Two types of government-funded programs are not health plans: (1) those whose principal purpose is not providing or paying the cost of health care, such as the food stamps program; and (2) those programs whose principal activity is directly providing health care, such as a community health center,5 or the making of grants to fund the direct provision of health care. A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule.71 The covered entity must explain those procedures in its privacy practices notice.72. Examples of disclosures that would require an individual's authorization include disclosures to a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, or disclosures to a pharmaceutical firm for their own marketing purposes. There may be more rigorous state laws regarding special circumstances, so it is important for you as a healthcare worker to know about the policies and procedures in place for your organization. Exception Determination. A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule.64, Privacy Personnel. 164.103.80 The Privacy Rule at 45 C.F.R. If requested by the plan sponsor, summary health information for the plan sponsor to use to obtain premium bids for providing health insurance coverage through the group health plan, or to modify, amend, or terminate the group health plan. In certain exceptional cases, the parent is not considered the personal representative. Radiology reports, The HITECH Act requires: The Privacy Rule contains transition provisions applicable to authorizations and other express legal permissions obtained prior to April 14, 2003.46, Psychotherapy Notes.47 A covered entity must obtain an individual's authorization to use or disclose psychotherapy notes with the following exceptions:48. 
In addition, a restriction agreed to by a covered entity is not effective under this subpart to prevent uses or disclosures permitted or required under 164.502(a)(2)(ii), 164.510(a) or 164.512.63 45 C.F.R. A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.70 For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes. 164.522(a). For Notification and Other Purposes. It is important, and therefore required by the Security Rule, for a covered entity to comply with the Technical Safeguard standards and certain implementation specifications; a covered entity may use any security measures that allow it to reasonably and appropriately do so. Each covered entity, with certain exceptions, must provide a notice of its privacy practices.51 The Privacy Rule requires that the notice contain certain elements. 1232g. See 45 CFR 164.530 (c). A group health plan and the health insurer or HMO that insures the plan's benefits, with respect to protected health information created or received by the insurer or HMO that relates to individuals who are or have been participants or beneficiaries of the group health plan. Specific conditions or limitations apply to each public interest purpose, striking the balance between the individual privacy interest and the public interest need for this information. 
Not later than the first service encounter by personal delivery (for patient visits), by automatic and contemporaneous electronic response (for electronic service delivery), and by prompt mailing (for telephonic service delivery); By posting the notice at each service delivery site in a clear and prominent place where people seeking service may reasonably be expected to be able to read the notice; and. 164.514(e)(2).44 45 C.F.R. Resource Locators (URLs); (xiv) Internet Protocol (IP) address numbers; (xv) Biometric 164.502(e), 164.504(e).11 45 C.F.R. 164.501.57 A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed by a licensed health care professional (who is designated by the covered entity and who did not participate in the original decision to deny), when a licensed health care professional has determined, in the exercise of professional judgment, that: (a) the access requested is reasonably likely to endanger the life or physical safety of the individual or another person; (b) the protected health information makes reference to another person (unless such other person is a health care provider) and the access requested is reasonably likely to cause substantial harm to such other person; or (c) the request for access is made by the individual's personal representative and the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person. 164.506(b).25 45 C.F.R. 160.103.13 45 C.F.R. 160.103.67 45 C.F.R. Health plans and covered health care providers must permit individuals to request an alternative means or location for receiving communications of protected health information by means other than those that the covered entity typically employs.63 For example, an individual may request that the provider communicate with the individual through a designated address or phone number. 
In such instances, only certain provisions of the Privacy Rule are applicable to the health care clearinghouse's uses and disclosures of protected health information.8 Health care clearinghouses include billing services, repricing companies, community health management information systems, and value-added networks and switches if these entities perform clearinghouse functions. Vital signs In March 2002, the Department proposed and released for public comment modifications to the Privacy Rule. 164.502(a)(1)(iii).28 See 45 C.F.R. Among other things, the covered entity must identify to whom individuals can submit complaints at the covered entity and advise that complaints also can be submitted to the Secretary of HHS. Except in certain circumstances, individuals have the right to review and obtain a copy of their protected health information in a covered entity's designated record set.55 The "designated record set" is that group of records maintained by or for a covered entity that is used, in whole or part, to make decisions about individuals, or that is a provider's medical and billing records about individuals or a health plan's enrollment, payment, claims adjudication, and case or medical management record systems.56 The Rule excepts from the right of access the following protected health information: psychotherapy notes, information compiled for legal proceedings, laboratory results to which the Clinical Laboratory Improvement Act (CLIA) prohibits access, or information held by certain research laboratories. The Privacy Rule permits a covered entity that is a single legal entity and that conducts both covered and non-covered functions to elect to be a "hybrid entity." 45 C.F.R. 
the individual: (i) Names; (ii) Postal address information, other than town or city, State and zip A covered health care provider may condition treatment related to research (e.g., clinical trials) on the individual giving authorization to use or disclose the individual's protected health information for the research. Covered entities may disclose protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat). comparable images. A limited data set is protected health information that excludes the For example, a covered entity physician may condition the provision of a physical examination to be paid for by a life insurance issuer on an individual's authorization to disclose the results of that examination to the life insurance issuer. Small Health Plans. On unprotected computer hard drives or on copy machines 552a; and (e) information obtained under a promise of confidentiality from a source other than a health care provider, if granting access would likely reveal the source. 1320d-5.89 Pub. The EHR may include clinical data such as: Failure to comply with the HIPAA Rules can result in the following civil and criminal penalties: RECOMMENDATIONS FOR CAREGIVERS As a healthcare worker, here are recommendations to help you follow HIPAA rules and regulations regarding patient confidentiality: Ensure conversations regarding patients, such as hand-off communications, are done in a confidential area. The Department of Justice is responsible for criminal prosecutions under the Priv. If identifiers are removed, the health information is referred to as de-identified PHI. Affiliated Covered Entity. Increased penalties for HIPAA breaches 164.520(a) and (b). 164.514(e). 
Health care clearinghouses are entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa.7 In most instances, health care clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or health care provider as a business associate. 164.512(e).34 45 C.F.R. 164.512(h).37 The Privacy Rule defines research as, "a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge." When the minimum necessary standard applies to a use or disclosure, a covered entity may not use, disclose, or request the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose. 164.105. Increased development and monitoring of EHR security in the workplace; in other words, who is accessing EHR and do they have a "need to know" 164.512(a).30 45 C.F.R. Ensure data-encrypted computers are used for Protected Health Information (PHI). May impose fines on covered providers for failure to comply with the HIPAA Rules The State Attorney General may also enforce provisions of the HIPAA Rules. An authorization is not required to use or disclose protected health information for certain essential government functions. HIPAA is the Health Insurance Portability and Accountability Act, which sets a standard for patient data protection. Common ownership exists if an entity possesses an ownership or equity interest of five percent or more in another entity; common control exists if an entity has the direct or indirect power significantly to influence or direct the actions or policies of another entity. Health Plans. Minimum Necessary. Preemption. By disposing PHI in the trash Amendment. Privacy Policies and Procedures. 
A clinically-integrated setting where individuals typically receive health care from more. 164.512.29 45 C.F.R. Those plans that provide health benefits through a mix of purchased insurance and self-insurance should combine proxy measures to determine their total annual receipts. An EHR is an electronic version of a patient's medical history and is maintained by the provider. These restrictions must include the representation that the plan sponsor will not use or disclose the protected health information for any employment-related action or decision or in connection with any other benefit plan. Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.40, Essential Government Functions. 164.501.22 45 C.F.R. Individuals have the right to request that a covered entity restrict use or disclosure of protected health information for treatment, payment or health care operations, disclosure to persons involved in the individual's health care or payment for health care, or disclosure to notify family members or others about the individual's general condition, location, or death.61 A covered entity is under no obligation to agree to requests for restrictions. The Rule contains provisions that address a variety of organizational issues that may affect the operation of the privacy protections. Individual and group plans that provide or pay the cost of medical care are covered entities.4 Health plans include health, dental, vision, and prescription drug insurers, health maintenance organizations ("HMOs"), Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers, and long-term care insurers (excluding nursing home fixed-indemnity policies). 
A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.50 A covered entity must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary. This evidence must be submitted to OCR within 30 days of receipt of the notice. The Privacy Rule identifies relationships in which participating covered entities share protected health information to manage and benefit their common enterprise as "organized health care arrangements." Therefore the flexibility and scalability of the Rule are intended to allow covered entities to analyze their own needs and implement solutions appropriate for their own environment. Telephone or dictated conversations 164.502(b) and 164.514 (d).51 45 C.F.R. Marketing. 1320d-1(a)(3). See additional guidance on Personal Representatives. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. A limited data set is protected health information from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed.43 A limited data set may be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement promising specified safeguards for the protected health information within the limited data set. 
Protecting public health - such as through public health surveillance, program evaluation, terrorism preparedness, outbreak investigations, and other public health activities - often requires access to or the reporting of Protected Health Information. Increased development and use of EHR in the workplace 164.501.21 45 C.F.R. A health plan may condition enrollment or benefits eligibility on the individual giving authorization, requested before the individual's enrollment, to obtain protected health information (other than psychotherapy notes) to determine the individual's eligibility or enrollment or for underwriting or risk rating. 164.530(k).77 45 C.F.R. HIPAA is a mandatory law for organizations operating in the United States that store, transmit, or use PHI data. 164.510(a).26 45 C.F.R. It is important to know that the HIPAA Privacy Rule requirements: All patients MUST receive a healthcare organization's Notice of Privacy Practices. If an insurance entity has separable lines of business, one of which is a health plan, the HIPAA regulations apply to the entity with respect to the health plan line of business. Group Health Plan disclosures to Plan Sponsors. The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) establishes a set of national standards for the use and disclosure of an individual's health information called protected health information by covered entities, as well as standards for providing individuals with privacy rights to understand and control how their health information is used. The notice must include a point of contact for further information and for making complaints to the covered entity. Self-insured plans, both funded and unfunded, should use the total amount paid for health care claims by the employer, plan sponsor or benefit fund, as applicable to their circumstances, on behalf of the plan during the plan's last full fiscal year. 160.202.87 45 C.F.R. 
160.30488 Pub. 164.522(b).64 45 C.F.R. Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity).66 A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions.67 A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule.68, Mitigation. Accounting for disclosures to health oversight agencies and law enforcement officials must be temporarily suspended on their written representation that an accounting would likely impede their activities. Hybrid Entity. 164.502(a).17 45 C.F.R. Workers' Compensation. Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. Complaints. The accounting will cover up to six years prior to the individual's request date and will include disclosures to or by business associates of the covered entity. Disclosure Accounting. 2 The Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality, integrity, and availability of e-PHI. Is necessary to ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation. If another covered entity makes a request for protected health information, a covered entity may rely, if reasonable under the circumstances, on the request as complying with this minimum necessary standard. 164.504(g).83 45 C.F.R. 
There are two ways to de-identify information; either: (1) a formal determination by a qualified statistician; or (2) the removal of specified identifiers of the individual and of the individual's relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.15, General Principle for Uses and Disclosures, Basic Principle. the failure to comply was not due to willful neglect, and was corrected during a 30-day period after the entity knew or should have known the failure to comply had occurred (unless the period is extended at the discretion of OCR); or. 164.520(c).55 45 C.F.R. Business associates and any of their subcontractors must . Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object. 164.504(f).84 45 C.F.R. Do not post patient information or photos on social media (such as Facebook, Twitter, Instagram, etc.). To achieve the objectives of the HIPAA Administrative Safeguards, Covered Entities and Business Associates must appoint a Security Officer responsible for developing a security management program that addresses access controls, incident response, and security awareness training. Any covered entity may condition compliance with a confidential communication request on the individual specifying an alternative address or method of contact and explaining how any payment will be handled. After making this designation, most of the requirements of the Privacy Rule will apply only to the health care components. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established requirements under the HIPAA Transactions Rule. Avoid having conversations about patients in public places, such as elevators, public hallways, or the cafeteria. 
Sections 261 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information. Lower your voice when discussing patient information in person and/or over the phone. Facility Directories. Workers who violate these policies could place themselves and their organization at risk for investigative or enforcement actions by the U.S. Department of Health and Human Services. A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule.73 A covered entity may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, and enrollment or benefits eligibility.74, Documentation and Record Retention. A covered entity that does not make this designation is subject in its entirety to the Privacy Rule. Where the individual is incapacitated, in an emergency situation, or not available, covered entities generally may make such uses and disclosures, if in the exercise of their professional judgment, the use or disclosure is determined to be in the best interests of the individual. (4) Incidental Use and Disclosure. (3) Uses and Disclosures with Opportunity to Agree or Object. The only administrative obligations with which a fully-insured group health plan that has no more than enrollment data and summary health information is required to comply are the (1) ban on retaliatory acts and waiver of individual rights, and (2) documentation requirements with respect to plan documents if such documents are amended to provide for the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO that services the group health plan.76. All group health plans maintained by the same plan sponsor. 
De-Identified Health Information. Health care providers include all "providers of services" (e.g., institutional providers such as hospitals) and "providers of medical or health services" (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care. L. 104-191; 42 U.S.C. the past, present, or future payment for the provision of health care to the individual. Similarly, a covered entity may rely upon requests as being the minimum necessary protected health information from: (a) a public official, (b) a professional (such as an attorney or accountant) who is the covered entity's business associate, seeking the information to provide services to or for the covered entity; or (c) a researcher who provides the documentation or representation required by the Privacy Rule for research. (6) Limited Data Set. The objectives of this paper are to: 160.103.8 45 C.F.R. See additional guidance on Notice. Penalties may not exceed a calendar year cap for multiple violations of the same requirement. A covered entity also may rely on an individual's informal permission to disclose to the individual's family, relatives, or friends, or to other persons whom the individual identifies, protected health information directly relevant to that person's involvement in the individual's care or payment for care.26 This provision, for example, allows a pharmacist to dispense filled prescriptions to a person acting on behalf of the patient. In addition to the above, a required implementation specification of the Access Controls Security Standard ( 164.312 (a)) stipulates that Covered Entities assign a unique name and/or number for identifying and tracking user identity. It is a common practice in many health care facilities, such as hospitals, to maintain a directory of patient contact information. 164.512(j).41 45 C.F.R. 
Many different types of information can identify an individual's PHI under HIPAA, including but not limited to: HOW SHOULD PHI BE USED AND DISCLOSED? Victims of Abuse, Neglect or Domestic Violence. 164.502(a)(1).19 45 C.F.R. Use these precautions to protect PHI from accidental disclosure: Avoid sending PHI by email if at all possible. Covered Entities With Multiple Covered Functions. "Individually identifiable health information" is information, including demographic data, that relates to: and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.13 Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). 164.530(h).75 45 C.F.R. "Research" is any systematic investigation designed to develop or contribute to generalizable knowledge.37 The Privacy Rule permits a covered entity to use and disclose protected health information for research purposes, without an individual's authorization, provided the covered entity obtains either: (1) documentation that an alteration or waiver of individuals' authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board; (2) representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purpose preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research; or (3) representations from the researcher that the use or disclosure sought is solely for research on the protected health information of decedents, that the protected health information sought is necessary for the research, and, at the request of the covered entity, documentation of 
the death of the individuals about whom information is sought.38 A covered entity also may use or disclose, without an individual's authorization, a limited data set of protected health information for research purposes (see discussion below).39 See additional guidance on Research and NIH's publication of "Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule." In addition to the removal of the above-stated identifiers, the covered entity may not have actual knowledge that the remaining information could be used alone or in combination with any other information to identify an individual who is the subject of the information. The Privacy Rule requires a covered entity to treat a "personal representative" the same as the individual, with respect to uses and disclosures of the individual's protected health information, as well as the individual's rights under the Rule.84 A personal representative is a person legally authorized to make health care decisions on an individual's behalf or to act for a deceased individual or the estate. 45 C.F.R. It is a requirement under HIPAA that: a. All group health plans maintained by the same plan sponsor and all health insurers and HMOs that insure the plans' benefits, with respect to protected health information created or received by the insurers or HMOs that relates to individuals who are or have been participants or beneficiaries in the group health plans. A covered entity must disclose protected health information in only two situations: (a) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and (b) to HHS when it is undertaking a compliance investigation or review or enforcement action.17 See additional guidance on Government Access. 
The Department received over 11,000 comments. The final modifications were published in final form on August 14, 2002.3 A text combining the final regulation and the modifications can be found at 45 CFR Part 160 and Part 164, Subparts A and E. The Privacy Rule, as well as all the Administrative Simplification rules, applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the "covered entities").