Digital Age MD

Compliance Tools for the Digital Age

HIPAA Privacy Standards

The Department of Health and Human Services published the final regulations for the HIPAA Privacy Standards on December 28, 2000.  Health care providers and others subject to the rules were required to comply starting on April 14, 2003 (April 14, 2004 for small health plans).  The HIPAA Privacy Standards apply to health plans, health care clearinghouses, and health care providers who transmit any health care information in electronic form in connection with a standard transaction, such as a claim or eligibility inquiry.  The Privacy Standards do not apply to student education records or to records a covered entity holds in its role as an employer.


To comply with the Privacy Standards, you will need to:

  • Appoint a Privacy Officer
  • Prepare a Notice of Privacy Practices
  • Enter into Business Associate Agreements with companies, such as billing companies, with whom you share patient information
  • Set up procedures to respond to patient requests to access their records, request modification of the record, request special privacy protections, or receive an accounting of disclosures
  • Modify the form you use for patient authorization to release records to include elements required under the Privacy Standards
  • Conduct staff training on protection of patient privacy
  • Adopt appropriate policies on release of patient information.


The Privacy Standards protect information that (1) is created or received by a health care provider, health plan, or health care clearinghouse, (2) relates to the physical or mental health or condition of an individual, the provision of health care to the individual, or payment for the individual's health care, and (3) identifies the individual, or can be used to identify the individual.  This information is "protected health information", or PHI.  PHI includes not only the patient's diagnosis and details of treatment, but also demographic information.

The regulations define when PHI may be used or disclosed without the individual's authorization; when use or disclosure is permitted unless the individual objects; and when use or disclosure requires the individual's authorization.  The rules are highly complex and detailed.  To provide some general examples, PHI may be used or disclosed without authorization for purposes of treatment, payment, or health care operations.  This means that one physician referring the patient to another physician for treatment may send the patient's record even without express authorization.  Other examples include disclosures required by law, such as child abuse reporting. 

An example of when disclosure is permitted unless the individual objects: if a family member is involved in the patient's care or is paying for care, PHI relevant to the family member's involvement may be disclosed to him/her if the patient knows and does not object.  By contrast, PHI cannot be used or disclosed for marketing purposes without the patient's written authorization (except for face-to-face marketing communications, promotional gifts of nominal value, and certain other narrow exceptions).  Therefore, patient lists cannot be sold to a third party for marketing purposes except with the patient's written authorization.  The Privacy Standards contain detailed requirements for the content of a valid authorization, and an authorization that omits a required element is not valid.

When the Privacy Standards permit use or disclosure of PHI, the use or disclosure must be limited to the minimum necessary to accomplish the purpose.  The minimum necessary standard does not apply to disclosures to a health care provider for treatment, to disclosures to the individual, or to uses or disclosures made under a valid authorization.

Patients have several rights under the Privacy Standards.  First, a patient has a right to receive a "Notice of Privacy Practices" from his/her health plan and health care provider.  A patient also has the right to access his/her record; to request an accounting of disclosures (with certain exceptions, such as disclosures for treatment, payment, or health care operations); to request amendment of the record; and to request greater privacy protections for his/her health information.  There are circumstances in which the patient's request may be denied, but the Privacy Standards contain detailed provisions on how, and in what timeframe, the health care provider or health plan must respond.  The Privacy Standards also specify when the patient's rights may be exercised by a personal representative, such as the parent of a minor or the guardian of an incompetent person.

The Privacy Standards preempt state laws that are contrary to them, but if a state law is more protective of the patient's privacy than the Privacy Standards (e.g., state mental health laws, laws protecting information about HIV status, etc.), the more protective state law continues to apply.  Compliance therefore requires reviewing state law as well as the federal rule.

Last Updated: Monday, 05 July 2010 10:24