HIPAA SECURITY RULE

What is the Security Rule?
Security standards that were developed to protect electronic health care information. The Security Rule adopts a set of national standards for safeguards to protect the confidentiality, integrity, and availability of protected health information.
What is the Security Rule compliance deadline?
With the exception of small health plans, all covered entities must comply by April 20, 2005. Small health plans have until April 20, 2006.
Are all covered entities required to comply with the Security Rule?
Yes. All covered entities that must comply with the HIPAA Privacy Rule must comply with the HIPAA Security Rule.
In what ways do the Security Rule and Privacy Rule differ?
Although the Security Rule is closely linked with the Privacy Rule, the Security Rule concerns the privacy of electronic protected health information.
Does the Security Rule require specific technology?
No. Security Rule standards are technology-neutral and thus do not require the use of specific technology. A covered entity is free to choose technologies appropriate for its particular practice.
Does Privacy Rule compliance establish Security Rule compliance?
No. However, many of the requirements set forth by the Privacy Rule satisfy those required by the Security Rule in terms of a covered entity having in place appropriate administrative, physical, and technical safeguards for the protection of protected health information. In addition, the Security Rule contains 18 security standards that must be implemented. Moreover, there are 42 implementation specifications that are either required or addressable. If implementing an addressable specification is not reasonable and appropriate, the covered entity must document why, and must implement an equivalent alternative measure that is reasonable and appropriate.
What is the reference site for information, guidelines, and instructions pertaining to Security Rule compliance?
http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp
What does HIPAA stand for?
The Health Insurance Portability and Accountability Act.
What is the effective date for new HIPAA privacy rules?
April 14, 2003. Although the HIPAA Privacy Rule became effective in 2001 and final revisions continue to be made, healthcare providers and health plans that are covered by the new rule must comply with the requirements of the rule by April 14, 2003.
What does the HIPAA privacy regulation do?
It creates national standards to protect individuals’ medical records and other personal health information.
In what ways does HIPAA protect a person’s privacy?
• It gives patients more control over their health information.
• It sets boundaries on the use and release of health records.
• It establishes safeguards that healthcare providers and others must achieve to protect the privacy of health information.
• It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
• It enables patients to find out how their information may be used and what disclosures have been made.
• It limits release of information to the minimum reasonably needed for the purpose of disclosure.
• It gives patients the right to examine and obtain a copy of their health records and request corrections.
What do HIPAA privacy regulations require a healthcare provider to do?
• Provide information to patients about their privacy rights and how their information can be used.
• Adopt clear privacy procedures for the practice.
• Train employees so that they understand the privacy procedures.
• Designate an individual (Privacy Officer) to be responsible for seeing that the privacy procedures are adopted and followed.
• Secure patient records containing individually identifiable health information so that they are not readily available to those who do not need them.
Who must comply with HIPAA privacy rules?
Health plans, healthcare clearinghouses, and those healthcare providers who conduct certain financial and administrative transactions electronically, such as billing and fund transfers. These entities, collectively called “covered entities”, are bound by the new privacy standards even if they contract with others to perform some of their essential functions.
Who is a “Covered Entity” under HIPAA?
A health plan or payor (including government payors), a healthcare clearinghouse, such as a billing service, or a healthcare provider such as a physician, dentist, hospital or pharmacy, or any healthcare provider who transmits any healthcare information in electronic form, which includes telephones, fax machines and computers.
What does “PHI” stand for?
Protected Health Information. PHI is all medical records and other individually identifiable health information (IIHI) used or disclosed by a covered entity in any form, whether electronically, on paper or orally.
What does “IIHI” stand for?
Individually Identifiable Health Information. IIHI is any health information that is collected from the patient or created or received by a healthcare provider or other covered entity or employer that relates to the past, present or future physical or mental health condition of an individual, or the provision of healthcare, or the past, present or future payment for the provision of healthcare by your practice, and that could potentially identify an individual.
What constitutes Individually Identifiable Information?
Name, address, date of birth, telephone number, fax number, e-mail address, social security number, medical record number, health plan beneficiary number, account number, driver’s license, vehicle identification number and vehicle tag, medical device serial number, facial photograph, biometric identifiers including finger and voice prints, and any other unique identifying number, characteristic or code.
Can a pharmacist use personal health information to fill a prescription that was telephoned in by the patient’s physician if the patient is a new patient to the pharmacy and has not yet provided written consent/authorization to the pharmacy?
No. The HIPAA Privacy Rule does not permit this activity without prior patient consent/authorization.
Will the consent requirements restrict the ability of providers to consult with other providers about a patient’s condition?
No. A provider with a direct treatment relationship with a patient would have to have initially obtained consent to use that patient’s health information for treatment purposes. Consulting with another healthcare provider about the patient’s case falls within the definition of “treatment” and, therefore, is permissible. If the provider being consulted does not otherwise have a direct treatment relationship with the patient, that provider does not need to obtain the patient’s consent to engage in the consultation.
What does “use” mean?
The sharing, employment, application, utilization, examination or analysis of PHI within the practice.
What does “disclosure” mean?
The release, transfer, giving access to or divulging in any other manner of PHI to anyone outside of the practice.
Can a patient have a friend or family member pick up a prescription?
Yes. Moreover, the patient does not need to provide the pharmacist with the name of the friend or family member in advance.
What is the difference between “consent” and “authorization” under the Privacy Rule?
A consent is a general document that gives healthcare providers, which have a direct treatment relationship with a patient, permission to use and disclose personal health information. An authorization is a more customized document that gives covered entities permission to use personal health information for specified purposes or to disclose personal health information to a third party specified by the patient.
When must a Patient Authorization Form be obtained?
HIPAA privacy regulations require healthcare providers to obtain the Authorization of the individual for any uses or disclosures of protected health information not otherwise permitted or required by the regulation. A written Patient Authorization Form must be signed by the patient.
May consent for use or disclosure of personal health information be provided electronically?
Yes, provided that the consent meets all of the requirements under the Privacy Rule.
Must a covered entity verify a signature on a consent form if the patient is not present when it was signed?
No.
Must the revocation of a Consent be in writing?
Yes.
How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?
The Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. There is no strict standard, but rather a reasonableness standard, and thus the determination of what constitutes the minimum necessary will vary for each case. The determination should be governed by professional judgment and prevailing standards.
Do the minimum necessary requirements prohibit medical residents, medical students, nursing students, and other medical trainees from accessing patients’ medical information in the course of their training?
No. The definition of “healthcare operations” in the Privacy Rule provides for training programs of healthcare providers. However, covered entities should shape policies and procedures for minimum necessary uses and disclosures to permit medical trainees access to patients’ medical information, including entire medical records.
May providers make a “minimum necessary determination” to disclose to federal or state agencies, such as the Social Security Administration or affiliated state agencies, in connection with a patient’s determination for benefits?
No. Under the Privacy Rule, such disclosures must be authorized by the patient and, therefore, are exempt from the minimum necessary requirements.
Does the rule strictly prohibit the use, disclosure, or requests of an entire medical record?
No. The Privacy Rule does not prohibit use, disclosure, or requests of an entire medical record. However, privacy practices should be developed to comply with the minimum necessary determination rule, such as in the case of routine requests for disclosure or when disclosure of the entire record is not necessary for a particular purpose.
In limiting access, are covered entities required to restructure existing workflow systems, including office space and upgrades to computer systems, in order to comply with the minimum necessary requirements?
No. Under the Privacy Rule, the basic standard for minimum necessary uses requires that covered entities make reasonable efforts to limit access to PHI to those in the workforce that need access based on their roles in the covered entity.
Are sign-in sheets in waiting rooms prohibited by the Privacy Rule?
No. However, do not utilize a sign-in sheet or registration log that solicits the reason for the visit or other personal health information.
What action should be taken when a covered entity believes that a request is seeking more than minimum necessary PHI?
Limit the disclosure to the minimum necessary. However, should a situation not permit obtaining additional authorization from the patient for the information felt to be beyond the minimum necessary, and the welfare of the patient is at stake, document the medical rationale for any disclosures beyond the minimum necessary.
If healthcare providers engage in confidential conversations with other providers or with patients, have they violated the Privacy Rule if there is a possibility that they could be overheard?
No, not if reasonable safeguards to protect confidentiality or prevent inadvertent disclosure to others were taken.
Do covered entities need to provide patients access to oral information?
No. The Privacy Rule requires access to PHI that is contained in “designated record sets”. The term “record” does not include oral information.
What is a “business associate”?
A person or entity that is not a member of your practice’s workforce who uses or discloses PHI to carry out certain activities on behalf of the medical practice or covered entity.
Are covered entities liable for the privacy violations of a business associate?
No. A healthcare provider, health plan, or other covered entity is not liable for privacy violations of a business associate.
Does the Privacy Rule allow parents the right to see their children’s medical records?
Yes; however, under state law, minors are entitled to confidentiality under certain circumstances. For example, because the Privacy Rule does not preempt state law regarding the confidentiality of a minor who seeks treatment for a sexually transmissible disease, the minor’s parent may not access that particular information.
Must permission of the patient be obtained prior to notifying public health authorities of a reportable disease?
No. HIPAA privacy rules do not preempt state statutes pertaining to such mandatory reporting requirements.
Does the Privacy Rule prevent reporting to consumer credit reporting agencies or otherwise create any conflict with the Fair Credit Reporting Act?
No. However, disclosures are limited to the patient’s name and address; date of birth; social security number; payment history; account number. The name and address of the provider making the report is allowed. The covered entity may perform this payment activity directly or may carry out this function through a third party, such as a collection agency, under a business associate agreement. Where a use or disclosure of PHI is necessary for a covered entity to fulfill a legal duty, the Privacy Rule would permit such use or disclosure as required by law.
Are violations of HIPAA privacy rules subject to penalties?
Yes. Violations are subject to both civil and Federal criminal penalties. Depending on the circumstances, improper disclosure of medical information can result in fines – up to $250,000 if circumstances are egregious enough. Enforcement of HIPAA regulations will be through the Office of Civil Rights. Violations are also subject to sanctions under state law.
Does HIPAA permit patients the right to view and amend their medical records?
While state law gives the patient a right to access their personal health information and be furnished a copy of the medical record, HIPAA privacy provisions allow the patient to request that corrections be made to their medical records. However, HIPAA regulations and state law provide exceptions to the right to access medical records under certain circumstances, and the request to correct or amend the medical record may be denied if the information was not created by the provider; is not part of the health information in the medical record; is not part of information that the patient would otherwise be entitled to view or copy (such as psychiatric records); or if the information is correct and complete. If the patient’s request to amend the record is denied, a written denial must be sent to the patient specifying one or more of the permissible reasons for the denial. In response to a denial to amend the record, the patient may submit a statement of disagreement that must be maintained in their chart.
What is the time frame for accommodating a patient’s access to their PHI?
Under the Privacy Rule, requests to access PHI must be acted on within 30 days unless the PHI is not maintained or accessible on site, in which case the entity must act within 60 days. If the entity is unable to act within these time limits, the patient must be informed in writing of the reasons for the delay and when, no later than 30 additional days, the PHI will be made available. However, because certain state laws are not preempted by HIPAA, access to and production of medical records would have to be made in accordance with state law.
May a patient be denied access to their PHI?
Yes. Under the Privacy Rule, there are a number of exceptions, most notably psychotherapy notes and information a provider has compiled in anticipation of a civil, criminal or administrative action. Access may also be denied to the patient if a provider determines that access is likely to endanger the life or physical safety of the patient or another person, or if the PHI was obtained from someone other than the provider under a promise of confidentiality and the access would reveal the source of the information.
When access to PHI is denied, must written notice be provided?
Yes. Under the Privacy Rule, a written denial must be sent containing the reason for the denial, a description of the patient’s right to a review of the denial, if any, and a description of how to complain to the provider or to the U.S. Secretary of HHS.
Must notice of HIPAA privacy practices for Protected Health Information be provided?
Yes. Upon request of the patient, a provider must furnish a paper copy of the current Notice of Privacy Practices for protected health information in effect at the medical or dental practice. The notice must be written in plain language and contain the header statement “This Notice Describes How Medical Information About You May Be Used And Disclosed And How You Can Get Access To This Information. Please Review It Carefully”. The Notice must be revised and distributed whenever there is a material change and must be made available to any person. In addition, a good faith effort must be made to have the patient sign an acknowledgement of receipt of the Notice.
Do HIPAA privacy regulations set forth Notice requirements for electronic communications?
Yes. If the provider maintains a website that provides information about the provider’s services, it must prominently post the Notice on the website and make it available electronically through the website. The Notice may be provided by e-mail if the patient agrees to electronic notice; however, the patient retains the right to obtain a paper copy upon request.
Must the Business Associate Agreement be in writing?
Yes. The Privacy Rule sets forth very specific requirements and language that must be contained in a Business Associate Agreement.
Must an accounting of the disclosures made of a patient’s protected health information be provided?
Yes. HIPAA privacy regulations give patients the right to obtain an accounting of the disclosures made of their protected health information. Accountings must include disclosures made in the six years prior to the date on which the accounting is requested, unless the patient requests an accounting for a lesser time frame. However, accountings do not have to include disclosures made prior to April 14, 2003, or disclosures made to carry out treatment, payment or healthcare operations; disclosures made to the patient or their legal representative; disclosures made pursuant to an authorization; disclosures to correctional institutions or law enforcement officials; or disclosures for facility directory purposes. Additional exceptions may also apply.
Must the Accounting of Disclosures of PHI contain specific information?
Yes. Under the Privacy Rule, the Accounting of Disclosures of PHI must include disclosures to or by business associates of the provider; the date of the disclosure; the name of the entity or person who received the PHI and, if known, their address; a brief description of the PHI disclosed; and a statement of the purposes of the disclosure informing the patient of the basis of the disclosure.
How must the Accounting of Disclosures be made when multiple disclosures of PHI were made to the same person or entity?
The provider must provide the information required for the first disclosure; the frequency, periodicity, or number of disclosures made during the accounting period; and the date of the last disclosure.
Do privacy regulations set forth a required timeframe for complying with the Accounting of Disclosures of PHI?
Yes. A provider must act on the request for an accounting no later than 60 days after receipt of a request by providing the accounting requested; or, if unable to provide the accounting within 60 days, by providing the patient with a written statement of the reasons for the delay and the date by which the accounting will be provided, but no longer than 90 days from the date of the request.
May a provider charge the patient for furnishing the Accounting of Disclosures?
Not for the first accounting requested by the patient in any 12-month period. However, privacy rules permit that a reasonable cost-based fee may then be charged for subsequent accountings within the 12-month period. The patient must be informed in advance of the fee, and an opportunity must be given for the patient to withdraw or modify the request for the subsequent accounting(s).
How long must an Accounting of Disclosures be retained?
Under the Privacy Rule, the accountings provided to patients, the titles of the persons or offices responsible for receiving and processing requests for accountings, and the information required to be included in an accounting must be documented and retained for a six-year period.
Disclaimer
NOTE: FPIC provides HIPAA guidance as a benefit to its policyholders for educational and informational purposes only. Any representations or written reports rendered in conjunction with this benefit should not be considered a certification of HIPAA compliance, nor should they be interpreted as offering legal, financial, or other professional services. Policyholders that are developing policies and procedures to comply with HIPAA’s Privacy Rule should seek legal and/or professional assistance to be sure that an appropriate compliance plan is implemented for their particular practice.