HIPAA Reference Guide

A comprehensive resource to align with HIPAA privacy and security regulations

FIRST EDITION


II HIPAA Reference Guide AAPC | 1-800-626-2633

Disclaimer

Decisions should not be made based solely upon information within this reference guide. All judgments impacting career and/or an employer must be based upon individual circumstances including legal and ethical considerations, local conditions, payer policies within the geographic area, and new or pending government regulations, etc.

AAPC does not accept responsibility or liability for any adverse outcome from using this reference guide for any reason including undetected inaccuracy, opinion, and analysis that might prove erroneous or amended, or the individual’s misunderstanding or misapplication of topics.

Application of the information in this text does not imply or guarantee claims payment. Inquiries of your local carrier(s)’ bulletins, policy announcements, etc., should be made to resolve local billing requirements. Payers’ interpretations may vary from those in this program. Finally, the law, applicable regulations, payers’ instructions, interpretations, enforcement, etc., may change at any time in any particular area.

AAPC has obtained permission from various individuals and companies to include their material in this manual. These agreements do not extend beyond this program. It may not be copied, reproduced, dismantled, quoted, or presented without the expressed written approval of AAPC and the sources contained within.

No part of this publication covered by the copyright herein may be reproduced, stored in a retrieval system or transmitted in any form or by any means (graphically, electronically, or mechanically, including photocopying, recording or taping) without the expressed written permission from AAPC and the sources contained within.

Medicare Disclaimer

This publication provides situational examples and explanations, of which many are taken from the Medicare perspective. The individual, however, should understand that while private payers typically take their lead regarding reimbursement rates from Medicare, it is not the only set of rules to follow.

While federal and private payers have different objectives (such as the age of the population covered) and use different contracting practices (such as fee schedules and coverage policies), the plans and providers set similar elements of the quality in common for all patients. Nevertheless, it is important to consult with individual private payers if you have ques-tions regarding coverage.

AMA Disclaimer

CPT® copyright 2019 American Medical Association. All rights reserved.

Fee schedules, relative value units, conversion factors and/or related components are not assigned by the AMA, are not part of CPT®, and the AMA is not recommending their use. The AMA does not directly or indirectly practice medicine or dispense medical services. The AMA assumes no liability for data contained or not contained herein.

CPT® is a registered trademark of the American Medical Association.

The responsibility for the content of any “National Correct Coding Policy” included in this product is with the Centers for Medicare & Medicaid Services and no endorsement by the AMA is intended or should be implied. The AMA disclaims responsibility for any consequences or liability attributable to or related to any use, nonuse or interpretation of information contained in this product.

© 2020 AAPC, 2233 South Presidential Drive, Suites F–C, Salt Lake City, Utah 84120

800-626-2633, Fax 801-236-2258, www.aapc.com. Published: 03202020. All rights reserved.

Print ISBN: 978-1-626889-842
e-Book ISBN: 978-1-626889-934


Contents

Introduction .... IX

Chapter 1: HIPAA Introduction .... 1
HIPAA Administrative Simplification Statute and Rules .... 1
HIPAA Omnibus Rule .... 1
In the News: HIPAA Introduction .... 2

Chapter 2: The Privacy Rule .... 7
Protected Health Information (PHI) .... 7
Minimum Necessary .... 8
Sample Policy: Minimum Necessary Policy .... 9
Use and Disclosure of PHI .... 11
Rules for Disclosure of PHI .... 15
Patient Accounting of Disclosures .... 17
In the News: Use and Disclosure of PHI .... 19
Marketing .... 20
PHI Sale .... 23
The De-identification Standard for Privacy and Standard Rules .... 23
Re-identification .... 25
Notice of Privacy Practices .... 26
Some Common Questions Regarding Notice of Privacy Practices .... 27
In the News: Notice of Privacy Practices .... 28
Business Associate Agreements (BAA) .... 29
In the News: Business Associate Agreements .... 30
Provider Policies and Training .... 35
Privacy Personnel .... 36
Communication, Retaliation, and Waiver of Rights .... 36
Disciplinary Policy .... 36
Mitigation and Safeguards .... 36
Documentation and Record Retention .... 37
In the News: Training .... 37


Chapter 3: The Security Rule .... 49
Administrative Safeguards .... 49
Documentation and Record Retention .... 56
Additional Security .... 56
In the News: The Security Rule .... 58
Cybersecurity .... 71
In the News: Cybersecurity .... 73

Chapter 4: Breach of Protected Health Information .... 87
Breach Notification Requirements .... 88
Individual Notice .... 89
Media Notice .... 89
Notice to the Secretary .... 89
Notification by a Business Associate .... 89
Workforce Members .... 90
Business Associate .... 90
Agreement for Services .... 90
Disciplinary Policy .... 101
Job Description for a Compliance Officer .... 102

HIPAA Resources .... 105
HIPAA Resources Mentioned in This Book .... 105
1. Centers for Medicare & Medicaid Services. 2019. CMS Process for HIPAA Administrative Simplification Compliance .... 105
2. Centers for Medicare & Medicaid Services. April 10, 2019. HIPAA Administrative Simplification Bulletin; Provider Pilot Program .... 105
3. Department of Health & Human Services. November 26, 2012. Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule .... 106
4. Department of Health & Human Services, Office for Civil Rights. HIPAA Privacy Rule and Sharing Information Related to Mental Health .... 138
5. Department of Health & Human Services, Office for Civil Rights. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules. Jan. 25, 2013, Federal Register, Vol. 78, No. 17 .... 151
6. Department of Health & Human Services, Office for Civil Rights. Summary of the HIPAA Privacy Rule .... 152
7. Department of Health & Human Services, Office of Inspector General. December 7, 2016. OIG Policy Statement Regarding Gifts of Nominal Value to Medicare and Medicaid Beneficiaries .... 177


Additional Helpful Resources .... 178
8. The Office of the National Coordinator for Health Information Technology. April 2015. Guide to Privacy and Security of Electronic Health Information, Vol. 2 .... 178
9. The Office of the National Coordinator for Health Information Technology. August 2009. Privacy and Security Solutions for Interoperable Health Information Exchange; Report on State Medical Record Access Laws. RTI Project Number 0209825.000.015.100 .... 240
10. The Office of the National Coordinator for Health Information Technology. August 2009. Security Risk Assessment Tool .... 242
11. The Office of the National Coordinator for Health Information Technology. August 2009. State Law Requirements for Patient Permission to Disclose Health Information Report. RTI Project Number 0209825.000.015.100 .... 242

Templates and Sample Policies .... 243
Business Associate Contracts .... 243
Disciplinary Policy .... 247
HIPAA Disclosure Tracking Log .... 248
Job Description for a Compliance Officer .... 249
Medical Record Authorization .... 251


Introduction

A joint study from the American Medical Association (AMA) and Accenture found that about 83 percent of physicians, roughly four out of five, had been the victims of a cyberattack.

With statistics like these, you can see why it’s imperative that your HIPAA compliance program and breach reporting remain up to date, impermeable, and above reproach. In response, the HIPAA Medical Reference Guide was created to safeguard the compliance of your medical practice by equipping you to secure the frontlines and back doors to your patients’ protected health information.

Referring to case studies of breach analysis, our nationally-recognized HIPAA compliance experts lay out best practices and guide you step-by-step through the dos and don’ts of compliance. Among our comprehensive coverage, we show you how to recognize and lock down your risk areas, including how to:

• Evaluate your vulnerabilities and guard against cyber threats
• Assess, analyze, and manage your EHR
• Plan for emergency management
• Properly dispose of PHI
• Ensure your BAAs are HIPAA compliant
• Prepare for community-wide disasters

We also introduce you to official guidance on cybersecurity, highlight new technologies to boost your practice IT, and discuss CMS interoperability. Plus, we provide numerous toolkits to facilitate breach reporting, analyze your practice’s risk assessment, beef up your cybersecurity, and boost your ehealth vernacular.

With the HIPAA Medical Reference Guide you can implement an ironclad HIPAA compliance program and head off corrective action plans that often take years to complete and cost several times the expense of the monetary settlements.


Chapter 2: The Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect a patient’s medical record and other personal health information held by covered entities. It does permit the disclosure of personal health information needed for the patient’s care.

The Privacy Rule has two parts:

1. The responsibilities of the “covered entities” to use, disclose, and protect all patients’ protected health information (PHI), and

2. The rights of patients regarding their PHI and the information contained within their medical record.

The Privacy Rule defines and limits the circumstances in which an individual’s PHI may be used or disclosed by covered entities.

Depending on the situation and the type of information that is to be disclosed, there are different requirements for permissions obtained from the patient or their legal representative:

1. The first level involves the disclosure of PHI without the need for a patient’s written authorization and without the need to obtain a patient’s agreement or disagreement.

2. The second level includes the circumstances when there is no need for a patient’s written authorization, but the patient has the right to agree or disagree to the disclosure.

3. The third level is when specific written authorization must be obtained from the patient or their legal representative to disclose the PHI. This authorization level covers all other disclosures not in the first two categories.

Simply put, PHI may be used or disclosed either:

1. As permitted by the patient or patient representative in writing; or

2. As the Privacy Rule allows.

Protected Health Information (PHI)

PHI is all individually identifiable health information, in any form, electronic or non-electronic, that can be linked to a patient and that is held or transmitted by a HIPAA-covered entity or its business associate. This includes individually identifiable health information in paper records that has never been electronically stored or transmitted.

The following are components of PHI:

1. Patient’s name

2. Geographic subdivisions smaller than a state: street address, city, county, precinct (used in some practice management software, indicating a certain district for government reporting), and ZIP code

3. Dates (other than year) directly related to a patient, including birth date, admission date, discharge date, and date of death


Medical Record Authorization

Authorization to Release or Obtain Protected Health Information (PLEASE PRINT)

Patient Name (Last, First):
Maiden/Other Name:
Phone:
Date of Birth:
Social Security No.:
Address:
City: State: ZIP:

I authorize (Organization Name) to release information contained in my medical records to the following healthcare person or institution indicated below:

Institution or Requestor:
Attention to:
Address:
City, State, ZIP:
Phone:

I authorize the following institution to release protected health information contained in my medical record to (Organization Name):

Institution or Requestor:
Phone:

INFORMATION TO BE RELEASED (indicate dates if known): Pertinent Medical Data; History & Physical Report; Consultation Report; Operative Report; X-ray Report; Lab Report; Pathology Report; Discharge Summary; Emergency Room; Other.

REASON FOR DISCLOSURE (check or circle): Continuation of Care; Medical Consultation; Attorney Inquiry; Social Security; Workers’ Comp; Insurance Claim; Employer Request; Other.

Check or circle one if you want this information released: Alcohol/Drug Abuse; Mental Health; HIV/AIDS.

Anticipated completion date: 30 Days / 60 Days / 90 Days

This authorization to disclose information may be revoked by the patient at any time, except to the extent that action has already been taken in reliance on it (if copies have already been sent, the revocation does not recall them). A written revocation can be sent to the compliance officer of (Organization Name & Address). This authorization expires one year from the date of signature.

Signature of Patient: Date:

Signature of Parent or Guardian: Date:

Witness to Signature: Date:

Approved: Denied: Reason: Date:

Identification verified by: Photo ID / SS Card / Driver’s License / Other


Questions and Answers: Use and Disclosure of PHI

Question: How long do I need to maintain a patient’s protected health information after that patient dies, according to the HIPAA regulations?

Answer: A patient’s death does not end HIPAA protection. The HIPAA Privacy Rule protects a patient’s individually identifiable health information for 50 years after the date of death, according to the HHS Office for Civil Rights (OCR). Note that this is a limit on how long the information remains protected, not a retention requirement: HIPAA sets no retention period for medical records themselves (state law and payer contracts do), although it does require that required HIPAA documentation, such as policies and authorizations, be kept for six years.

“During the 50-year period of protection, the personal representative of the decedent (i.e., the person under applicable law with authority to act on behalf of the decedent or the decedent’s estate) has the ability to exercise the rights under the Privacy Rule with regard to the decedent’s health information, such as authorizing certain uses and disclosures of, and gaining access to, the information,” OCR notes in its guidance on decedents’ health information; the 50-year limit itself is written into the definition of PHI at 45 CFR 160.103.

Keep in mind that if a family member needs information about the decedent’s healthcare specifically for the family member’s own healthcare treatment, the practice “may disclose a decedent’s protected health information, without authorization, to the healthcare provider who is treating the surviving relative,” OCR says on its website in a separate question and answer.

Marketing

Disclosure of personal information including PHI has been a worry of patients for a long time. HIPAA created several limitations on using PHI for marketing purposes. Marketing is defined as any communication about a product or service that encourages patients to purchase or use the product or service. Exceptions to this definition are disclosures for treatment purposes or for describing healthcare products or services related to health and benefit plans, or in case management or care coordination.

Note: One should be careful when using patient testimonials: You will need a privacy waiver (authorization), and some state medical boards restrict what information can be disclosed regarding what patients may say. A compliance officer should perform due diligence by verifying whether their state law is more stringent than the federal law.

It is important to understand that the Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s authorization. This definition of marketing has certain exceptions, as discussed below. Examples of marketing communications requiring prior authorization are:

• A communication from a hospital informing former patients about a cardiac facility, which is not part of the hospital, that can provide a baseline EKG for $39, when the communication is not for providing treatment advice.

• A communication from a health insurer promoting a home and casualty insurance product offered by the same company.


§§ 164.514(b) and (c) of the Privacy Rule contain the implementation specifications that a covered entity must follow to meet the de-identification standard. The Privacy Rule provides two methods by which health information can be designated as de-identified.

HIPAA Privacy Rule De-identification Methods (figure)

Expert Determination, § 164.514(b)(1): apply statistical or scientific principles; very small risk that the anticipated recipient could identify the individual.

Safe Harbor, § 164.514(b)(2): removal of 18 types of identifiers; no actual knowledge that the residual information can identify the individual.

Two methods to achieve de-identification in accordance with the HIPAA Privacy Rule:

1. The first is the “Expert Determination” method:

Privacy Rule Excerpt

(b) Implementation specifications: requirements for de-identification of protected health information. A covered entity may determine that health information is not individually identifiable health information only if:

(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and

(ii) Documents the methods and results of the analysis that justify such determination;

2. The second is the “Safe Harbor” method:

(2)(i) The following identifiers of the individual, or of relatives, employers, or household members of the individual, are removed (18 categories in all):

(A) Names
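The two methods above, as an added worked example (this is not code from the AAPC guide or from HHS): the script applies the Safe Harbor element rules to a few constructed patient records, then measures the smallest equivalence class over the quasi-identifiers that Safe Harbor leaves behind, which is the simplest form of the re-identification risk that the Expert Determination method has to reason about. The record schema, the field names in DROP_FIELDS, the sample records, the reference date and the regular expressions are assumptions made for the example. The restricted ZIP3 list is the set of three-digit ZIP areas that the HHS de-identification guidance (resource 3 below) identifies from the 2000 census as having 20,000 or fewer residents, which Safe Harbor requires to be reported as 000; re-check it against current census data before using it.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) applied to constructed
sample records, followed by a k-anonymity check on what is left.
Added example for the AAPC HIPAA Reference Guide; not code from the guide or HHS."""
import re
from collections import Counter
from datetime import date

# ZIP3 areas with 20,000 or fewer residents in the 2000 census, listed in the HHS
# de-identification guidance; Safe Harbor requires these to be reported as "000".
# Re-check against current census data before relying on this list.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifiers a regex can catch in free text. Names and record numbers in prose
# need dictionary or NLP methods; a regex pass alone does not satisfy Safe Harbor.
_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),                 # must run before PHONE
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]

# Fields in the assumed record schema that are direct identifiers: removed outright.
DROP_FIELDS = {"name", "ssn", "mrn", "phone", "email", "street", "city", "county",
               "account", "health_plan_id", "device_id", "ip", "url", "photo"}


def safe_harbor_zip(zip_code: str) -> str:
    """Keep only the first three ZIP digits, and only if that ZIP3 area is populous."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def safe_harbor_age(birth: date, as_of: date) -> str:
    """Age in whole years; everyone over 89 is reported as the single category 90+."""
    age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    return "90+" if age >= 90 else str(age)


def scrub_text(text: str) -> str:
    """Replace regex-detectable identifiers in free text with category labels."""
    for pattern, label in _TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor element rules to one record."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "dob":
            out["age"] = safe_harbor_age(value, as_of)
            if out["age"] != "90+":            # a birth year would reveal an age over 89
                out["birth_year"] = str(value.year)
        elif isinstance(value, date):          # admission, discharge, death: year only
            out[key + "_year"] = str(value.year)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


def smallest_group(records: list, quasi_ids: tuple) -> int:
    """Size of the smallest equivalence class over the quasi-identifiers.
    A result of 1 means some record is unique on those fields: a re-identification
    candidate even though every Safe Harbor identifier has been removed."""
    counts = Counter(tuple(r.get(q) for q in quasi_ids) for r in records)
    return min(counts.values())


AS_OF = date(2020, 3, 20)      # reference date for computing ages (assumption)
SAMPLE = [                     # constructed records; the people and values are fictional
    {"name": "Jane Roe", "ssn": "123-45-6789", "dob": date(1958, 4, 2), "sex": "F",
     "zip": "84120", "admit": date(2019, 11, 3), "dx": "I10",
     "note": "Pt called from 801-555-0100 on 11/02/2019 re: BP meds."},
    {"name": "John Doe", "ssn": "987-65-4321", "dob": date(1927, 1, 15), "sex": "M",
     "zip": "03601", "admit": date(2019, 12, 8), "dx": "E11",
     "note": "Family contact jdoe@example.com; see https://portal.example/chart/42"},
    {"name": "Amy Poe", "dob": date(1958, 9, 30), "sex": "F", "zip": "84118",
     "admit": date(2020, 1, 22), "dx": "J45", "note": "Routine follow-up."},
]


def deidentify_sample() -> list:
    """De-identify the constructed sample set."""
    return [deidentify(r, AS_OF) for r in SAMPLE]


if __name__ == "__main__":
    cleaned = deidentify_sample()
    for r in cleaned:
        print(r)
    print("smallest group on (birth_year, sex, zip3):",
          smallest_group(cleaned, ("birth_year", "sex", "zip3")))
```

Run as is, the 90-plus patient in a restricted ZIP area comes out unique on (birth_year, sex, zip3) even after every Safe Harbor element is gone, which is exactly the situation the Safe Harbor method’s second condition (no actual knowledge that the remaining information could identify the individual) and the Expert Determination method’s “very small risk” test are about. Free-text scrubbing by regex catches only formatted identifiers; a record that carries names or medical record numbers in narrative notes still needs a dictionary- or NLP-based pass before the Safe Harbor condition is met.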


HIPAA Resources

HIPAA Resources Mentioned in This Book

1. Centers for Medicare & Medicaid Services. 2019. CMS Process for HIPAA Administrative Simplification Compliance. Retrieved from https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/Enforcements/Downloads/ASComplianceReviewInfographic20190626.pdf

2. Centers for Medicare & Medicaid Services. April 10, 2019. HIPAA Administrative Simplification Bulletin; Provider Pilot Program. Retrieved from https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/Enforcements/Downloads/ProviderPilotInformationBulletin.pdf

DEPARTMENT OF HEALTH & HUMAN SERVICES
Centers for Medicare & Medicaid Services
7500 Security Boulevard, Mail Stop N1-19-21
Baltimore, Maryland 21244-1850

HIPAA Administrative Simplification Information Bulletin, April 10, 2019

Provider Pilot Program

The Centers for Medicare & Medicaid Services (CMS) Division of National Standards, on behalf of the Department of Health and Human Services (HHS), is launching a volunteer Provider Pilot Program to test the process for reviewing compliance with HIPAA Administrative Simplification rules among providers. This follows a successful pilot program for health plans and clearinghouses completed in 2018.

Any providers who conduct electronic health care transactions can volunteer for the pilot program on behalf of themselves, not their group practice or hospital, unless authorized by their group practice or hospital to do so. In April 2019, HHS will select 3 health care providers from the pool of volunteers to participate. Participants will be able to test their electronic transactions for compliance with standards for:

• Transaction formats
• Code sets
• Unique identifiers

Participants will also be able to test whether they comply with operating rules. During the pilot program, participants will work one-on-one with HHS to identify and resolve compliance issues. Upon completion of the pilot program, participants will receive a certificate and will be exempt from compliance reviews for 1 year.

To volunteer, please email us at [email protected] by April 24.

Questions? For more information about HIPAA Administrative Simplification requirements, visit Go.CMS.gov/AdminSimp. HHS will release more information about the Pilot Program in the coming weeks.

For the latest news about Administrative Simplification and the Provider Pilot Program, sign up for Email Updates.


3. Department of Health & Human Services. November 26, 2012. Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Retrieved from https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf

Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

November 26, 2012

OCR gratefully acknowledges the significant contributions made to the development of this guidance by Bradley Malin, PhD, through both organizing the 2010 workshop and synthesizing the concepts and perspectives in the document itself. OCR also thanks the 2010 workshop panelists for generously providing their expertise and recommendations to the Department.
