4599 The HIPAA Rule – Healthcare Privacy, Security ...guides.aurorapictures.com/4599.pdf ·...

4599 The HIPAA Rule – Healthcare Privacy, Security & Enforcement Study Guide


The HIPAA Rule: Healthcare Privacy, Security and Enforcement

© Envision, Inc. 2013 1

ACKNOWLEDGEMENTS

We would like to express our sincere appreciation to the following individuals:

Sue Dill Calloway, MSN, JD, RN

Tara Walton, RHIA

Manager, Health Information Management HIPAA Privacy Coordinator

Melanie Lyons Watson, CPA, MBA, FHFMA

Chief Compliance Officer T. J. Samson Community Hospital

© 2013 Envision, Inc.


I. Objectives ... 3

II. Introduction ... 3

III. HIPAA Background ... 3

IV. Privacy vs. Security Standards & Enforcement Rule ... 4

V. Creating A Culture Of Confidentiality ... 5

VI. The Basics Regarding HIPAA ... 7

A. Who Is Included? ... 7

B. What Health Information Is Covered? ... 8

C. Disclosure ... 9

VII. Protecting Health Information ... 10

A. Minimum Necessary Information (MNI) ... 10

B. De-Identified Information ... 11

C. Limited Data Sets ... 12

D. Making Information Inaccessible ... 12

VIII. Patients Have Rights! ... 13

IX. HIPAA In Everyday Use ... 18

A. The Hospital Patient Directory ... 18

B. Sign-in Sheets ... 19

C. Family Inquiries / Families Assisting With Care ... 19

D. Parents and Minors ... 20

E. Clergy / Other Religious Personnel ... 21

F. 911 Calls ... 21

G. Missing Persons ... 21

H. Patient Deaths ... 21

I. Cadaver Donation of Organs ... 22

J. Law Enforcement ... 22

K. Patient Abuse ... 23

L. Public Health / Health Oversight Activities ... 23

M. Quality of Care Issues ... 24

N. Research ... 24

O. Marketing and Fundraising ... 24

P. Psychotherapy Exception ... 25

X. Summary ... 25

XI. References & Resources ... 26


I. Objectives

The objectives of this program are to:

• Review the main points of the new and existing regulations
• Identify who must comply
• Discuss the legalities and their everyday applications in health care
• Identify strategies for compliance
• Discuss the many patient rights under HIPAA

II. Introduction

A hospital in Michigan accidentally posts the medical records of thousands of patients on the internet. An employee of a Florida health department takes home a computer disk containing the names of 4,000 patients that had tested positive for HIV. A Nevada woman buys a computer at an auction and finds the prescription records of patients still on the hard drive. Two of the largest pharmacy chains in the US are found discarding patient records and other legally-protected information in unsecured dumpsters. And a congressional candidate says her campaign was derailed when newspapers published her psychiatric treatment after a suicide attempt.

This unnecessary exposure of private information should be alarming. In fact, since the creation of the HIPAA act, the Department of Health and Human Services has investigated approximately 19,000 legitimate complaints of privacy violations. These statistics are simply unacceptable. As professionals who work in healthcare, how we protect personal health information is just as much a part of our jobs as the care we deliver. At stake is not only the privacy of an individual’s care, but the security of the person’s information, which could be used for medical and financial identity theft and other illegal purposes. And as healthcare adopts more and more technology, including web-based applications and portals, electronic health records (EHR) and computerized physician order entry (CPOE), the need to protect electronic health information will become that much more important.

III. HIPAA Background

Leading up to 1996 there were rising concerns regarding health care. There were fears about the increasing costs of care; concerns from patients regarding what they saw as breaches in confidentiality; and with the increasing use of computers and the internet, there was also a need to simplify the exchange of medical information. Consequently, the Health Insurance Portability and Accountability Act, or HIPAA, was passed in 1996 as part of a broad congressional attempt to reduce health care’s costly administrative overhead. With the passage of HIPAA, Congress set itself a deadline: if it did not pass a federal privacy law by August 1999, the Department of Health and Human Services (DHHS) would have the authority to promulgate the rules. When Congress failed to pass this law, the DHHS began an effort to adopt the standards required by the act.

The HIPAA Privacy rule was issued by the DHHS in December, 2000. Revisions to the privacy rule were published August 14, 2002. The regulation required compliance by most covered entities by April 14, 2003. Small health plans had until April 14, 2004.

The 1996 HIPAA law also required the DHHS to establish national standards for the security of electronic health information, and in February 2003 the final HIPAA Security rule was published. This rule required covered entities to establish administrative, physical and technical procedures to safeguard the confidentiality of electronic protected health information; each of these implementation specifications is considered either required or addressable.

The American Recovery and Reinvestment Act of 2009 (ARRA), enacted in February 2009, created the Health Information Technology for Economic and Clinical Health (HITECH) law to improve enforcement of the Privacy and Security rules. This law requires that business associates practice the same security requirements as other covered entities. In July 2009, the Secretary of Health and Human Services delegated the authority to administer and enforce the Security Rule to the Office for Civil Rights. In August 2009, the interim final rule Breach Notification regulations required HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information, effective September 23, 2009.

In 2013, the HITECH Breach Notification Final Rule modified the Privacy, Security and Enforcement rules to strengthen privacy and security protections as provided for in the American Recovery and Reinvestment Act (ARRA). The rule also includes final modifications to the Breach Notification Rule, which replaces the 2009 interim final rule, as well as increasing privacy protections for genetic information as required by the Genetic Information Nondiscrimination Act of 2008 (GINA). The final rule is effective March 26, 2013.

IV. Privacy vs. Security Standards & Enforcement Rules

The HIPAA law is essentially a call to action regarding the sharing of protected health information or PHI, and creates safeguards to secure PHI so that only those people or entities that have a real need for protected health information have access to it. The HIPAA rule works alongside complementary standards that protect patient rights issued by The Joint Commission (TJC), and the Centers for Medicare and Medicaid Services (CMS).


In essence, the standards in this law:
• Protect patients’ rights by giving them access to their health information and control over how it will be used
• Improve the quality of care by restoring trust in the health care system
• Improve the efficiency and effectiveness of the way health care is delivered by standardizing systems
• Protect the security and privacy of all medical records and other health information that is used or shared in any form, whether on paper, electronically or orally, by certain health care entities and their business associates

The Privacy and Security standards are incorporated throughout the regulations but are actually two different things. Both are designed to protect the integrity of health data while ensuring the information is available for care. The Privacy Standards apply to all forms of protected information, whether electronic, written or oral, and discuss what may be expected from covered entities in terms of the way health information is used; for example, limiting who has access to records. These standards require that technical, administrative and physical safeguards be put into place to protect this information from any intentional or unintentional use or disclosure, and to limit incidental uses or disclosures. These safeguards must be implemented in a reasonable way.

On the other hand, the Security Standards only cover protected health information that is electronic in form (EPHI), and include EPHI that is created, received, maintained or transmitted. These standards are measures that covered entities can take to keep their information safe, such as encrypting information before it is sent over the internet. The security standards were also created to promote an important goal of HIPAA, which is the use of EPHI in the healthcare industry. The Security Standards are far more comprehensive in security requirements than the Privacy Standards, and provide detailed instruction on implementing specifications to safeguard PHI.

• Administrative safeguards include assigning or delegating the responsibility of security to an individual and having security training
• Physical safeguards may include antivirus and other software to protect electronic systems and equipment and the data they hold
• Technical safeguards may include passwords to verify identity before access, or encrypting information before it is sent

These specifications are either required or addressable. If they are required, the facility must implement policies and/or procedures that meet the implementation specifications. If they are addressable, the facility must assess whether the safeguard is reasonable and appropriate in that environment. Be sure you are familiar with, and trained on, the safeguards that relate to your position.


The final omnibus rule released in 2013 strengthens the privacy and security protections established under the HIPAA act for an individual’s health information maintained in electronic health records and other formats. It is comprised of four final rules:
• It modifies the Privacy, Security and Enforcement Rules to strengthen privacy and security protections for health information and to improve enforcement as provided for by the HITECH Act.
• It includes final modifications to the Breach Notification Rule, replacing the interim final rule published in 2009.
• It revises the HIPAA Privacy Rule to increase privacy protections for genetic information as required by the Genetic Information Nondiscrimination Act of 2008 (GINA).
• It uses its general authority under HIPAA to make a number of changes to the Rules that are intended to increase workability and flexibility, decrease burden, and better harmonize with other regulations.

In this study guide, we will discuss elements of the standards that are essential for enforcing the HIPAA rules.

V. Creating a Culture of Confidentiality

Every effort must be made to prevent protected health information (PHI) from falling into the wrong hands. This can first be accomplished with strong internal leadership that creates a vision of compliance and strong ethics, as well as the use of internal rules and modern technology.

Second, when there is evidence that there has been inappropriate use of protected information, there must be policies that clearly outline the consequences of sharing or improperly using this information, and procedures to enforce these policies, such as firing or suspending privileges.

HIPAA is a federal law. Compliance is not voluntary, it’s mandatory. As an employee of a health care facility, you must become aware of your role in protecting the privacy of your patients or subject yourself and your facility to serious consequences. Anyone who obtains or discloses protected health information for personal or commercial gain or for malicious purposes is subject to sanctions and disciplinary action such as suspension, termination, criminal and civil penalties.

In the changes to HIPAA effective February 18, 2009, the civil penalties were increased for covered entities, and the penalties are extended to business associates effective February 17, 2010. These were published on October 30, 2009 in the HIPAA Administrative Simplification: Enforcement Interim Final Rule. The HITECH penalty scheme adopts new limits on fines for violations occurring on or after February 19, 2009. These fines are based on the circumstances surrounding the violation, and the fines increase with each level of culpability:


• Person did not know and by exercising reasonable diligence would not have known they made a violation: each violation is now $100 - $50,000 per individual exposure, with a cap of $1,500,000 per calendar year.
• Reasonable cause and no willful neglect: $1,000 - $50,000, $1,500,000 cap.
• Willful neglect and violation corrected: $10,000 - $50,000, $1,500,000 cap.
• Willful neglect and violation not corrected: $50,000, $1,500,000 cap.

The final rule also clarifies that business associates are separately and directly liable for violations of the Security Rule and for violations of the Privacy Rule for impermissible uses and disclosures pursuant to their business associate contract. The ARRA mandates that DHHS conduct audits periodically to ensure that covered entities are in compliance. By 2012, DHHS established a process whereby individuals who are affected by a HIPAA violation may receive a percentage of the settlement or penalties collected for that violation. This gives a very clear incentive to individuals to sue if their rights have been violated!

If you violate confidentiality, this may also result in a Type I recommendation from The Joint Commission and a citation from CMS. CMS has promulgated Patient Rights Standards in the Conditions of Participation (CoPs) for hospitals. Any hospital that receives Medicare reimbursement must agree to follow all the CoPs. These standards specifically mention compliance with HIPAA and the requirement for confidentiality. The Hospital CoPs, under the section on medical records (Health Information Management), also require confidentiality and security of health information.

Be sure you know and follow your facility’s regulations and procedures in order to protect yourself, as well as your patient!

You can’t afford not to!

VI. The Basics Regarding HIPAA

Here are some things you need to know concerning the HIPAA regulations:

A. Who is Included?

There are four entities covered by this rule: health care providers, health plans, health care clearinghouses, and their business associates. In other words, this law includes entities that provide, bill or pay for medical care or process health information, and that might request access to medical information in order to conduct financial and administrative transactions.


In addition, every health care provider who electronically transmits health information in connection with certain transactions is a covered entity, whether the provider transmits these transactions directly or uses a third party or billing service to do so on its behalf. These transactions include claims, referral authorization requests, and benefit eligibility inquiries.

1. A health care provider is defined as any person or business that furnishes, bills, or is paid for health care services in the normal course of business. This includes:
• Physicians
• Licensed health care providers
• Hospitals
• Outpatient physical therapy
• Social worker services
• Certified nurse-midwife services
• X-rays done at home
• Home health agencies
• Pharmacists
• Home dialysis supplies and equipment
• Nursing homes
• Ambulatory Surgery Centers
• Dentists
• Skilled nursing facilities

Essentially, in a health care facility, anyone who uses or may see confidential patient information is included. For example, medical staff in a hospital involved in the direct care of a patient will have access to all the medical records in order to provide the best possible care.

2. A health plan is defined to be an individual or group plan that provides for, or pays the cost of, medical care. This includes:
• Health Maintenance Organizations (HMOs)
• Medicare / Medicaid / Medicare+Choice and Medicare supplement insurers
• Long term care insurers
• Insurance companies (health, dental, vision, and prescription drug insurers)
• Employer-sponsored group plans
• Federal plans like Champus, Military, Indian Health

For example, insurance companies may need to access information in order to pay claims and are therefore included under HIPAA.

3. A clearinghouse receives health information from providers and plans and helps standardize that information into the required format for claims processing. Examples include:
• Billing services
• Re-pricing agencies
• Third party administrators


4. Business Associates are defined as a person or entity that provides certain functions, activities or services for or to a covered entity, but is not a member of the health care provider, health plan or other covered entity’s workforce. Examples include but are not limited to:
• Auditors
• Lawyers
• Consultants
• Accountants
• Billing firms
• Data processing firms

The definition also includes Health Information Organizations (HIOs), E-prescribing Gateways, and other persons that provide data transmission services with respect to PHI to a covered entity and that require routine access to such PHI; a person who offers a personal health record to one or more individuals on behalf of a covered entity; subcontractors that create, receive, maintain or transmit PHI on behalf of the business associate; and Patient Safety Organizations (PSOs), which must also be treated as business associates if they perform functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of PHI.

Business associates must also comply with HIPAA, and plans and providers must have contracts with these associates that state the purposes for which they may use and disclose medical record information. In fact, a contract must be in place before the business associate can see and use protected health information. These contracts, referred to as Business Associate Agreements, also impose specified written safeguards on individually identifiable health information used or disclosed by business associates. In addition, a covered entity may not authorize the business associate to disclose or make use of protected health information in a way that would violate HIPAA.

NOTE: This rule does not apply to other entities that collect and maintain health information such as life insurers, researchers, and public health officials. To change this, Congress would have to pass another federal law.

B. What health information is covered?

Health information is defined as any information, whether spoken, electronic or written, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care provided to an individual; or the past, present, or future payment for the provision of health care provided to an individual. This applies even after it is printed, discussed orally, or otherwise changed in any form. Protected Health Information or PHI is health information created or received by a covered entity, regardless of form, that could be used directly or indirectly to identify the individual. This can be in the form of paper records, electronic files, and video or audio tapes, and includes information that is read off a computer screen and discussed, transmitted over the internet, photographed or duplicated. For example, in a hospital, the medical records used are considered to be PHI.

Note: PHI stored, whether intentionally or not, in photocopiers, fax machines or other devices is subject to the Privacy and Security Rules. This information must be appropriately protected and secured from inappropriate access, and proper safeguards should be followed to remove the electronic PHI from the device before the device itself is removed.

PHI includes Individually Identifiable Health Information (IIHI), or information that identifies the individual, or can reasonably be believed to provide information that can be used to identify the individual. It is a subset of health information that is collected from a patient. It is also IIHI if it relates to the past, present, or future physical or mental health of the individual.

C. Disclosure

The bottom line is that any information that relates to a patient’s health cannot be used unless authorized by either the patient or someone acting on the patient’s behalf, or unless permitted by regulation. Additionally, the facility must limit access to only those individuals who need the information for a legitimate purpose.

Example #1: Hospital policy might not grant a housekeeper access to a patient’s medical records, but it would grant access to the nurse in charge of that patient’s care, and grant her access to all other patients’ records on her floor when she is on duty. Policies should also take into consideration the ways PHI can be exposed to people who should not have access to this information, such as through computer screens that are angled toward the public, sign-in sheets, or unattended fax pages.

Example #2: A nosy nurse should not be able to access the X-ray results of a famous patient in the facility just because she is curious, and then share the results with others. By simply accessing the patient’s records without a need to know, there is a HIPAA violation. By gossiping about them she is using private medical information for personal and malicious purposes. This is a clear violation of HIPAA regulations, and the nurse could be suspended or terminated by the hospital.

With a few exceptions, HIPAA strives to ensure that an individual’s health information may only be used for health purposes.

Example: Health information may not be used by employers to make personnel decisions, or used by financial institutions to make decisions regarding an individual, without explicit authorization by the patient.

In some cases, however, there’s a fine line between a person’s right to privacy and a facility’s responsibility to share private information. In certain situations it may be in the best interest of the public to disclose certain information. Examples include reporting a person with a communicable disease to the department of health, the coroner’s involvement in a suspicious death, emergency situations, some law enforcement and research activities, criminal and administrative proceedings, and activities related to national defense and security.

Incidental Disclosures

Many hospital employees are worried about a disclosure violation even though they have done everything possible to avoid one. This type of disclosure is known as an “incidental disclosure.” It is a disclosure that cannot be reasonably prevented, is limited in nature, and occurs as a by-product of otherwise permitted use or disclosure.

Example: A patient walking down the hallway accidentally hears part of a telephone conversation that takes place while a physician is in his office on the phone with the hospital.

The incidental exposure exception will not apply if there is a failure to follow reasonable safeguards or the minimum necessary standards.

Example #1: A receptionist always leaves the window open to the waiting room while she converses with patients on the phone. These conversations are overheard by patients in the waiting room. This would not be an incidental disclosure, as it was foreseeable that protected health information could be overheard by others.

Example #2: A doctor uses a waiting room to share bad news with a family member. The doctor is not making a reasonable effort to discuss private medical information away from others who may overhear. Ideally, the doctor should invite the family member to a more secluded area where he can speak with her in a confidential setting.

VII. Protecting Health Information

There are various ways to protect private health information or limit access to PHI, and these include using the minimum amount of information necessary, de-identifying information, using limited data sets, and making information inaccessible.

A. Minimum Necessary Information (MNI)

Under this law, any information that is shared should be limited to the “minimum necessary” – in other words, the least amount of information necessary to accomplish the purpose of the request.

Example #1: You have a duty to report a suspected case of child abuse to Children’s services. Rather than provide them with a complete copy of the medical records, you would abstract out what they need to know, such as the dates the child was admitted or treated at the hospital, and the relevant information as to why the abuse was suspected.


Example #2: A nurse could ask outside clergy to visit a patient, but can only mention that the patient is going in for heart surgery if the patient has been informed of this use and disclosure, and does not object.

However, the minimum necessary does not apply to:
• The sharing of medical records for treatment purposes, as physicians and other health care providers need full access to medical records in order to provide the best possible care
• Disclosures authorized by patients to federal or state agencies or third parties
• Authorization forms signed by patients to release the medical records, where the release is done pursuant to the conditions of the release form

B. De-Identified Information

Information is considered to be de-identified if it does not identify the individual, or if the hospital has no reasonable basis to believe it can be used to identify the individual. There are no restrictions on the use of de-identified health information. One way to demonstrate this is if a person with appropriate knowledge and experience applies statistical principles and makes a determination that the risk of identifying someone is very small. The following identifiers of the individual or of relatives, employers, or household members of the individual must be removed to achieve de-identification:
• Names
• All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code
• All elements of dates (except year) for dates directly related to the individual, including birth date, admission date, discharge date, date of death
• Phone number
• Fax number
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle ID and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Biometric identifiers, including finger and voice prints
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code, except as permitted for re-identification purposes, provided certain conditions are met.

There is some information that may remain, however.
• Age is allowed, but if the patient is over 90, you must say 90+
• Some geographical information is allowed. For example, you may mention a zip code if there are at least 20,000 people in that zip code.
• Gender, race, ethnicity, and marital status can remain
• Dates related to the subject of the information must be limited to the year

C. Limited Data Sets

Researchers have raised concerns that it is impractical to use de-identified data, as it would increase the workload of individual review boards even when no direct identifiers were needed for the study. The rule allows the use of what is known as "limited data sets" when protected health information is used for research, public health, or health care operations. In order to disclose a limited data set outside the hospital or covered entity, there must be a data set recipient agreement. This is similar to a business associate agreement.

A limited data set removes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

• Names
• Postal address information, other than town or city, State and zip code
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle ID and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Biometric identifiers, including finger and voice prints
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Full face photographic images and any comparable images
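As an added example (not from the study guide or its authors), the following Python applies the two lists above, Safe Harbor de-identification (section B) and the limited data set (section C), to one structured patient record and then checks what identifying fields remain. The field names, sample values and zip code populations are constructed assumptions; the 20,000-person zip code rule and the "over 90 means 90+" age rule follow the guide's wording.

```python
"""Safe Harbor de-identification vs. limited data set, applied to one structured
patient record. Added example; field names, sample values and zip populations
are constructed for illustration, not taken from the guide."""
from __future__ import annotations

from copy import deepcopy
from datetime import date

# Direct identifiers that BOTH a limited data set and a de-identified record
# must drop (the guide's list of names, numbers, URLs, IPs, biometrics, photos).
DIRECT_IDENTIFIERS = frozenset({
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "biometric_id", "url", "ip_address", "photo",
})
# Postal address elements a limited data set drops; town/city, State and zip
# code may remain in a limited data set.
STREET_FIELDS = frozenset({"street_address"})
# Geography below State level, all removed by Safe Harbor (zip code is handled
# separately under the guide's 20,000-person rule).
SUB_STATE_GEOGRAPHY = frozenset({"street_address", "city", "county", "precinct"})
# Dates directly related to the individual: Safe Harbor keeps only the year.
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date", "death_date"})

ZIP_MIN_POPULATION = 20_000  # guide: zip code may stay if it has at least 20,000 people
AGE_CAP = 90                 # guide: "if the patient is over 90, you must say 90+"


def limited_data_set(record: dict) -> dict:
    """Remove the direct identifiers but keep town/city, State, zip code and
    full dates. The result is still PHI: disclosure outside the covered entity
    needs a data set recipient agreement."""
    out = deepcopy(record)
    for field in DIRECT_IDENTIFIERS | STREET_FIELDS:
        out.pop(field, None)
    return out


def safe_harbor_deidentify(record: dict, zip_population: dict[str, int]) -> dict:
    """Apply the guide's Safe Harbor list. zip_population maps a zip code to its
    population; a zip code survives only when it covers enough people."""
    out = deepcopy(record)
    for field in DIRECT_IDENTIFIERS | SUB_STATE_GEOGRAPHY:
        out.pop(field, None)
    if "zip" in out and zip_population.get(out["zip"], 0) < ZIP_MIN_POPULATION:
        del out["zip"]
    for field in DATE_FIELDS:            # all date elements except the year go
        if isinstance(out.get(field), date):
            out[field] = out[field].year
    age = out.get("age")                 # age may stay, but over the cap it is "90+"
    if isinstance(age, int) and age > AGE_CAP:
        out["age"] = f"{AGE_CAP}+"
    return out


def residual_identifiers(record: dict, zip_population: dict[str, int]) -> set[str]:
    """Fields that still breach the Safe Harbor list; an empty set means the
    record is de-identified and free of HIPAA use restrictions."""
    bad = {f for f in record if f in DIRECT_IDENTIFIERS or f in SUB_STATE_GEOGRAPHY}
    if "zip" in record and zip_population.get(record["zip"], 0) < ZIP_MIN_POPULATION:
        bad.add("zip")
    bad |= {f for f in DATE_FIELDS if isinstance(record.get(f), date)}
    if isinstance(record.get("age"), int) and record["age"] > AGE_CAP:
        bad.add("age")
    return bad


# Constructed sample record: fictitious values, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe", "street_address": "12 Example Street",
    "city": "Springfield", "county": "Example County", "state": "KY",
    "zip": "42101", "age": 92, "gender": "F", "race": "White",
    "marital_status": "widowed", "diagnosis": "pneumonia",
    "birth_date": date(1920, 4, 9), "admission_date": date(2012, 11, 2),
    "discharge_date": date(2012, 11, 8),
    "phone": "555-0100", "email": "jane@example.invalid",
    "ssn": "000-00-0000", "mrn": "MRN-CONSTRUCTED-1", "ip_address": "192.0.2.10",
}
# Constructed zip populations: one large enough to keep, one too small.
SAMPLE_ZIP_POPULATION = {"42101": 31_000, "42102": 4_500}

if __name__ == "__main__":
    for label, rec in (("limited data set", limited_data_set(SAMPLE_RECORD)),
                       ("de-identified", safe_harbor_deidentify(SAMPLE_RECORD, SAMPLE_ZIP_POPULATION))):
        print(f"{label}: {rec}")
        print(f"  residual identifiers: {sorted(residual_identifiers(rec, SAMPLE_ZIP_POPULATION))}")
```

Note that the limited data set still fails the residual check on city, county, full dates and the uncapped age, which is exactly why it remains PHI and needs a recipient agreement.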


D. Making Information Inaccessible

Another way to limit access to PHI is to make it inaccessible. For example, under the HIPAA rule, sign-in sheets that require a patient's name and medical complaint may be a violation of privacy. The sign-in sheet provides individually identifiable health information that is accessible to anyone who signs in or looks at the log. Many facilities now ask patients to fill in single sheets or, at the least, limit sign-in sheet information to name and time of arrival only.

In addition, information must not be handled in a way that puts it at risk. A patient's medical record left on a counter is easily obtained by anyone and is no longer protected. Medical records should be made accessible only to those who need access to them. When not in use, medical records should be maintained in a secure manner that restricts access with locks or that requires records to be signed in and out. Computer screens should be positioned away from general access areas and have passwords or access codes that are changed frequently. Be sure not to post your access code or make it available to others, and log off your computer when not using the software. Be sure you are familiar with, and trained on, the safeguards that relate to your position.

VIII. Patients Have Rights!

Thanks to HIPAA regulations, patients have rights they have never had before. Prior to this law, patients had only varying degrees of access to their medical records, and limited control over who could view them. As discussed previously, the CMS Patient Rights Standards and The Joint Commission support the HIPAA rules. As a health care provider, you must become aware of your patients' rights, as well as your role in the process.

1) Patients must be given clear written explanations of how your facility may use and disclose their health information. This document is referred to as the Notice of Privacy Practices, or NPP.

The NPP discloses to the patient that protected health information can be used for payment, treatment, and health care operations. The NPP also includes a summary of Patient Rights, stating that information can be disclosed for other purposes; examples include appointment reminders and special situations such as law enforcement and court orders. The NPP also explains how records can be amended. Notices must also state that the entity is required by law to maintain the privacy of PHI. If the facility wants to contact the patient, the ways this will be done must be listed, such as for appointment reminders, soliciting funds, etc. An interpreter, such as the ATT language line, must be provided for patients who don't speak English well.

The HIPAA rule does not mandate the use of a consent form for treatment, payment or health care operations. Since consent is voluntary, it was necessary to develop a mechanism to make sure the patient actually received a copy of their NPP. Hospitals and other covered health care providers must make a good faith effort to obtain written acknowledgement from patients that they have received a copy of the NPP.

Example: If a patient comes to an appointment with a physician for treatment, the receptionist would hand the patient a copy of the lengthy NPP and obtain their signature acknowledging that they have received the document. If the patient's first encounter is by phone, a copy of the NPP could be mailed to the patient the following day. Even if the patient does not sign and return it, a good faith effort was made. An exception is made in emergency situations in which a patient arrives alone and the trauma is so severe that the patient must be rushed into surgery or other treatment.

2) Patients have the right to access their medical records in order to view and copy information that is used to make decisions about them, and it must be made available within 30 days of a written request. The CMS CoPs, in the section "Patient Rights Standards for Hospitals", also require that medical records be released, pursuant to an authorization, within thirty days. If the information is maintained in an electronic health record or EHR, the patient may request an electronic copy of the information (effective February 17, 2010). There are a number of exceptions to the right of access, including but not limited to psychotherapy notes, laboratory results, and information that is being compiled for use in legal action under the attorney-client privilege.
Facilities can deny access to the records if it would endanger the life or safety of the patient or another person; could cause domestic violence or abuse; or the information was obtained under a promise of confidentiality.

3) Patients have the right to amend incorrect or incomplete information in their records. For example, a patient discovers that there are notes in her record regarding a physical assessment when the patient knows there wasn't an assessment at that time. Or a patient is admitted as an assault victim, and the documentation says that her husband assaulted her when she never stated who attacked her. The patient can request that the medical record be altered to reflect true and accurate information. However, if the facility believes the information is correct, it can deny this request, and it must provide the patient with notice of a statement of disagreement.

4) Patients must give authorization before certain information is released. An authorization form allows for the release of medical information for non-routine disclosures and most non-health care purposes, such as employment determinations, and marketing and fundraising activities not specified in the regulations as part of health care operations.


Example: A patient is involved in an auto accident. Her attorney wants to file a personal injury lawsuit. She has her client sign a written authorization so that the hospital can send a copy of her medical records to her attorney.

The NPP must contain a statement indicating that most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of PHI require authorization, and a statement that other uses and disclosures not described in the NPP will be made only with authorization from the individual. HIPAA does not require separate authorizations to release records for uses and disclosures, and for research. This means that one authorization can be used instead of three separate forms. However, an authorization form is needed for using or disclosing protected health information for marketing. (For more information on marketing, please see section IX, Part O, Marketing and Fundraising, page 26.)

In an attempt to standardize authorization forms, the HIPAA regulations specify the core elements and requirements of authorization forms. The seven elements and requirements of authorization forms are:

• A description of the information to be used or disclosed
• The identification of the persons or class of persons authorized to make the use or disclosure of the protected health information
• The identification of the person(s) or class of persons to whom the covered entity is authorized to make the use or disclosure
• A description of each purpose of the use or disclosure
• An expiration date or event
• The individual's signature and date
• If signed by the personal representative, such as a guardian, parent or durable power of attorney, a description of his or her authority to act for the individual

Here are some other facts regarding authorization:

• Authorization must be written in plain language.
• Authorizations allow patients to request reasonable restrictions on the uses and disclosures of their information. For example, a patient may request that billing only go to their work address.
• The facility can choose whether or not to agree with the restrictions, and all such restrictions must be carefully documented.
• HIPAA does not require authorization for treatment, payment or healthcare operations. Care or payment cannot be denied to a patient who refuses to sign an authorization form.
• Authorization is voluntary, and patients can revoke authorization at any time.
• No authorization is needed for public policy purposes such as public health care activities, law enforcement purposes, to report health care fraud, for research purposes, laws requiring the production of information, or the donation of organs and tissue.
• A copy of the signed authorization form must be given to the patient if the covered entity seeks an authorization from an individual for the use or disclosure of protected health information.

Exception To Authorization

It is also important to point out that there is an exception to authorization for patients who come to the facility seeking treatment for their drug or substance abuse problem. In this instance, another federal confidentiality law must be recognized: 42 CFR Part 2 requires a special authorization form to release information. This federal law has the extra requirement that if a court order is served, it must show good cause.

A Word About Consent

At first glance, it may appear that consent and authorization mean the same thing; however, in the eyes of HIPAA, they are distinctly different. A consent form may be offered before health information can be used or disclosed for treatment, payment, and health care operations. It is not a legal requirement to have a consent form signed before you can treat a patient. If a facility chooses to offer a consent form, it should be written in general terms and may refer the patient to the hospital's NPP for further information about its practices. Because consent is voluntary or optional, protected health information can be disclosed for payment activities, not only to the hospital, but also for payment to a non-covered health facility.

Example: A nurse in the emergency department needs to transport a patient via ambulance to another hospital. She faxes over insurance information to the ambulance company, which requires this information in order to bill the patient for the transport. This is allowed under HIPAA.

The rules also permit the hospital or other covered entity to disclose protected health information to another covered entity for certain health care operations. For example, a physician may request data on immunizations from the hospital so he can complete the quality improvement requirements of The National Committee for Quality Assurance. This information may be disclosed. However, the reasons for the request must be stated; for example, supplying information so that data can be measured.

It is also important to note that the HIPAA law expanded the definition of health care operations. If there is a sale, transfer, merger, or consolidation of a facility with another facility, then the new facility will become a covered entity as part of the transaction. This includes the review period, which is known as due diligence.

6) Patients have the right to request a free accounting, every 12 months, of how their health information has been used. This includes any disclosures made for reasons other than treatment, payment or health care operations, such as for a court order. This accounting must include the date of disclosure, the name and address of each organization that received the information, and a brief description of what was disclosed and the purpose. This must be done within 30 days of the request.

Example: A hospital or other covered entity discloses medical records to the Department of Health for a sexually transmitted disease pursuant to the state's mandatory reporting laws. Because it is mandatory, the hospital does not need the patient's permission or an authorization to release the information. It does, however, have to keep track of reported patients should a patient request an accounting of disclosures.

There were several changes made to patients' rights regarding disclosure in the updated Security rule. For covered entities that acquire electronic health records (EHR) after January 1, 2009, this requirement will apply to disclosures made on or after January 1, 2011. For covered entities that acquired EHR on or before January 1, 2009, this requirement will apply to disclosures made on or after January 1, 2014.

7) Patients must be given notice of their right to restrict who will get information. For example, a patient can request that no information be shared with certain family members. In addition, patients who pay in full for the cost of treatment out of pocket may request that a facility not disclose to their health plan the PHI related to a particular treatment. If a provider is required by State or other law to submit a claim to a health plan for a covered service provided to the individual, and there is no exception or procedure for individuals wishing to pay out of pocket for the service, then the disclosure is required by law and is an exception to an individual's right to request a restriction to the health plan pursuant to § 154.522(a)(1)(vi)(A) of the Rule.

8) The patient's genetic information is protected. The Genetic Information Nondiscrimination Act (GINA) provides federal protection from genetic discrimination in health insurance and employment by prohibiting most health plans from using or disclosing genetic information for underwriting purposes. The law has two parts: Title I, which prohibits genetic discrimination in health insurance, and Title II, which prohibits genetic discrimination in employment. Title I makes it illegal for health insurance providers to use or require genetic information to make decisions about a person's insurance eligibility or coverage. This part of the law went into effect on May 21, 2009. Title II makes it illegal for employers to use a person's genetic information when making decisions about hiring, promotion, and several other terms of employment. This part of the law went into effect on November 21, 2009.

9) Patients have recourse if their rights are violated.

• If a patient feels his information was shared inappropriately, the individual has the right to file a formal complaint with either the facility or with the Department of Health and Human Services (Office of Civil Rights).
• Each facility must designate a contact person to receive complaints of violations, and this name must be listed in the privacy notice.
• A complaint must be filed within 180 days of knowing of the act, and a record must be kept of the complaint and how it is resolved.
• If a complaint is not responded to in a timely manner, it is considered a grievance. Hospitals should coordinate all grievance procedures with those required by CMS under their Patient Rights standards.

Breaches of Privacy and Security

The security requirements initiated as part of the American Recovery and Reinvestment Act, signed into law in February 2009, impose privacy and security requirements if there has been a breach of personal health information. A breach is defined as "the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information." Under this new requirement, covered entities must notify individuals whose "unsecured" PHI is breached, effective September 2009.

Requirements for the breach notice:

• The notification must be made within 60 days of discovery of the breach, or within 60 days of the date the breach should have been discovered.
• The notification should provide notice via first class mail to the individual's last known address, or by electronic mail if specified as a preference by the individual.
• The notice must include the following information:
  - Circumstances of the breach / description of what happened
  - Date of the breach
  - Date of discovery
  - Type of personal health information involved
  - Steps the individual should take to protect themselves
  - Steps the covered entity/business associate is taking to investigate the breach, mitigate harm, and protect against future breaches
  - How the individual can obtain additional information regarding the breach

If the breach affects fewer than 500 people, the breaches should be maintained in a log and reported annually to HHS. If 500 or more people are affected by the breach, HHS must be notified immediately, and the local media must be alerted. If a breach occurs with a business associate, the business associate must notify the covered entity of any breach of confidentiality of PHI acquired by the covered entity.

To prevent potential breaches to unauthorized individuals, private health information must be rendered unusable, unreadable or indecipherable, either by encrypting electronic PHI as specified in the Security Rule, or by destroying the media on which the PHI is recorded or stored. For example, paper, film or other hard copy media such as IV medication bags with ID stickers must be shredded or destroyed so that they cannot be read or reconstructed. Electronic media must be cleared, purged or destroyed.


Remember that all breaches of privacy and security are potentially damaging and should be considered unacceptable. If you suspect that there has been an actual or attempted security breach of any form of protected file, whether electronic, paper or recorded, report it to the correct authorities according to your organization's policy. Report any violations of confidentiality immediately to the privacy officer.

IX. HIPAA in Everyday Use

HIPAA rules will affect information you deal with every day. Some of these issues are topics that are covered under state law as well. In these circumstances, be aware that weaker state laws are preempted or overridden by the HIPAA regulations. However, state laws that are more stringent should be followed over HIPAA. Let's take a look at specific examples of where you'll see HIPAA rules practiced.

A. The Hospital Patient Directory

Any time a patient enters a facility, their identity is included in some form in a patient directory. Here are some rules you need to remember:

• The patient must be given notice that information will be given out in a directory. This can be verbal or written. Be sure to document the patient's approval and whether this notice was given to them in written or verbal form. Most facilities will list this in their Notice of Privacy Practices.
• Patients must be given the opportunity to choose not to be included in the patient directory before the information is disclosed. If the patient does not want to be listed in the directory, this must be documented so that the person providing information is aware of the patient's wishes, and cannot confirm or deny that the patient is in the facility.
• Professional judgment may dictate that a person's identity be kept confidential; for example, protecting the identity of a gang-related shooting victim who is unconscious and unable to read the information contained in the NPP.
• However, identities can be disclosed to entities providing relief in disasters, such as the Red Cross during fires, floods, or terrorist attacks.

Even though it is the patient's responsibility to choose not to be included in the patient directory, they should be made aware that by doing so the facility will not be giving information to callers and that flowers may not be able to be delivered.


If a person calls to inquire about a patient, keep in mind the following:

1) A person must inquire about the patient by name.
2) The provider may then give the condition of the patient as fair, critical, stable, etc.
3) The location of the patient may be given.

B. Sign-In Sheets

Although once disallowed, on July 6, 2001 a guidance communication from the DHHS allowed the use of common practices such as sign-in sheets, X-ray light boards and bedside medical charts, as long as reasonable precautions are taken to safeguard patient information. Therefore, when dealing with sign-in sheets, it is strongly recommended that only the patient's name and time of arrival or appointment be asked for, and that private medical information such as the reason for the visit not be listed in a manner that is in plain view of others. However, facilities may choose to ask patients to fill in single sheets and eliminate this problem altogether.

C. Family Inquiries / Families Assisting With Care

A patient must be given written or verbal notice and the opportunity to opt out before information can be disclosed to next of kin. This information is also added to the NPP. A reasonable effort must be made to allow the patient to authorize information to be given to family and friends. For example, patients can request that the facility deny information to family or friends, even if they are involved in the care of the patient. As with any privacy request, be sure to document this request in their records.

Example: A patient requests that her father not be informed of her whereabouts. The father asks about her location and, when asked for his relationship to the patient, he lies and says he's her uncle. The facility took the proper steps in trying to establish his identity; therefore, it cannot be held liable for the breach in privacy.

The facility should use discretion in disclosing information to family members, relatives and close friends assisting with the care of the individual. For example, calls may need to be made to notify family members of a patient's location, condition or death; or the clinician may infer from the circumstances that the patient does not object to disclosure, such as when family members ask questions of caregivers while in the room with the patient.

Remember that as a health care worker, any time you share information with those involved in the patient's care, you still need to be sure that the disclosure of patient information is in the best interest of the patient, and that the information you disclose is relevant to the request.


However, it's important to note that the new rules now allow entities to release the PHI of deceased individuals to family members and others if they were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any previously expressed request by the patient.

D. Parents and Minors

Parents and guardians are considered the "personal representative" of the minor child and have a right to see the minor's PHI. Generally, a minor cannot consent to treatment unless the state has a law on minor exceptions, and HIPAA retains this right. Recent revisions clarified that state law will control the issue when it allows for disclosure of the minor's protected health information to the parent.

Let's say, for example, that a state allows a minor to consent to treatment for a sexually transmitted disease. If state law specifically states that the parents cannot have access to the protected health information, then they will not have access. If the parent is not the personal representative of the minor, and state law does not grant them access to the medical records, then the parent will be denied access.

In another example, a parent kicks her pregnant teenage daughter out of the house. The state has a law that recognizes her as an emancipated minor, which means that her mother loses all parental rights and can have no access to the daughter's medical record information. HIPAA would allow this.

The new enforcement rules also make it easier for parents to authorize the disclosure of proof of child immunization to a school where State or other law requires the school to have such information prior to admitting the student. While written authorization will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself if the individual is an adult or emancipated minor, and this must be documented.

Exceptions to this Parents and Guardians rule:

• When the parent/guardian agrees that the health care provider and minor have a confidential relationship
• When the provider reasonably believes that the minor may be the victim of abuse or neglect by the parent/guardian
• When treating the parent/guardian as the minor's representative could endanger the minor


E. Clergy / Other Religious Personnel

Upon admission, the patient has the right to restrict religious information. For example, the patient may wish not to disclose a religious preference; they may ask that outside clergy not be given their name or location; or they may ask that no visitation by the facility's religious personnel be granted. When sharing information with outside clergy, no specific medical information may be shared concerning the patient. If a patient wants visitation, clergy may only know a patient's name and location, but cannot be told what the patient's medical condition is, or specific medical information.

Example: A nurse could ask outside clergy to visit a patient, but can only mention that the patient is going in for heart surgery if the patient has been informed of this use and disclosure, and does not object.

F. 911 Calls

Paramedics / EMTs at the scene of an emergency can provide medical information that can alert police to the:

• Commission and nature of a crime
• Location of the crime or the victims of the crime
• Identity, description, or perpetrator of the crime

The exception to this rule is if the crime was the result of abuse, neglect, or domestic violence, where special rules and state laws apply. (See Section IX, Part K, Patient Abuse, page 25.)

G. Missing Persons

Information regarding missing persons can be shared by a facility if the request from police is received in writing or verbally, or the media makes an announcement asking for the public's assistance in identifying a suspect. In that case, the following can be disclosed:

• The blood type or Rh factor, along with the time and date of death
• Physical characteristics such as scars, height, weight, gender, race, hair color, eyes, and facial hair
• No dental records or DNA data may be released


H. Patient Deaths If there is a suspicious death of a patient, personnel may report to police the suspicion that the death was the result of criminal conduct. This allows the police to begin an investigation in a timely manner.

I. Cadaver Donation of Organs Hospitals can disclose protected health information if they are engaged in the procurement, banking or transplantation of organs, eyes and tissues. CMS and The Joint Commission require that a call be made to an organ procurement agency whenever there is a patient death. This is known as the One Call rule, and HIPAA allows this disclosure to be made.

J. Law Enforcement
Law enforcement requests must also follow HIPAA regulations. When dealing with law enforcement, there are certain rules to keep in mind:

• State reporting laws that are not inconsistent with HIPAA laws are allowed.

Example: Certain injuries such as gunshot wounds, stab wounds, or situations where domestic violence, abuse or negligence are suspected should be reported as allowed by your state law, and police must follow these laws in requesting information.

• Medical information can be disclosed if there is evidence of criminal conduct on the premises.

Example: A patient is admitted into the Emergency Department and hospital personnel find drugs on the patient. A nurse can turn the drugs found on the patient over to the police, but may not be able to tell the officer the patient's name if the state statute does not allow for this disclosure.

Law enforcement requests must consist of the following:

1) The information is relevant and material to a legitimate law enforcement inquiry.

2) The request is as specific and narrowly drawn as reasonably possible.

The release of PHI to law enforcement is contingent on a warrant, summons, a court order, or grand jury subpoena. Facilities do not need authorization in order to release private medical information under these circumstances. De-identified information, or information that has been stripped of any identifiers, cannot be used to meet the purpose of the request.

Note: Subpoenas require a waiting period in order to give the other side an opportunity to object to the release. This time period is usually set by the State.

There have been instances when law enforcement officials have used their public office for private reasons. The HIPAA law specifies how and when law enforcement can gain access to medical records. The use of law enforcement authority to gain information for private use rather than police business is not a disclosure permitted by HIPAA law and is considered an inappropriate disclosure. In fact, anyone turning over records under these circumstances is performing an illegal action and could be subject to jail.

Law Enforcement Exceptions

• A workforce member who is a victim of a crime may disclose medical information to law enforcement about the perpetrator of the crime.

Example: A doctor is mugged on the hospital premises but manages to bite his attacker before the attacker flees. Later, while the doctor is working at the hospital, a man is admitted with a bite mark and the doctor identifies him as the attacker. The doctor may call the police and identify the man while supplying medical information regarding the source of his wound.

• There is a serious threat to health or safety.

Example: A suspect has escaped from jail, or confessed while in the hospital that he plans to set more fires. In the past, over seven people have died as a result of his arson activities. The nurse can disclose to the officer the patient's statement, his name, address, and type of injury unless the information was disclosed during the course of therapy or counseling.

K. Patient Abuse
If you suspect that a patient is the victim of abuse, you do not have to accept a family member or caregiver as the personal representative of the patient if there is reasonable belief that this individual inflicted the domestic violence, abuse or neglect, and that this person could endanger the patient. In other words, do not disclose any information regarding the patient to the suspected abuser, cite this rule as your reason, and document your suspicions and the conversation carefully.

L. Public Health / Health Oversight Activities
There are certain situations that call for the release of PHI without the patient's consent. These situations may be reported if allowed by state law, such as specified diseases, certain injuries, child abuse, elder abuse, or domestic violence. These can be reported if the disclosure is necessary to prevent serious harm or the patient lacks the capacity to agree to the disclosure, and the police are authorized to receive the report.


If a disclosure is made according to state law, the patient does not need to be informed of the report. For example, if a patient is diagnosed with tuberculosis, the patient does not need to be notified that it is being reported to the Department of Health. A patient does not have to be informed if suspected abuse or neglect is being reported to state agencies or the police pursuant to a state or federal law.

Other health oversight activities also call for the release of PHI, such as audits, investigations, inspections, civil or criminal investigations, and civil rights laws.

Whatever the activity, it is imperative that the identity and authority of the person receiving the information be verified.

M. Quality of Care Issues
There are some Quality of Care issues that allow for the release of PHI. These include:

• Providing information to the FDA for reporting adverse events, and tracking medical devices
• Reporting breaches of professional standards or problems with quality of care to oversight or accreditation agencies

N. Research
Research is defined in the HIPAA rule to mean "a systematic investigation, including research development, testing, and evaluation, designed to contribute to generalized knowledge". The rules require only three findings by the Institutional Review Board (IRB) or privacy board to waive the authorization for non-clinical research. The three criteria are:

1. The use or disclosure of protected health information involves no more than a minimal risk to the privacy of the individual
2. The research could not practically be done without the waiver
3. The research could not practically be conducted without access to and use of the protected health information

O. Marketing and Fundraising
Marketing materials cannot be sent out unless there is first a signed authorization. An authorization is also mandated before protected health information can be disclosed to a business associate for marketing purposes. Marketing is defined as "making a communication about a product or service that encourages the person to purchase or use the product or service". It also includes an arrangement between a hospital or other covered entity, and any other entity, if one facility discloses medical record information or protected health information to the other. Exceptions from the definition of marketing include if marketing is used:

• For treatment of the patient
• For case management or care coordination, or to recommend direct alternative treatments, therapies, health care providers, or settings of care to the patient
• To describe a health-related product or service, or payment of the service, that is provided or included in a plan of benefits of the entity that is making the communication. It also includes communications about the entities that are participating in the health plan network, health plan, and health related products or services.

• Refill reminders
• For communications promoting health in general that do not promote a product or service from a particular provider
• For communications about government and government-sponsored programs

There were two specific exceptions to this rule:

• If there was a face to face encounter with the individual. For instance, a healthcare professional may recommend a specific product with a sample or pamphlet, even if they receive financial compensation for promoting the product.
• If a promotional gift of nominal value was provided by the hospital or other covered entity

Note: Communications made over the phone, by mail or email do not constitute face to face communications and require authorization!

This last was included because hospitals send patients mugs, magnets or pens with the hospital's logo on it. However, if the marketing of a health-related product or service involves direct or indirect remuneration from a third party, then there must be authorization and it must state that payment is received. As of February 17, 2010, a covered entity may not send marketing materials to an individual and get paid for it unless the patient authorizes it, or is taking the medication being marketed. In addition, an individual cannot be sent marketing materials for free unless authorized by the individual, or it is sent for a specific purpose (such as recommending alternative health care options).

P. Psychotherapy Exception
Patients do not have the automatic right to access psychotherapy notes. This is because psychotherapy notes are held to a higher standard of protection since they are not part of the medical record and are not meant to be shared with anyone else. Psychotherapy notes are defined as "detailed notes recorded in any medium by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private, group, or family counseling session". Many psychiatrists or psychologists will videotape, audiotape, or record verbatim the conversations during counseling services. Psychotherapy notes cannot be accessed if:

• They are used only by the recording therapist
• They are maintained separately from the medical record
• They include notes regarding medication prescription and monitoring, a summary of the treatment plan, symptoms, prognosis, progress, and diagnosis

X. Summary
The fact is, in the health care environment, ensuring the security of private medical information is everyone's responsibility. Failure to do so can have many consequences – to you personally, to your facility, and to the patients who have entrusted you with their care. Be sure you take part in HIPAA training, and become knowledgeable about patients' rights and your role in protecting them. Your facility's compliance with HIPAA regulations ultimately comes down to you.



© Envision, Inc. 644 West Iris Drive * Nashville, TN 37204

www.EnvisionInc.net


Post Test

1. T or F. Compliance with HIPAA is voluntary, not mandatory.

2. There are four entities covered by the HIPAA rule:
a. Hospitals, Medicaid, outpatient services, and billing services
b. Health care providers, health plans, health care clearinghouses, and their business associates
c. Physicians, nurses, admittance desk clerks and accounting
d. None of the above.

3. Examples of Individually Identifiable Health Information that could be used to identify an individual include:
a. Name, License number, photograph
b. Birth date, address, account number
c. County, finger print, phone number
d. All of the above

4. T or F. A receptionist always leaves the window open to the waiting room while she converses with patients on the phone. These conversations can be overheard by patients in the waiting room. This is an example of Incidental Disclosure.

5. T or F. Providing the "minimum necessary" information does not apply to the sharing of medical records amongst physicians and other health care providers for treatment purposes.

6. T or F. A consent form discloses to the patient that health information can be used or disclosed for treatment, payment, and health care operations.

7. The following can be said about authorization:
a. Patients must give authorization before certain information is released
b. A health care facility can deny treatment to a patient that does not sign an authorization form
c. Authorization is needed to release information for public policy purposes such as public health care activities or law enforcement purposes
d. All of the above

8. T or F. State regulations override all inconsistencies with the HIPAA regulations.


9. Law enforcement can request PHI if:
a. The information is relevant and material to a legitimate enforcement inquiry
b. They supply a warrant or subpoena
c. The request is as specific and narrowly drawn as possible
d. All of the above

10. T or F. Marketing materials cannot be sent out unless there is first a signed authorization.


Answer Key

1. False. HIPAA is a federal regulation and as such, compliance is mandatory.

2. B. Health care providers, health plans, health care clearinghouses, and their business associates are the four entities covered by the HIPAA rule.

3. D. All of the above answers count as individually identifiable health information since this information by itself could be reasonably believed to provide information that could identify an individual.

4. False. Incidental exposure is a disclosure that cannot be reasonably prevented, is limited in nature, and occurs as a by-product of otherwise permitted use or disclosure. This example would not be an incidental disclosure as it was foreseeable that protected health information could be overheard by others.

5. True. Under HIPAA, an individual's health information that is shared should be limited to the "minimum necessary". However, the minimum necessary does not apply to physicians and other health care providers who need full access to medical records in order to provide the best possible care.

6. False. The Notice of Privacy Practices rather than a Consent form discloses to the patient that protected health information can be used for payment, treatment, and health care operations. The NPP would also include a summary of Patient Rights, stating that information can be disclosed for other purposes as well, such as appointment reminders and special situations such as law enforcement, court orders, and that the facility is required by law to maintain the privacy of PHI.

7. A. Patients must give authorization before certain information is released. B is incorrect because a health care facility cannot deny treatment to a patient that does not sign an authorization form; and C is incorrect because no authorization is needed to release information for public policy purposes such as public health care activities or law enforcement.

8. False. Weaker state laws are pre-empted or overridden by the HIPAA regulations. If state laws are more stringent, then they should be followed.


9. D. All of the above. All of the above answers can be used to request PHI by law enforcement. However, de-identified information, or information that has been stripped of any identifiers, cannot be used to meet the purpose of the request.

10. True. An authorization is also mandated before protected health information can be disclosed to a business associate for marketing purposes.