SECTION ONE: KEY COMPONENTS OF THE PRIVACY RULE
CONSUMER CONTROL OVER PROTECTED HEALTH INFORMATION (PHI)
The HIPAA Privacy Regulation gives patients and members significant rights in both understanding and controlling how their health information is used. All individually identifiable health information that is maintained or communicated in any form (electronic, paper, or oral) by a covered entity is considered to be PHI. More specifically:
- Covered entities must provide to patients/members Notices of Privacy Practices that provide clear, written explanations of how the covered entity can use, maintain and disclose their PHI.
- Patients/members must be allowed access to their health information upon request and must be allowed to request and obtain copies of their records.
- Patients/members may request amendments to the information in their health records if they think it is incorrect.
- Patients/members may request a documented accounting of certain disclosures of their PHI by the covered entity.
- Providers are not required to obtain consent from their patients before disclosing medical information to third parties, but they can if they choose to do so. They are required to make their patients aware of how they protect their patients' health information by giving their patients a copy of their Notice of Privacy Practices and making a good faith effort to obtain a written acknowledgement from the patient that it was received.
- Specific patient/member authorization must be obtained before releasing PHI for purposes other than treatment, payment or health care operations, or for certain other purposes permitted by the privacy regulation (oversight of the health care system, public health, law enforcement, judicial and legal proceedings, etc.).
- Patients/members have the right to request restrictions on the uses and disclosures of their PHI and to request confidential communication of their PHI.
LIMITATIONS OF THE USE AND RELEASE OF PHI
With few exceptions, covered entities can use an individual's PHI for health care related purposes only (treatment, payment and health care operations). More specifically:
- Employers cannot use PHI to make employment or personnel decisions.
- Uses and disclosures of PHI must be limited to the minimum amount of information necessary to accomplish the purpose of the use or disclosure.
- Authorizations must provide for informed and voluntary permission, in clear and understandable language, for disclosure other than for treatment, payment and health care operations.
IMPLEMENTATION REQUIREMENTS
The privacy regulations leave the format and content of the detailed policies and procedures for meeting the standards to the discretion of each covered entity, thus allowing for flexibility and scalability. In general, covered entities must:
- Adopt written privacy policies and procedures that define access to PHI, the use of PHI by the covered entity and the process for disclosure of PHI.
- Take steps to ensure that their business associates adequately provide for the confidentiality and privacy of PHI.
- Train their employees on the basic provisions of the privacy regulations and the organization's privacy policies and procedures.
- Establish sanctions for employees who violate the privacy policies and procedures.
- Designate a privacy official to be responsible for ensuring the organization's privacy procedures are followed.
- Establish procedures that provide a means for patients/members to make inquiries or register complaints regarding the privacy of their records.
- Establish procedures that provide a means for patients/members to access, make copies of and request amendments to their records.
- Provide a Notice of Privacy Practices to their patients/members.
ACCOUNTABILITY AND ENFORCEMENT
Covered entities that violate the privacy regulations are subject to penalties under HIPAA as indicated below. Enforcement will be through the Department of Health and Human Services Office for Civil Rights.
- Civil penalties are $100 per incident, up to $25,000 per violation per year per standard.
- Federal criminal penalties exist for covered entities that knowingly and improperly disclose information or obtain information under false pretenses. Criminal penalties include fines up to $50,000 and one year in prison for improperly obtaining or disclosing PHI; up to $100,000 and up to five years in prison for obtaining PHI under "false pretenses"; and up to $250,000 and up to 10 years in prison for obtaining or disclosing PHI with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
- There is no statutory authority for a private right of action for individuals to enforce their privacy rights.
OTHER PERMITTED DISCLOSURES
The privacy regulations permit certain disclosures of PHI without individual authorization for certain national priority activities and for activities that allow the health care system to operate more smoothly. These activities include:
- Oversight of the health care system, including quality assurance activities;
- Public health, reporting of disease and vital statistics;
- Research, generally limited to when a waiver of authorization is independently approved by a privacy board or institutional review board;
- Judicial and administrative proceedings;
- Limited law enforcement activities;
- Emergency circumstances;
- Identification of a deceased person or to determine the cause of death;
- Inclusion in facility patient directories;
- Activities related to national defense and security.