Chapter 11 HIPAA Privacy Rule Part II HIMT 1200
Privacy Rule expands Common Rule
By regulating both privately and federally funded research, equalizing information privacy protections in both types of research.
When requests are granted
CE must provide access to PHI in the form or format requested. If it is not available in that form or format, a readable hard-copy form or another agreed-upon form or format must be produced.
Clinical Laboratory Improvement Amendments of 1988 (CLIA)
CLIA regulations aim to ensure quality laboratory testing. They may prohibit access to PHI.
Will NOT Be Preempted by HIPAA: D: The state law requires a health plan to report or provide access to information
For MGMT or financial audits, program monitoring and evaluation, or licensure or certification of facilities or individuals.
Waived Authorization
No authorization
Will NOT Be Preempted by HIPAA A): The State Law is determined by the Secretary of Health and Human Services as Necessary to:
Prevent HC fraud and abuse; ensure appropriate regulation of insurance and health plans to the extent authorized by law; complete State reporting on HC delivery or costs; or serve a compelling need related to public health, safety, or welfare, where the intrusion into privacy is warranted when balanced against the need.
There are exceptions to access
Psychotherapy notes; information compiled for civil or criminal actions; PHI held by clinical laboratories or research laboratories.
Will NOT be Preempted by HIPAA: B: The state law regulates
The manufacture, registration, distribution, or dispensing of any controlled substance as identified by state law
As of March 31, 2016
The most frequent violations were impermissible uses and disclosures, followed by safeguard violations and violations relating to access and the minimum necessary requirement.
If a request for amendment was denied and the individual did not write a statement of disagreement,
The request for amendment and denial must only accompany future disclosures if the individual requests it.
In responding to an individual's request for access to PHI
CE must arrange a convenient time and place of inspection with the individual or mail copies
Documentation and Record Retention
Privacy Rule: 6 years for privacy-related documents, measured from the date the document was created or the last effective date of the document. Covers policies and procedures, the NPP, complaint dispositions, and other actions, activities, and designations required by the Privacy Rule.
Accounting includes:
-Date of disclosure
-Name and address of the entity or person who received the information
-Brief statement of the purpose of the disclosure, or a copy of the request for accounting, is required
-Include public interest and benefit disclosures in an accounting
Breach Notification: Must Inform Affected Individuals Of:
-Description of what occurred (including date of breach and date of discovery)
-Types of unsecured PHI involved (name, SSN, DOB, home address, account number)
-Steps the individual may take to protect him/herself
-Entity's steps to investigate, mitigate, and prevent in the future
-Contact information for individuals to ask questions and receive updates
Reasonable fee may be imposed on individual's request
-Labor and supplies
•Search and retrieval fees may not be charged to individuals for their own records
-Postage, when the individual has requested that the information be mailed
-Preparation of an explanation or summary, if agreed to by the individual in advance
•Stricter state laws may apply to fees
Penalty categories
-Unknowing
-Due to reasonable cause and not willful neglect
-Due to willful neglect, corrected within 30 days of discovery
-Due to willful neglect and not corrected as required
Under a Limited Data Set (LDS)
16 of the 18 identifiers must be removed, e.g., names, fax numbers, SSNs, medical record numbers, certificate/license numbers. The only data elements permitted are item 3 (dates) and item 18 (a unique code for re-identification). Researcher assurance of this is required.
If a breach affects 500+ individuals, immediate notification is required to
-Local media outlets
-Secretary of HHS, for posting on the breach portal
Individuals cannot be required to purchase portable media if they prefer their PHI be mailed or e-mailed
A flat $6.50 fee for electronic copies of PHI has been recommended
Examples of Control Over Info
Access; request amendment; accounting of disclosures; request confidential communications; request restrictions of PHI; complain of Privacy Rule violations.
CEs must report all breaches using an online breach reporting system
All breaches within a calendar year must be entered into the online system no later than 60 days into the following calendar year.
Erroneous disclosures (facsimile transmitted to the wrong patient)
Also subject to accounting of disclosures, regardless of whether the recipient read the information.
January 2013 Final Rule States That
An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or BA demonstrates that there is a low probability that the PHI has been compromised.
CEs and BAs must document Training
And all steps taken to ensure compliance. Show that Privacy training has occurred: a signed statement by workforce members. Workforce members should complete nondisclosure agreements, a commitment to the privacy of patient information and compliance with the Privacy Rule.
Authorization is NOT Required: The Use or Disclosure Will Only Be for Research on Decedents' PHI
And it is necessary for the research. Researcher assurance of this is required.
Mitigation Includes
Apology; disciplinary action against the responsible employee or employees; repair of the process that resulted in the breach; payment of a bill or financial loss that resulted from the infraction; gestures of goodwill and good public relations (e.g., awarding gift certificates).
Combined Conditioned and Unconditioned Authorizations
Are permitted for research if the form clearly distinguishes between the two components and provides individuals with the ability to opt in to the unconditioned research activities.
A CE must act on a request no later than 60 days after its receipt, with one 30-day extension
As long as it notifies the individual in writing of the reasons for the delay and when the accounting will be made available. HITECH proposes to limit the response period to 30 days with one 30-day extension.
Unconditioned Authorization
Authorization is not required in order to receive treatment or some other service or benefit.
Altered Authorization
Authorization is required, but one or more standard authorization elements may be omitted.
Submit Complaints
CE must provide a process for individuals to complain about policies and procedures, noncompliance with them, or noncompliance with the Privacy Rule. The Notice of Privacy Practices (NPP) must inform individuals of the right to complain at the CE level and to the US Department of Health and Human Services, along with contact information.
Conditioned Authorization
CEs condition treatment, payment, and health plan enrollment or benefit eligibility on an authorization. The rule discourages coercing individuals into signing authorizations in order to receive services.
Retaliation and Waiver
CEs may not retaliate against anyone who exercises his/her rights under the Privacy Rule, assists in an investigation by HHS or another appropriate investigative authority, or opposes an act or practice that the person believes is a violation of the Privacy Rule. Individuals cannot be required to waive the rights they hold under the Privacy Rule in order to obtain treatment, payment, or enrollment/benefits eligibility.
Data Safeguards
CEs must have administrative, technical, and physical safeguards to protect the privacy of PHI from intentional and unintentional use/disclosure and to limit incidental uses/disclosures. Examples include shredding paper documents that contain PHI and limiting access to areas containing PHI through keycards, passwords, or locks.
Mitigation
CEs must mitigate harmful effects that result from wrongful use/disclosure of PHI. The CE determines the possible courses of action.
Right of Access
Can access one's own PHI contained in a designated record set
Compound authorization
Combines consent to participate in a research study with authorization to use/disclose PHI. This is permitted for research, although this type of combined authorization is generally prohibited otherwise.
Policies and Procedures
Conduct ongoing review of privacy policies and procedures. Policy changes must be consistent with changes in privacy/security regulations, such as those introduced by HITECH; update the NPP accordingly. Current high-risk topics to address include mobile devices, social media, camera phones, and body-worn cameras in law enforcement.
Privacy Officer and Contact Person
Designate a Privacy Officer responsible for developing and implementing privacy policies and procedures, with expertise in Health Information Management. The Contact Person must be able to provide further information about matters covered by the entity's NPP.
The accounting requirement includes
Disclosures made in writing, electronically, by telephone, or orally.
Exceptions to Breach
Disclosures made to unauthorized recipients if they would not reasonably be able to retain the disclosed information. A workforce member or individual acting under CE or BA authority unintentionally acquires, accesses, or uses the PHI, if it was in good faith, within the scope of authority, and could not be further disclosed or used in an impermissible manner. Inadvertent disclosure by an individual at a CE or BA to another authorized person at a CE or BA, where the information is not further disclosed/used in an impermissible manner.
Will NOT be preempted by HIPAA: C: The state law provides for the reporting of
Disease or injury, child abuse, birth, or death or for the conduct of public health surveillance, investigation, or intervention
$1,000 - $50,000
Due to reasonable cause: the CE or BA knew, or would have known with reasonable diligence, but not due to willful neglect.
Request Amendment: Identify the records in the DRS that are affected by the amendment and append the information through a link to the amendment's location
EX: If the Dx was incorrect, the amendment would have to appear and be linked to each record or report in the DRS.
Individuals DO have right to review Denial of Access
Endanger the life or physical safety of the individual or another person; cause substantial harm to another person (not the HC provider) mentioned in the PHI; cause substantial harm to the individual or another person if the individual's personal representative requests access.
Workforce Training and MGMT
Every member of the CE workforce must be trained in PHI policies and procedures. New members must be trained within a reasonable time after hire/orientation. Material changes require additional training. Includes janitorial staff and outsourced vendors' employees. Heightened consequences apply to CEs or BAs that violate the Privacy Rule. BAs should train their own workforce members.
Labor
Excluding costs associated with reviewing requests or searching for and retrieving PHI, such as locating and reviewing the PHI in the record and segregating and preparing the PHI.
Search and Retrieval Fees
Expressly prohibited for requests by individuals for their own records, although permitted for requests by others.
Civil Monetary Penalties (CMP)
Fines imposed on a CE or BA because of a HIPAA violation, based on intent or neglect.
The first accounting within any 12-month period must be provided without charge
For any other request within a 12-month period, the CE may charge a reasonable cost-based fee. The entity must inform individuals of the fee in advance and give them the opportunity to withdraw or modify the request.
Privacy Board
Group formed by CE to review research studies where authorization waivers are requested and to ensure the HIPAA Privacy Rights of research subjects are upheld.
Penalties and Enforcement
HIPAA Enforcement Rule (2006)
•Penalties for non-compliance apply to both CEs and BAs
-Civil and criminal
HITECH makes it easier for schools to obtain student immunization records where state or other law may require them prior to admission
HITECH permits CEs to disclose a child's immunization records (considered a public health activity) to a school with the oral consent of the parent or guardian
Authorization is NOT Required An IRB or Privacy Board
Has approved the study pursuant to a waived or altered authorization. A waiver is only permitted if the use or disclosure poses only a minimal risk to the individual's privacy and the research could not practicably be conducted unless access to and use of PHI were granted.
Breach Notification
Imposes obligations on entities when PHI in their custody has been wrongfully used or disclosed. Extends consequences to entities not previously bound by HIPAA.
Stand-Alone Authorization:
Includes the core elements of a valid authorization
Accounting of Disclosures
Individuals have the right to know about instances where their PHI has been disclosed. A timely response to a request for accounting is required. The first accounting within a 12-month period is free. Must account for disclosures in the past 3 years.
Confidential Communications
Individuals have the right to request alternative routing/destination of PHI. HC providers and health plans must honor a request without requiring a reason if the request is reasonable and states that disclosure could pose a safety risk. Requests may be refused if the individual does not provide information as to how payment will be handled, or does not provide an alternative address or method by which he or she can be contacted.
Request Restrictions
Individuals may request restrictions on uses and disclosures of PHI to carry out TPO. The covered entity does not have to agree to the requested restriction. If the covered entity agrees, it must document and abide by the request, unless and until terminated with notice to the other party.
Breach
Is an "unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information"
-Several exceptions
-An impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA demonstrates a low probability that the PHI has been compromised
Mandatory Public Health Reporting
Is not part of a CE's operations. States require reporting of births (birth certificates), communicable diseases, and incidents of abuse or suspected abuse of children, individuals who are mentally disabled, and the elderly.
Fee limits apply whether PHI
Is sent to the individual or the individual directs that it be sent to any third party. Both are access requests by the individual.
Authorization is NOT required: The Use/Disclosure of PHI
Is solely preparatory to research, the researcher will not remove PHI from the covered entity, and the PHI is necessary for the proposed research. Researcher assurance is required.
When CE terminates agreement,
It must inform the individual that it is doing so. Termination is only effective with respect to the PHI created or received after the individual has been informed.
Denial of access
May be subject to review (appeal), or may not be subject to review (appeal).
Statement explaining how, if the individual does not submit a disagreement to the denial, he or she
May request that both the original amendment request and the CE's denial accompany any future disclosures of the PHI that is the subject of the amendment.
Requesting Access to One's Own PHI
May require that the request be in writing. The covered entity must respond within 30 days after the request is received. Per HITECH, covered entities with EHRs must make PHI available electronically, or must send it electronically to a designated person or entity if the individual requests.
Breach Notification: HITECH Requires Breach Notification as
Mitigation
-Notification to individuals affected
-Notification to HHS via online portal
•HIPAA-covered entities and BAs are subject to HHS regulations
•Non-HIPAA-covered entities and non-BAs are subject to FTC regulations
-Includes PHR vendors and third-party service providers of PHR vendors
Institutional Review Board (IRB)
Must approve federally funded human subjects research, even if the patient has signed an informed consent.
All requests for amendments, denials, the individual's disagreement, and the CE's rebuttal
Must be appended or linked to the record or PHI that is the subject of the amendment request. When future disclosures are made, this material or a summary of it must accompany them.
CEs that use or maintain an EHR
Must include TPO disclosures in their accounting of disclosures. A separate access report for EHRs allows individuals to see who has viewed their DRS in the previous three years; this is displayed in the access report rather than in the accounting of disclosures.
Request Amendment: Act on the individual's request
No later than 60 days after its receipt by either allowing the requested amendment or denying it in writing
Exception to Request Restrictions
Per HITECH, covered entity must agree if disclosure would be made to health plan for payment or operations, and PHI pertains solely to an item or service that has been paid for in full by other than the health plan
30 days from receipt of request
A 30-day extension is permitted if a written statement includes the reason for the delay and the date by which the covered entity will complete its action. Extended time is permitted for records not maintained on site. The time for action on a request for access may be extended only once.
HIPAA Privacy Rule
Provides individuals with rights that give them some control over their health information
Denials NOT Subject to Appeals Process
Request for access to PHI in psychotherapy notes; PHI held by CEs that are correctional institutions, if access jeopardizes safety (the inmate still has the right to inspect his/her PHI); PHI created or obtained as part of the DRS by a covered HC provider in the course of research, where the subject agrees to suspend his/her right to access PHI; PHI obtained from someone other than a HC provider under a promise of confidentiality, where access would reveal the source of the information; PHI contained in records that are subject to the federal Privacy Act, if denial of access under the Privacy Act would meet the requirements of that law.
Research: When authorization is required
Research is a public interest and benefit authorization exception, but IRB or privacy board must approve variations to authorization requirement
Resolution Agreements
Settlements compelling the entity to perform obligations per the agreement (including payments) and to submit reports to HHS for three years.
Disclosures Where Accounting Is NOT required
TPO disclosures (CEs without EHRs); to the individuals to whom the information pertains; incident to an otherwise permitted or required use or disclosure; pursuant to an authorization; for use in the facility's directory, to persons involved in the individual's care, or for other notification purposes; to meet national security or intelligence requirements; to correctional institutions or law enforcement officials; as part of a limited data set; those that occurred before the compliance date for the CE.
Authorization is NOT Required: The Covered Entity and the Researcher will enter into a Data Use Agreement
That provides that the researcher will receive only a limited data set for research, public health, or HC operations.
Encryption is a technology
That safeguards PHI against breaches.
Breach Requirements apply only to unsecured PHI:
That which technology has not made unusable, unreadable, or indecipherable to unauthorized persons
If the individual submits a disagreement
The CE may prepare a written rebuttal and must provide a copy of it to the individual.
Request Amendment: Inform the individual that the amendment was accepted and have him/her identify the persons with whom the amendment needs to be shared and then obtain his/her agreement to notify those persons.
The CE must make reasonable efforts to provide the amendment within a reasonable amount of time to anyone who has received the PHI.
When a denial subject to review is made,
The CE must write the denial in plain language and include a reason. It must explain that the individual has the right to request review of the denial and how the individual can complain to the CE, including the name or title and phone number of the person or office to contact, and how the individual can lodge a complaint with DHHS. The individual has the right to have the denial reviewed by a licensed HC professional who did not participate in the original denial and who is designated by the CE to conduct the review; the CE must grant or deny access based on the reviewing professional's decision.
For individuals who choose not to complain to the CE or who submit complaints at both levels,
The OCR maintains a complaint submission process. CE must document all complaints it receives, along with the disposition of each complaint.
Within the required 60 days, the CE must write a denial in plain language that contains the following information
The basis for the denial; the individual's right to submit a written statement disagreeing with the denial; the process by which the individual can submit his/her disagreement; a description of how the individual may complain to the CE, including the name or title and telephone number of the contact person or office.
A CE may account for disclosures of its BAs or provide for the BA to make its own accounting
Under HITECH, BAs must respond to accounting requests made directly to them.
Violation Category: $100- $50,000
Unknowing violations: would not have known that a violation was committed even with reasonable diligence.
Breaches are deemed discovered
When the breach is first known or when it reasonably should have been known. Individuals must be notified without unreasonable delay and within 60 days, by first-class mail or a faster method such as telephone.
If a third party initiates a request for PHI on its own behalf,
With HIPAA authorization, the fee limits do not apply. OCR encourages providing individuals with free copies of their PHI.
Example of Request for Confidential Communications
Woman who requests that billing information from her psychiatrist, from whom she is seeking treatment because of domestic violence, be sent to her work address instead of to her home.
Disclosure pursuant to a court order without patient authorization
Would also be subject to accounting of disclosures
An individual's right to an accounting of PHI disclosures may be suspended at the written request of a HC oversight agency or law enforcement official
Written request from the appropriate agency or law enforcement official must indicate that such an accounting would impede its activities and how long suspension is required.
Request Amendment: May extend its response
by 30 days if it explains the reasons for the delay in writing and gives a date by which it will complete its actions. There can be no additional extensions.
Enforcement per HITECH
•HHS contracts with a private entity to conduct random audits (no longer complaint-driven only)
•State attorneys general may bring civil actions in federal court representing citizens affected by HIPAA violations
•Individuals can now be individually prosecuted
•Recommendations for compensating individuals harmed by violations
Preemption- Sometimes it is impossible to follow both HIPAA and State Laws
•HIPAA is a federal floor, or minimum, on patient privacy requirements.
•State laws contrary to HIPAA apply if they are "more stringent"
-Provide greater privacy protections
-Provide greater patient rights regarding their PHI
-Fulfill specific purposes enumerated in the law (i.e., are less stringent but serve purposes such as controlling regulated substances or preventing healthcare fraud and abuse)
Right to Request Amendment
•Individual has the right to request an amendment to his or her health information
•May require the amendment request to be in writing, as stated in the CE's Notice of Privacy Practices (NPP)
•HIPAA provides reasons that an amendment request may be denied
•Timely response to the request is required
•HIPAA provides a process for denial of amendment requests
Research: In what form authorization may occur:
•Standalone
•Compound (informed consent + authorization)
•Conditioned + unconditioned
•Altered
•Waived
Administrative Requirements:
•Standards for policies and procedures/changes
•Designation of privacy officer and contact person to receive complaints
•Requirements for privacy training
•Workforce training and non-disclosure agreements
•Mitigation of wrongful use/disclosure
-Include process for handling privacy complaints
•Data safeguards
•Prohibition against retaliation and waiver
•Document and record retention (HIPAA standard is 6 years)