Privacy Policy

HIPAA: PRIVACY COMPLIANCE

The HIPAA (Health Insurance Portability & Accountability Act) Privacy Rule ensures that personal medical information shared with doctors, hospitals and others who provide and pay for healthcare is protected.

Basically, the Privacy Rule does the following:

  • Imposes new restrictions on the use and disclosure of personal health information
  • Gives clients greater access to their medical records, and
  • Gives clients greater protection of their medical records

Who is covered by the HIPAA Privacy Rule?

  • Healthcare providers
  • Health Plans
  • Healthcare Clearinghouses
  • Business Associates who have access to patient records

What is protected health information (PHI)?

Any health information or patient information used or disclosed by a covered entity in any form (oral, recorded, on paper, or sent electronically), together with any personal health information that contains details connecting the patient to that information.

Examples of information that might connect personal health information to the individual include:

  • The individual’s name or address
  • Social Security or other identification numbers
  • Physician’s personal notes
  • Billing information

What are the rules for the use and disclosure of protected health information?

HIPAA’s Privacy Rule is all about the use and disclosure of Protected Health Information. With few exceptions, PHI can’t be used or disclosed by anyone unless it is permitted or required by the Privacy Rule.

PHI is used when:

  • Shared
  • Examined
  • Applied
  • Analyzed

PHI is disclosed when:

  • Released
  • Transferred
  • In any way accessed by anyone outside the covered entity

Permitted use or disclosure of PHI

  • For treatment, payment & healthcare operations
  • With authorization or agreement from the individual
  • Disclosure to the individual
  • Incidental uses, such as physicians talking to individuals in a semi-private room

Required use & disclosure

  • When requested or authorized by the individual
  • When required by the Department of Health and Human Services for compliance or investigation.

When is authorization required?

When used for purposes other than

  • Treatment
  • Payment
  • Healthcare operations

Generally, authorization is required

  • For use or disclosure of psychotherapy notes
  • For use and disclosure to third parties for marketing activities such as selling lists of patients and enrollees

When is authorization not required?

  • To maintain a client directory
  • To inform family members or other identified persons involved in the individual’s care, or to notify them of the individual’s location, condition or death
  • To inform appropriate agencies during disaster relief
  • Public health activities related to disease prevention or control
  • To report victims of abuse, neglect, or domestic violence
  • Health oversight activities such as audits, legal investigations, licensure or for certain law enforcement purposes or government functions
  • For coroners, medical examiners, funeral directors, tissue/organ donations, or certain research purposes
  • To avert a serious threat to health and safety

What is minimum necessary?

In general, use/disclosure of PHI is limited to the minimum amount of health information necessary to get the job done. That means:

  • Covered entities must develop policies and practices to make sure the least amount of health information is shared.
  • Employees who regularly access PHI must be identified.
  • The types of PHI those employees need, and the conditions under which they may access it, must be defined.

What is the Privacy Notice?

The Privacy Notice is a notice containing the client’s rights and the agency’s legal duties. It must be available to clients in print, displayed in the facility, and posted on a web site where possible.

What are Client Privacy Rights?

  • Receive the Privacy Notice at the time of first delivery of service.
  • Restrict use and disclosure, although the covered entity is not required to agree
  • Have PHI communicated to them by alternate means and at alternate locations to protect confidentiality
  • Inspect, correct and amend PHI and obtain copies, with some exceptions
  • Request a history of non-routine disclosures for six years prior to the request, and
  • Contact designated persons regarding any privacy concerns or breach of privacy within the facility or at Health & Human Services

What must Mon Ami do to comply?

  • Allow clients to see and copy their PHI
  • Designate a full or part-time privacy official responsible for implementing the programs
  • Designate a contact person or office responsible for receiving complaints
  • Develop a Notice of Privacy Practices document
  • Develop policies and safeguards to protect PHI and limit incidental use or disclosure
  • Institute training programs for employees, agents and volunteers
  • Institute a complaints process, and file and resolve formal complaints.
  • Make sure that contracts with business associates comply with the Privacy Rule.

What happens to those who don’t comply?

  • A $100 civil penalty up to a maximum of $25,000 per year for each standard violated
  • A criminal penalty for knowingly disclosing PHI

What can you do to protect clients’ privacy and confidentiality?

Make sure you fully understand Mon Ami’s privacy practices.

Protect the client’s personal health information.

Never discuss a client’s personal health information other than in a business setting.

Encourage others to do the same.