This post summarizes key elements of the HIPAA Privacy Rule, including who is covered, what information is protected, and how protected health information can be used and disclosed.
For more information, please refer to hhs.gov.
The article is presented in three posts.
Authorized Uses and Disclosures
A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.
An authorization must be written in specific terms. It may allow use and disclosure of protected health information by the covered entity seeking the authorization, or by a third party.
All authorizations must be in plain language, and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data. The Privacy Rule contains transition provisions applicable to authorizations and other express legal permissions obtained prior to April 14, 2003.
A covered entity must obtain an individual's authorization to use or disclose psychotherapy notes, with the following exceptions:
- The covered entity that originated the notes may use them for treatment.
- A covered entity may use or disclose the psychotherapy notes, without the individual's authorization, for its own training and to defend itself in legal proceedings brought by the individual.
Marketing is another use that requires authorization. The Privacy Rule defines marketing as any communication about a product or service that encourages recipients to purchase or use it, and a covered entity must obtain an authorization to use or disclose protected health information for marketing (face-to-face communications with the individual and promotional gifts of nominal value are excepted). The Privacy Rule carves out the following health-related activities from this definition of marketing:
- Communications to describe health-related products or services, or payment for them.
- Communications about participating providers in a provider or health plan network, replacement of or enhancements to a health plan, and health-related products or services available only to a health plan’s enrollees that add value to, but are not part of, the benefits plan.
- Communications for treatment of the individual.
- Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or care settings to the individual.
Limiting Uses and Disclosures to the Minimum Necessary
This limitation has four aspects: the minimum necessary standard itself, access and uses, disclosures and requests for disclosures, and reasonable reliance on requests from others.
A central aspect of the Privacy Rule is the principle of "minimum necessary" use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.
The minimum necessary requirement is not imposed in any of the following circumstances:
- Disclosure to or a request by a health care provider for treatment
- Disclosure to an individual who is the subject of the information, or the individual’s personal representative
- Use or disclosure made pursuant to an authorization
- Disclosure to HHS for complaint investigation, compliance review or enforcement
- Use or disclosure that is required by law
- Use or disclosure required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules.
Access and Uses
For internal uses, a covered entity must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce. These policies and procedures must identify the persons, or classes of persons, in the workforce who need access to protected health information to carry out their duties.
Disclosures and Requests for Disclosures
For non-routine, non-recurring disclosures, or requests for disclosures that it makes, a covered entity must develop criteria designed to limit disclosures to the information reasonably necessary to accomplish the purpose of the disclosure, and must review each such request individually against those criteria.
If another covered entity requests protected health information, the covered entity receiving the request may rely, if reasonable under the circumstances, on the request as complying with the minimum necessary standard. Similarly, a covered entity may rely on a request as being for the minimum necessary protected health information when it comes from:
- A public official
- A professional (such as an attorney or accountant) who is the covered entity’s business associate, seeking the information to provide services to or for the covered entity
- A researcher who provides the documentation or representation required by the Privacy Rule for research
Notice and Other Individual Rights
Privacy Practices Notice
Each covered entity, with certain exceptions, must provide a notice of its privacy practices. The notice must contain the following elements:
- The ways in which the covered entity may use and disclose protected health information
- The covered entity's duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice
- Individuals' rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated
- A point of contact for further information and for making complaints to the covered entity
The Rule also sets specific notice distribution requirements for three groups of covered entities:
- Health care providers with a direct treatment relationship with the individual
- All other health care providers
- Health plans
Access
Except in certain circumstances, individuals have the right to review and obtain a copy of their protected health information in a covered entity's designated record set.
The Rule excepts from the right of access the following protected health information:
- Psychotherapy notes
- Information compiled for legal proceedings
- Laboratory results to which the Clinical Laboratory Improvement Amendments (CLIA) prohibit access
- Information held by certain research laboratories
For information that falls within the right of access, a covered entity may still deny an individual access in certain specified situations, such as when a licensed health care professional determines that access is reasonably likely to endanger the life or physical safety of the individual or another person.
Amendment
The Rule gives individuals the right to have a covered entity amend their protected health information in a designated record set when that information is inaccurate or incomplete.
Disclosure Accounting
Individuals have a right to an accounting of the disclosures of their protected health information by a covered entity or the covered entity's business associates. The maximum disclosure accounting period is the six years immediately preceding the accounting request, except that a covered entity is not obligated to account for any disclosure made before its Privacy Rule compliance date.
The Privacy Rule does not require accounting for disclosures:
- For treatment, payment, or health care operations
- To the individual or the individual’s personal representative
- For notification of or to persons involved in an individual’s health care or payment for health care, for disaster relief, or for facility directories
- Pursuant to an authorization
- Of a limited data set
- For national security or intelligence purposes
- To correctional institutions or law enforcement officials for certain purposes regarding inmates or individuals in lawful custody
- Incident to otherwise permitted or required uses or disclosures
Restriction Request
Individuals have the right to request that a covered entity restrict use or disclosure of protected health information for treatment, payment or health care operations, disclosure to persons involved in the individual's health care or payment for health care, or disclosure to notify family members or others about the individual's general condition, location, or death. A covered entity is under no obligation to agree to a requested restriction, but if it does agree, it must honor the restriction.
Confidential Communications Requirements
Health plans and covered health care providers must permit individuals to request an alternative means or location for receiving communications of protected health information, by means other than those that the covered entity typically employs. For example, an individual may request that the provider communicate with the individual through a designated address or phone number.
Covered health care providers must accommodate reasonable requests and may not require the individual to explain the reason for the request. Health plans must accommodate reasonable requests if the individual indicates that the disclosure of all or part of the protected health information could endanger the individual.