This post is a summary of key elements of the HIPAA Privacy Rule including who is covered, what information is protected, and how protected health information can be used and disclosed.
For more info please refer to hhs.gov
This article is presented in three posts.
Administrative Requirements
HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the flexibility and scalability of the Rule are intended to allow covered entities to analyze their own needs and implement solutions appropriate for their own environment. What is appropriate for a particular covered entity depends on the nature of its business and on its size and resources. The Rule's administrative requirements are:
- Privacy Policies and Procedures: A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule.
- Privacy Personnel: A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.
- Workforce Training and Management: Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity. A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate. A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule.
- Mitigation: A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.
- Data Safeguards: A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.
- Complaints: A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. The covered entity must explain those procedures in its privacy practices notice. The covered entity may also advise individuals that complaints can be submitted to the Secretary of HHS.
- Retaliation and Waiver: A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule. Also, a covered entity may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, and enrollment or benefits eligibility.
- Documentation and Record Retention: A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.
- Fully-Insured Group Health Plan Exception: The only administrative obligations with which a fully-insured group health plan that has no more than enrollment data and summary health information is required to comply are the (1) ban on retaliatory acts and waiver of individual rights, and (2) documentation requirements with respect to plan documents if such documents are amended to provide for the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO that services the group health plan.
Organizational Options
The Rule contains provisions that address a variety of organizational issues that may affect the operation of the privacy protections. These issues are:
- Hybrid Entity: The Privacy Rule permits a covered entity that is a single legal entity and that conducts both covered and non-covered functions to elect to be a “hybrid entity.” To be a hybrid entity, the covered entity must designate in writing its operations that perform covered functions as one or more “health care components.” After making this designation, most of the requirements of the Privacy Rule will apply only to the health care components.
- Affiliated Covered Entity: Legally separate covered entities that are affiliated by common ownership or control may designate themselves as a single covered entity for Privacy Rule compliance.
- Organized Health Care Arrangement: The Privacy Rule identifies relationships in which participating covered entities share protected health information to manage and benefit their common enterprise as “organized health care arrangements.”
- Covered Entities With Multiple Covered Functions: A covered entity must operate its different covered functions in compliance with the Privacy Rule provisions applicable to those covered functions. The covered entity may not use or disclose the protected health information of an individual who receives services from one covered function (e.g., health care provider) for another covered function (e.g., health plan) if the individual is not involved with the other function.
- Group Health Plan Disclosures to Plan Sponsors: A group health plan and the health insurer or HMO offered by the plan may disclose certain protected health information to the "plan sponsor", that is, the employer, union, or other employee organization that sponsors and maintains the group health plan.
Other Provisions: Personal Representatives and Minors
- Personal Representatives: A personal representative is a person legally authorized to make health care decisions on an individual’s behalf or to act for a deceased individual or the estate.
- Special Case: Minors. In most cases, parents are the personal representatives for their minor children. Therefore, in most cases, parents can exercise individual rights, such as access to the medical record, on behalf of their minor children. In certain exceptional cases, the parent is not considered the personal representative. In these situations, the Privacy Rule defers to State and other law to determine the rights of parents to access and control the protected health information of their minor children.
State Law
State laws that are contrary to the Privacy Rule are preempted by the federal requirements, which means that the federal requirements will apply. "Contrary" means that it would be impossible for a covered entity to comply with both the State and federal requirements, or that the provision of State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.
The Privacy Rule provides exceptions to the general rule of federal preemption for contrary State laws that:
- Relate to the privacy of individually identifiable health information and provide greater privacy protections or privacy rights with respect to such information
- Provide for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, or
- Require certain health plan reporting, such as for management or financial audits.
In addition, preemption of a contrary State law will not occur if HHS determines, in response to a request from a State or other entity or person, that the State law:
- Is necessary to prevent fraud and abuse related to the provision of or payment for health care,
- Is necessary to ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation,
- Is necessary for State reporting on health care delivery or costs,
- Is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served, or
- Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances or that is deemed a controlled substance by State law.
Enforcement and Penalties for Noncompliance
The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing the Privacy Rule standards and may conduct complaint investigations and compliance reviews.
Covered entities that fail to comply voluntarily with the standards may be subject to civil money penalties. In addition, certain violations of the Privacy Rule may be subject to criminal prosecution. These penalty provisions are:
- Civil Money Penalties
- Criminal Penalties
Civil Money Penalties
OCR may impose a penalty on a covered entity for a failure to comply with a requirement of the Privacy Rule. Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity’s failure to comply was due to willful neglect. Penalties may not exceed a calendar year cap for multiple violations of the same requirement.
A penalty will not be imposed for violations in certain circumstances, such as if:
- The failure to comply was not due to willful neglect, and was corrected during a 30-day period after the entity knew or should have known the failure to comply had occurred
- The Department of Justice has imposed a criminal penalty for the failure to comply
In addition, OCR may choose to reduce a penalty if the failure to comply was due to reasonable cause and the penalty would be excessive given the nature and extent of the noncompliance.
Before OCR imposes a penalty, it will notify the covered entity and provide the covered entity with an opportunity to provide written evidence of those circumstances that would reduce or bar a penalty. This evidence must be submitted to OCR within 30 days of receipt of the notice. In addition, if OCR states that it intends to impose a penalty, a covered entity has the right to request an administrative hearing to appeal the proposed penalty.
Criminal Penalties
A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one year of imprisonment. The criminal penalties increase to $100,000 and up to five years of imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years of imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm. The Department of Justice, not OCR, is responsible for criminal prosecutions under the Privacy Rule.