HIPAA TRAINING FOR HEALTHCARE WORKERS
After completion of this activity, the participant should be able to:
· Identify the components of the HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT.
· Define professional conduct as it relates to confidentiality of protected health information.
· Describe a health care giver’s role in the protection of health information in the clinical setting.
· Recognize reasonable safeguards for protecting medical information.
· Discriminate between the Privacy Rule and the Security Rule as defined by HIPAA.
· Identify the component parts of the Privacy Rule and the Security Rule.
· Describe sanctions for violation of HIPAA.
· Understand the difference between civil and criminal penalties.
· Describe the Federal Register.
· Explain the rules for the dissemination of health information.
· Identify ways to file a complaint regarding breach of confidentiality.
· Define the Notice of Privacy Practices (NOPP).
· Understand Accounting of Disclosures of Protected Health Information.
· Describe the training of personnel on Policy and Procedures.
· Illustrate behaviors that maintain the Privacy and Security of Health Data.
WEBSITES FOR HIPAA INFORMATION
HIPAA: PASSED BY CONGRESS 1996
THE FEDERAL REGISTER The Federal Register is the official daily publication for rules, proposed rules, and notices of Federal agencies and organizations, as well as executive orders and other presidential documents. Citations (e.g., 45 CFR § 160.103) used throughout this presentation reference data from the Code of Federal Regulations (CFR).
Numbers indicated throughout the presentation are the reference numbers used to locate the standard as published in the Code of Federal Regulations (CFR). To search by CFR citation, enter (in quotes) the title, the words CFR and part, then the part number. For example: “45 CFR part 160”. To access the website to further research the standard visit: http://www.gpoaccess.gov/fr/index.html
THE UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES The United States Department of Health and Human Services (HHS) Office for Civil Rights is the main reference site for information presented. Access this web site at http://www.hhs.gov/ocr/hipaa/

Business Associate: A person or company who provides a function for or service to a covered entity that involves the use of PHI.
Clearinghouse: A company that translates data received from another entity and converts it from a non-standard format to a standard format or vice versa.
De-Identified: Protected Health Information from which all means of personal identification have been removed.
EDI: Electronic Data Interchange
Covered Entity: Health care providers who transmit any health information electronically in connection with certain transactions.
Health Plans: Individual or group plans that provide or pay the cost of medical care.
Health care: The prevention, treatment, and management of illness and the preservation of mental and physical well-being through the services offered by the medical and allied health professions.
HIPAA: Health Insurance Portability and Accountability Act
Limited Data Set: Information from which direct identifiers of individuals and their relatives, household members, and employers have been removed.
Protected Health Information (PHI): Information that can identify a patient, such as name, Social Security number, etc.
Minimum necessary: When using or disclosing PHI, reasonable efforts must be made to limit the information released to the minimum amount necessary to accomplish the purpose of the use, disclosure or request.
Notice of Privacy Practices (NOPP): A statement, required by law, that the health care facility must provide to each patient. The statement must outline the patient’s rights, how the facility may use PHI, and how the individual may get in contact with the facility to request changes or limitations to their PHI.
TPO: Treatment, payment or health care operations
SECTION II HIPAA HISTORY AND BACKGROUND
HIPAA established the basis for the Privacy and Security Rules.
THE PRIVACY RULE: The Privacy Rule encompasses national standards for the protection of medical records and other health care information called “protected health information” (PHI). Standards were developed by the Department of Health and Human Services (HHS). http://www.hhs.gov/ The Privacy Rule puts into action the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Office for Civil Rights (“OCR”) implements and enforces the Privacy Rule with respect to compliance and penalties. http://www.hhs.gov/ocr/hipaa/
Although the Privacy Rule assures individuals that their health information is protected, it allows specific information to be used in ways necessary to provide good health care. The Rule covers areas that define the appropriate use and disclosure of personal health information. The HIPAA Privacy Rule went into effect
THE SECURITY RULE: The Security Rule sets standards for the security of electronic health information. This rule details a series of administrative, technical, and physical security procedures for health care providers that guarantee the privacy of an individual’s protected health information that is disseminated electronically. These regulations became effective on
WHY IS KNOWLEDGE OF HIPAA IMPORTANT? A “covered entity” or healthcare provider must be knowledgeable of HIPAA because if breaches occur, their license could be in jeopardy and they may incur federal penalties. In addition, patients may decide to change health care providers if medical information is misused.
THE PRIVACY RULE AND TRANSACTION STANDARDS OVERVIEW

THE HIPAA PRIVACY RULE - 45 CFR Parts 160 and 164 The Standards for privacy of individually identifiable health information give patients the right to control their health information and protect health care information.
The HIPAA Privacy Rule resulted in alterations to many routine business practices such as:
Access to Medical Records Patients are able to see and request copies of their medical records from health plans, doctors, hospitals, clinics, nursing homes and other covered entities. If they identify errors or mistakes, patients may request corrections.
Notice of Privacy Practices (NOPP) Health care providers must provide a notice to their patients regarding the use of personal medical information and what rights a patient has under the Privacy Rule. The notice is to be given on the patient's first visit following the compliance date and upon request. Patients will be asked to sign, initial or otherwise acknowledge that they received this notice. Information about filing complaints should be included in the notice of privacy practices.
Limits on the use of Personal Medical Information The Privacy Rule restricts health plans and health care providers’ use of individually identifiable health information. Personal health information may not be used for purposes unrelated to health care. For each purpose, only the minimum amount of protected information may be disclosed.
Prohibition on Marketing The Privacy Rule sets restrictions and limits on the use of patient information for marketing purposes. Health providers including pharmacies, health plans and other covered entities must first obtain an individual's specific authorization before disclosing their patient information for marketing.
Confidential Communication Patients may request that steps be taken to ensure that communications with the physician are confidential. For example, a patient may request that contact be made at the office rather than at home. The doctor should accommodate the request.
Complaints Consumers may file a formal complaint if there is a breach in the privacy practices of a provider. Complaints can be made directly to the provider or insurance plan or to HHS’ Office for Civil Rights (OCR). Consumers can find out more information about filing a complaint at http://www.hhs.gov/ocr/hipaa or by calling (866) 627-7748.
WHO IS AFFECTED BY HIPAA? The final regulation covers health plans, health care clearinghouses, and health care providers who conduct financial and administrative transactions (e.g., enrollment, billing and eligibility verification) electronically. Most health insurers, pharmacies, doctors and other health care providers are required to comply with these federal standards. Business Associates of health care providers, anyone involved in direct patient care, volunteers and students are also covered by the regulations.
WHAT DOES HIPAA PROTECT? Patient information such as medical office patient charts, hospital records, radiographs, lab work and testing procedures is considered Protected Health Information (PHI) and is protected by HIPAA. HIPAA also protects information that is maintained by a health care provider or insurance plan, and it protects a patient’s right to access and make changes to their Protected Health Information (PHI).
WHAT INFORMATION IS PROTECTED? Protected information includes identification of a patient by name, social security number, birth date or address. It includes all data in a patient’s medical record such as health status, diagnosis, treatment information and test results. Information relative to provisions for or payment of health care is also protected.
WHAT IS A HEALTH CARE PROVIDER? A Health care provider is an institution, private practitioner, or any other person or organization that provides medical or health services or furnishes bills or receives payment for providing health care. 45 CFR § 160.103
ARE ALL HEALTHCARE PROVIDERS COVERED by HIPAA REGULATIONS? They are only covered if they transmit health information electronically, either directly or through a business associate, in connection with a transaction covered by the HIPAA Transaction Rule. 45 CFR § 160.102, 45 CFR § 164.500
TRANSACTION RULE STANDARDS These standards apply to the transmission of Protected Health Information, including electronic transmissions using all media: the physical movement of data via magnetic tape, disk, or CD, and transmissions via the internet, extranet, leased lines, dial-up lines, and private networks. 45 CFR § 162.1101, 45 CFR § 162.1802
These Standards are aimed at reducing the handling and processing time of data and the loss of paper documents, eliminating the inefficiency of handling paper documents, improving the overall data quality and decreasing administrative costs. 45 CFR § 162.1101 – 45 CFR § 162.1802
HIPAA defines Electronic Data Interchange (EDI) healthcare transactions as health claims, health care payment & remittance advice, coordination of benefits, health claim status, enrollment & dis-enrollment in a health plan, eligibility for a health plan, health plan premium payments, and referral certification & authorization. 45 CFR § 162.1101, 45 CFR § 162.1802
WHO IS A BUSINESS ASSOCIATE? A business associate is a person or company who provides a function for or a service to a covered entity. The function or service involves individually identifiable health information. A covered entity can be the business associate of another covered entity. An employee or workforce member is not considered a business associate. 45 CFR § 160.103
REQUIREMENTS REGARDING A BUSINESS ASSOCIATE CONTRACT A covered entity must obtain a written contract or other written agreement stating that the business associate will safeguard protected health information. The facility must fix or terminate the business associate contract if a known violation of HIPAA exists. 45 CFR § 164.502(e), 45 CFR § 164.504(e)
A business associate contract is a contract between a covered entity and a business associate that must include provisions for the uses and disclosures of protected health information, appropriate safeguards, requirements that ensure that inappropriate disclosures of PHI are reported to the covered entity, and a requirement to extend the same terms to subcontractors and agents of the business associate. 45 CFR § 164.504(e)
A business associate under contract to a covered entity may use and disclose protected health information: for uses or disclosures by a government health plan to another agency for eligibility or enrollment determination authorized by law. 45 CFR § 164.502(e)
WHAT IS A HEALTH PLAN? A health plan is an individual or group that provides or pays the cost of medical care. Examples of health plans include health maintenance organizations (HMO), Medicare, parts A & B, Medicaid, Medicare Choice and Medicare supplements, health insurance issuers and long-term care insurers. 45 CFR § 160.103
WHICH HEALTH PLANS ARE COVERED? All health plans are covered by HIPAA except self-administered employer plans with fewer than 50 participants and two government funded programs: food stamp programs and community health centers. 45 CFR § 150.103
GROUP HEALTH PLAN DISCLOSURES TO PLAN SPONSOR Group health plans are permitted to disclose the following data to the sponsor of the plan: enrollment or dis-enrollment information; a summary of health information to obtain bids for providing health insurance coverage or to modify, amend or terminate a group health plan; or PHI necessary to perform plan administration functions. 45 CFR § 164.504 (f) (a), 45 CFR § 164.508
WHAT IS A HEALTH CARE CLEARINGHOUSE? A clearinghouse is a company hired to translate data received from another entity (like a physician’s office) and convert the data from a non-standard format to a standard format or vice versa. A commercial clearinghouse serves as a transaction processor between the provider (physician office) and the payer (insurance companies). Clearinghouses often catch errors in coding prior to submitting the claim to insurance companies or Medicare. The physician establishes a relationship with a clearinghouse instead of each individual insurance company. 45 CFR § 160.103, 164.500(b)

PERMITTED DISCLOSURES A covered entity is permitted to disclose PHI without an individual’s authorization:
1. To the individual (unless required for access or accounting of disclosures) for treatment, payment or health care operations (TPO)
2. If the individual has been given the opportunity to agree or object to the release
3. Incident to an otherwise permitted use and disclosure
4. Disclosures for public interest and Benefit activities
5. For the purposes of research, public health or health care operations (Limited data) 45 CFR § 164.502
1. TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS DISCLOSURES A covered entity may disclose PHI for the treatment activities of a health care provider; to another covered entity or health care provider for payment activities; to another covered entity or health care provider for health care operations activities (if each entity has or had a relationship with the individual who is the subject of the PHI); or to another covered entity that participates in the organized health care arrangement. A covered entity must obtain the individual’s written permission for any use or disclosure of PHI that is not for Treatment, Payment or health care Operations (TPO) or otherwise permitted or required by the Privacy Rule. An authorization must be written in specific terms and plain language. 45 CFR § 164.506
Examples of authorized disclosures: to a life insurer for coverage purposes, results of a pre-employment physical or lab test to an employer or to a pharmaceutical firm for their own marketing purposes.
2. DISCLOSURES THAT ALLOW AGREEMENT OR OBJECTION A covered entity may disclose PHI, provided the individual is informed in advance of the disclosure and has the opportunity to agree or object to that disclosure. This agreement or disagreement may be oral.
The following disclosures are allowed for facility/hospital directories unless an objection is made: the individual’s name, the individual’s location in facility, the individual’s condition described in general terms and the individual’s religious affiliation (released to clergy) 45 CFR § 164.510
3. INCIDENTAL USE AND DISCLOSURE The Privacy Rule does not require that every risk of an incidental use or disclosure of Protected Health Information (PHI) be eliminated. It requires that the covered entity has adopted reasonable safeguards to avoid inappropriate disclosures and that shared information is kept to the “minimum necessary”. 45 CFR § 164.308, 45 CFR § 164.310
4. DISCLOSURES FOR PUBLIC INTEREST AND BENEFIT ACTIVITIES There are 12 national priority purposes for which PHI may be disclosed without authorization: 45 CFR § 164.512
- As required by law
- Public health activities
- Health oversight activities
- Cadaver organ, eye, or tissue donation
- Law enforcement purposes
- Judicial and administrative proceedings
- Decedents: covered entities may disclose PHI to funeral directors, coroners, medical examiners or law enforcement as needed
- Workers’ compensation
- Research
- Serious threat to health or safety
- Victims of abuse, neglect or domestic violence
5. DISCLOSURE OF LIMITED DATA SETS A limited data set is Protected Health Information from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed.
A Limited Data Set may be disclosed for research, health care operations and public health purposes. The individual must enter into a data use agreement in which specific safeguards of their PHI are outlined. 45 CFR § 164.514
REQUEST OF PRIVACY PROTECTION FOR PROTECTED HEALTH INFORMATION: A covered entity must permit an individual to request that the facility restrict disclosures of PHI for treatment, payment or operations, and disclosures of PHI (permitted in 45 CFR § 164.510) which allow a covered entity to maintain a directory and release certain information about the individual. A covered entity is not required to comply with the restriction; however, if the covered entity agrees to the restriction, they are bound by that restriction unless there is an emergency requiring that PHI be disclosed. 45 CFR § 164.522
PRIVACY OF PSYCHOTHERAPY NOTES Psychotherapy notes are those taken by a healthcare provider who is a mental health professional which document or analyze conversation during private, group, joint or family counseling sessions. These notes may be related to a patient’s emotional, social or mental health. The notes must be kept in a separate file or in a separate section of the medical record. 45 CFR § 164.501
AUTHORIZATION FOR PSYCHOTHERAPY NOTES Psychotherapy notes CANNOT be disclosed without a separate authorization, signed by the patient, parent or legal guardian. 45 CFR § 164.508
Psychotherapy notes within a patient’s medical record do not include:
- Medication prescription and monitoring
- Counseling session start and stop times
- Results of clinical tests
- A summary of the following items: diagnosis, functional status, treatment plan, symptoms, prognosis and progress to date
45 CFR § 164.501
Psychotherapy notes may also be disclosed without a separate authorization for the lawful activities of a coroner or medical examiner, or as required by law. 45 CFR § 164.508
USE AND DISCLOSURE OF DE-IDENTIFIED PERSONAL HEALTH INFORMATION Covered entities may use Protected Health Information to create information that does not identify an individual. When identifiers have been removed from PHI it is considered DE-IDENTIFIED information. 45 CFR § 164.502
IDENTITY REMOVAL INCLUDES:
- Name
- Address
- Telephone and fax numbers
- Date of death
- Social Security Number
- Medical record number
- Email address and IP address
- Dates of birth, admission and discharge
- Vehicle identifiers
- Fingerprints and voiceprints
- Photographic images
45 CFR § 164.502, 45 CFR § 164.514
FAXING GUIDELINES Measures that are reasonable and appropriate in faxing health information include:
- Verify that the patient, clinician or employee has submitted a written request for faxing the information
- Verify that the information is needed for immediate treatment of an emergency condition
- Confirm that the fax number is the correct one
- Both sender and recipient should have a secure fax machine to prevent unauthorized access to the information
45 CFR § 164.530(c), 45 CFR § 164.306
LIMIT THE RELEASE OF HEALTH INFORMATION When using or disclosing protected health information or when requesting information from another source, reasonable effort must be made to limit the amount of information to the MINIMUM necessary to accomplish the purpose of the use, disclosure or request. 45 CFR § 164.502b
MINIMUM NECESSARY REQUIREMENTS Policies and procedures must be in place to restrict access to PHI based on the specific roles of the employees. Ask yourself these questions: Which employees or departments need access to the PHI in order to carry out their duties? What type of information (minimum necessary) needs to be accessed? Employers must identify persons in the workforce who need access to PHI to carry out their duties. 45 CFR § 164.502b
MINIMUM NECESSARY EXCEPTIONS The minimum necessary requirement is NOT imposed in the following circumstances:
- The information is needed by a health care provider for treatment
- The disclosure is requested by the individual
- The disclosure is to the US Department of Health and Human Services for complaint investigation, compliance review or enforcement
- The disclosure is required by law
- The protected health information has been de-identified
WHISTLEBLOWER A whistleblower is an employee or business associate of a covered entity who believes that unlawful conduct has occurred, believes that a violation of professional or clinical standards has occurred, or believes that the care, services or conditions provided by the covered entity potentially endanger an individual, employee or the public. 45 CFR § 164.502d5
DISCLOSURE OF PHI BY A WHISTLEBLOWER The disclosure of protected health information to the following agency or individual is NOT in violation of HIPAA standards:
a. A health oversight agency or public health authority authorized by law to oversee conduct
b. A health care accreditation organization (JCAHO)
c. An attorney retained for the purpose of determining legal options
d. A law enforcement agency if you are a victim of a criminal act and the disclosure is about the suspected perpetrator of the criminal act 45 CFR § 164.502d5 45 CFR § 164.512(f)(2)(i)
RETALIATION TOWARD A WHISTLEBLOWER A covered entity may not intimidate, threaten, coerce, discriminate against or take other retaliatory action against a whistleblower. 45 CFR § 164.530(f)
SAFEGUARDING PROTECTED HEALTH INFORMATION (PHI) A covered entity must have administrative, technical and physical safeguards in place to protect the privacy of Protected Health Information from the intentional or unintentional use or disclosure.
REASONABLE SAFEGUARDS Reasonable safeguards will vary among covered entities depending on factors such as the size of the covered entity and the nature of its business. Covered entities should analyze their own needs and circumstances, such as the nature of the protected health information they hold, and assess the potential risks to patients’ privacy. Covered entities should also take into account the potential effects on patient care, such as the financial and administrative burden of implementing particular safeguards. 45 CFR § 164.530(c)
- Speak quietly when discussing patient conditions with family members in a waiting room or other public area.
- Avoid using patient names in public hallways and elevators.
- Post signs to remind employees to protect patient confidentiality.
- Isolate or lock file cabinets or record rooms.
- Provide passwords on computers that maintain personal information.
- Shred documents prior to disposal.
- Pharmacies should have waiting customers stand away from areas used for patient counseling.
- Use cubicles, dividers, shields or curtains in areas of multiple patient-staff communication.
- Limit the amount of information disclosed on answering machines. Record only the facility name and number and request a call back.
- Sign-in sheets in a physician’s office cannot display any medical information, such as the medical problem for which the patient is seeing the physician.
- Limit information given to another person answering the phone.
- Health care personnel should always be aware of their surroundings and the ability to be overheard by others.
PATIENT COMPLAINTS A policy must be in place to receive patient complaints relative to a facility’s current policies and procedures and its compliance with those policies and procedures. All complaints must be documented along with their disposition. A covered entity may not require individuals to waive their rights to file a complaint. 45 CFR § 164.530(d) (h)
SANCTIONS A facility must have appropriate sanctions against employees who are not in compliance with privacy policies and procedures or who violate the requirements of the Privacy Rule. A facility must apply and enforce sanctions. 45 CFR § 164.530(e)
MITIGATION In the event of a breach of confidentiality, mitigation is utilized to lessen its seriousness. If an inappropriate use or disclosure of Protected Health Information occurs, the covered entity must mitigate any harmful effect of the breach. 45 CFR § 164.530(f)
RETALIATION A covered entity may not intimidate, threaten, coerce, discriminate against or take any retaliatory action against an individual. 45 CFR § 164.530(g)
CHANGES TO POLICY OR PROCEDURES Changes in policies or procedures dealing with Protected Health Information may be made as necessary to comply with changes in law, standards or requirements. The Notice of Privacy Practices (NOPP) must be changed, revised and implemented as soon as possible. 45 CFR § 164.530(i), 45 CFR § 164.530(i)(3)
DOCUMENTATION REQUIREMENTS A covered entity MUST maintain documents in written or electronic form for a period of SIX YEARS, including:
- The facility’s Policy and Procedure Manuals and any changes or revisions
- Records of HIPAA training provided to employees
- Documentation of the Privacy Official and a Contact Person in the facility to handle patient complaints
- All complaints received from patients and their disposition
- The facility’s Notice of Privacy Practices (NOPP)
- Patient acknowledgement forms for receipt of the Notice of Privacy Practices (NOPP)
- Documentation of good faith efforts to acquire the NOPP acknowledgements
- Authorizations for treatment and specialists
- Business Associate contracts
- The designated record sets that are subject to access by the individual
- Requests, denials, disagreements, rebuttals and responses for requests for PHI
- Information required to be in an accounting, an accounting contact person, requests for accounting reports from patients and accountings provided to individuals
- Restriction Request Agreements
- Affiliated Covered Entity Designations
- Certification of Group Health Plan document amendment
- Verification documents of public officials and personal representatives
- Any other communication required by the Privacy Rule to be in writing
45 CFR § 164.530(j)
SECTION VII NOTICE OF PRIVACY PRACTICES
WHAT IS A NOTICE OF PRIVACY PRACTICES (NOPP)? A covered entity must provide individuals with a notice of its privacy practices (NOPP) which must include the uses of the protected health information, the disclosures of the protected health information, the rights of the individual in relation to protected health information and the legal duties of the facility with respect to protected health information.
The facility must have a written confirmation that the patient has been given the Notice of Privacy Practices. If written confirmation is not obtained, it is necessary to document the attempt and reason it was not completed.
The Privacy Act requires that the notice (NOPP) provided by a covered entity contain the following elements:
- a description of the types of uses and disclosures of an individual’s protected health information for the purposes of treatment, payment and health care operations.
- a description of any purpose for disclosure of protected health information without the individual’s written authorization.
- a statement that the individual may revoke authorization. 45 CFR § 164.520
SEPARATE statements must be contained in the notice of privacy practices to inform patients: 45 CFR § 164.520b
- If the facility intends to contact the individual for appointment reminders, fundraising, treatment alternatives or for benefits and services that may be of interest to the patient.
- That the facility is required by law to protect health information and abide by the terms of the notice of privacy practices.
- Instructions on how to make complaints if an individual believes their rights have been violated.
- That the individual will not be retaliated against if they file a complaint.
- The name and telephone number of the privacy compliance office.
- The date the Notice of Privacy Practices is effective.
- That the facility may change its privacy practices, and a description of how an individual is provided with a revised notice. The notification may be sent to individuals by e-mail, provided the individual has agreed to electronic notice, or posted on the covered entity’s web site.
PATIENT RIGHTS RELATIVE TO NOTICE OF PRIVACY PRACTICES The Notice of Privacy Practices must contain statements with respect to patient rights regarding their protected health information and how to exercise these rights. These rights include: 45 CFR § 164.520b, 45 CFR § 164.520(b)(1)(iv)
- The right to ask for restrictions on uses and disclosures of PHI
- The right to receive confidential communications
- The right to choose how the facility communicates with the patient (certain phone numbers, etc.)
- The right to inspect and copy protected health information
- The right to correct or change protected health information
- The right to receive an accounting of any disclosures made of their protected health information
- The right to receive upon request, a copy of the Notice of Privacy Practices
SPECIFIC NOTICE OF PRIVACY POLICIES:
A. HEALTH PLANS Health plans must have a Notice of Privacy Practices (NOPP) available upon request. Health plans must send a NOPP to members prior to the compliance date upon enrollment of new members and within 60 days of any revision to the NOPP. Once every 3 years, health plans must notify covered individuals of the availability of the notice and how to obtain it. 45 CFR § 164.520(c) (1)
B. HEALTH CARE PROVIDERS A Notice of Privacy Practices (NOPP) must be provided on the day of service. In an emergency situation the NOPP must be provided after emergency treatment is rendered. The NOPP must be posted in a prominent location in the health care facility. 45 CFR § 164.520(c) (2)
C. ELECTRONIC NOTICE If a covered entity maintains a web site that provides information about customer services or benefits, the NOPP should be available electronically. An individual may request email transmission of the NOPP. If the transmission fails, the covered entity must provide a paper copy to the individual. 45 CFR § 164.520(c) (3)
REQUEST TO RESTRICT USES AND DISCLOSURES An individual may request that a covered entity restrict the use and disclosure of their Protected Health Information for treatment, payment, persons involved in their care, and whom to notify about the individual’s condition, location or death. The healthcare provider is not required to agree to the restriction, but if they agree, they may not disclose restricted information unless the PHI is needed to provide emergency treatment. 45 CFR § 164.522(a)
CONFIDENTIAL COMMUNICATION REQUIREMENTS An individual who feels that disclosure of their Personal Health Information may endanger them can request that communication with the health care provider be through alternative means or locations than is typical. A health care provider must accommodate reasonable requests but may condition their compliance upon the request being in writing, the address or method of contact be specific and an explanation of how payment will be handled. 45 CFR § 164.522(b)
DENIAL OF ACCESS TO PROTECTED HEALTH INFORMATION WITHOUT REVIEW Except in certain circumstances, patients have the right to access, inspect and obtain a copy of their protected health information. Some exceptions to access of Protected Health Information are:
a. Psychotherapy notes
b. Information compiled in anticipation of or for use in a civil, criminal or administrative action
c. Lab results to which the Clinical Laboratory Improvement Act (CLIA) prohibits access
d. If the health care provider is a correctional institution and the patient is an inmate
e. If the individual has consented to participate in research and agreed to denial of access until the research is concluded. 45 CFR § 164.522(a)(1),(2)
REQUESTING A REVIEW OF DENIAL An individual may be denied access to PHI even if they have the right of access. They must be given the right to have the denial reviewed in the following cases:
a. A health care professional has determined that access may endanger the life or safety of the individual or another person.
b. The PHI makes reference to another person and access would cause harm to that person.
c. The request is from an individual’s personal representative and the health care professional determines that access may cause substantial harm to the individual or another person.
d. The denial is reviewed by a licensed health care provider designated as a reviewing official by the facility who did not participate in the original decision to deny access. 45 CFR § 164.524 (a)(3)
AMENDING PROTECTED HEALTH INFORMATION Individuals have the right to request an amendment to their PHI if the records are inaccurate or incomplete. Requests should be made in writing. 45 CFR § 164.526(a)
TIMELY ACTION ON AMENDMENT OF PROTECTED HEALTH INFORMATION A covered entity has 60 days to act on the request for amendment of Protected Health Information. The responsibility of the covered entity in making the amendment is to:
a. Notify the patient of the intention to make the requested changes
b. Identify the records that are affected by the amendment and append the record or provide a link to the location of the amendment
c. Add the amendments to the patient’s record
d. Make reasonable efforts to inform business associates and persons identified by the individual as having received incorrect information of an amendment. 45 CFR § 164.526(b)(2), 45 CFR § 164.526(c)(1)
DENIAL OF A REQUEST TO AMEND PHI A covered entity may deny the request for amendment if the Protected Health Information was not created by the covered entity, is not part of the designated record set, or if it is determined that the current records are correct and accurate. If the request is denied, the covered entity must provide the individual a written denial containing the basis for the denial, the right of the individual to disagree with the denial, a description of the process for the individual to submit a statement of disagreement with the denial, and the patient's right to have the amendment request included in their medical record. 45 CFR § 164.526(d)
The covered entity may prepare a written rebuttal to an individual's statement of disagreement and provide a copy to the individual.
DENIAL OF A REQUEST TO AMEND PHI The covered entity must maintain within the medical record the request for amendment, the denial, the statement of disagreement from the individual and the rebuttal statement from the entity. All future disclosures of the disputed information must be accompanied by a copy of the original request for amendment, the original denial and, if submitted, the patient's statement of disagreement with the denial. 45 CFR § 164.526(d)
PATIENT'S RIGHT TO ACCOUNTING OF DISCLOSURES Patients may request a detailed written accounting of whether their personal health information was disclosed to others. Patients may ask for disclosures of their PHI made up to six years prior to the date of the request. Disclosures include those made to business associates.
The covered entity must respond to the request within 60 days. The response period may be extended 30 days (one time) provided the individual is notified in writing of the reasons for the delay and the date by which the accounting will be provided. 45 CFR § 164.528(a), 45 CFR § 164.528(b)(1), 45 CFR § 164.58(c)
ACCOUNTING DISCLOSURE CONTENT An accounting of disclosures must include the date of the disclosure, the name and address of the person who received the PHI, a description of the information disclosed, the basis for the disclosure or a copy of the request for the information, and the date of the last disclosure. 45 CFR § 164.528(b), 45 CFR § 164.528(b)(1)
The following types of disclosures are not reported on the accounting statement:
a) Information for the treatment, payment of services and health care operations
b) Information disclosed to the patient
c) Signed authorizations
d) Information used for national security, intelligence purposes, law enforcement or correctional institutions
e) Information that is part of a limited data set. 45 CFR § 164.506, 45 CFR § 164.502, 45 CFR § 164.508, 45 CFR § 164.512(k)(2)(5)
The first accounting during a 12-month period is provided by the covered entity without charge. Reasonable, cost-based fees may be charged for subsequent requests by the same individual. The individual must be notified in advance of the charge and be given the opportunity to withdraw or modify the request in order to avoid or reduce the fee. 45 CFR § 164.528(c)
ACCOUNTING DISCLOSURE CONTENT FOR RESEARCH If a disclosure of PHI was made for 50 or more individuals for a particular research purpose in which an individual's PHI was included, the content of the accounting must include the name of the research activity, a description of the research activity and the type of PHI disclosed, the date or period of time of disclosure, and the name, address and phone number of the research sponsor. 45 CFR § 164.528(b)(4)
At the request of the individual, the covered entity must assist the individual in contacting the research sponsor and researcher.
SECTION IX TRAINING OF PERSONNEL

PRIVACY OFFICIAL A privacy official or office must be appointed by the covered entity to develop and implement policies and procedures relative to the privacy and security of Protected Health Information. A designated contact person or office is responsible for receiving complaints. 45 CFR § 164.530(a) (1)
TRAINING OF PERSONNEL Members of the workforce who must be trained on the policies and procedures relative to PHI include employees, volunteers, trainees and students. Each new member of the workforce must be trained within a reasonable period of time. The workforce must be retrained after each change in the policies and procedures. All training must be documented. 45 CFR § 164.530(b)
ENFORCEMENT This subpart applies to investigations, penalties and hearings related to the imposition of Civil Monetary Penalties.
BASIS AND AMOUNT OF PENALTY Congress has provided both civil and criminal penalties for covered entities who misuse protected health information (PHI). Penalties are imposed on a person who is a covered entity by the Secretary of the Department of Health and Human Services (HHS). The Secretary has the authority to settle any issue or case or to compromise any penalty. Enforcement is through the Department of Justice. 45 CFR § 160.506, 45 CFR § 160.508, 45 CFR § 160.510
NOTICE OF PROPOSED PENALTY If a penalty is imposed, the Secretary of HHS must send a written notice, by certified mail, to the respondent (covered entity) of the intent to impose a penalty.
The notice of intent must include:
a) Reference to the statute used as the basis for the penalty
b) A description of the findings of fact regarding the acts or omissions that violate the statute
c) The reason for the proposed finding
d) The amount of penalty
e) Instructions for responding to the notice
f) The right to request (in writing) a hearing
g) The address to send the hearing request 45 CFR § 160.514
REQUEST FOR A HEARING The respondent may request a hearing before an administrative law judge. The judge must issue a decision which may affirm, increase or decrease the penalties imposed by the Secretary of the Department of Health and Human Services. The judge's decision is final. 45 CFR § 160.514(b), 45 CFR § 160.564
FAILURE TO REQUEST A HEARING Failure to request a hearing within 60 days permits the imposition of the penalty without a hearing. There is no right of appeal if a hearing has not been requested.
COLLECTION OF PENALTY The penalty may be recovered through a civil action in the district where the respondent resides, is found, or is located. The amount of the penalty may be deducted from money owed to the respondent by the government or a state agency. 45 CFR § 160.516, 45 CFR § 160.518
CIVIL MONETARY PENALTIES: The monetary penalty may be up to $100.00 per violation. A penalty is capped at $25,000 per year for EACH requirement or prohibition that is violated. The covered entity has a right to notice and a hearing before a civil monetary penalty becomes final.
CIVIL PENALTIES NO civil penalties are given if an individual or covered entity:
1. Did not know they were violating HIPAA standards
2. Exercised reasonable care and could not have known of the violation
3. Failed to comply due to a reasonable cause and not willful neglect
4. Corrects the non-compliance within 30 days
CRIMINAL PENALTIES A criminal penalty applies to knowingly obtaining or disclosing protected health information (PHI) in violation of the Privacy Rule. Penalties include: $50,000.00 and one year in prison; $100,000.00 and up to 5 years in prison for offenses committed under "false pretenses"; and up to $250,000.00 and 10 years in prison for offenses committed with the intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm.
- http://www.hhs.gov/
- http://www.regulations.gov/
- http://www.hrsa.gov/website.htm
- http://www.gpoaccess.gov/cfr/index.html
- http://www.hipaadvisory.com/regs/index.htm
- Office for Civil Rights (OCR) PowerPoint Presentation: http://www.hhs.gov/ocr/hipaa/assist.html