Hm300 week 6

© 2017 American Health Information Management Association© 2017 American Health Information Management Association
Chapter 10: HIPAA Privacy Rule:
Part I
Fundamentals of Law for Health
Informatics and Information
Management, Third Edition

© 2017 American Health Information Management Association
HIPAA: Definition
• Health Insurance Portability and
Accountability Act (HIPAA) of 1996
– Focus of Title II (1 of 5 titles)
• Healthcare fraud and abuse prevention
• Medical liability reform
• Administrative simplification
– Privacy standards
– Security standards
– Transactions and code sets
– National provider identifiers
– Enforcement

HIPAA: Comparison to Other
Laws
• Freedom of Information Act of 1967
• Privacy Act of 1974
• Federal drug and alcohol laws
• Medicare Conditions of Participation
• State laws
• Note: Professional ethical standards and
codes of conduct

HIPAA: Applicability
• Who
– Covered entities (CE) and their workforce
– Business associates (BAs), their workforce,
and their subcontractors
• What
– Protected Health Information (PHI)
• Excludes de-identified information
• Privacy Rule-defined identifiers
• Excludes personnel and educational records

HIPAA: Applicability (Who)
• Covered entities (CEs)
– Healthcare providers that conduct certain
transactions electronically
• Provider examples: Hospitals, pharmacies, physician
office practices, long-term care facilities, clinics
• Transaction examples: Health claims and encounter
information, health plan enrollment, health plan
premium payments, coordination of benefits, health
claim status
– Health plans: Insurance plans
– Healthcare clearinghouses: Intermediary billing
companies

• Business associates (BAs) and their
workforce
– What is a business associate?
• Person or organization (not a member of a CE
workforce) that performs functions on behalf of the CE
involving the use or disclosure of individually
identifiable health information
• A business associate agreement (BAA) should be
initiated to legally protect information handled by a BA
– Subcontractors of BAs are also BAs

• Business associates (BAs)
– HITECH: If it meets the definition of a BA, it is a
BA
• Organizations or individuals that meet the definition of a
BA must comply with HIPAA, even without a BAA
– HITECH: BAs must respond to CE non-
compliance through
• Required corrective action
• Severing relationship with CE

• Workforce members
– Include employees, volunteers, student
interns, trainees, and anyone else working
under the CE’s direct control
– Contractors working on a covered entity’s
premises may be considered workforce
members if they routinely work there

HIPAA: Applicability (What)
• PHI
– Three-part test (shown on a subsequent slide)
• De-identified information
– Does not identify the individual
– Not subject to the HIPAA privacy rule
– What 18 elements must be removed to de-identify an
individual?
– Re-identification: Unrelated code permitted to link de-
identified information back to the individual

HIPAA: Applicability—Identifiers
• Names
• Geographic subdivisions
of specified size
• Dates (except year)
relating to birth,
admission, discharge,
and death (age > 89)
• Telephone #
• Fax #
• E-mail address
• Social security #
• Medical record #
• Health plan beneficiary #
• Account #
• Certificate/license #
• Vehicle identifiers
• Device identifiers
• URLs
• IP addresses
• Biometric identifiers
• Photographic images
• Any other unique
identifier

HIPAA: Applicability
• Per HITECH, individually identifiable
information of persons deceased >50
years is not protected by the HIPAA
privacy rule.
– In other words, it loses its PHI status.

Three-Part Test for Determining
Whether Information is PHI
• Individually identifiable health information in any form
or medium (paper, imaged, electronic, oral) that
• Identifies the person or provides a reasonable basis to
believe the person could be identified from the
information given
and
• Relates to one’s health condition (physical or mental;
past, present, or future), or provision of healthcare, or
payment for provision of healthcare
and
• Is held or transmitted by a CE or its BA

HIPAA: Other Key Terms
• Individuals
• Personal representatives
• Designated record set (DRS)
• Disclosure, use, and request
• Treatment, payment, and operations
(TPO)

HIPAA: Organization Types
• Hybrid entity
• Affiliated covered entity
• Organized health care arrangement
• Covered entity with multiple functions

HIPAA: Privacy Rule
Documents
• Notice of Privacy Practices
– Explains how PHI will be used and disclosed
– Explains individuals’ rights
– Healthcare providers must make it available upon
first encounter
– Must be posted in a prominent place, including
website if one exists
– HIPAA and HITECH outline content requirements
– Receipt must be acknowledged by individual

HIPAA: Privacy Rule
Documents
• Consent
– To use or disclose PHI for TPO
– Optional document
– Revocation must be permitted

HIPAA: Privacy Rule
Documents
• Authorization
– Is written permission for a specific disclosure
– Must contain HIPAA-required elements
– Is required unless a disclosure meets a HIPAA
authorization exception

HIPAA: Uses and Disclosures
When Authorization Is Not
Required
• When uses and disclosures are required,
even without authorization
– Access or accounting of disclosures
requested by individual or personal
representative
– HHS investigation, review, or enforcement
action

Required (continued)
• When uses and disclosures are permitted
without authorization
– 18 situations
– Includes situations where individual has
opportunity to agree or object (2)
– Includes situations where individual does not
have opportunity to agree or object (16)
– These uses and disclosures are permissive only
(HIPAA permits, but does not require)
• Must not violate a stricter/more protective state law

• Uses and disclosures permitted without
authorization
– Individual has the opportunity to agree or
object (2 situations)
• Facility directory/directory of patients
– Patient name (fact of admission, if requested by name)
– Location in facility
– Condition, in general terms
– Religious affiliation (to clergy)
• Notification to family or friends

• Uses and disclosures permitted without
authorization
– Individual does not have the opportunity to agree
or object (16 situations)
• Treatment, payment, and operations
• To the individual
• Incidental disclosures
• Limited data set
• Twelve public interest and benefit purposes (outlined
on next slide)

Required
• Uses and disclosures permitted without authorization (12 public
interest and benefit)
– As required by law (for example, reporting specified wounds)
– Public health activities
– Victims of abuse, neglect, or domestic violence
– Healthcare oversight activities
– Judicial and administrative proceedings
– Law enforcement purposes
– Decedents
– Cadaveric organ, eye, or tissue donation
– Research
– Threat to health or safety
– Specialized government functions
– Workers’ Compensation

HIPAA: Redisclosure
• Involves PHI created by and received from
another entity
• Redisclosure allowed for HIPAA-permitted
purposes

HIPAA: Commercial Uses and
Disclosures of PHI
• Marketing: Communication about a product
or service that encourages its purchase or
use
• General rule: Use or disclosure of PHI for
marketing requires authorization
• Marketing activities that do not require an
authorization
– Occur face-to-face with the individual
– Concern promotional gifts of nominal value

Disclosures of PHI (continued)
• Activities not defined as marketing per HIPAA
(authorization not required)
– Communications by CE about health-related products and
services in a CE’s benefit plan
– Replacements or enhancements to a health plan, or
health-related products or services that are of value
(although not part of a benefit plan)
– For treatment of individual
– For case management/care coordination or alternative
treatments
• Remuneration to the covered entity must be disclosed
• Opt-out instructions must be provided

• HITECH: Clarifies and expands
communications considered to be
marketing
• HITECH: Limits covered entities’ ability to
categorize communications as operations
(and exempt themselves from marketing
requirements)

• Fundraising: Activities initiated by the covered entity to
generate money for the benefit of the covered entity
• Must inform individuals in Notice of Privacy Practices that PHI
may be used for fundraising
• Instructions on how to opt out in the future are required before
the first solicitation or as part of the fundraising materials
• Prior authorization required if fundraiser targets individuals
based on diagnosis
– For example, kidney patients targeted to raise funds for new
kidney dialysis center
• HITECH: Opt-out may apply to all future fundraising
campaigns or to the current campaign only

• Sale of PHI
– HITECH: CEs and BAs may not sell PHI without
patient authorization
– There are exceptions
• Public health and research data; treatment and
healthcare operations (such as PHI that is part of CE
sale or merger)
– Patient must declare in the authorization whether
the recipient of the PHI can exchange it further for
payment

HIPAA: Minimum Necessary
Requirement
• People should only have access to the
amount of information needed to do their jobs
– Standard applies to CEs and Without further
clarification, “limited data set” (PHI with certain
direct identifiers removed) is the guideline
– Revert to “amount needed to accomplish
intended purpose” when limited data set definition
is inadequate
– Clarification of concept is pending

Hm300 week 6

Recommended

Recommended

More Related Content

What's hot

What's hot (17)

Similar to Hm300 week 6

Similar to Hm300 week 6 (20)

More from BealCollegeOnline

More from BealCollegeOnline (20)

Recently uploaded

Recently uploaded (20)

Hm300 week 6