MEDICAL: RECORDS :
PRIVACY :
MEDICAL: PATIENTS :
LEGAL ISSUES:
Summary of the HIPAA Privacy Rule
Summary of the HIPAA Privacy Rule
This is a summary of key elements of the Privacy Rule including who is
covered, what information is protected, and how protected health
information can be used and disclosed. Because it is an overview of the
Privacy Rule, it does not address every detail of each provision.
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/
Introduction
Statutory and Regulatory Background
Who is Covered by the Privacy Rule
Business Associates
What Information is Protected
General Principle for Uses and Disclosures
Permitted Uses and Disclosures
Authorized Uses and Disclosures
Limiting Uses and Disclosures to the Minimum Necessary
Notice and Other Individual Rights
Administrative Requirements
Organizational Options
Other Provisions: Personal Representatives and Minors
State Law
Enforcement and Penalties for Noncompliance
Compliance Dates
Copies of the Rule & Related Materials
End Notes
Introduction
The Standards for Privacy of Individually Identifiable Health Information
(Privacy Rule) establishes, for the first time, a set of national
standards for the protection of certain health information. The U.S.
Department of Health and Human Services (HHS) issued the Privacy Rule to
implement the requirement of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA).1 The Privacy Rule standards address
the use and disclosure of individuals' health information (called
"protected health information") by organizations subject to the Privacy
Rule (called "covered entities"), as well as standards for individuals'
privacy rights to understand and control how their health information is
used. Within HHS, the Office for Civil Rights (OCR) has responsibility for
implementing and enforcing the Privacy Rule with respect to voluntary
compliance activities and civil money penalties.
A major goal of the Privacy Rule is to assure that individuals' health
information is properly protected while allowing the flow of health
information needed to provide and promote high quality health care and to
protect the public's health and well-being. The Rule strikes a balance
that permits important uses of information, while protecting the privacy
of people who seek care and healing. Given that the health care
marketplace is diverse, the Rule is designed to be flexible and
comprehensive to cover the variety of uses and disclosures that need to be
addressed.
This is a summary of key elements of the Privacy Rule and not a complete
or comprehensive guide to compliance. Entities regulated by the Rule are
obligated to comply with all of its applicable requirements and should not
rely on this summary as a source of legal information or advice. To make
it easier for entities to review the complete requirements of the Rule,
provisions of the Rule referenced in this summary are cited in the end
notes. Visit our Privacy Rule section to view the entire Rule, and for
other additional helpful information about how the Rule applies. In the
event of a conflict between this summary and the Rule, the Rule governs.
What Information is Protected
Protected Health Information. The Privacy Rule protects all "individually
identifiable health information" held or transmitted by a covered entity
or its business associate, in any form or media, whether electronic,
paper, or oral. The Privacy Rule calls this information "protected health
information (PHI)."12
Individually identifiable health information is information, including
demographic data, that relates to:
the individual's past, present or future physical or mental health or
condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to
the individual,
and that identifies the individual or for which there is a reasonable
basis to believe it can be used to identify the individual.13
Individually identifiable health information includes many common
identifiers (e.g., name, address, birth date, Social Security Number).
The Privacy Rule excludes from protected health information employment
records that a covered entity maintains in its capacity as an employer and
education and certain other records subject to, or defined in, the Family
Educational Rights and Privacy Act, 20 U.S.C. 1232g.
De-Identified Health Information. There are no restrictions on the use or
disclosure of de-identified health information.14 De-identified health
information neither identifies nor provides a reasonable basis to identify
an individual. There are two ways to de-identify information: either (1)
a formal determination by a qualified statistician; or (2) the removal of
specified identifiers of the individual and of the individual's relatives,
household members, and employers, which is adequate only if the covered
entity has no actual knowledge that the remaining information could be
used to identify the individual.15
General Principle for Uses and Disclosures
Basic Principle. A major purpose of the Privacy Rule is to define and
limit the circumstances in which an individual's protected health
information may be used or disclosed by covered entities. A covered entity
may not use or disclose protected health information, except either: (1)
as the Privacy Rule permits or requires; or (2) as the individual who is
the subject of the information (or the individual's personal
representative) authorizes in writing.16
Required Disclosures. A covered entity must disclose protected health
information in only two situations: (a) to individuals (or their personal
representatives) specifically when they request access to, or an
accounting of disclosures of, their protected health information; and (b)
to HHS when it is undertaking a compliance investigation or review or
enforcement action.17 See additional guidance on Government Access.
Permitted Uses and Disclosures
Permitted Uses and Disclosures. A covered entity is permitted, but not
required, to use and disclose protected health information, without an
individual's authorization, for the following purposes or situations: (1)
To the Individual (unless required for access or accounting of
disclosures); (2) Treatment, Payment, and Health Care Operations; (3)
Opportunity to Agree or Object; (4) Incident to an otherwise permitted use
and disclosure; (5) Public Interest and Benefit Activities; and (6)
Limited Data Set for the purposes of research, public health or health
care operations.18 Covered entities may rely on professional ethics and
best judgments in deciding which of these permissive uses and disclosures
to make.
(1) To the Individual. A covered entity may disclose protected health
information to the individual who is the subject of the information.
(2) Treatment, Payment, Health Care Operations. A covered entity may use
and disclose protected health information for its own treatment, payment,
and health care operations activities.19 A covered entity also may
disclose protected health information for the treatment activities of any
health care provider, the payment activities of another covered entity and
of any health care provider, or the health care operations of another
covered entity involving either quality or competency assurance activities
or fraud and abuse detection and compliance activities, if both covered
entities have or had a relationship with the individual and the protected
health information pertains to the relationship. See additional guidance
on Treatment, Payment, & Health Care Operations.
Treatment is the provision, coordination, or management of health care and
related services for an individual by one or more health care providers,
including consultation between providers regarding a patient and referral
of a patient by one provider to another.20
Payment encompasses activities of a health plan to obtain premiums,
determine or fulfill responsibilities for coverage and provision of
benefits, and furnish or obtain reimbursement for health care delivered to
an individual21 and activities of a health care provider to obtain payment
or be reimbursed for the provision of health care to an individual.
Health care operations are any of the following activities: (a) quality
assessment and improvement activities, including case management and care
coordination; (b) competency assurance activities, including provider or
health plan performance evaluation, credentialing, and accreditation; (c)
conducting or arranging for medical reviews, audits, or legal services,
including fraud and abuse detection and compliance programs; (d) specified
insurance functions, such as underwriting, risk rating, and reinsuring
risk; (e) business planning, development, management, and administration;
and (f) business management and general administrative activities of the
entity, including but not limited to: de-identifying protected health
information, creating a limited data set, and certain fundraising for the
benefit of the covered entity.22
Most uses and disclosures of psychotherapy notes for treatment, payment,
and health care operations purposes require an authorization as described
below.23 Obtaining consent (written permission from individuals to use and
disclose their protected health information for treatment, payment, and
health care operations) is optional under the Privacy Rule for all covered
entities.24 The content of a consent form, and the process for obtaining
consent, are at the discretion of the covered entity electing to seek
consent.
(3) Uses and Disclosures with Opportunity to Agree or Object. Informal
permission may be obtained by asking the individual outright, or by
circumstances that clearly give the individual the opportunity to agree,
acquiesce, or object. Where the individual is incapacitated, in an
emergency situation, or not available, covered entities generally may make
such uses and disclosures, if in the exercise of their professional
judgment, the use or disclosure is determined to be in the best interests
of the individual.
Facility Directories. It is a common practice in many health care
facilities, such as hospitals, to maintain a directory of patient contact
information. A covered health care provider may rely on an individual's
informal permission to list in its facility directory the individual's
name, general condition, religious affiliation, and location in the
provider's facility.25 The provider may then disclose the individual's
condition and location in the facility to anyone asking for the individual
by name, and also may disclose religious affiliation to clergy. Members of
the clergy are not required to ask for the individual by name when
inquiring about patient religious affiliation.
For Notification and Other Purposes. A covered entity also may rely on an
individual's informal permission to disclose to the individual's family,
relatives, or friends, or to other persons whom the individual identifies,
protected health information directly relevant to that person's involvement
in the individual's care or payment for care.26 This provision, for
example, allows a pharmacist to dispense filled prescriptions to a person
acting on behalf of the patient. Similarly, a covered entity may rely on
an individual's informal permission to use or disclose protected health
information for the purpose of notifying (including identifying or
locating) family members, personal representatives, or others responsible
for the individual's care of the individual's location, general condition,
or death. In addition, protected health information may be disclosed for
notification purposes to public or private entities authorized by law or
charter to assist in disaster relief efforts.
(4) Incidental Use and Disclosure. The Privacy Rule does not require that
every risk of an incidental use or disclosure of protected health
information be eliminated. A use or disclosure of this information that
occurs as a result of, or as incident to, an otherwise permitted use or
disclosure is permitted as long as the covered entity has adopted
reasonable safeguards as required by the Privacy Rule, and the information
being shared was limited to the minimum necessary, as required by the
Privacy Rule.27 See additional guidance on Incidental Uses and
Disclosures.
(5) Public Interest and Benefit Activities. The Privacy Rule permits use
and disclosure of protected health information, without an individual's
authorization or permission, for 12 national priority purposes.28 These
disclosures are permitted, although not required, by the Rule in
recognition of the important uses made of health information outside of
the health care context. Specific conditions or limitations apply to each
public interest purpose, striking the balance between the individual
privacy interest and the public interest need for this information.
Required by Law. Covered entities may use and disclose protected health
information without individual authorization as required by law (including
by statute, regulation, or court orders).29
Public Health Activities. Covered entities may disclose protected health
information to: (1) public health authorities authorized by law to collect
or receive such information for preventing or controlling disease, injury,
or disability and to public health or other government authorities
authorized to receive reports of child abuse and neglect; (2) entities
subject to FDA regulation regarding FDA regulated products or activities
for purposes such as adverse event reporting, tracking of products,
product recalls, and post-marketing surveillance; (3) individuals who may
have contracted or been exposed to a communicable disease when
notification is authorized by law; and (4) employers, regarding employees,
when requested by employers, for information concerning a work-related
illness or injury or workplace related medical surveillance, because such
information is needed by the employer to comply with the Occupational
Safety and Health Administration (OSHA), the Mine Safety and Health
Administration (MSHA), or similar state law.30 See additional guidance on
Public Health Activities and CDC's web pages on Public Health and HIPAA
Guidance.
Victims of Abuse, Neglect or Domestic Violence. In certain circumstances,
covered entities may disclose protected health information to appropriate
government authorities regarding victims of abuse, neglect, or domestic
violence.31
Health Oversight Activities. Covered entities may disclose protected
health information to health oversight agencies (as defined in the Rule)
for purposes of legally authorized health oversight activities, such as
audits and investigations necessary for oversight of the health care
system and government benefit programs.32
Judicial and Administrative Proceedings. Covered entities may disclose
protected health information in a judicial or administrative proceeding if
the request for the information is through an order from a court or
administrative tribunal. Such information may also be disclosed in
response to a subpoena or other lawful process if certain assurances
regarding notice to the individual or a protective order are provided.33
Law Enforcement Purposes. Covered entities may disclose protected health
information to law enforcement officials for law enforcement purposes
under the following six circumstances, and subject to specified
conditions: (1) as required by law (including court orders, court-ordered
warrants, subpoenas) and administrative requests; (2) to identify or
locate a suspect, fugitive, material witness, or missing person; (3) in
response to a law enforcement official's request for information about a
victim or suspected victim of a crime; (4) to alert law enforcement of a
person's death, if the covered entity suspects that criminal activity
caused the death; (5) when a covered entity believes that protected health
information is evidence of a crime that occurred on its premises; and (6)
by a covered health care provider in a medical emergency not occurring on
its premises, when necessary to inform law enforcement about the
commission and nature of a crime, the location of the crime or crime
victims, and the perpetrator of the crime.34
Decedents. Covered entities may disclose protected health information to
funeral directors as needed, and to coroners or medical examiners to
identify a deceased person, determine the cause of death, and perform
other functions authorized by law.35
Cadaveric Organ, Eye, or Tissue Donation. Covered entities may use or
disclose protected health information to facilitate the donation and
transplantation of cadaveric organs, eyes, and tissue.36
Research. Research is any systematic investigation designed to develop or
contribute to generalizable knowledge.37 The Privacy Rule permits a
covered entity to use and disclose protected health information for
research purposes, without an individual's authorization, provided the
covered entity obtains either: (1) documentation that an alteration or
waiver of individuals' authorization for the use or disclosure of protected
health information about them for research purposes has been approved by
an Institutional Review Board or Privacy Board; (2) representations from
the researcher that the use or disclosure of the protected health
information is solely to prepare a research protocol or for similar
purpose preparatory to research, that the researcher will not remove any
protected health information from the covered entity, and that protected
health information for which access is sought is necessary for the
research; or (3) representations from the researcher that the use or
disclosure sought is solely for research on the protected health
information of decedents, that the protected health information sought is
necessary for the research, and, at the request of the covered entity,
documentation of the death of the individuals about whom information is
sought.38 A covered entity also may use or disclose, without an
individual's authorization, a limited data set of protected health
information for research purposes (see discussion below).39 See additional
guidance on Research and NIH's publication of "Protecting Personal Health
Information in Research: Understanding the HIPAA Privacy Rule."
Serious Threat to Health or Safety. Covered entities may disclose
protected health information that they believe is necessary to prevent or
lessen a serious and imminent threat to a person or the public, when such
disclosure is made to someone they believe can prevent or lessen the
threat (including the target of the threat). Covered entities may also
disclose to law enforcement if the information is needed to identify or
apprehend an escapee or violent criminal.40
Essential Government Functions. An authorization is not required to use or
disclose protected health information for certain essential government
functions. Such functions include: assuring proper execution of a military
mission, conducting intelligence and national security activities that are
authorized by law, providing protective services to the President, making
medical suitability determinations for U.S. State Department employees,
protecting the health and safety of inmates or employees in a correctional
institution, and determining eligibility for or conducting enrollment in
certain government benefit programs.41
Workers' Compensation. Covered entities may disclose protected health
information as authorized by, and to comply with, workers' compensation
laws and other similar programs providing benefits for work-related
injuries or illnesses.42 See additional guidance on Workers' Compensation.
(6) Limited Data Set. A limited data set is protected health information
from which certain specified direct identifiers of individuals and their
relatives, household members, and employers have been removed.43 A limited
data set may be used and disclosed for research, health care operations,
and public health purposes, provided the recipient enters into a data use
agreement promising specified safeguards for the protected health
information within the limited data set.
Authorized Uses and Disclosures
Authorization. A covered entity must obtain the individual's written
authorization for any use or disclosure of protected health information
that is not for treatment, payment or health care operations or otherwise
permitted or required by the Privacy Rule.44 A covered entity may not
condition treatment, payment, enrollment, or benefits eligibility on an
individual granting an authorization, except in limited circumstances.45
An authorization must be written in specific terms. It may allow use and
disclosure of protected health information by the covered entity seeking
the authorization, or by a third party. Examples of disclosures that would
require an individual's authorization include disclosures to a life insurer
for coverage purposes, disclosures to an employer of the results of a
pre-employment physical or lab test, or disclosures to a pharmaceutical
firm for their own marketing purposes.
All authorizations must be in plain language, and contain specific
information regarding the information to be disclosed or used, the
person(s) disclosing and receiving the information, expiration, right to
revoke in writing, and other data. The Privacy Rule contains transition
provisions applicable to authorizations and other express legal
permissions obtained prior to April 14, 2003.46
Psychotherapy Notes.47 A covered entity must obtain an individual's
authorization to use or disclose psychotherapy notes with the following
exceptions:48
The covered entity who originated the notes may use them for treatment.
A covered entity may use or disclose, without an individual's
authorization, the psychotherapy notes, for its own training, and to
defend itself in legal proceedings brought by the individual, for HHS to
investigate or determine the covered entity's compliance with the Privacy
Rules, to avert a serious and imminent threat to public health or safety,
to a health oversight agency for lawful oversight of the originator of the
psychotherapy notes, for the lawful activities of a coroner or medical
examiner, or as required by law.
Marketing. Marketing is any communication about a product or service that
encourages recipients to purchase or use the product or service.49 The
Privacy Rule carves out the following health-related activities from this
definition of marketing:
Communications to describe health-related products or services, or payment
for them, provided by or included in a benefit plan of the covered entity
making the communication;
Communications about participating providers in a provider or health plan
network, replacement of or enhancements to a health plan, and
health-related products or services available only to a health plan's
enrollees that add value to, but are not part of, the benefits plan;
Communications for treatment of the individual; and
Communications for case management or care coordination for the
individual, or to direct or recommend alternative treatments, therapies,
health care providers, or care settings to the individual.
Marketing also is an arrangement between a covered entity and any other
entity whereby the covered entity discloses protected health information,
in exchange for direct or indirect remuneration, for the other entity to
communicate about its own products or services encouraging the use or
purchase of those products or services. A covered entity must obtain an
authorization to use or disclose protected health information for
marketing, except for face-to-face marketing communications between a
covered entity and an individual, and for a covered entity's provision of
promotional gifts of nominal value. No authorization is needed, however,
to make a communication that falls within one of the exceptions to the
marketing definition. An authorization for marketing that involves the
covered entity's receipt of direct or indirect remuneration from a third
party must reveal that fact. See additional guidance on Marketing.
State Law
Preemption. In general, State laws that are contrary to the Privacy Rule
are preempted by the federal requirements, which means that the federal
requirements will apply.85 Contrary means that it would be impossible for
a covered entity to comply with both the State and federal requirements,
or that the provision of State law is an obstacle to accomplishing the
full purposes and objectives of the Administrative Simplification
provisions of HIPAA.86 The Privacy Rule provides exceptions to the
general rule of federal preemption for contrary State laws that (1) relate
to the privacy of individually identifiable health information and provide
greater privacy protections or privacy rights with respect to such
information, (2) provide for the reporting of disease or injury, child
abuse, birth, or death, or for public health surveillance, investigation,
or intervention, or (3) require certain health plan reporting, such as for
management or financial audits.
Exception Determination. In addition, preemption of a contrary State law
will not occur if HHS determines, in response to a request from a State or
other entity or person, that the State law:
Is necessary to prevent fraud and abuse related to the provision of or
payment for health care,
Is necessary to ensure appropriate State regulation of insurance and
health plans to the extent expressly authorized by statute or regulation,
Is necessary for State reporting on health care delivery or costs,
Is necessary for purposes of serving a compelling public health, safety,
or welfare need, and, if a Privacy Rule provision is at issue, if the
Secretary determines that the intrusion into privacy is warranted when
balanced against the need to be served; or
Has as its principal purpose the regulation of the manufacture,
registration, distribution, dispensing, or other control of any controlled
substances (as defined in 21 U.S.C. 802), or that is deemed a controlled
substance by State law.
Copies of the Rule and Related Materials
See our Combined Regulation Text of All Rules section of our site for the
full suite of HIPAA Administrative Simplification Regulations and
Understanding HIPAA for additional guidance material.
The complete document may be read at the URL above.
Sincerely,
David Dillard
Temple University
(215) 204 - 4584
http://workface.com/e/daviddillard
Net-Gold
http://groups.yahoo.com/group/net-gold
http://listserv.temple.edu/archives/net-gold.html
Index: http://tinyurl.com/myxb4w
http://groups.google.com/group/net-gold?hl=en