Hm300 week 7 part 1 of 2

© 2017 American Health Information Management Association© 2017 American Health Information Management Association
Chapter 11: HIPAA Privacy Rule,
Part II
Fundamentals of Law for Health
Informatics and Information
Management, Third Edition

© 2017 American Health Information Management Association
HIPAA: Individual Rights
• HIPAA privacy rule provides individuals with
rights to provide some control over their
health information
– Access
– Request amendment
– Accounting of disclosures
– Request confidential communications
– Request restrictions
– Complain of privacy rule violations

HIPAA: Individual Right of
Access
• Can access one’s own PHI contained in a
designated record set
• There are exceptions to access
– Examples: Psychotherapy notes; information
compiled for civil or criminal actions
• Denial of access
– May be subject to review (appeal)
– May not be subject to review (appeal)

Access (continued)
• May require that request in writing
• Covered entity must respond within 30 days after
request received
– 30 days from receipt of request
• Permitted 30-day extension if written statement includes
reason for delay and date covered entity will complete its
action.
• Extended time permitted for records not maintained on site
– Per HITECH, covered entities with EHRs must make
PHI available electronically, or must send it to
designated person or entity electronically if individual
requests

Access (continued)
• Reasonable fee may be imposed on
individual’s request
– Labor and supplies
• Search and retrieval fees may not be charged to
individuals for their own records
– Postage, when individual has requested
information to be mailed
– Preparation of an explanation summary, if agreed
to by the individual in advance
• Stricter state laws may apply to fees

HIPAA: Individual Right to
Request Amendment
• Individual has the right to request an
amendment to his or her health information
• May require the amendment request to be in
writing
• HIPAA provides reasons that an amendment
request may be denied
• Timely response to the request is required
• HIPAA provides process for denial of
amendment requests

Accounting of Disclosures
• Individuals have the right to know about instances
where his or her PHI has been disclosed
• Accounting includes:
– Date of disclosure
– Name and address of entity or person who received
the information
– Brief statement of the purpose of the disclosure
• Timely response to request for accounting
• First accounting within a 12-month period is free
• Must account for disclosures in past 3 years

• Exceptions (disclosures not required to be
accounted for)
– For TPO purposes (unless disclosed from an EHR)
– Individual was given his/her own PHI
– Incident to an otherwise permitted or required use or disclosure
– Pursuant to an authorization
– Use in a facility directory, to persons involved in the individual’s
care, or for other notification purposes
– To meet national security or intelligence requirements
– To correctional institutions or law enforcement officials
– Limited data set
– That occurred before the HIPAA privacy compliance date

• Per HITECH, pending “access report”
would require CEs to account for everyone
who used or disclosed electronic health
information in a DRS

Confidential Communications
• Individuals have the right to request
alternative routing/destination of PHI
• Requests may be refused if information is
not provided as to how payment will be
handled

Request Restrictions
• Individuals may request restrictions on uses and
disclosures of PHI to carry out TPO
– Covered entity does not have to agree to the
requested restriction
– Exception: Per HITECH, covered entity must agree if
disclosure would be made to health plan for payment
or operations, and PHI pertains solely to an item or
service that has been paid for in full by other than the
health plan
• Must document and abide by request if covered
entity agrees to it, unless and until terminated with
notice to the other party

Complain of Violations
• Notice of Privacy Practices must inform
individuals of right to complain at CE level
and to the US Department of Health and
Human Services, along with contact
information

HIPAA: Breach
• Breach is an “unauthorized acquisition, access,
use or disclosure of PHI which compromises the
security or privacy of such information”
– Several exceptions
– Requirements apply only to unsecured PHI: that
which technology has not made unusable,
unreadable, or indecipherable to unauthorized
persons
– An impermissible use or disclosure of PHI is
presumed to be a breach unless the CE or BA
demonstrates a low probability the PHI has been
compromised

HIPAA: Breach Notification
• HITECH requires breach notification
as mitigation
– Notification to individuals affected
– Notification to HHS via online portal
• HIPAA-covered entities and BAs
subject to HHS regulations
• Non HIPAA-covered entities and non-
BAs subject to FTC regulations
– Includes PHR vendors, third-party
service providers of PHR vendors

(continued)
• Must inform affected individuals of
– Description of what occurred (including date of
breach and date of discovery)
– Types of unsecured PHI involved
– Steps individual may take to protect him/herself
– Entity’s steps to investigate, mitigate, prevent in
the future
– Contact information for individuals to ask
questions and receive updates

(continued)
• If a breach affects 500+ individuals,
immediate notification is required to:
– Local media outlets
– Secretary of HHS for posting on breach portal

HIPAA: Research
• HIPAA affects research in the following
ways:
– When authorization is required
• Research is a public interest and benefit
authorization exception, but IRB or privacy board
must approve variations to authorization
requirement
– In what form authorization may occur:
• Standalone
• Compound (informed consent + authorization)
• Conditioned + unconditioned
• Altered
• Waived

HIPAA: Preemption
• HIPAA is a federal floor, or minimum, on
patient privacy requirements.
• State laws contrary to HIPAA apply if they
are “more stringent”
– Provide greater privacy protections
– Provide greater patient rights regarding their
PHI
or
– Fulfill specific purposes enumerated in the law
(i.e., are less stringent but serve purposes such
as controlling regulated substances or
preventing healthcare fraud and abuse)

HIPAA: Administrative
Requirements
• Policies and procedures
• Designation of privacy officer
• Workforce training
– Non-disclosure agreements
• Mitigation
– Include process for handling privacy complaints
• Data safeguards
• Retaliation and waiver
• Document and record retention (HIPAA standard
is 6 years)

HIPAA: Penalties and
Enforcement
• HIPAA Enforcement Rule (2006)
• Penalties for non-compliance apply to both CEs
and BAs
– Civil
– Criminal
• Penalty categories
– Unknowing
– Due to reasonable cause and not willful neglect
– Due to willful neglect/corrected within 30 days of discovery
– Due to willful neglect and not corrected as required

HIPAA: Penalties and
Enforcement Per HITECH
• HHS contracts with a private entity to conduct
random audits (no longer complaint-driven
only)
• State attorneys general may bring civil
actions in federal court representing citizens
affected by HIPAA violations
• Individuals can now be individually
prosecuted
• Recommendations for compensating
individuals harmed by violations

Hm300 week 7 part 1 of 2

Recommended

Recommended

More Related Content

What's hot

What's hot (16)

Similar to Hm300 week 7 part 1 of 2

Similar to Hm300 week 7 part 1 of 2 (20)

More from BHUOnlineDepartment

More from BHUOnlineDepartment (20)

Recently uploaded

Recently uploaded (20)

Hm300 week 7 part 1 of 2