Privacy And Security Rules
To protect the privacy of PHI that can identify a specific individual or person.
To set national standards for protecting electronic PHI.
Protected Health Information
PHI refers to individually identifiable health information which can be linked to a particular individual or person. It includes:
- The individual’s past, present, or future physical or mental health
- The provision of health care to the individual
- The past, present, or future payment for the provision of health care to the individual
Common Identifiers And Examples Of Health Information
- Social Security Numbers
- Birth Dates
- Care Plans
- Wound Care Logs
- Admissions & Referral Forms
- Incident Reports
Who Is Covered?
Any person or organization who furnishes, bills, or is paid for health care in the normal course of business, such as nursing homes, hospitals, and ICF/MRs.
Any individual or group plan (or combination) that provides, or pays the cost of, medical care, such as health insurance issuers (Blue Cross Blue Shield), HMOs, group health plans, Medicare, and Medicaid.
Any company that translates data content or format for another entity from a non-standard format to a standard one, or vice versa.
A person or entity that performs a function for a covered entity which involves the use or disclosure of PHI. Some examples include:
- Collection Agency
- Medical Transcriptionist
Permitted Uses And Disclosures
The Privacy Rule allows you to use or disclose PHI as follows:
- To the individual
- For treatment, such as disclosing PHI to other healthcare professionals caring for the individual
- For payment, such as claims billing, review services for coverage, or medical necessity
- For healthcare operations, which are the day-to-day activities necessary for quality care. Examples include verifying documentation and determining the quality of care provided by clinicians
Authorization Not Required
The following allows you to use or disclose PHI without the individual’s authorization:
- As required by law
- For public health activities
- For victims of abuse, neglect, or domestic violence
- For health oversight activities
- For judicial and administrative proceedings
- For law enforcement purposes
- To avert a serious threat to health or safety
- For specialized government functions
Authorized Uses And Disclosures Required
A signature from the individual or their personal representative is required to use or disclose PHI:
- For use and disclosure of psychotherapy notes
- For use and disclosures to third parties for marketing activities
Limiting Uses And Disclosures
When using or disclosing PHI, you should use only the minimum amount required to achieve the purpose of the particular use or disclosure. Note that this minimum-necessary requirement does not apply to disclosures for treatment.
If state law is more protective of the individual, it takes precedence over HIPAA.
An individual has the right to:
- Receive a written notice describing your facility’s privacy practices on the first date of service
- See or receive a copy of their medical record or other health information
- Request that any incorrect information in their file be changed
- Have PHI communicated to them by alternative means and at an alternative location to protect confidentiality
- Request restrictions to the use and disclosure of their PHI
- Request a history of disclosures of PHI for six years prior to the request
- File a complaint regarding any privacy concern or breach of privacy with your facility or the Department of Health and Human Services (HHS)
Keep Passwords Safe
Your password is private and personal. It is the connection to everything you access and save on your computer. Here are some suggestions for protecting the privacy of your password:
- Never write your password on a sticky note and place it on your computer.
- Passwords are for your individual use.
- Never email your password.
- Never ask someone for their password or give them yours.
Here are a few important points to remember regarding HIPAA:
- HIPAA law is evolving
- It is influenced by emerging patient needs
- It is affected by changing technology for collecting, storing, distributing, and using PHI
- It impacts our jobs
- It impacts us as individuals who deserve to keep our own health information private, protected, and secure
Q: Are we required to give patients access to their medical records within a fixed time period?
A: Yes. By law, patients who request access must receive copies of their medical records within 30 days of a written request.
Q: Does the HIPAA Privacy Rule apply to our company’s professional associates?
A: Yes. Compliance requirements extend to business associates, such as vendors, lawyers, accountants, and sub-contractors.