Privacy And Security Rules
Privacy Rule
To protect the privacy of individually identifiable health information (PHI) in any form: paper, oral, or electronic.
Security Rule
To set national standards for protecting electronic PHI (ePHI) through administrative, physical, and technical safeguards.
Protected Health Information
PHI is individually identifiable health information: information that identifies, or could reasonably be used to identify, a particular individual and that relates to:
- The individual's past, present, or future physical or mental health or condition
- The provision of health care to the individual
- The past, present, or future payment for the provision of health care to the individual
Common Identifiers And Examples Of Health Information
Common Identifiers
This includes:
- Names
- Social Security Numbers
- Birth Dates
- Addresses
Examples
This includes:
- Care Plans
- Wound Care Logs
- Admissions & Referral Forms
- Incident Reports
Who Is Covered?
Healthcare Providers
Any person or organization that furnishes, bills, or is paid for health care in the normal course of business and transmits health information electronically in connection with a standard transaction (for example, claims), such as Nursing Homes, Hospitals, and ICF/MRs.
Healthcare Plans
Any individual or group plan (or combination of plans) that provides or pays for the cost of medical care, such as health insurance issuers (Blue Cross Blue Shield), HMOs, Group Health Plans, Medicare, and Medicaid.
Healthcare Clearinghouse
Any entity that converts health information received from another entity from a non-standard format or data content into a standard one, or vice versa (for example, a billing service that reformats claims).
Business Associates
A person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity, or performs a function or service for a covered entity that involves the use or disclosure of PHI. Some examples include:
- Consultant
- Attorney
- Collection Agency
- Medical Transcriptionist
Permitted Uses And Disclosures
The Privacy Rule allows you to use or disclose PHI as follows:
- To the individual
- For treatment, such as disclosing PHI to other healthcare professionals caring for the individual
- For payment, such as claims billing, review services for coverage, or medical necessity
- For healthcare operations which are the day-to-day operations necessary for quality care. Examples include verifying documentation and determining the quality of care provided by clinicians
Authorization Not Required
PHI may be used or disclosed without the individual's authorization in the following situations, among others:
- As required by law
- For public health activities
- For victims of abuse, neglect, or domestic violence
- For health oversight activities
- For judicial and administrative proceedings
- For law enforcement purposes
- To avert a serious threat to health or safety
- For specialized government functions
Uses And Disclosures Requiring Authorization
Written authorization signed by the individual or their personal representative is required (with narrow exceptions set out in the Rule) to:
- Use or disclose psychotherapy notes
- Use or disclose PHI to third parties for marketing activities
- Sell PHI, that is, disclose it in exchange for payment
Limiting Uses And Disclosures
When using, disclosing, or requesting PHI, use only the minimum amount necessary to accomplish the purpose of that particular use, disclosure, or request. The minimum necessary standard does not apply to disclosures to, or requests by, a healthcare provider for treatment, to disclosures to the individual, or to uses and disclosures made under the individual's written authorization.
State Law
HIPAA is a floor, not a ceiling: where a state law is more stringent (more protective of the individual's privacy, or grants the individual greater rights), the state law applies.
Privacy Rights
An individual has the right to:
- Receive a written Notice of Privacy Practices describing how your facility uses and discloses PHI, no later than the first date of service
- Inspect and obtain a copy of their medical record and other PHI your facility holds about them
- Request that incorrect or incomplete information in their record be amended
- Have PHI communicated to them by alternative means or at an alternative location (for example, a different mailing address or phone number) to protect confidentiality
- Request restrictions on the use and disclosure of their PHI (your facility must consider the request but is not always required to agree to it)
- Receive an accounting of disclosures of their PHI covering up to the six years before the request (routine disclosures for treatment, payment, and healthcare operations are excluded)
- File a complaint about any privacy concern or suspected breach with your facility's privacy officer or with the HHS Office for Civil Rights (OCR), without fear of retaliation
Keep Passwords Safe
Your password is private and personal. It is what proves to a system that you are the one accessing or saving PHI, so anything done under your login is attributed to you. Here are some suggestions for protecting the privacy of your password:
- Never write your password on a Post-it note or anywhere else near your computer.
- Passwords are for your individual use: never share an account, and always log in with your own credentials.
- Never send your password by email, text message, or chat.
- Never ask someone for their password or give them yours; no one in IT or management has a legitimate need for it.
- Use a different password for each system, so that one compromised password does not expose the others.
Summary
Here are a few important points to remember regarding HIPAA:
- HIPAA is evolving:
  - It is shaped by emerging patient needs
  - It is affected by changing technology for collecting, storing, distributing, and using PHI
- HIPAA affects our jobs
- HIPAA affects us as individuals, who deserve to keep our own health information private, protected, and secure
FAQs
Q: Are we required to give patients access to their medical records within a fixed time period?
A: Yes. Under the Privacy Rule's right of access, a facility must act on a request within 30 calendar days of receiving it. One 30-day extension is allowed if the patient is told in writing, within the first 30 days, why the delay is needed and when the records will be provided. State law or facility policy may set a shorter deadline.
Q: Does the HIPAA Privacy Rule apply to our company's professional associates?
A: Yes. Business associates, such as vendors, lawyers, accountants, and their subcontractors, that create, receive, maintain, or transmit PHI on our behalf are subject to HIPAA requirements and are directly liable for violations. A signed business associate agreement must be in place before PHI is shared with them.