Privacy Rule HIPAA Week 2
Topics covered • Privacy Rule • PHI/Authorizations • NPP • Disclosure of PHI • Permitted • Authorization required • Minimum necessary • Patient Rights • Updates to rule
What does the Privacy Rule do? • Regulates the use and disclosure of Protected Health Information (PHI) • Established national standards for protecting the privacy of health information • Imposed new restrictions on the use and disclosure of protected health information • Gives patients greater access to and protection of their medical records and more control over how they are used (patient rights)
Protected Health Information (PHI) • Individually identifiable health information • Transmitted or maintained in any electronic, written, or spoken format. • For example, e-mail, fax, on-line databases, voice mail, video/audio recordings, or conversations.
Examples of identifiers: • Names • Addresses • Dates directly related to an individual such as birth date, admission date, discharge date, and date of death • Telephone numbers • Fax numbers • Electronic mail addresses • Social security numbers • Medical record numbers • Health plan beneficiary numbers • Account numbers • Certificate/license numbers • Vehicle identifiers and serial numbers, including license plate numbers • Device identifiers and serial numbers • Biometric identifiers, including fingerprints and voice prints • Full face photographic images
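Several of the identifier classes above (SSNs, phone and fax numbers, e-mail addresses, dates, record numbers) have a recognisable shape, so a practitioner reviewing free-text notes or outbound messages for PHI usually starts with a pattern scanner. The following is an added example written for this page, not code from the course or from any HIPAA tool; the concrete formats it matches (US-style SSN and phone numbers, ISO or US dates, an "MRN"-prefixed record number) and the sample note are assumptions constructed for the demonstration, and names, which also appear in the list above, are deliberately out of scope because they need a dictionary or NER model rather than a regex.

```python
import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    kind: str
    start: int
    end: int
    value: str


# Patterns for a subset of the identifier classes listed above. The concrete
# formats are assumptions for this example: US SSN and phone formats, ISO or
# US dates, and an "MRN"-prefixed record number. Real record-number formats
# are institution-specific, and names are not attempted here.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"(?:\(\d{3}\)\s*|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b"),
    "medical_record_number": re.compile(r"\bMRN[- ]?\d{6,}\b"),
}


def scan(text: str) -> List[Hit]:
    """Return every identifier match ordered by position, overlaps removed."""
    hits = []
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append(Hit(kind, m.start(), m.end(), m.group(0)))
    # Sort by start, longest match first, then drop anything overlapping a kept span.
    hits.sort(key=lambda h: (h.start, -h.end))
    kept: List[Hit] = []
    for h in hits:
        if kept and h.start < kept[-1].end:
            continue
        kept.append(h)
    return kept


def contains_phi(text: str) -> bool:
    """True if any identifier pattern fires; use to gate logging, e-mail, exports."""
    return bool(scan(text))


def redact(text: str) -> str:
    """Replace each identifier with a bracketed placeholder naming its class."""
    out, cursor = [], 0
    for h in scan(text):
        out.append(text[cursor:h.start])
        out.append(f"[{h.kind.upper()}]")
        cursor = h.end
    out.append(text[cursor:])
    return "".join(out)


# Constructed sample note; every value below is made up for this example.
SAMPLE_NOTE = (
    "Discharge summary for J. Public (MRN 00123456). DOB 03/14/1961, "
    "admitted 2023-11-02. Callback 555-123-4567, fax (555) 987-6543, "
    "email jq.public@example.com. SSN 123-45-6789."
)

if __name__ == "__main__":
    for hit in scan(SAMPLE_NOTE):
        print(f"{hit.kind:22s} {hit.value}")
    print(redact(SAMPLE_NOTE))
```

Run against the sample note, `scan` reports the record number, both dates, both phone/fax numbers, the e-mail address and the SSN, and `redact` returns the note with each replaced by its class name; the patient's name survives, which is the point of the caveat in the lead-in. A scanner like this is a guard for the minimum-necessary and incidental-disclosure controls later in the deck (for example, refusing to write a log line or send a message that `contains_phi`), not a substitute for the Safe Harbor review of all identifier classes.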
Patient Rights under HIPAA • Right to receive Notice of Privacy Practices. • Right to request restrictions on use and disclosure of PHI • Right to receive Confidential Communication. • Right to Access, Inspect and Copy PHI. • Right to Amend PHI. • Right to receive an accounting of disclosures of PHI.
Notice of Privacy Practice • An individual receiving services from a covered entity on or after April 14, 2003 is entitled to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, the individual's rights, and the covered entity's legal obligations.
Notice of Privacy Practice • The NPP must contain specific language and descriptions of the allowable uses and disclosures of an individual's medical information and of how the individual may access that information. • Each covered entity must distribute its own specific NPP to an individual seeking treatment and must make a good faith effort to document that distribution.
Purpose of Notice of Privacy Practice (NPP) • To permit patients to become informed about the uses and disclosures of their Protected Health Information (PHI) • Describes the permitted and/or required uses and disclosures of PHI by the healthcare provider for Treatment, Payment and healthcare Operations (TPO)
Minimum Necessary Standard A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request. • Limit who has access to protected health information. • Specify the conditions under which this information can be accessed.
Protected Health Information (PHI) Use and Disclosure • The Privacy Rule prohibits use or disclosure of protected health information unless: • It is used for treatment, payment, or health care operations, or • Its use is authorized by the client, or • Not sharing the information would present a risk to public health or safety (for example, disease reporting required by statute, or bioterrorism response).
Allowable uses of protected health information • The Department may use protected health information without the client's written authorization for the following reasons: • For treatment • To obtain payment • For department (health care) operations
Incidental Uses and Disclosures • Incidental uses and disclosures occur as a by-product of an initial use or disclosure that is permitted, and cannot reasonably be prevented (for example, a conversation at a nursing station being overheard). • These are allowable as long as reasonable safeguards are taken and the sharing of protected health information is limited to the minimum necessary to do the job. • An incidental disclosure is not a separate, intentional re-disclosure of health information; a deliberate re-disclosure needs its own permitted purpose or authorization.
Exceptions to the written authorization rule • A covered entity can use or disclose protected health information without written authorization for the following reasons: • The law requires disclosure • For public health activities • For health oversight activities • To avert serious threats to health or safety • For research purposes, with IRB (or privacy board) approval of a waiver of authorization
Exceptions to the written authorization rule (continued) • Law enforcement purposes • Relating to decedents • Investigation of a crime • Medical examiners / funeral directors • Suspected child abuse • Suspected neglect • Suspected domestic violence
Other activities for which written authorization is NOT required include: • Public health activities - requirements to collect information about disease or other public health events • Health oversight activities - audits or inspections and other regulatory functions • To avert serious threats to health or safety
Use Reasonable Safeguards • Reasonable safeguards are the actions the Department takes to ensure that protected health information remains private. • To keep incidental uses or disclosures of health information within what the rule allows, apply these reasonable safeguards: • Access is limited to staff who need the information • Authorization is obtained prior to sharing (when applicable) • Client information is physically secured (files locked, screens and conversations shielded from others)
Right to Request Restrictions on Use and Disclosure of PHI • A Covered Entity (CE) must permit an individual to request restrictions on the use and disclosure of PHI: • To carry out Treatment, Payment and Operations • To use in a facility directory • To relatives and friends • For disaster relief purposes
Right to Request Restrictions on Use and Disclosure of PHI • A covered entity (CE) is not required to agree to a restriction. • A covered entity may “override” its agreement to a restriction if the individual is in need of emergency treatment and the PHI is needed for that treatment. This PHI must not be disclosed to anyone other than those providing the emergency treatment
Right to Request Restrictions on Use and Disclosure of PHI • A covered entity may terminate a restriction: • if the individual agrees to the termination. • without an individual’s agreement. In this case the termination of restriction applies only to PHI created or received after the termination date. PHI created or received prior to the termination date must continue to be restricted.
Right to Receive Confidential Communication • The CE must accommodate reasonable requests from individuals to receive communications of PHI by alternative means or at alternative locations. • The CE must accommodate all requests where the individual states that the disclosure could endanger the individual • The CE may require this request in writing.
Right to Access, Inspect and Copy PHI • Individuals have the right to access, inspect and receive copies of their own PHI except for: • Psychotherapy notes • PHI compiled for civil, criminal or administrative action or proceeding
Right to Amend • An individual may request an amendment to PHI maintained by the CE. • The CE may deny the request if the PHI: • Was not created by the CE • Is not part of the individual's designated record set • Would not be available for inspection under the right to access, inspect and copy PHI (above) • Is accurate and complete
Right to amend • The CE: • May require requests in writing • May require a reason to support the request • Must act on the request within 60 days (with 30 day extension in certain circumstances)
Right to amend • If denying the amendment the CE must: • Provide a timely denial in plain language • Include the basis for the denial • Allow the individual to submit a statement of disagreement • If the individual asks, include the amendment request and the denial (or a summary of them) with any subsequent disclosures of the PHI • Identify the complaint process
Right to Receive an Accounting of Disclosures of PHI • In general, an individual may request a listing of the disclosures of the PHI made within the previous six years. • Disclosures not requiring accounting include disclosures made: • For Treatment, Payment or Operations • To the individual subjects of the PHI • Incident to an otherwise permitted disclosure • Based on the individual’s signed authorization • For a facility directory
Disclosures requiring accounting include: • Required by law • For public health activities • Victims of abuse, neglect, violence. • Health oversight activities • Judicial/Admin proceedings • Law enforcement purposes • About decedents • Organ/eye/tissue donations • Research Purposes • To avert threat to health and safety • For specialized government functions • Workers’ compensation
Updates to rule • Breach Notification Rule (effective 9-23-09) • Concerns the UNAUTHORIZED acquisition, access, use or disclosure of unsecured PHI as a result of a security breach, and requires notification of affected individuals (and, as applicable, HHS and the media) • Brought about by the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009
References • AMA (2010). What you need to know about the new HIPAA Breach Notification Rule. American Medical Association. Available from: http://www.ama-assn.org • Hartley, C. & Jones, E. (2011). HIPAA Plain & Simple: A Health Care Professional's Guide to Achieve HIPAA and HITECH Compliance, 2nd ed. American Medical Association, USA. • Hartley, C. & Jones, E. (2004). HIPAA Plain & Simple: A Compliance Guide for Health Care Professionals. American Medical Association, USA.