HIPAA Information Center

Privacy

On April 14, 2003, Department of Health and Human Services Secretary Tommy Thompson issued a press release marking the HIPAA Privacy regulations going into effect that day. Secretary Thompson focused on how the new federal health privacy protections "will reassure patients of the confidentiality of their medical records and give them greater access and more control over the personal information in their own medical records."

What is the Privacy Final Rule?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) called for a comprehensive federal standard for the protection of individually identifiable health information. It gave Congress until August 21, 1999, to act on this provision, failing which the Secretary of Health and Human Services (HHS) was required to issue privacy regulations. When Congress did not act by the legislated deadline, HHS published the Privacy Notice of Proposed Rulemaking (NPRM) on November 3, 1999, and received some 52,000 comments during the public comment period that followed.

The Privacy Rule is the set of standards that protect “individually identifiable health information”, referred to in the Rule as protected health information (PHI).

Privacy General Rules

  • Use and disclosure for treatment, payment, and healthcare operations
  • Consent requirement for treatment, payment and healthcare operations (made optional by the August 2002 modifications to the Rule)
  • Minimum necessary use and disclosure
  • Creation of de-identified information
  • Application to business associates (called “business partners” in the NPRM) through contract
  • Application to information about deceased persons
  • Adherence to the notice of information practices
  • Application to the covered-entity components of organizations that are not themselves covered entities (hybrid entities)

Privacy Establishes Rights of Individuals

  • Right to request restriction of use and disclosure
  • Right and procedure for a written notice of information practices
  • Right and procedure for access for inspection and copying
  • Right and procedure with respect to an accounting of disclosures
  • Right and procedure for amendment and correction
  • Right to an accounting of disclosures made for purposes other than treatment, payment and healthcare operations

Administrative Requirements

  • Designation of privacy official
  • Training
  • Safeguards
  • Internal complaint process
  • Sanctions
  • Duty to mitigate

Uses and Disclosures with Individual Authorization

  • Requirements when the individual has initiated the authorization
  • Requirements when the covered entity initiates the authorization
  • Plain language requirement
  • Prohibition on conditioning treatment or payment
  • Inclusion in the accounting of disclosures
  • Revocation of an authorization by the individual
  • Expired, deficient, or false authorization

Uses and Disclosures without Individual Authorization

  • Use and disclosure for public health activities
  • Use and disclosure for health oversight activities
  • Use and disclosure for judicial & administrative proceedings
  • Disclosure to coroners and medical examiners
  • Disclosure for law enforcement
  • Use and disclosure for governmental health data systems
  • Disclosure for directory information
  • Disclosure for banking & payment processes
  • Use and disclosure for research, emergency circumstances, next-of-kin, and as required by other laws

The HIPAA Privacy Rule Checklist: What Needs to Be Done?

1. Appoint a privacy officer
  • Reference: § 164.530(a)(1)
  • The privacy officer is responsible for the development and implementation of the policies and procedures required by the Privacy Rule.
  • The privacy officer may also serve as the person designated to receive complaints and who can provide further information about matters covered by the privacy notice.
2. Develop minimum necessary policies
  • Reference: §§ 164.502(b); 164.514(d)
  • General principle: covered entities must make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose.
  • The general principle does not apply to:
    • Disclosures to, or requests by, a provider for treatment;
    • Uses or disclosures made to the individual;
    • Uses or disclosures made pursuant to the individual’s authorization;
    • Disclosures made to the Secretary;
    • Uses and disclosures required by law; and
    • Uses and disclosures required for compliance with the Privacy Rule.
  • For uses, covered entities must identify:
    • Who in its workforce needs access to PHI;
    • What level of access is needed; and
    • What conditions, if any, are appropriate to such access.
  • For routine disclosures, covered entities must implement policies and procedures that limit the amount of PHI disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.
  • For non-routine disclosures, a covered entity must develop and apply criteria designed to limit the amount of PHI disclosed to the amount reasonably necessary to accomplish the purpose of the disclosure.
  • In certain designated circumstances, a covered entity may rely on a requested disclosure as the minimum necessary for the stated purpose, if such reliance is reasonable.   (See § 164.514(d)(3)(iii)).
  • A covered entity must limit its requests for disclosure of PHI to the amount necessary to accomplish the purpose for which the request is made.
3. Amend business associate contracts
  • Reference: §§ 160.103; 164.502(e); 164.504(e)
  • A business associate is a person or entity who is not a member of the covered entity’s workforce, and who performs a function for the covered entity which requires it to use, disclose, create or receive PHI.
  • A covered entity may disclose PHI to a business associate only if it receives satisfactory assurance that the business associate will appropriately safeguard the information.
  • The satisfactory assurance requirement does not apply to:
    • Disclosures made to a provider for treatment;
    • Disclosures made to a plan sponsor; and
    • Uses by and disclosures to a government agency that determines enrollment or eligibility for a Medicaid or other public benefit program if such activity is authorized by law (See § 164.502(e)(1)(C))
  • Satisfactory assurances must be obtained in a contract or other written arrangement.
  • The contract or other written arrangement must establish the permitted and required uses and disclosures and must also require the business associate to:
    • Appropriately safeguard the PHI;
    • Report any use or disclosure of PHI not provided for by the contract;
    • Secure satisfactory assurances from any subcontractor;
    • Grant individuals access to, and the ability to amend, their PHI;
    • Make available an accounting of disclosures;
    • Release applicable records to the Secretary if requested; and
    • Upon termination, return or destroy all PHI.
  • The contract or other written arrangement must authorize termination if the business associate violates its terms.
  • If the covered entity and business associate are both governmental entities, a memorandum of agreement may provide satisfactory assurances.   In other cases, when the function is required by law, no written agreement need be executed. (See § 164.504(e)(3)).
4. Develop verification procedures
  • Reference: §§ 164.514(h); 164.502(g)
  • Before disclosing PHI, the covered entity must verify the identity of the person requesting the PHI and the authority of that person to have access.
  • The covered entity may rely on written statements, if such reliance is reasonable.
  • For public officials, the covered entity may rely on an identification badge or a letter written on government letterhead.
  • A covered entity must treat a personal representative as the individual for purposes of the Privacy Rule.
  • A personal representative is someone who has, under applicable law, the authority to act on behalf of an individual in making decisions related to health care.
  • A covered entity must abide by special provisions for unemancipated minors, deceased individuals, and abuse, neglect and endangerment situations.
5. Develop accounting of disclosures capability
  • Reference: § 164.528
  • On request, a covered entity must give an individual an accounting of the disclosures of the individual’s PHI made in the six years before the request, except for disclosures:
    • To carry out treatment, payment or health care operations;
    • To the individual;
    • For the facility directory or to persons involved in the individual’s care;
    • For national security or intelligence purposes;
    • To correctional institutions or law enforcement officials having lawful custody of the individual; and
    • Made before the compliance date.
  • In certain circumstances involving health oversight agencies or law enforcement agencies, a covered entity may temporarily suspend the individual’s right to receive an accounting of disclosures.
6. Develop procedure to request alternative means of communication
  • Reference:  §§ 164.502(h); 164.522(b)
  • A health plan must permit individuals to request and must accommodate reasonable requests to receive communication of PHI by alternative means or at an alternative location, if the individual clearly states that disclosure of all or part of that information could endanger the individual.
  • A health care provider must accommodate a reasonable request without requiring the individual to state any reason for it.
7. Develop procedure to request restricted use
  • Reference: §§ 164.522(a); 164.502(c)
  • A covered entity must allow an individual to request that it restrict its use and disclosure of PHI for treatment, payment or health care operations.
  • The covered entity is not required to agree to the restriction.
  • If the covered entity agrees to the restriction, it may not violate that agreement, except for emergency treatment.
  • An agreed-upon restriction does not prevent disclosures to the individual, disclosures for the facility directory, or uses and disclosures the Rule permits without an authorization.
8. Develop complaint procedure
  • Reference: §§ 164.530(d); 164.530(a)
  • A covered entity must provide a process for individuals to make complaints to the covered entity concerning its Privacy Rule policies and procedures, its compliance with those policies or procedures, or its compliance with the Privacy Rule itself.
  • A covered entity must document all complaints received and their disposition.
9. Develop amendment request procedure
  • Reference: § 164.526
  • A covered entity must permit an individual to request that the covered entity amend his or her PHI. The covered entity may require that the request be in writing and state a reason for the amendment, as long as it informs individuals in advance of that requirement.
  • A covered entity must document the titles or offices responsible for receiving and processing requests for amendments.
  • The covered entity must act on the request within 60 days. One 30-day extension is allowed.
  • The covered entity must comply with § 164.526(c) when accepting the amendment and with § 164.526(d) when denying the amendment.
10. Develop individual access procedure
  • Reference: § 164.524
  • A covered entity must permit an individual to request access to inspect or copy his or her PHI. The covered entity may require that the request be in writing, as long as it informs individuals in advance of that requirement.
  • A covered entity must document the titles or offices responsible for receiving and processing requests for access by individuals.
  • The covered entity must act on the request within 30 days. One 30-day extension is allowed.
  • The covered entity may charge a reasonable, cost-based fee that includes only the cost of copying, postage, and preparation of an agreed-upon summary or explanation.
  • The covered entity must comply with § 164.524(c) when providing access and with § 164.524(d) when denying access.
11. Develop anti-retaliation policy
  • Reference: § 164.530(g)
  • A covered entity may not retaliate against any person for exercising a right under the Privacy Rule, or for filing a complaint, participating in an investigation, or opposing any unlawful act relating to the Privacy Rule.
12. Train workforce
  • Reference: §§ 164.530(b); 164.530(e)
  • A covered entity must train all members of its workforce in the policies and procedures required by the Privacy Rule.
  • A covered entity must train each member of the workforce by the compliance date, and thereafter each new member of the workforce, and each member of the workforce whose functions are affected by a material change in the required policies or procedures.
  • A covered entity must have and apply sanctions against members of its workforce who fail to comply with the covered entity’s privacy policies or procedures or with the Privacy Rule.
13. Develop and disseminate privacy notice
  • Reference: § 164.520
  • A covered entity must make its notice of privacy practices available from the compliance date onward: a health plan must provide it to new enrollees at enrollment and within 60 days of any material revision; a provider with a direct treatment relationship must provide it no later than the first service delivery.
  • At least every three years, a health plan must notify its members of the availability of the notice.
  • A health plan may satisfy the requirement by providing the notice to the named insured of a policy that also covers the insured’s dependents.
  • A covered entity that maintains a web site describing its customer services or benefits must post its notice prominently on that site.
  • A covered entity must document compliance with the notice requirements and must keep a copy of each notice issued.
  • The required elements for each notice include:
    • Header: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.  PLEASE REVIEW IT CAREFULLY.”
    • A description, including at least one example, of the types of uses and disclosures the covered entity may make for treatment, payment or health care operations.
    • A description of each of the other purposes for which the covered entity is required or permitted to use or disclose PHI without consent or authorization
    • If applicable, a statement that the covered entity will contact the person for appointment reminders, to provide information about health-related benefits or services, or for fund raising
    • A statement of the individual’s rights under the Privacy Rule
    • A statement of the covered entity’s duties under the Privacy Rule
    • A statement informing individuals how they may complain about violations of the Privacy Rule
  • A covered entity that elects to limit its use and disclosures of PHI may also include, at its option, a statement describing that limitation
  • A covered entity must revise and redistribute its notice whenever there is a material change to the policies and procedures described within it