HIPAA Privacy Rule, Part II
Chapter 11: HIPAA Privacy Rule, Part II
Fundamentals of Law for Health Informatics and Information Management, Third Edition
© 2017 American Health Information Management Association
HIPAA: Individual Rights
The HIPAA Privacy Rule gives individuals rights that provide some control over their health information
Access
Request amendment
Accounting of disclosures
Request confidential communications
Request restrictions
Complain of privacy rule violations
HIPAA: Individual Right of Access
Can access one’s own PHI contained in a designated record set
There are exceptions to access
Examples: Psychotherapy notes; information compiled for civil or criminal actions
Denial of access
Some denials are subject to review (appeal)
Other denials are not subject to review (appeal)
HIPAA: Individual Right of Access (continued)
Covered entity may require that the request be in writing
Covered entity must respond within 30 days of receiving the request
One 30-day extension is permitted if a written statement gives the reason for the delay and the date by which the covered entity will complete its action
Extended time permitted for records not maintained on site
Per HITECH, covered entities with EHRs must make PHI available electronically, or send it electronically to a person or entity designated by the individual, if the individual so requests
HIPAA: Individual Right of Access (continued)
A reasonable, cost-based fee may be charged for fulfilling the individual's request, covering:
Labor and supplies
Search and retrieval fees may not be charged to individuals for their own records
Postage, when individual has requested information to be mailed
Preparation of an explanation summary, if agreed to by the individual in advance
Stricter state laws may apply to fees
HIPAA: Individual Right to Request Amendment
Individual has the right to request an amendment to his or her health information
Covered entity may require the amendment request to be in writing
HIPAA provides reasons that an amendment request may be denied
Timely response to the request is required
HIPAA provides process for denial of amendment requests
HIPAA: Individual Right of Accounting of Disclosures
Individuals have the right to know about instances in which their PHI has been disclosed
Accounting includes:
Date of disclosure
Name and address of entity or person who received the information
Brief statement of the purpose of the disclosure
Timely response to request for accounting
First accounting within a 12-month period is free
Must account for disclosures in past 3 years
HIPAA: Individual Right of Accounting of Disclosures (continued)
Exceptions (disclosures not required to be accounted for)
For treatment, payment, or healthcare operations (TPO) purposes (unless disclosed from an EHR)
To the individual, of his or her own PHI
Incident to an otherwise permitted or required use or disclosure
Pursuant to an authorization
Use in a facility directory, to persons involved in the individual’s care, or for other notification purposes
To meet national security or intelligence requirements
To correctional institutions or law enforcement officials
Limited data set
That occurred before the HIPAA privacy compliance date
HIPAA: Individual Right of Accounting of Disclosures (continued)
Per HITECH, a pending “access report” rule would require covered entities (CEs) to account for everyone who used or disclosed electronic health information in a designated record set (DRS)
HIPAA: Individual Right of Confidential Communications
Individuals have the right to request alternative routing/destination of PHI
A request may be refused if the individual does not specify how payment will be handled
HIPAA: Individual Right to Request Restrictions
Individuals may request restrictions on uses and disclosures of PHI to carry out TPO
Covered entity does not have to agree to the requested restriction
Exception: Per HITECH, the covered entity must agree if the disclosure would be to a health plan for payment or operations and the PHI pertains solely to an item or service that has been paid for in full by someone other than the health plan
If the covered entity agrees, it must document and abide by the restriction unless and until it is terminated with notice to the other party
HIPAA: Individual Right to Complain of Violations
The Notice of Privacy Practices must inform individuals of their right to complain both to the covered entity (CE) and to the US Department of Health and Human Services (HHS), and must include contact information for each
HIPAA: Breach
Breach is an “unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information”
Several exceptions apply
Requirements apply only to unsecured PHI: PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of technology
An impermissible use or disclosure of PHI is presumed to be a breach unless the CE or business associate (BA) demonstrates a low probability that the PHI has been compromised
HIPAA: Breach Notification
HITECH requires breach notification as mitigation
Notification to individuals affected
Notification to HHS via online portal
HIPAA-covered entities and BAs are subject to HHS regulations
Entities that are neither HIPAA-covered entities nor BAs are subject to FTC regulations
Includes personal health record (PHR) vendors and third-party service providers of PHR vendors
HIPAA: Breach Notification (continued)
Must inform affected individuals of:
A description of what occurred (including the date of the breach and the date of discovery)
The types of unsecured PHI involved
Steps the individual may take to protect himself or herself
The entity's steps to investigate the breach, mitigate harm, and prevent recurrence
Contact information for individuals to ask questions and receive updates
HIPAA: Breach Notification (continued)
If a breach affects 500 or more individuals, immediate notification is also required to:
Local media outlets
Secretary of HHS for posting on breach portal
HIPAA: Research
HIPAA affects research in the following ways:
When authorization is required
Research is a public interest and benefit exception to the authorization requirement, but an IRB or privacy board must approve any variation from that requirement
In what form authorization may occur:
Standalone
Compound (informed consent + authorization)
Conditioned + unconditioned
Altered
Waived
HIPAA: Preemption
HIPAA is a federal floor, or minimum, on patient privacy requirements.
State laws contrary to HIPAA apply if they are “more stringent,” meaning they:
Provide greater privacy protections
Provide greater patient rights regarding their PHI
or
Fulfill specific purposes enumerated in the law (i.e., they are less stringent but serve purposes such as controlling regulated substances or preventing healthcare fraud and abuse)
HIPAA: Administrative Requirements
Policies and procedures
Designation of privacy officer
Workforce training
Non-disclosure agreements
Mitigation
Includes a process for handling privacy complaints
Data safeguards
Retaliation and waiver (both prohibited)
Document and record retention (HIPAA standard is 6 years)
HIPAA: Penalties and Enforcement
HIPAA Enforcement Rule (2006)
Penalties for noncompliance apply to both CEs and BAs and may be:
Civil
Criminal
Penalty categories
Unknowing
Due to reasonable cause and not willful neglect
Due to willful neglect, but corrected within 30 days of discovery
Due to willful neglect and not corrected as required
HIPAA: Penalties and Enforcement Per HITECH
HHS contracts with a private entity to conduct random audits (enforcement is no longer complaint-driven only)
State attorneys general may bring civil actions in federal court on behalf of residents affected by HIPAA violations
Individuals, not only entities, can now be prosecuted
Recommendations for compensating individuals harmed by violations
