HIPPA Privacy Rule
Purpose of Privacy Rule
- To protect individually identifiable health information from unauthorized uses and disclosures.
- To provide a baseline of privacy protections to all health care consumers regardless of what State one lives in.
- To give health care consumers more control over the uses & disclosure of their health information.
Permitted Use & Disclosures
- To the individual.
- For the covered entity’s own treatment, payment or health care operations.
- For the treatment activities of another provider.
- For the payment activities of the entity to which protected Health information (PHI) is disclosed.
- For the health care operations of another covered entity if the protected health information (PHI) is related to the relationship of both entities have with the individual.
- Incidental uses & disclosures (with certain conditions).
- Pursuant to an authorization.
State Law Influences
California State Law only preempts the HIPPA Privacy rule if it is more stringent or an exception from preemption has been requested & Granted
Notice of Privacy Practices
- The Notice of Privacy Practices (NPP) details how the covered entity uses and discloses PHI.
- Every patient must receive a copy of the NPP at the time of first service delivery.
- Covered entities must make a good faith effort to obtain written acknowledgement that the patient received a copy of the NPP, or document the reason why the written acknowledgement was not obtained.
- Covered entities with service delivery sites must have copies of the NPP available and have it posted in a prominent location.
- Covered entities with web sites must prominently post the NPP and make it available electronically.
Signed authorizations must be obtained (and a copy retained 6 years from its expiration date or event) for any use or disclosure of PHI not permitted or required by the Privacy Rule.
Business Associates Contracts
Provide satisfactory assurances to a covered entity that the business associate will safeguard the PHI used, created or maintained on behalf of the covered entity.
Minimum Necessary Standard
A covered entity may only use, disclose or request the minimum amount of PHI necessary to achieve the purpose of the use, disclose or request. The minimum necessary standard does not apply to disclosures or request for treatment purposes.
- To receive a paper copy of the facility’s Notice of Privacy Practices.
- The ability to lodge complaints about the covered entity’s Privacy practices.
- To request restrictions on the Use & Disclosure of PHI.
- To request to receive confidential communication.
- To request access to PHI for inspection and/or copying.
- To request amendment to health information.
- To request an accounting of disclosures of health information.
- A covered entity may not use or disclose PHI for marketing purposes without obtaining a signed authorization.
- An authorization is not required if the marketing communication takes place during a face to face encounter or of it involves products and services of normal value.
- An authorization is also not required if the communication is related to the patient’s treatment, if it involves case management or if coordination recommendations for alternative treatments or care settings, or if it is related service provided by entity.
The PHI of individuals who are deceased receives the same protection and to the same extent as before death.
Considered part of the health care operations. Only demographic information may be used and the individuals must be given the opportunity to opt out of receiving future communications.
- The covered entity must designate a Privacy Official who is the focal point of accountability for all privacy related matters.
- The covered entity must also designate a contact person or office to receive complaints and provide information related to the Notice of Privacy Practices.
Majority of documents must be maintained for a 6 year period from the date created or the last date effected whichever is later. Some documents are but not limited to:
- Documentation Requirements.
- NPP acknowledgement forms.
- Designed Record Set.
- Titles and/or names of individuals designated as responsible for complaints & questions.
Administrative, Technical & Physical Safeguards
- Administrative safeguards include all documented practice’s designed to protect PHI from unauthorized use or disclosure.
- Technical safeguards include all the things that covered entity does to protect PHI that is maintained electronically form loss or destruction of unauthorized access.
- Physical safeguards may include being careful when faxing securing medical records, shredding PHI that is no longer needed ensuring that PHI maintained in offsite storage is secure and not leaving PHI unattended where unauthorized persons may have access to it.
- All members of the HIPAA workforce must receive privacy training prior to April 14 2003.
- All new members of the HIPAA workforce must receive privacy training.
- There must be documentation of all training maintained for 6 years.
The covered entity must apply sanctions against members of its workforce who fail to comply with the covered entity’s privacy practice. The covered entity must document sanctions that are applied.