HIPAA: PRIVACY COMPLIANCE
The HIPAA Privacy Rule — finalized on August 14, 2002 — ensures that personal medical information you share with doctors, hospitals and others who provide and pay for healthcare is protected. It is part of the Health Insurance Portability and Accountability Act (HIPAA) enacted by Congress.
Basically, the Privacy Rule does the following:
- Imposes new restrictions on the use and disclosure of personal health information
- Gives patients greater access to their medical records
- Gives patients greater protection of their medical records
You can make sure you protect personal patient data by learning the basics of the final HIPAA Privacy Rule outlined in this handbook.
WHO IS COVERED BY THE HIPAA PRIVACY RULE?
You’re covered by the HIPAA Privacy Rule, and termed a covered entity, if you are a:
- Healthcare provider
- Health plan
- Healthcare clearinghouse
HIPAA also indirectly affects business associates who have access to patient records.
WHAT IS PROTECTED HEALTH INFORMATION?
When a patient gives personal health information to a covered entity, that information becomes Protected Health Information — or PHI.
PHI includes any information — oral, recorded, on paper, or sent electronically — about a person’s physical or mental health, services rendered or payment for those services, and that includes personal information connecting the patient to the records.
Examples of information that might connect personal health information to the individual patient include:
- The individual’s name or address
- Social security or other identification numbers
- Physician’s personal notes
- Billing information
WHAT ARE THE RULES FOR THE USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION?
HIPAA’s Privacy Rule is all about the use and disclosure of Protected Health Information or PHI. With few exceptions, PHI can’t be used or disclosed by anyone unless it is permitted or required by the Privacy Rule.
PHI is used when:
PHI is disclosed when it is released, transferred or made accessible to anyone outside the covered entity in any way.
You are permitted to use or disclose PHI:
- For treatment, payment, and healthcare operations
- With authorization or agreement from the individual patient
- For disclosure to the individual patient
- For incidental uses such as physicians talking to patients in a semi-private room
You are required to release PHI for use and disclosure:
- When requested or authorized by the individual — although some exceptions apply
- When required by the Department of Health and Human Services (HHS) for compliance or investigation
WHEN IS AUTHORIZATION REQUIRED?
The final ruling makes consent for routine health care optional. But you are required to get a signed authorization from the patient if you use or disclose his or her Protected Health Information for purposes other than:
- Treatment, payment, or healthcare operations
Generally, authorization is required to use PHI:
- For use or disclosure of psychotherapy notes
- For research purposes, unless a documented waiver is obtained from the Institutional Review Board (IRB) or a privacy board
- For use and disclosure to third parties for marketing activities such as promoting services or selling lists of patients (covered entities may, however, still communicate freely with patients about treatment options and health-related information)
WHAT IS INCLUDED IN AN AUTHORIZATION FORM?
Each authorization form only covers the use/disclosure outlined in that form. The form must contain:
- A description of the PHI to be used/disclosed, in clear language
- Who will use/disclose PHI, and for what purpose
- Whether or not it will result in financial gain for the covered entity
- The patient’s right to revoke the authorization
- A signature of the patient whose records are used/disclosed, and a date of signing
- An expiration date
WHEN IS AUTHORIZATION NOT REQUIRED?
PHI can be used/disclosed without authorization, but with a patient agreement, for the following reasons:
- To maintain a facility’s patient directory
- To inform family members or other identified persons involved in the patient’s care, or notify them on patient location, condition or death
- To inform appropriate agencies during disaster relief efforts
Other permitted uses/disclosures that do not require patient authorization include:
- Public health activities related to disease prevention or control
- To report victims of abuse, neglect, or domestic violence
- Health oversight activities such as audits, legal investigations, licensure, or certain law enforcement purposes
- For coroners, medical examiners, funeral directors or tissue/organ donations
- To avert a serious threat to health and safety
WHAT IS MINIMUM NECESSARY?
In general, use/disclosure of PHI is limited to the minimum amount of health information necessary to get the job done right. That means:
- Covered entities must develop policies and practices to make sure the least amount of health information is shared
- Employees must be identified who regularly access PHI along with the types of PHI needed and the conditions for access
The Minimum Necessary requirement does not apply to use/disclosure of medical records for treatment, since healthcare providers need the entire record to provide quality care. It also does not apply to disclosures made to the patient, made under the patient’s authorization, or made to HHS for compliance purposes. It does apply in all other circumstances, including routine disclosures for payment and healthcare operations.
WHAT IS THE NOTICE OF PRIVACY PRACTICES?
Patients have the right to adequate notice concerning the use/disclosure of their PHI on the first date of service delivery, or as soon as possible after an emergency. And new notices must be issued when your facility’s privacy practices change.
The Notice of Privacy Practices must:
- Contain the patient’s rights and the covered entities’ legal duties
- Be made available to patients in print
- Be displayed at the site of service, and posted on a website whenever appropriate
Once a patient has received notice of his or her rights, covered entities must make an effort to get written acknowledgment of receipt of notice from the patient, or document reasons why it was not obtained. And copies must be kept of all notices and acknowledgments.
WHAT ARE PATIENT PRIVACY RIGHTS?
The Privacy Rule grants patients new rights over their PHI. It’s your job to make sure they can exercise their rights, including the following:
- Receive Notice of Privacy Practices at time of first delivery of service
- Request restricted use and disclosure, although the covered entity is not required to agree
- Have PHI communicated to them by alternate means and at alternate locations to protect confidentiality
- Inspect and amend PHI, and obtain copies, with some exceptions
- Request an accounting of disclosures made during the six years prior to the request, except for disclosures made for treatment, payment, healthcare operations or with prior authorization
- Contact designated persons regarding any privacy concern or breach of privacy within the facility or at HHS
WHAT ABOUT THE PRIVACY RIGHTS OF MINORS?
In general, parents have the right to access and control the PHI of their minor children — except when state law overrides parental control. Examples include:
- HIV testing of minors without parental permission
- Cases of abuse
- When parents have agreed to give up control over their minor child
WHAT MUST ADMINISTRATION DO TO COMPLY?
- Allow patients to see and copy their PHI
- Designate a full- or part-time privacy official responsible for implementing the programs
- Designate a contact person or office responsible for receiving complaints
- Develop a Notice of Privacy Practices document
- Develop policies and safeguards to protect PHI and limit incidental use or disclosure
- Institute employee-training programs, so everyone knows about the privacy policies and procedures for safeguarding PHI
- Institute a complaints process, and file and resolve formal complaints
- Make sure contracts with business associates comply with the Privacy Rule
WHAT HAPPENS TO THOSE WHO DON’T COMPLY?
If you violate the Privacy Rule, HIPAA set civil and criminal penalties including:
- A $100 civil penalty up to a maximum of $25,000 per year for each standard violated
- A criminal penalty for knowingly disclosing PHI — a penalty that may escalate to a maximum of $250,000 for conspicuously bad offenses
But if you unknowingly make a mistake, remember: the Department of Health and Human Services is mandated to give you and your organization advice and technical assistance, and to help you work out problems.
WHAT CAN YOU DO TO PROTECT PATIENTS’ PRIVACY AND CONFIDENTIALITY?
HIPAA protects our fundamental right to privacy and confidentiality. And that means HIPAA’s Privacy Rule is everyone’s business — from the CEO to the healthcare professional to the maintenance staff. To do your part:
- Make sure you fully understand your facility’s privacy practices
- Protect your patients’ personal health information
- Encourage others to do the same