Chapt. 4 - Medical Privacy - HIPAA Privacy Rule & Security Rule
The Privacy Rule Methods for de-identifying data
(1) Remove all of at least 17 data elements listed in the rule, such as name, phone number and address; or (2) have an expert certify that the risk of re-identifying the individual is very small.
Security Rule requirements of covered entities and business associates
*Ensure the confidentiality, integrity and availability of all ePHI the covered entity creates, receives or transmits. *Protect against reasonably anticipated threats or hazards to the security or integrity of ePHI. *Protect against reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule. *Ensure compliance with the Security Rule by its workforce.
Specific entities covered under HIPAA are
*Healthcare providers that conduct certain transactions in electronic form. *Health plans. *Healthcare clearinghouses (third-party organizations that host, handle or process medical information).
Additional Security Rule requirements
*Identify an individual who is responsible for the implementation and oversight of the Security Rule compliance program. *Conduct initial and ongoing risk assessments. In particular, "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity." *Implement a security awareness and training program for its workforce. Non-compliant workers must be disciplined for failure to comply with policies and procedures.
Elements that a covered entity must consider when it develops a security program
*Size, complexity and capabilities of the covered entity. *Technical infrastructure, hardware and software security capabilities. *Cost of security measures. *Probability and criticality of potential risks to ePHI.
Activities performed by "business associate" under HIPAA privacy rule
Claims processing, data analysis, utilization review and billing, as well as legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation and/or financial services.
Role of the FTC
Can bring enforcement actions for unfair and deceptive trade practices even for entities covered by HIPAA.
Role of the US DOJ
Criminal enforcement authority with up to 10 years of imprisonment.
HIPAA Security Rule
Establishes minimum security requirements for PHI that a covered entity receives, creates, maintains, or transmits in electronic form (ePHI). It requires covered entities to implement "reasonable" security measures in a technology-neutral manner.
HITECH
Extended HIPAA privacy and security protections under written contracts that business associates signed with covered entities.
The goal of the HIPAA security rule
For all covered entities to implement "policies and procedures to prevent, detect, contain, and correct security violations."
HIPAA Key Privacy Protection - Authorizations for use & Disclosure
HIPAA authorizes the use and disclosure of PHI for essential healthcare purposes: treatment, payment and operations. Other uses of PHI require the individual's opt-in authorization. An authorization is an independent document that identifies the information to be used or disclosed, the purposes of the use or disclosure, and the person or entity to which a disclosure may be made. A covered entity may not condition treatment on a patient signing a disclosure.
Doctors who accept only cash or credit cards and do not bill insurance
HIPAA does not apply to these healthcare providers.
Privacy Rule and Fair Information Privacy Practices
HIPAA provides the most detailed implementation of the Fair Information Privacy Practices including requirements concerning privacy notices, authorizations for use and disclosure of PHI, limits on use and disclosure to the minimum necessary, individual access and accounting rights, security safeguards and accountability through administrative requirements and enforcement.
Non "covered entities"
Health information in the hands of other entities is not protected by HIPAA. E.g., an individual buys books about a rare form of cancer. Those purchases are covered by the bookstore's privacy policy but not by HIPAA. The same is true of a website that provides medical information, since the website is not a covered entity for purposes of HIPAA. Conversations with friends are not HIPAA covered.
"Covered entities"
Healthcare providers, insurers and business associates that receive data from covered entities.
HIPAA Security Rule "standards" and "implementation specifications"
Includes administrative, technical, and physical safeguards. Some of the implementation specifications are required, while others are considered addressable. This means that the covered entity must assess whether the safeguard is appropriate for the entity to adopt. If not, the covered entity must document why it is not reasonable and, if appropriate, adopt an alternative measure.
PHI
Individually identifiable health information that is transmitted or maintained in any form or medium; is held by a covered entity or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or employer; and relates to past, present or future physical or mental condition, provision of health care or payment of healthcare for that individual.
HIPAA Key Privacy Protection - Access and accountings of disclosures
Individuals have the right to access and obtain a copy of their own PHI from a covered entity or a business associate. Individuals also have the right to get an accounting of certain disclosures of their PHI, but can be charged a reasonable fee for it. Individuals can also request amendment of the PHI possessed by a covered entity. The individual can file a statement that must be included with any future use or disclosure of the information.
Limits & Exceptions on the Privacy Rule ==> other exceptions
Information used for public health activities; to report victims of abuse, neglect or domestic violence; in judicial and administrative proceedings; for certain law enforcement activities; and for certain specialized government functions. PHI must also be released to the individual to whom it pertains or to the person's representative, and to the Secretary of HHS to investigate compliance with the privacy rules.
Limits & Exceptions on the Privacy Rule ==> De-identification
The Privacy Rule does not apply to information that does not actually identify an individual and where there is no reasonable basis to believe that the information can be used to identify an individual.
The Primary Enforcer of the Privacy Rule
The Office for Civil Rights (OCR), which processes individual complaints and can assess civil monetary penalties of up to $1.5 million per year per type of violation. CIGNET Health was fined $4.3 million for denial of access to patient records. OCR has audited up to 150 covered entities per year for HIPAA compliance.
HIPAA Key Privacy Protection - Minimum necessary use or disclosure
Other than for treatment, covered entities must make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose. PHI may be disclosed to a business associate only if the covered entity has a contract with that business associate.
HIPAA Key Privacy Protection - Safeguards
The Privacy Rule requires physical and technical safeguards to protect the confidentiality and integrity of all PHI. The Security Rule requires covered entities to implement administrative, physical and technical safeguards only for electronic PHI. It aims not only to prevent unauthorized use or disclosure of PHI but also to maintain the integrity and availability of ePHI. The Security Rule addresses data backup and disaster recovery.
HIPAA Key Privacy Protection - Privacy notices
Requires providing a privacy notice at the date of first service delivery. There are some exceptions: for example, the privacy notice does not have to be provided when the healthcare provider has an "indirect treatment relationship" or in the case of a medical emergency.
HIPAA Key Privacy Protection - Accountability
Subjects covered entities to a set of administrative requirements. Requires designating a "privacy official" responsible for the development and implementation of privacy protections. Personnel must be trained in, and comply with, the procedures.
Privacy Rule requirement that a covered entity enter into a business associate contract
This agreement must include provisions that pass the privacy and security standards down to the contracting entity. It must be in writing, though it can be signed electronically as long as such signatures are valid as "written signatures" under applicable state contract law.
Business Associate under HIPAA Privacy Rule
Under the Privacy Rule, this is a person or organization, other than a member of a covered entity's workforce, that performs services and activities for, or on behalf of, a covered entity, if such services or activities involve the use or disclosure of PHI.
Limits & Exceptions on the Privacy Rule ==> Research
PHI may be used for medical research purposes with consent, or without consent if an authorized entity such as an institutional review board has approved the research as consistent with the Privacy Rule and the general rules covering research on human subjects. Research is permitted on de-identified information, and the rules are more flexible if only a limited data set is released to researchers.
Initial reason for HIPAA
It was not privacy and security. Instead, Congress was seeking to meet other goals, including improving the efficiency of healthcare delivery. To improve efficiency, HIPAA required entities receiving federal healthcare payments, such as Medicare, to shift reimbursement requests to electronic format. Congress realized that the change to electronic format presented a threat to privacy, so the plan was to promulgate regulations that protect the privacy and security of healthcare information.