.

.



MEDICAL: RECORDS :

PRIVACY :

MEDICAL: PATIENTS :

LEGAL ISSUES:

Summary of the HIPAA Privacy Rule

.

.


Summary of the HIPAA Privacy Rule

This is a summary of key elements of the Privacy Rule including who is 
covered, what information is protected, and how protected health 
information can be used and disclosed.  Because it is an overview of the 
Privacy Rule, it does not address every detail of each provision.

U.S. Department of Health and Human Services

200 Independence Avenue, S.W.

Washington, D.C. 20201

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/

.

.



Introduction
Statutory and Regulatory Background
Who is Covered by the Privacy Rule
Business Associates
What Information is Protected
General Principle for Uses and Disclosures
Permitted Uses and Disclosures
Authorized Uses and Disclosures
Limiting Uses and Disclosures to the Minimum Necessary
Notice and Other Individual Rights
Administrative Requirements
Organizational Options
Other Provisions: Personal Representatives and Minors
State Law
Enforcement and Penalties for Noncompliance
Compliance Dates
Copies of the Rule & Related Materials
End Notes

.

.


Introduction


The Standards for Privacy of Individually Identifiable Health Information 
(Privacy Rule) establishes, for the first time, a set of national 
standards for the protection of certain health information. The U.S. 
Department of Health and Human Services (HHS) issued the Privacy Rule to 
implement the requirement of the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA).1 The Privacy Rule standards address 
the use and disclosure of individuals health informationcalled protected 
health information by organizations subject to the Privacy Rule  called 
covered entities, as well as standards for individuals' privacy rights to 
understand and control how their health information is used. Within HHS, 
the Office for Civil Rights (OCR) has responsibility for implementing and 
enforcing the Privacy Rule with respect to voluntary compliance activities 
and civil money penalties.

A major goal of the Privacy Rule is to assure that individuals health 
information is properly protected while allowing the flow of health 
information needed to provide and promote high quality health care and to 
protect the public's health and well being. The Rule strikes a balance 
that permits important uses of information, while protecting the privacy 
of people who seek care and healing. Given that the health care 
marketplace is diverse, the Rule is designed to be flexible and 
comprehensive to cover the variety of uses and disclosures that need to be 
addressed.

This is a summary of key elements of the Privacy Rule and not a complete 
or comprehensive guide to compliance. Entities regulated by the Rule are 
obligated to comply with all of its applicable requirements and should not 
rely on this summary as a source of legal information or advice. To make 
it easier for entities to review the complete requirements of the Rule, 
provisions of the Rule referenced in this summary are cited in the end 
notes. Visit our Privacy Rule section to view the entire Rule, and for 
other additional helpful information about how the Rule applies. In the 
event of a conflict between this summary and the Rule, the Rule governs.

.

.


What Information is Protected

Protected Health Information. The Privacy Rule protects all "individually 
identifiable health information" held or transmitted by a covered entity 
or its business associate, in any form or media, whether electronic, 
paper, or oral. The Privacy Rule calls this information "protected health 
information (PHI)."12

Individually identifiable health information is information, including 
demographic data, that relates to:
the individuals past, present or future physical or mental health or 
condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to 
the individual,

and that identifies the individual or for which there is a reasonable 
basis to believe it can be used to identify the individual.13 
Individually identifiable health information includes many common 
identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule excludes from protected health information employment 
records that a covered entity maintains in its capacity as an employer and 
education and certain other records subject to, or defined in, the Family 
Educational Rights and Privacy Act, 20 U.S.C. 1232g.

De-Identified Health Information. There are no restrictions on the use or 
disclosure of de-identified health information.14 De-identified health 
information neither identifies nor provides a reasonable basis to identify 
an individual. There are two ways to de-identify information; either: (1) 
a formal determination by a qualified statistician; or (2) the removal of 
specified identifiers of the individual and of the individuals relatives, 
household members, and employers is required, and is adequate only if the 
covered entity has no actual knowledge that the remaining information 
could be used to identify the individual.15

.

.


General Principle for Uses and Disclosures

Basic Principle. A major purpose of the Privacy Rule is to define and 
limit the circumstances in which an individuals protected heath 
information may be used or disclosed by covered entities. A covered entity 
may not use or disclose protected health information, except either: (1) 
as the Privacy Rule permits or requires; or (2) as the individual who is 
the subject of the information (or the individuals personal 
representative) authorizes in writing.16

Required Disclosures. A covered entity must disclose protected health 
information in only two situations: (a) to individuals (or their personal 
representatives) specifically when they request access to, or an 
accounting of disclosures of, their protected health information; and (b) 
to HHS when it is undertaking a compliance investigation or review or 
enforcement action.17 See additional guidance on Government Access.

.

.



Permitted Uses and Disclosures

Permitted Uses and Disclosures. A covered entity is permitted, but not 
required, to use and disclose protected health information, without an 
individuals authorization, for the following purposes or situations: (1) 
To the Individual (unless required for access or accounting of 
disclosures); (2) Treatment, Payment, and Health Care Operations; (3) 
Opportunity to Agree or Object; (4) Incident to an otherwise permitted use 
and disclosure; (5) Public Interest and Benefit Activities; and (6) 
Limited Data Set for the purposes of research, public health or health 
care operations.18 Covered entities may rely on professional ethics and 
best judgments in deciding which of these permissive uses and disclosures 
to make.

(1) To the Individual. A covered entity may disclose protected health 
information to the individual who is the subject of the information.

(2) Treatment, Payment, Health Care Operations. A covered entity may use 
and disclose protected health information for its own treatment, payment, 
and health care operations activities.19 A covered entity also may 
disclose protected health information for the treatment activities of any 
health care provider, the payment activities of another covered entity and 
of any health care provider, or the health care operations of another 
covered entity involving either quality or competency assurance activities 
or fraud and abuse detection and compliance activities, if both covered 
entities have or had a relationship with the individual and the protected 
health information pertains to the relationship. See additional guidance 
on Treatment, Payment, & Health Care Operations.


Treatment is the provision, coordination, or management of health care and 
related services for an individual by one or more health care providers, 
including consultation between providers regarding a patient and referral 
of a patient by one provider to another.20


Payment encompasses activities of a health plan to obtain premiums, 
determine or fulfill responsibilities for coverage and provision of 
benefits, and furnish or obtain reimbursement for health care delivered to 
an individual21 and activities of a health care provider to obtain payment 
or be reimbursed for the provision of health care to an individual.

Health care operations are any of the following activities: (a) quality 
assessment and improvement activities, including case management and care 
coordination; (b) competency assurance activities, including provider or 
health plan performance evaluation, credentialing, and accreditation; (c) 
conducting or arranging for medical reviews, audits, or legal services, 
including fraud and abuse detection and compliance programs; (d) specified 
insurance functions, such as underwriting, risk rating, and reinsuring 
risk; (e) business planning, development, management, and administration; 
and (f) business management and general administrative activities of the 
entity, including but not limited to: de-identifying protected health 
information, creating a limited data set, and certain fundraising for the 
benefit of the covered entity.22

Most uses and disclosures of psychotherapy notes for treatment, payment, 
and health care operations purposes require an authorization as described 
below.23 Obtaining consent (written permission from individuals to use and 
disclose their protected health information for treatment, payment, and 
health care operations) is optional under the Privacy Rule for all covered 
entities.24 The content of a consent form, and the process for obtaining 
consent, are at the discretion of the covered entity electing to seek 
consent.

(3) Uses and Disclosures with Opportunity to Agree or Object. Informal 
permission may be obtained by asking the individual outright, or by 
circumstances that clearly give the individual the opportunity to agree, 
acquiesce, or object. Where the individual is incapacitated, in an 
emergency situation, or not available, covered entities generally may make 
such uses and disclosures, if in the exercise of their professional 
judgment, the use or disclosure is determined to be in the best interests 
of the individual.

Facility Directories. It is a common practice in many health care 
facilities, such as hospitals, to maintain a directory of patient contact 
information. A covered health care provider may rely on an individuals 
informal permission to list in its facility directory the individuals 
name, general condition, religious affiliation, and location in the 
providers facility.25 The provider may then disclose the individuals 
condition and location in the facility to anyone asking for the individual 
by name, and also may disclose religious affiliation to clergy. Members of 
the clergy are not required to ask for the individual by name when 
inquiring about patient religious affiliation.

For Notification and Other Purposes. A covered entity also may rely on an 
individuals informal permission to disclose to the individuals family, 
relatives, or friends, or to other persons whom the individual identifies, 
protected health information directly relevant to that persons involvement 
in the individuals care or payment for care. 26 This provision, for 
example, allows a pharmacist to dispense filled prescriptions to a person 
acting on behalf of the patient. Similarly, a covered entity may rely on 
an individuals informal permission to use or disclose protected health 
information for the purpose of notifying (including identifying or 
locating) family members, personal representatives, or others responsible 
for the individuals care of the individuals location, general condition, 
or death. In addition, protected health information may be disclosed for 
notification purposes to public or private entities authorized by law or 
charter to assist in disaster relief efforts.

(4) Incidental Use and Disclosure. The Privacy Rule does not require that 
every risk of an incidental use or disclosure of protected health 
information be eliminated. A use or disclosure of this information that 
occurs as a result of, or as incident to, an otherwise permitted use or 
disclosure is permitted as long as the covered entity has adopted 
reasonable safeguards as required by the Privacy Rule, and the information 
being shared was limited to the minimum necessary, as required by the 
Privacy Rule.27 See additional guidance on Incidental Uses and 
Disclosures.

(5) Public Interest and Benefit Activities. The Privacy Rule permits use 
and disclosure of protected health information, without an individuals 
authorization or permission, for 12 national priority purposes.28 These 
disclosures are permitted, although not required, by the Rule in 
recognition of the important uses made of health information outside of 
the health care context. Specific conditions or limitations apply to each 
public interest purpose, striking the balance between the individual 
privacy interest and the public interest need for this information.

Required by Law. Covered entities may use and disclose protected health 
information without individual authorization as required by law (including 
by statute, regulation, or court orders).29

Public Health Activities. Covered entities may disclose protected health 
information to: (1) public health authorities authorized by law to collect 
or receive such information for preventing or controlling disease, injury, 
or disability and to public health or other government authorities 
authorized to receive reports of child abuse and neglect; (2) entities 
subject to FDA regulation regarding FDA regulated products or activities 
for purposes such as adverse event reporting, tracking of products, 
product recalls, and post-marketing surveillance; (3) individuals who may 
have contracted or been exposed to a communicable disease when 
notification is authorized by law; and (4) employers, regarding employees, 
when requested by employers, for information concerning a work-related 
illness or injury or workplace related medical surveillance, because such 
information is needed by the employer to comply with the Occupational 
Safety and Health Administration (OHSA), the Mine Safety and Health 
Administration (MHSA), or similar state law.30 See additional guidance on 
Public Health Activities and CDC's web pages on Public Health and HIPAA 
Guidance.

Victims of Abuse, Neglect or Domestic Violence. In certain circumstances, 
covered entities may disclose protected health information to appropriate 
government authorities regarding victims of abuse, neglect, or domestic 
violence.31

Health Oversight Activities. Covered entities may disclose protected 
health information to health oversight agencies (as defined in the Rule) 
for purposes of legally authorized health oversight activities, such as 
audits and investigations necessary for oversight of the health care 
system and government benefit programs.32

Judicial and Administrative Proceedings. Covered entities may disclose 
protected health information in a judicial or administrative proceeding if 
the request for the information is through an order from a court or 
administrative tribunal. Such information may also be disclosed in 
response to a subpoena or other lawful process if certain assurances 
regarding notice to the individual or a protective order are provided.33

Law Enforcement Purposes. Covered entities may disclose protected health 
information to law enforcement officials for law enforcement purposes 
under the following six circumstances, and subject to specified 
conditions: (1) as required by law (including court orders, court-ordered 
warrants, subpoenas) and administrative requests; (2) to identify or 
locate a suspect, fugitive, material witness, or missing person; (3) in 
response to a law enforcement officials request for information about a 
victim or suspected victim of a crime; (4) to alert law enforcement of a 
persons death, if the covered entity suspects that criminal activity 
caused the death; (5) when a covered entity believes that protected health 
information is evidence of a crime that occurred on its premises; and (6) 
by a covered health care provider in a medical emergency not occurring on 
its premises, when necessary to inform law enforcement about the 
commission and nature of a crime, the location of the crime or crime 
victims, and the perpetrator of the crime.34

Decedents. Covered entities may disclose protected health information to 
funeral directors as needed, and to coroners or medical examiners to 
identify a deceased person, determine the cause of death, and perform 
other functions authorized by law.35

Cadaveric Organ, Eye, or Tissue Donation. Covered entities may use or 
disclose protected health information to facilitate the donation and 
transplantation of cadaveric organs, eyes, and tissue.36

Research. Research is any systematic investigation designed to develop or 
contribute to generalizable knowledge.37 The Privacy Rule permits a 
covered entity to use and disclose protected health information for 
research purposes, without an individuals authorization, provided the 
covered entity obtains either: (1) documentation that an alteration or 
waiver of individuals authorization for the use or disclosure of protected 
health information about them for research purposes has been approved by 
an Institutional Review Board or Privacy Board; (2) representations from 
the researcher that the use or disclosure of the protected health 
information is solely to prepare a research protocol or for similar 
purpose preparatory to research, that the researcher will not remove any 
protected health information from the covered entity, and that protected 
health information for which access is sought is necessary for the 
research; or (3) representations from the researcher that the use or 
disclosure sought is solely for research on the protected health 
information of decedents, that the protected health information sought is 
necessary for the research, and, at the request of the covered entity, 
documentation of the death of the individuals about whom information is 
sought.38 A covered entity also may use or disclose, without an 
individuals authorization, a limited data set of protected health 
information for research purposes (see discussion below).39 See additional 
guidance on Research and NIH's publication of "Protecting Personal Health 
Information in Research: Understanding the HIPAA Privacy Rule."

Serious Threat to Health or Safety. Covered entities may disclose 
protected health information that they believe is necessary to prevent or 
lessen a serious and imminent threat to a person or the public, when such 
disclosure is made to someone they believe can prevent or lessen the 
threat (including the target of the threat). Covered entities may also 
disclose to law enforcement if the information is needed to identify or 
apprehend an escapee or violent criminal.40

Essential Government Functions. An authorization is not required to use or 
disclose protected health information for certain essential government 
functions. Such functions include: assuring proper execution of a military 
mission, conducting intelligence and national security activities that are 
authorized by law, providing protective services to the President, making 
medical suitability determinations for U.S. State Department employees, 
protecting the health and safety of inmates or employees in a correctional 
institution, and determining eligibility for or conducting enrollment in 
certain government benefit programs.41

Workers Compensation. Covered entities may disclose protected health 
information as authorized by, and to comply with, workers compensation 
laws and other similar programs providing benefits for work-related 
injuries or illnesses.42 See additional guidance on Workers Compensation.

(6) Limited Data Set. A limited data set is protected health information 
from which certain specified direct identifiers of individuals and their 
relatives, household members, and employers have been removed.43 A limited 
data set may be used and disclosed for research, health care operations, 
and public health purposes, provided the recipient enters into a data use 
agreement promising specified safeguards for the protected health 
information within the limited data set.

.

.


Authorized Uses and Disclosures

Authorization. A covered entity must obtain the individuals written 
authorization for any use or disclosure of protected health information 
that is not for treatment, payment or health care operations or otherwise 
permitted or required by the Privacy Rule.44 A covered entity may not 
condition treatment, payment, enrollment, or benefits eligibility on an 
individual granting an authorization, except in limited circumstances.45

An authorization must be written in specific terms. It may allow use and 
disclosure of protected health information by the covered entity seeking 
the authorization, or by a third party. Examples of disclosures that would 
require an individuals authorization include disclosures to a life insurer 
for coverage purposes, disclosures to an employer of the results of a 
pre-employment physical or lab test, or disclosures to a pharmaceutical 
firm for their own marketing purposes.

All authorizations must be in plain language, and contain specific 
information regarding the information to be disclosed or used, the 
person(s) disclosing and receiving the information, expiration, right to 
revoke in writing, and other data. The Privacy Rule contains transition 
provisions applicable to authorizations and other express legal 
permissions obtained prior to April 14, 2003.46

Psychotherapy Notes47. A covered entity must obtain an individuals 
authorization to use or disclose psychotherapy notes with the following 
exceptions48:
The covered entity who originated the notes may use them for treatment.
A covered entity may use or disclose, without an individuals 
authorization, the psychotherapy notes, for its own training, and to 
defend itself in legal proceedings brought by the individual, for HHS to 
investigate or determine the covered entitys compliance with the Privacy 
Rules, to avert a serious and imminent threat to public health or safety, 
to a health oversight agency for lawful oversight of the originator of the 
psychotherapy notes, for the lawful activities of a coroner or medical 
examiner or as required by law.

Marketing. Marketing is any communication about a product or service that 
encourages recipients to purchase or use the product or service.49 The 
Privacy Rule carves out the following health-related activities from this 
definition of marketing:
Communications to describe health-related products or services, or payment 
for them, provided by or included in a benefit plan of the covered entity 
making the communication;
Communications about participating providers in a provider or health plan 
network, replacement of or enhancements to a health plan, and 
health-related products or services available only to a health plans 
enrollees that add value to, but are not part of, the benefits plan;
Communications for treatment of the individual; and
Communications for case management or care coordination for the 
individual, or to direct or recommend alternative treatments, therapies, 
health care providers, or care settings to the individual.


Marketing also is an arrangement between a covered entity and any other 
entity whereby the covered entity discloses protected health information, 
in exchange for direct or indirect remuneration, for the other entity to 
communicate about its own products or services encouraging the use or 
purchase of those products or services. A covered entity must obtain an 
authorization to use or disclose protected health information for 
marketing, except for face-to-face marketing communications between a 
covered entity and an individual, and for a covered entitys provision of 
promotional gifts of nominal value. No authorization is needed, however, 
to make a communication that falls within one of the exceptions to the 
marketing definition. An authorization for marketing that involves the 
covered entitys receipt of direct or indirect remuneration from a third 
party must reveal that fact. See additional guidance on Marketing.

.

.


State Law

Preemption. In general, State laws that are contrary to the Privacy Rule 
are preempted by the federal requirements, which means that the federal 
requirements will apply.85 Contrary means that it would be impossible for 
a covered entity to comply with both the State and federal requirements, 
or that the provision of State law is an obstacle to accomplishing the 
full purposes and objectives of the Administrative Simplification 
provisions of HIPAA.86 The Privacy  Rule provides exceptions to the 
general rule of federal preemption for contrary State laws that (1) relate 
to the privacy of individually identifiable health information and provide 
greater privacy protections or privacy rights with respect to such 
information, (2) provide for the reporting of disease or injury, child 
abuse, birth, or death, or for public health surveillance, investigation, 
or intervention, or (3) require certain health plan reporting, such as for 
management or financial audits.

Exception Determination. In addition, preemption of a contrary State law 
will not occur if HHS determines, in response to a request from a State or 
other entity or person, that the State law:

Is necessary to prevent fraud and abuse related to the provision of or 
payment for health care,

Is necessary to ensure appropriate State regulation of insurance and 
health plans to the extent expressly authorized by statute or regulation,

Is necessary for State reporting on health care delivery or costs,

Is necessary for purposes of serving a compelling public health, safety, 
or welfare need, and, if a Privacy Rule provision is at issue, if the 
Secretary determines that the intrusion into privacy is warranted when 
balanced against the need to be served; or

Has as its principal purpose the regulation of the manufacture, 
registration, distribution, dispensing, or other control of any controlled 
substances (as defined in 21 U.S.C. 802), or that is deemed a controlled 
substance by State law.



.

.


Combined Regulation Text of All Rules

Copies of the Rule and Related Materials

See our Combined Regulation Text of All Rules section of our site for the 
full suite of HIPAA Administrative Simplification Regulations and 
Understanding HIPAA for additional guidance material.



.

.

The complete document may be read at the URL above.

.

.



Sincerely,
David Dillard
Temple University
(215) 204 - 4584
[log in to unmask]
http://workface.com/e/daviddillard

Net-Gold
http://groups.yahoo.com/group/net-gold
http://listserv.temple.edu/archives/net-gold.html
Index: http://tinyurl.com/myxb4w
http://groups.google.com/group/net-gold?hl=en
Handouts
http://tinyurl.com/6pvglb4

General Internet & Print Resources
http://guides.temple.edu/general-internet
COUNTRIES
http://guides.temple.edu/general-country-info
EMPLOYMENT
http://guides.temple.edu/EMPLOYMENT
TOURISM
http://guides.temple.edu/tourism
DISABILITIES
http://guides.temple.edu/DISABILITIES
INDOOR GARDENING
http://tech.groups.yahoo.com/group/IndoorGardeningUrban/
Educator-Gold
http://groups.yahoo.com/group/Educator-Gold/
K12ADMINLIFE
http://groups.yahoo.com/group/K12AdminLIFE/
The Russell Conwell Learning Center Research Guide:
THE COLLEGE LEARNING CENTER
http://tinyurl.com/yae7w79
Information Literacy
http://guides.temple.edu/infolit

Nina Dillard's Photographs on Net-Gold
http://tinyurl.com/36qd2o
and also
http://www.flickr.com/photos/neemers/

Twitter: davidpdillard

Bushell, R. & Sheldon, P. (eds),
Wellness and Tourism: Mind, Body, Spirit,
Place, New York: Cognizant Communication Books.
Wellness Tourism: Bibliographic and Webliographic Essay
David P. Dillard
http://tinyurl.com/p63whl
http://tinyurl.com/ou53aw

INDOOR GARDENING
Improve Your Chances for Indoor Gardening Success
http://tech.groups.yahoo.com/group/IndoorGardeningUrban/
http://groups.google.com/group/indoor-gardening-and-urban-gardening

SPORT-MED
https://www.jiscmail.ac.uk/lists/sport-med.html
http://groups.google.com/group/sport-med
http://groups.yahoo.com/group/sports-med/
http://listserv.temple.edu/archives/sport-med.html

HEALTH DIET FITNESS RECREATION SPORTS TOURISM
http://health.groups.yahoo.com/group/healthrecsport/
http://groups.google.com/group/healthrecsport
http://healthrecsport.jiglu.com/
http://listserv.temple.edu/archives/health-recreation-sports-tourism.html




.

.

Please Ignore All Links to JIGLU
in search results for Net-Gold and related lists.
The Net-Gold relationship with JIGLU has
been terminated by JIGLU and these are dead links.
http://groups.yahoo.com/group/Net-Gold/message/30664
http://health.groups.yahoo.com/group/healthrecsport/message/145
Temple University Listserv Alert :
Years 2009 and 2010 Eliminated from Archives
https://sites.google.com/site/templeuniversitylistservalert/

.

.