local agency policies. HIPAA does not preempt state laws (unless they are contrary to HIPAA).
The Security Rule portion of the HIPAA regulations
sets federal standards for ensuring the privacy of ePHI (electronic PHI). It does not apply to PHI transmitted orally or in writing.
Methods of breach occurance
theft human error software error software vulnerability misplaced or inadequate passwords lost, misplaced, or shared devices or data hacking of computer/electronic device/database