HIPPA Training

Group Health Plans

are defined as providing health coverage and include insured and self-funded employee health benefit plans governed by the Employee Retirement Income Security Act of 1974 (ERISA). Also included in the definition are group health plans maintained by churches, and state and local governments. A group health plan with fewer than 50 participants is generally exempt from the HIPAA privacy regulations if it is not administered by another entity. To constitute "group health," the plan must provide health coverage. Disability plans, whether short or long term, provide income-replacement and not health benefits. Workers' compensation is likewise not health coverage, although it is likely governed by privacy requirements arising under a State's GLB enabling legislation.

Business associate agreements should include the following provisions:

•Business associates and their subcontractors should use the information only for the purposes for which they were engaged by the covered entity; •Business associates should safeguard the information from misuse; •Business associates should help the group health plan comply with its duties to provide individuals with access to health information about them and a history of certain disclosures; and •The new requirements of the HITECH Act, including the new privacy and security obligations, the actions that must be taken in the event of a breach of the business associate agreement by the group health plan, the new breach notification requirements, the changes to individual privacy rights (i.e., restrictions on certain disclosures, access to e-health records), and any other necessary changes.

HITECH Act Makes Changes to "Minimum Necessary" Requirement.

Current rules allow disclosure of PHI, payment or health care operations only to the minimum extent necessary to accomplish the intended purpose. Uses and disclosures for treatment purposes are not subject to the minimum necessary requirement.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA).

As further described in this training exercise, HIPAA mandates that "covered entities" may not use or disclose "protected health information" except with the consent of, or as authorized by, the subject individual or as legally required or permitted by the HIPAA privacy regulations.

Insured Plan Exception

Certain insured group health plans are excepted from most of the administration requirements. To qualify for the exception, the group health plan must provide health benefits solely through an insurance issuer or HMO, and not create or receive protected health information except for: •Summary health information; •Information on whether the individual is participating in the group health plan; or, •Information on whether the individual is enrolled in or has dis-enrolled from health insurance or an HMO offered by the plan. A qualifying fully insured group health plan is excepted from the following administrative requirements: •Designate a privacy official; •Set up training; •Set up security procedures; •Provide a process for complaints; •Impose sanctions; •Take mitigating steps; and •Provide notice of privacy policies.

In the absence of the subject individual's valid authorization, a group health plan may disclose which of the following to its non-certified plan sponsor:

De-identified information & Information that is summary health information Information that is truly de-identified is not subject to the HIPAA privacy rule. As such, this information may be shared by a group health plan with its non-certified plan sponsor. Information that is summary health information may also be disclosed by a group health plan to its plan sponsor under HIPAA's privacy rule if provided solely for the purpose of obtaining premium bids, or providing health insurance coverage, or modifying, amending, or terminating the group health plan, subject to the restriction on the use or disclosure of genetic information for underwriting purposes. A group health plan participant's claims experience is protected health information, and as such may only be disclosed by the plan to its sponsor that is certified or pursuant to the subject individual's valid authorization.

A group health plan must obtain the subject individual's valid authorization for which of the following activities:

Disclosing the subject individual's PHI for purposes of shopping for group term life and disability coverage on behalf of the employer.

Upon the subject individual's request, HIPAA requires a group health plan to provide an accounting of disclosures for purposes of treatment, payment, or health care operations.

FALSE HIPAA does not require covered entities such as group health plans to provide an accounting of disclosures made for purposes of treatment, payment or health care operations. HIPAA does require that disclosures made for reasons other than treatment, payment or health care operations or without the subject individual's valid authorization be accounted for upon the subject individual's request

Disclosing PHI to the Employer/Plan Sponsor

Plan sponsors and employers are not covered entities governed by HIPAA. The regulations do, however, require plans to take certain steps when disclosing PHI to plan sponsors. To enable the disclosure of PHI to its plan sponsor, the plan may either: •Obtain the specific written authorization of the subject individual; or, •"Certify" the plan sponsor as being able to receive PHI from the plan. The HITECH Act provides that covered entities must agree to an individual's request not to disclose PHI to a health plan or a health plan's business associate for payment or health care operation purposes if the individual, or a family member or another person on the individual's behalf, has paid for the service out of his/her pocket in full.

Disclosure to the Subject Individual

The regulations generally permit a covered entity to disclose PHI to the subject individual.

Many of HIPAA's security and privacy rules now apply directly to business associates as a result of the passage of The HITECH Act.

True

Health care operations

generally encompasses business management and general administrative activities necessary for a covered entity to conduct its business.

Confidentiality

generally refers to the obligation of keeping non-public information from the public.

Privacy

is a concept that takes the obligation of confidentiality further. In general, privacy refers to protections intended to increase the ability of individuals to control how their protected financial or health information is used and disclosed in many instances. Privacy protections are largely governed by the following principles: •Notice is the obligation of another to advise individuals how it will obtain, maintain, use and disclose their protected information; •Choice is the ability of an individual to choose how his or her protected information is obtained, maintained, used or disclosed by another; •Access refers to the ability of an individual to obtain, review and modify his or her protected information that is in the possession of another; and, •Security is the obligation of employing certain measures that safeguard information from unintended access or disclosure.

Marketing

A covered entity must obtain an authorization for any use or disclosure of PHI for marketing purposes and must inform the individual if the covered entity will receive direct or indirect payments from a third party in exchange for making the communication. does not include communications that encourage individuals to purchase or use a product or service if the communication: •Describes a health-related product or service included in the group health plan, including communications about entities participating in the provider network, replacement of or enhancements to the health plan, and health-related products or services available only to a health plan participant that adds value to, but are not part of the plan; •Is for treatment of the individual; or •Is for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual. However, the HITECH Act provided that if the covered entity receives direct or indirect payments from a third party to make the communication, an authorization will be required unless the communication is made (1) face-to-face by the covered entity to the individual, or (2) the communication consists of a promotional gift of nominal value provided by the covered entity. There is also an additional exception for refill reminders and other communications that describe a drug or biologic that is currently being prescribed for the recipient of the communication, provided that any payment received by the covered entity in exchange for the communication is "reasonable in amount", which DHHS has limited to costs of labor, supplies and postage associated with making the communication. A business associate who sends a communication described above will not be considered to be in violation of this provision merely because the business associate is paid by the covered entity in accordance with the terms of the business associate agreement.

Disclosure to Family Members or Personal Representatives

A group health plan or other covered entity may disclose to the subject individual's family or close personal friend, or any other person identified by the individual, PHI directly relevant to the person's involvement with the individual's care or health care payment. Similarly, information relating to an individual's location, general condition, or death may be disclosed or used to notify a family member, personal representative or other person responsible for care of the individual

An insurance broker has access to PHI held by a group health plan as the plan's business associate. Question: In the absence of a valid authorization from the subject individual, the broker may use and disclose PHI as the plan's Business Associate to:

A) Secure a quote for coverage under the group health plan. & B) Help resolve claims disputes arising under the brokered coverage. In the absence of a valid authorization, covered entities and their Business Associates may generally use and disclose PHI for purposes of treatment, payment, and health care operations. While the activities identified in the first two answers qualify as treatment, payment, and health care operations, the third activity does not.

Certification and plan documentation

An additional step in the process of plan sponsor certification is the amendment of controlling plan documents. Plan documents must: •Describe the permitted uses and disclosures of PHI; •Specify that disclosure is permitted to the plan sponsor only upon receipt or a certification from the plan sponsor that the plan documents have been amended and the plan sponsor has agreed to certain conditions regarding the use or disclosure of PHI; and, •Provide adequate firewalls to identify the employees or classes of employees who will have access to PHI, restrict access solely to the employees identified and only for the functions performed on behalf of the plan, and provide a mechanism for resolving issues of noncompliance.

Amending Protected Information

An individual has a right to have protected health information changed. The covered entity must keep appropriate records of each such matter, and may refuse to make the change under certain circumstances, such as when the information was not created by the covered entity, would not be available for inspection, or is accurate and complete. The group health plan or other covered entity must generally respond to a request within 60 days. The covered entity is permitted to extend the response period by 30 days if it notifies the individual of the reasons for the delay and when the individual may expect to have a response. If the plan grants the request, it must follow through. If it denies the request, it must do so in writing giving the reason for denial, and explaining the individual's right to disagree in writing and to complain.

Accounting of PHI Disclosures.

An individual is entitled to a written accounting for all disclosures made during the prior six years of PHI about that individual. The six-year look-back applies only to information that arises after the plan's or other covered entity's date to begin complying with the privacy rules. There are exceptions to accounting for disclosures, such as to carry out treatment, payment and health care operations, and to individuals of protected health information that was subject to authorization. And, the covered entity is not required to account for subsequent disclosures by others that receive the information from the covered entity or its business associate.

Opt-Out Opportunity for Fundraising

Any fundraising communication that uses PHI to target the recipient must state, in a clear and conspicuous manner, the opportunity for the recipient to elect not to receive further communications. The method for the individual to opt out may not be unduly burdensome or involve more than a nominal cost. For example, DHHS has indicated that requiring an individual to write and send a letter asking not to receive further communications is an undue burden. However, requiring the individual to opt out by mailing back a pre-paid, pre-printed postcard would not be an undue burden.

Use and Disclosure For Treatment, Payment, or Health Care Operation

Except in those instances where the PHI in question is psychotherapy notes, a covered entity may generally use or disclose PHI for its own treatment, payment, or health care operations, or disclose PHI to another covered entity for the treatment, payment, or health care operations of such other entity. These disclosures may occur in the absence of the subject individual's authorization. The Privacy Rule now prohibits the use or disclosure of genetic information by a health plan (other than a long-term care plan) for underwriting purposes, even though a use or disclosure of this type would otherwise be considered to fall within the definition of "payment" or "health care operations". The HITECH Act provides that covered entities must agree to an individual's request not to disclose PHI to a health plan or a health plan's business associate for payment or health care operation purposes if the individual, or a family member or another person on the individual's behalf, has paid for the service out of his/her pocket in full.

Sue is an employee of ABC Company. She advises her employer, ABC Company, that as a result of her medical condition she is unable to perform her job. She is seeking unpaid leave under the Family and Medical Leave Act of 1993 (FMLA). True or False: Individually identifiable health information provided by Sue regarding her request for FMLA leave enjoys protections under HIPAA's privacy rule.

False The HIPAA privacy rule does not apply to employers or to their employment functions when they are acting in their role as employers. Administration of FMLA leave is an employment function, and not a function of any group health plan. Even if confidential in nature, individual medical information provided solely in association with an employment function is not protected health information under HIPAA. However, if the same PHI is received by the employer from the group health plan, it is protected and subject to the HIPAA privacy rule.

Authorized Disclosures.

Generally, a covered entity may disclose PHI for uses other than treatment, payment, and health care operations only if such covered entity has secured a valid "authorization" from the subject individual. To be valid, the regulations mandate that an authorization include specific core elements, and statements regarding certain rights enjoyed by the subject individual. The regulations further identify certain defects that will render an attempted authorization invalid.

Disclosures in the absence of the subject individual's consent or authorization

Generally, a covered entity may disclose PHI without allowing the subject individual an opportunity to object or consent in the following instances: •As required by law; •For public health activities, such as preventing or controlling disease; •About victims of abuse, neglect or domestic violence; •For civil or criminal investigations, inspections or licensure; •For judicial and administrative proceedings, such as qualified medical child support orders; •For law enforcement, such as an administrative request or subpoena; and •To comply with workers' compensation laws. The HITECH Act provides that covered entities must agree to an individual's request not to disclose PHI to a health plan or a health plan's business associate for payment or health care operation purposes if the individual, or a family member or other person on the individual's behalf, has paid for the service out of his/her pocket in full.

Privacy Official

Group health plans and other covered entities must designate, and document the designation of, a privacy official responsible for development and implementation of the entity's policies and procedures. The requirement is scalable, with compliance steps varying by size and other characteristics of the covered entity.

Policies and Procedures

Group health plans and other covered entities must establish policies and procedures to comply with the standards, implementation specifications or other requirements of the privacy rules. If a group health plan's policies or procedures change due to changes in legal requirements, the plan must document and implement the changes immediately. All policies and procedures, communications, actions, and designations must be documented in paper or electronic form. Required documentation must be kept for the later of six years from the effective date of creation, or the date when it last was in effect.

Security

Group health plans and other covered entities must have in place appropriate administrative, technical, and physical safeguards to secure the privacy of PHI. In addition, covered entities must have policies and procedures that reasonably limit access to and use of PHI to the minimum necessary given the job responsibilities of the workforce and the nature of their business.

Complaint Procedures

Group health plans and other covered entities must provide a valid process for individuals to file complaints about the plan's security policies and procedures, and designate a person or office responsible for this function. There must be sanctions for those who violate privacy and security policies and procedures. Sanctions must be documented.

Training

Group health plans and other covered entities must train their workforce on their privacy policies and procedures. Training at all levels and stages must be documented. These requirements are scalable, and include: •Training the workforce by the entity's compliance date; •Training new members within a reasonable time of joining the workforce; and •Retraining members on material changes within a reasonable time after the change in policies or procedures if that member's functions are affected by the changes. This means only those employees who handle or have access to PHI must be retrained.

Covered Entities

HIPAA directly governs "covered entities" that are defined to include the following: •Health plans (group health plans, certain long-term care plans, insurers, and HMOs); •Health care providers; and, •Health care clearinghouses.

Permitted uses and disclosures

HIPAA's privacy regulations generally permit covered entities to disclose PHI: •To the subject individual, or his/her family member or personal representative; •Pursuant to, and in compliance with, the subject individual's authorization; •As necessary to carry out medical treatment, payment or health care operations; and, •In certain other instances without the individual's consent, authorization or opportunity to object.

What are the operational and administrative requirements imposed upon covered entities under HIPAA?

HIPAA's privacy rule imposes the following operational and administrative requirements upon all covered entities, with an exception for certain insured group health plans: •Appoint a privacy official; •Distribute notice of privacy practices; •Training; •Security; and, •Implement privacy policies and procedures

The Genetic Information Nondiscrimination Act (GINA).

The Genetic Information Nondiscrimination Act (GINA) provides certain privacy protections for genetic information. Specifically, GINA provides that genetic information is health information and prohibits the use or disclosure of genetic information by health plans (other than long-term care plans) for underwriting purposes. The HIPAA privacy regulations have been revised to address the use and disclosure of genetic information.

Disclosure to Business Associates

In the absence of an authorization, a group health plan may disclose PHI to its business associate only to help the plan to carry out its health care functions, and not for independent use by the business associate. In addition, a group health plan or covered entity is required to secure certain contractual assurances, in the form of a "business associate agreement," from the business associate with whom PHI is to be shared. Each business associate is in turn required to enter into an agreement with its subcontractors, so the group health plan does not need to enter into business associate agreement with the subcontractors of its business associates.

What privacy rights do individuals enjoy under HIPAA regarding their PHI?

Individual Rights. HIPAA grants individuals with certain rights as to PHI that include: •The right to access, amend, and have an accounting of PHI; and, •The right to request privacy protections. Access to PHI by Individuals/Parents as Personal Representatives. Individuals, or their personal representatives, generally have a right to obtain PHI pertaining to them, except for information in psychotherapy notes or compiled in anticipation of criminal, civil or administrative action. Access to PHI by Subject Individual's Parent. Because a parent usually has authority to make health care decisions about his or her unemancipated minor child, a parent is generally a "personal representative" of such a child under the privacy rule and has the right to health information about the child. This would also apply to a guardian.

De-Identified Health Information

Information that is "de-identified" falls outside the scope of the HIPAA privacy regulations. As such, this information is not subject to HIPAA privacy protections.

Enforcement Provisions - Civil Penalties

Previously, failure to comply with the privacy and security rules could result in a civil penalty of up to $100 per violation, not to exceed $25,000 for all violations of an identical requirement during a calendar year. In addition, a penalty would not be imposed if the person did not know, and by exercising reasonable diligence would not have known, that the person violated the provision. The HITECH Act significantly increases the civil penalties, creating the following tier system: •Tier A: A penalty of $100-$50,000 for each violation, not to exceed $1,500,000 for violations of identical requirements during a calendar year. •Tier B: A penalty of $1,000-$50,000 for each violation, not to exceed $1,500,000 for violations of identical requirements during a calendar year. •Tier C: A penalty of $10,000-$50,000 for each violation, not to exceed $1,500,000 for violations of identical requirements during a calendar year. •Tier D: A penalty of $50,000 for each violation, not to exceed $1,500,000 for violations of identical requirements during a calendar year. In determining the amount of the penalty, DHHS will consider the nature and extent of the violation, as well as the harm resulting from the violation. •Violation Unknown: Penalties for violations where the person did not know, and by exercising reasonable diligence would not have known, can be assessed under Tier A. No penalty may be imposed if the failure is corrected within 30 days of the date the person liable for the penalty knew, or exercising reasonable diligence would have known, that the failure to comply occurred. •Violation Due to Reasonable Cause: Penalties for violations due to reasonable cause and not to willful neglect can be assessed under Tier B. No penalty may be imposed if the failure is corrected within 30 days of the date the person liable for the penalty knew, or exercising reasonable diligence would have known, that the failure to comply occurred. The penalty may also be waived if payment would be excessive relative to the compliance failure involved. •Violation Due to Willful Neglect: Penalties for violations due to willful neglect where the violation is corrected can be assessed under Tier C. If the violation is not corrected, the penalty will be assessed under Tier D. DHHS must formally investigate any complaint filed with its office if a preliminary investigation indicates a possible violation due to willful neglect.

A covered entity must obtain an authorization for any use or disclosure of PHI for marketing purposes and must inform the individual if the covered entity will receive direct or indirect remuneration, subject to certain exceptions.

TRUE A covered entity must obtain an authorization for any use or disclosure of PHI for marketing purposes and must inform the individual if the covered entity will receive direct or indirect remuneration. Marketing does not include communications that encourage individuals to purchase or use a product or service if the communication: * Describes a health-related product or service included in the group health plan, including communications about entities participating in the provider network, replacement of or enhancements to the health plan, and health-related products or services available only to a health plan participant that adds value to, but are not part of the plan; * Is for treatment of the individual; or * Is for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual. The HITECH Act clarifies that such activities will be considered a health care operation and will not require an authorization, only if the covered entity does not receive direct or indirect payment in exchange for making such communication, subject to limited exceptions. A covered entity can receive direct or indirect payment in exchange for a communication made (1) face-to-face by the covered entity to the individual, or (2) the communication consists of a promotional gift of nominal value provided by the covered entity. No authorization is needed for a communication that describes only a drug or biologic that is currently being prescribed for the recipient of the communication and any payment received by the covered entity is "reasonable in amount", which DHHS has limited to costs of labor, supplies and postage associated with making the communication.

Genetic Information

The HIPAA Privacy Rule now includes prohibitions on the use and disclosure of "genetic information" to a health plan for underwriting purposes. Genetic information is information about an individual's genetic tests, the genetic test of family members of the individual, the manifestation of a disease or disorder in family members of the individual (family medical history), or any request for or receipt of, or participation in clinical research which includes genetic services, by the individual or any family member or the individual. Genetic tests include tests that involve an analysis of human DNA, RNA, chromosomes, proteins or metabolites, if the analysis detects genotypes, mutations, or chromosomal changes. It does not include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder or pathologic condition. Genetic services include genetic tests, genetic counseling, and genetic education. The definition of family members includes fourth-degree relatives, and includes those related by marriage and adoption, as well as blood.

Employment Records Exemption

The HIPAA privacy rule does not apply to employers or to their employment functions when they are acting in their role as employers. In so doing, the privacy rule distinguishes health-related information that constitutes employment records not covered by the privacy rules from the same information that is PHI. Thus, the privacy rule does not conflict with an employer's obligations under other laws, such as the Family and Medical Leave Act (FMLA) and workers' compensation. Sick leave information is an example of this distinction. When an individual gives medical information to his or her employer, such as when submitting a doctor's statement to document sick leave, that medical information becomes part of the employment record. As a part of the employment record, the information is likely not protected health information under HIPAA. However, the employer may be subject to other laws applicable to use or disclosure of information in an employee's employment record. If this medical information is provided to a group health plan or other covered entity, it is likely protected under HIPAA. In these instances, issues of HIPAA privacy compliance exist.

Prohibition on Sale of PHI

The HITECH Act prohibits a covered entity or business associate from receiving direct or indirect remuneration (including in-kind benefits) in exchange for any PHI of an individual unless the covered entity obtained a valid authorization from the affected individual, subject to certain exceptions. The authorization must state whether the PHI can be further exchanged for payment by the entity receiving such information. The prohibition does not apply to exchanges where the purpose is for: •Public health activities; •Research (and the price charged reflects the costs of preparation and transmittal of the data); •Treatment of the individual; •Health care operations involving the sale, transfer, merger, or consolidation of all or part of a covered entity with another covered entity (or an entity that will become a covered entity); •Payment that is provided by a covered entity to a business associate for activities involving the exchange of PHI that the business associate undertakes on behalf of and at the specific request of the covered entity; •For providing an individual with a copy of his/her PHI; •Disclosures required by law; or •Any other exceptions allowed by DHHS.

The HITECH Act

The Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"), which was part of the American Recovery and Reinvestment Act of 2009, made some significant changes to the privacy and security rules under HIPAA. Most of the changes were effective on, or after February 17, 2010, although some of the requirements have earlier or later effective dates. As healthcare providers move toward exchanging large amounts of health information electronically, this legislation aims to ensure that such information remains private and secure. The HITECH Act makes business associates subject to certain security and privacy requirements. Certain privacy and security requirements now apply directly to business associates. For example, to comply with the privacy rule, business associates now have to develop written policies and procedures and train their workforce on how to protect PHI.

Exceptions to PHI by Subject Individual's Parent

There are exceptions in which a parent might not be the "personal representative" with respect to certain health information about a minor child. For example, when the child is emancipated. Also, the privacy rule defers to determinations under other law that the parent does not control the minor's health care decisions and, thus, does not control the PHI related to that care, for example. •When state or other law does not require consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the health care service, the parent is not the minor's personal representative under the privacy rule; and, •When a court determines or other law authorizes someone other than the parent to make treatment decisions for a minor, the parent is not the personal representative of the minor for the relevant services. The privacy rule also does not preempt state laws that specifically address disclosure of health information about a minor to a parent. This is true whether the state law authorizes or prohibits such disclosure. The parental access provisions do not affect a minor's HIPAA privacy right to access his or her PHI.

Plan sponsor certification

To certify, a plan sponsor must agree to: •Not use or further disclose PHI other than as permitted or required by the plan documents or as required by law, and ensure that any subcontractors or agents to whom the plan sponsor provides PHI likewise agrees to the same restrictions; •Not use or disclose PHI for employment related actions; •Provide an accounting of its disclosures, and report to the plan any use or disclosure that is inconsistent with the plan documents or the HIPAA privacy regulation; •Make PHI accessible to the subject individual, and allow the subject individual to amend PHI; •Make its practices available to HHS for determining compliance; •Return or destroy all PHI when no longer needed, if feasible; and, •Ensure that appropriate firewalls have been established

Continuing the facts from the previous question, Sue seeks assistance from ABC Company's Human Resource Department regarding the payment of claims under ABC Company's group health plan. These claims arise from the condition with regard to which she is seeking FMLA leave. True or False: Individually identifiable health information provided by Sue to the Human Resource Department as a part of her request for claims resolution assistance is likely protected under HIPAA.

True The HIPAA privacy rule applies to most group health plans maintained by employers. When assisting with claims issues, an employer's Human Resource Department is likely performing service not as an employment function, but as a part of the employer's group health plan. Individually identifiable health information received by the Human Resource Department in this capacity is likely subject to HIPAA's privacy rule.

Covered entities must agree to an individual's request not to disclose PHI to a health plan or a health plan's business associate for payment or health care operation purposes if the individual or family member or other person on behalf of the individual, has paid for the service out of his/her pocket in full.

True The HITECH Act provides that covered entities must agree to an individual's request not to disclose PHI to a health plan or a health plan's business associate for payment or health care operation purposes if the individual, or a family member or other person on the individual's behalf, has paid for the service out of his/her pocket in full.

Breach Notification Requirements

Under The HITECH Act covered entities and business associates are required to notify affected individuals if there is an unauthorized acquisition, access, use, or disclosure of unsecured PHI, subject to certain limited exceptions. PHI is considered unsecured unless it is encrypted or destroyed through the use of methodologies and technologies specifically approved in guidance issued by DHHS. Unless the covered entity has delegated the notification function to the business associate, the covered entity is responsible for notifying individuals affected by a breach. The business associate, in turn, is obligated to notify the covered entity of any breach, to allow the covered entity to comply with its notification obligations. If unsecured PHI has been breached, affected individuals must be notified by first-class mail or by e-mail if e-mail is specified by the individual. If contact information for fewer than 10 individuals is insufficient or out-of-date, notice may be provided by an alternative form of written notice, telephone, or other means. If contact information for 10 or more individuals is insufficient or out-of-date, the covered entity must post a notice on the homepage of its website (or through a hyperlink on its homepage) for 90 days or publish a conspicuous notice in print or broadcast media in geographic areas where individuals affected by the breach reside. If more than 500 individuals in a single state or jurisdiction are affected, notice must be provided to prominent media outlets serving such state or jurisdiction (e.g., in the form of a press release). If there exists the possibility of imminent misuse of the unsecured PHI, telephone calls to affected individuals may also be appropriate. Notifications must be made without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. The notice must include certain specific information. If the breach involves 500 or more individuals, DHHS must be notified immediately, which will subsequently post the breach on its website. If the breach involves less than 500 individuals, the covered entity must maintain a log and submit the log to DHHS on an annual basis.

Uses and Disclosures as Minimally Necessary to Accomplish the Intended Purpose.

When using or disclosing PHI or when requesting PHI from another covered entity, the privacy regulation requires a covered entity to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose.

When is a covered entity required to use or disclose PHI?

With respect to individually identifiable health information, "use" is defined by the regulation as the sharing, employment, application, utilization, examination, or analysis of such information by the entity that maintains such information. The privacy rule defines "disclosure" as meaning the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information. Covered entities are required to disclose PHI: •To the subject individual in accordance with the individual's right to access PHI or receive an accounting of certain PHI disclosures; and •When required by DHHS to determine compliance with the privacy regulations.

Protected health information" or "PHI"

is all individually identifiable health information in any form,electronic or non-electronic, that is held or transmitted by a covered entity, including oral communications. Protected health information or PHI includes information (including demographic information) collected from an individual that identifies, or can reasonably be used to identify, an individual and relates to the individual's past, present or future physical or mental health condition, the provision of health care to the individual or the past, present or future payment for the provision of health care to the individual.

De-Identified information

is information that does not identify an individual, and no reasonable basis exists to believe that the information can be used to identify an individual. To ensure de-identification, DHHS issued guidance describing how all identifiers embedded in information are to be removed. Alternatively, HHS has advised that information be declared as de-identified through expert opinion.

Choice

is the ability of an individual to choose how his or her protected information is obtained, maintained, used or disclosed by another;

Notice

is the obligation of another to advise individuals how it will obtain, maintain, use and disclose their protected information;

Security

is the obligation of employing certain measures that safeguard information from unintended access or disclosure

Treatment

is the provision, coordination, or management of health care and related services by one or more health care providers.