Enacted as part of the American Recovery and Reinvestment Act of 2009 to promote the adoption and meaningful use of health information technology
Updated by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
Regulated by the Department of Health and Human Services (HHS)
Does not preempt stricter state privacy laws (Ex: California Medical Information Privacy Act)
No private right of action
FERPA applies to student health records. HIPAA applies to non-student health records.
PHI – “any individually identifiable health information” that is:
- “transmitted or maintained in any form or medium”
- “held by a covered entity or its business associate”
- “identifies the individual or offers a reasonable basis for identification”
- “is created or received by a covered entity or an employer”
- “relates to a past, present or future physical or mental condition, provision of health care, or payment for healthcare to that individual”
e-PHI – “any PHI that is transmitted or maintained in electronic media” (e.g., computer hard drives, magnetic tapes or disks, or digital memory cards, all of which are considered electronic storage media)
NOT e-PHI – “Paper records, paper-to-paper fax transmissions, and voice communications (e.g., telephone)”
COVERED ENTITIES –
Healthcare providers (e.g., doctors’ offices, hospitals) that conduct certain transactions in electronic form
Health plans (e.g., health insurers)
Healthcare clearinghouses (e.g., third-party organizations that host, handle or process medical information)
Business associates (Ex: PHI stored on the cloud)
OUTSIDE HIPAA SCOPE
Some doctors accept only cash or credit cards and do not bill for insurance.
Individuals purchasing books about healthcare
Surfing on healthcare websites
Posting medical information online
Privacy Rule: Requires a covered entity to provide a detailed privacy notice by the date of first service delivery.
Exception: No notice is required when a healthcare provider
1. Has only an indirect treatment relationship with the patient
2. Provides medical emergency services
3. Deidentification: The Privacy Rule provides two methods for deidentifying data:
(1) remove all of the 18 data elements listed in the rule (such as name, phone number, and address), or
(2) have an expert certify that the risk of reidentifying the individuals is very small.
4. Research: The Privacy Rule has detailed provisions for how PHI is used for medical research purposes. Research can occur with the consent of the individual, or without consent, if an authorized entity such as an institutional review board approves the research as consistent with the Privacy Rule and general rules covering research on human subjects. Research is permitted on de-identified information, and rules are more flexible if only a limited data set is released to researchers.
5. Public health activities
6. To report victims of abuse, neglect, or domestic violence
7. Judicial and administrative proceedings
8. Certain law enforcement activities
9. Certain specialized governmental functions
Authorization for uses and disclosures: PHI use and disclosure for treatment, payment, and operations (TPO). Other uses require individuals to opt-in.
Minimum Necessary use or disclosure: Covered entities must limit use and disclosure to the minimum necessary. Business associates must be bound by this standard.
Access and accountings of disclosures: Individuals have the right to access and copy their own PHI. Individuals have the right to amend PHI, and if denied, individuals may file a statement that must then be included in any future use or disclosure of info.
Safeguards: Covered entities and business associates must implement administrative, physical, and technical safeguards to protect the confidentiality and integrity of PHI and ePHI.
Accountability: Entities must designate privacy officials, and personnel must be trained. Complaint procedures must be in place.
Enforcement:
- Office for Civil Rights (OCR).
- U.S. Department of Justice (DOJ) has criminal enforcement authority (prison sentences up to 10 years).
- FTC can enforce under section 5 “unfair and deceptive practices.” State AGs.
The Security Rule:
- Minimum security requirements for PHI that a covered entity receives, creates, maintains, or transmits in electronic form.
- Ensure confidentiality, integrity, and availability of all ePHI
- Protect against any reasonably anticipated threats to ePHI
- Protect against any reasonably anticipated disclosures of ePHI
- Ensure compliance with the Security Rule by its workforce
- Each covered entity must have an individual responsible for oversight and implementation
- A covered entity must conduct initial and ongoing risk assessments
- A covered entity must implement a security awareness and training program for workforce
Qualified Protective Order (QPO) prohibits litigating parties from using or disclosing the protected health info for any purpose other than the litigation or proceeding for which such info was requested. It also requires the return to the covered entity or destruction of PHI (including copies) at the end of litigation.
Disclosure under HIPAA pursuant to a court order or subpoena is permitted if three criteria are met:
- The info sought is relevant and material to a legitimate law enforcement inquiry
- The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the info is sought
- De-identified info could not reasonably be used
National security: HIPAA permits disclosure of PHI to authorized federal officials for the conduct of lawful intelligence, counterintelligence, and other national security activities under the National Security Act.