Hi103 week 4 chpt 11
- 1. © 2017 American Health Information Management Association
Chapter 11: HIPAA Privacy Rule, Part II
Fundamentals of Law for Health Informatics and Information Management, Third Edition
- 2. HIPAA: Individual Rights
• The HIPAA privacy rule gives individuals rights that provide some control over their health information:
– Access
– Request amendment
– Accounting of disclosures
– Request confidential communications
– Request restrictions
– Complain of privacy rule violations
- 3. HIPAA: Individual Right of Access
• Individuals can access their own PHI contained in a designated record set
• There are exceptions to access
– Examples: psychotherapy notes; information compiled for civil or criminal actions
• Denial of access
– Some denials are subject to review (appeal)
– Other denials are not subject to review (appeal)
- 4. HIPAA: Individual Right of Access (continued)
• Covered entity may require that the request be in writing
• Covered entity must respond within 30 days of receipt of the request
– A 30-day extension is permitted if a written statement gives the reason for the delay and the date by which the covered entity will complete its action
– Extended time is permitted for records not maintained on site
– Per HITECH, covered entities with EHRs must make PHI available electronically, or must send it electronically to a designated person or entity if the individual requests
- 5. HIPAA: Individual Right of Access (continued)
• A reasonable fee may be imposed for an individual's request, covering:
– Labor and supplies (search and retrieval fees may not be charged to individuals for their own records)
– Postage, when the individual has requested that the information be mailed
– Preparation of an explanation or summary, if agreed to by the individual in advance
• Stricter state laws may apply to fees
- 6. HIPAA: Individual Right to Request Amendment
• Individuals have the right to request an amendment to their health information
• Covered entity may require the amendment request to be in writing
• HIPAA provides reasons for which an amendment request may be denied
• A timely response to the request is required
• HIPAA provides a process for denial of amendment requests
- 7. HIPAA: Individual Right of Accounting of Disclosures
• Individuals have the right to know about instances where their PHI has been disclosed
• Accounting includes:
– Date of disclosure
– Name and address of the entity or person who received the information
– Brief statement of the purpose of the disclosure
• Timely response to a request for accounting is required
• First accounting within a 12-month period is free
• Must account for disclosures in the past 3 years
- 8. HIPAA: Individual Right of Accounting of Disclosures (continued)
• Exceptions (disclosures not required to be accounted for):
– For TPO purposes (unless disclosed from an EHR)
– Individual was given his/her own PHI
– Incident to an otherwise permitted or required use or disclosure
– Pursuant to an authorization
– Use in a facility directory, to persons involved in the individual's care, or for other notification purposes
– To meet national security or intelligence requirements
– To correctional institutions or law enforcement officials
– Limited data set
– That occurred before the HIPAA privacy compliance date
- 9. HIPAA: Individual Right of Accounting of Disclosures (continued)
• Per HITECH, a pending "access report" requirement would require CEs to account for everyone who used or disclosed electronic health information in a DRS
- 10. HIPAA: Individual Right of Confidential Communications
• Individuals have the right to request alternative routing/destination of PHI
• Requests may be refused if information is not provided as to how payment will be handled
- 11. HIPAA: Individual Right to Request Restrictions
• Individuals may request restrictions on uses and disclosures of PHI to carry out TPO
– Covered entity does not have to agree to the requested restriction
– Exception: per HITECH, the covered entity must agree if the disclosure would be made to a health plan for payment or operations, and the PHI pertains solely to an item or service that has been paid for in full by someone other than the health plan
• If the covered entity agrees to the request, it must document and abide by the restriction unless and until it is terminated with notice to the other party
- 12. HIPAA: Individual Right to Complain of Violations
• Notice of Privacy Practices must inform individuals of their right to complain at the CE level and to the US Department of Health and Human Services, along with contact information
- 13. HIPAA: Breach
• A breach is an "unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information"
– Several exceptions apply
– Requirements apply only to unsecured PHI: PHI that technology has not rendered unusable, unreadable, or indecipherable to unauthorized persons
– An impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA demonstrates a low probability that the PHI has been compromised
- 14. HIPAA: Breach Notification
• HITECH requires breach notification as mitigation
– Notification to affected individuals
– Notification to HHS via online portal
• HIPAA-covered entities and BAs are subject to HHS regulations
• Non-HIPAA-covered entities and non-BAs are subject to FTC regulations
– Includes PHR vendors and third-party service providers of PHR vendors
- 15. HIPAA: Breach Notification (continued)
• Must inform affected individuals of:
– Description of what occurred (including date of breach and date of discovery)
– Types of unsecured PHI involved
– Steps the individual may take to protect him/herself
– Entity's steps to investigate, mitigate, and prevent recurrence in the future
– Contact information for individuals to ask questions and receive updates
- 16. HIPAA: Breach Notification (continued)
• If a breach affects 500+ individuals, immediate notification is required to:
– Local media outlets
– Secretary of HHS for posting on the breach portal
- 17. HIPAA: Research
• HIPAA affects research in the following ways:
– When authorization is required
• Research is a public interest and benefit exception to the authorization requirement, but an IRB or privacy board must approve variations to the authorization requirement
– In what form authorization may occur:
• Standalone
• Compound (informed consent + authorization)
• Conditioned + unconditioned
• Altered
• Waived
- 18. HIPAA: Preemption
• HIPAA is a federal floor, or minimum, on patient privacy requirements.
• State laws contrary to HIPAA apply if they are "more stringent," meaning they:
– Provide greater privacy protections, or
– Provide greater patient rights regarding their PHI,
or
– Fulfill specific purposes enumerated in the law (i.e., are less stringent but serve purposes such as controlling regulated substances or preventing healthcare fraud and abuse)
- 19. HIPAA: Administrative Requirements
• Policies and procedures
• Designation of a privacy officer
• Workforce training
– Non-disclosure agreements
• Mitigation
– Include a process for handling privacy complaints
• Data safeguards
• Retaliation and waiver
• Document and record retention (HIPAA standard is 6 years)
- 20. HIPAA: Penalties and Enforcement
• HIPAA Enforcement Rule (2006)
• Penalties for non-compliance apply to both CEs and BAs
– Civil
– Criminal
• Penalty categories
– Unknowing
– Due to reasonable cause and not willful neglect
– Due to willful neglect, corrected within 30 days of discovery
– Due to willful neglect and not corrected as required
- 21. HIPAA: Penalties and Enforcement per HITECH
• HHS contracts with a private entity to conduct random audits (no longer complaint-driven only)
• State attorneys general may bring civil actions in federal court representing citizens affected by HIPAA violations
• Individuals can now be individually prosecuted
• Recommendations for compensating individuals harmed by violations