HIPAA SECURITY RULE
What is the Security Rule?
Security standards developed to protect electronic health information. The Security Rule adopts a set of national standards for administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information.
What is the Security Rule compliance deadline?
With the exception of small health plans, all covered entities must comply by April 20, 2005. Small health plans have until April 20, 2006.
Are all covered entities required to comply with the Security Rule?
Yes. All covered entities that must comply with the HIPAA Privacy Rule must comply with the HIPAA Security Rule.
In what ways do the Security Rule and Privacy Rule differ?
Although the two rules are closely linked, they differ in scope. The Privacy Rule governs the use and disclosure of protected health information in any form (electronic, paper, or oral). The Security Rule applies only to protected health information in electronic form and prescribes the administrative, physical, and technical safeguards that must protect it.
Does the Security Rule require specific technology?
No. Security Rule standards are technology-neutral and thus do not require the use of specific technology. A covered entity is free to choose technologies appropriate for its particular practice.
Does Privacy Rule compliance establish Security Rule compliance?
No. Many of the Privacy Rule's requirements overlap with the Security Rule, in that a covered entity must already have appropriate administrative, physical, and technical safeguards in place for protected health information. The Security Rule, however, contains 18 security standards that must be implemented, together with 42 implementation specifications that are either required or addressable. A required specification must be implemented as written. For an addressable specification, the covered entity must assess whether implementing it is reasonable and appropriate; if it is not, the entity must document why and must implement an equivalent alternative measure that is reasonable and appropriate. That documentation should be retained so the decision can be shown on audit.
What is the reference site for information, guidelines, and instructions pertaining to Security Rule compliance?
http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp
What does HIPAA stand for?
The Health Insurance Portability and Accountability Act of 1996.
What is the effective date for new HIPAA privacy rules?
April 14, 2003. Although the HIPAA Privacy Rule became effective in 2001 and final revisions continue to be made, healthcare providers and health plans that are covered by the new rule must comply with the requirements of the rule by April 14, 2003.
What does the HIPAA privacy regulation do?
It creates national standards to protect individuals' medical records and other personal health information.
In what ways does HIPAA protect a person's privacy?
• It gives patients more control over their health information.
• It sets boundaries on the use and release of health records.
• It establishes safeguards that healthcare providers and others must achieve to protect the privacy of health information.
• It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients' privacy rights.
• It enables patients to find out how their information may be used and what disclosures have been made.
• It limits release of information to the minimum reasonably needed for the purpose of disclosure.
• It gives patients the right to examine and obtain a copy of their health records and request corrections.
What do HIPAA privacy regulations require a healthcare provider to do?
Provide information to patients about their privacy rights and how their information can be used.
Adopt clear privacy procedures for the practice.
Train employees so that they understand the privacy procedures.
Designate an individual (Privacy Officer) to be responsible for seeing that the privacy procedures are adopted and followed.
Secure patient records containing individually identifiable health information so that they are not readily available to those who do not need them.
Who must comply with HIPAA privacy rules?
Health plans, healthcare clearinghouses, and those healthcare providers who conduct certain financial and administrative transactions electronically, such as billing and fund transfers. These entities, collectively called "covered entities", are bound by the new privacy standards even if they contract with others to perform some of their essential functions.
Who is a "Covered Entity" under HIPAA?
A health plan or payor (including government payors), a healthcare clearinghouse, such as a billing service, or a healthcare provider such as a physician, dentist, hospital or pharmacy, or any healthcare provider who transmits health information in electronic form in connection with a covered transaction. Note that the rule's definition of electronic media covers computers and computer networks; a paper fax or a voice telephone call is generally not an electronic transmission unless the information already existed in electronic form before it was sent.
What does "PHI" stand for?
Protected Health Information. PHI is all medical records and other individually identifiable health information (IIHI) used or disclosed by a covered entity in any form, whether electronically, on paper or orally.
What does "IIHI" stand for?
Individually Identifiable Health Information. IIHI is any health information that is collected from the patient, or created or received by a healthcare provider or other covered entity or employer, that relates to the past, present or future physical or mental health condition of an individual, the provision of healthcare, or the past, present or future payment for the provision of healthcare by your practice, and that could potentially identify an individual.
What constitutes Individually Identifiable Information?
Name, address, date of birth, telephone number, fax number, e-mail address, social security number, medical record number, health plan beneficiary number, account number, driver's license number, vehicle identification number and vehicle tag, medical device serial number, facial photograph, biometric identifiers including finger and voice prints, and any other unique identifying number, characteristic or code.
Can a pharmacist use personal health information to fill a prescription that was telephoned in by the patient's physician if the patient is a new patient to the pharmacy and has not yet provided written consent/authorization to the pharmacy?
No. The HIPAA Privacy Rule does not permit this activity without prior patient consent/authorization.
Will the consent requirements restrict the ability of providers to consult with other providers about a patient's condition?
No. A provider with a direct treatment relationship with a patient would have to have initially obtained consent to use that patient's health information for treatment purposes. Consulting with another healthcare provider about the patient's case falls within the definition of "treatment" and, therefore, is permissible. If the provider being consulted does not otherwise have a direct treatment relationship with the patient, that provider does not need to obtain the patient's consent to engage in the consultation.
What does "use" mean?
The sharing, employment, application, utilization, examination or analysis of PHI within the practice.
What does "disclosure" mean?
The release, transfer, giving access to or divulging in any other manner of PHI to anyone outside of the practice.
Can a patient have a friend or family member pick up a prescription?
Yes. Moreover, the patient does not need to provide the pharmacist with the names of such friends or family members in advance.
What is the difference between "consent" and "authorization" under the Privacy Rule?
A consent is a general document that gives healthcare providers which have a direct treatment relationship with a patient permission to use and disclose personal health information. An authorization is a more customized document that gives covered entities permission to use personal health information for specified purposes or to disclose personal health information to a third party specified by the patient.
When must a Patient Authorization Form be obtained?
HIPAA privacy regulations require healthcare providers to obtain the Authorization of the individual for any uses or disclosures of protected health information not otherwise permitted or required by the regulation. A written Patient Authorization Form must be signed by the patient.
May consent for use or disclosure of personal health information be provided electronically?
Yes, provided that the consent meets all of the requirements under the Privacy Rule.
Must a covered entity verify a signature on a consent form if the patient is not present when it was signed?
No.
Must the revocation of a Consent be in writing?
Yes.
How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?
The Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. There is no strict standard, but rather a reasonableness standard, and thus the determination of what constitutes the minimum necessary will vary for each case. The determination should be governed by professional judgment and prevailing standards.
Do the minimum necessary requirements prohibit medical residents, medical students, nursing students, and other medical trainees from accessing patients' medical information in the course of their training?
No. The definition of "healthcare operations" in the Privacy Rule provides for training programs of healthcare providers. Covered entities can therefore shape their policies and procedures for minimum necessary uses and disclosures to permit medical trainees access to patients' medical information, including entire medical records.
May providers make a "minimum necessary determination" to disclose to federal or state agencies, such as the Social Security Administration or affiliated state agencies, in connection with a patient's determination for benefits?
No. Under the Privacy Rule, such disclosures must be authorized by the patient and, therefore, are exempt from the minimum necessary requirements.
Does the rule strictly prohibit the use, disclosure, or requests of an entire medical record?
No. The Privacy Rule does not prohibit use, disclosure, or requests of an entire medical record. However, privacy practices should be developed to comply with the minimum necessary determination rule, such as in the case of routine requests for disclosure or when disclosure of the entire record is not necessary for a particular purpose.
In limiting access, are covered entities required to restructure existing workflow systems, including office space and upgrades to computer systems, in order to comply with the minimum necessary requirements?
No. Under the Privacy Rule, the basic standard for minimum necessary uses requires that covered entities make reasonable efforts to limit access to PHI to those members of the workforce who need access based on their roles in the covered entity.
Are sign-in sheets in waiting rooms prohibited by the Privacy Rule?
No. However, do not utilize a sign-in sheet or registration log that solicits the reason for the visit or other personal health information.
What action should be taken when a covered entity believes that a request is seeking more than the minimum necessary PHI?
Limit the disclosure to the minimum necessary. However, should a situation not permit obtaining additional authorization from the patient for the information felt to be beyond the minimum necessary, and the welfare of the patient is at stake, document the medical rationale for any disclosures beyond the minimum necessary.
If healthcare providers engage in confidential conversations with other providers or with patients, have they violated the Privacy Rule if there is a possibility that they could be overheard?
No, not if reasonable safeguards to protect confidentiality and prevent inadvertent disclosure to others were taken.
Do covered entities need to provide patients access to oral information?
No. The Privacy Rule requires access to PHI that is contained in "designated record sets". The term "record" does not include oral information.
What is a "business associate"?
A person or entity that is not a member of your practice's workforce who uses or discloses PHI to carry out certain activities on behalf of the medical practice or covered entity.
Are covered entities liable for the privacy violations of a business associate?
No. A healthcare provider, health plan, or other covered entity is not liable for the privacy violations of a business associate. The covered entity does, however, remain responsible under the Privacy Rule for acting on a known problem: if it learns of a pattern of activity or practice by the business associate that materially breaches the agreement, it must take reasonable steps to cure the breach or end the violation and, if that is unsuccessful, terminate the contract where feasible.
Does the Privacy Rule allow parents the right to see their children's medical records?
Yes; however, under state law minors are entitled to confidentiality under certain circumstances. For example, because the Privacy Rule does not preempt state law regarding the confidentiality of a minor who seeks treatment for a sexually transmissible disease, the minor's parent may not access that particular information.
Must permission of the patient be obtained prior to notifying public health authorities of a reportable disease?
No. HIPAA privacy rules do not preempt state statutes pertaining to such mandatory reporting requirements, and the Privacy Rule itself permits disclosures to public health authorities authorized by law to collect such information without the patient's authorization.
Does the Privacy Rule prevent reporting to consumer credit reporting agencies or otherwise create any conflict with the Fair Credit Reporting Act?
No. However, disclosures are limited to the patient's name and address, date of birth, social security number, payment history, and account number. The name and address of the provider making the report is allowed. The covered entity may perform this payment activity directly or may carry out this function through a third party, such as a collection agency, under a business associate agreement. Where a use or disclosure of PHI is necessary for a covered entity to fulfill a legal duty, the Privacy Rule would permit such use or disclosure as required by law.
Are violations of HIPAA privacy rules subject to penalties?
Yes. Violations are subject to both civil and Federal criminal penalties. Depending on the circumstances, improper disclosure of medical information can result in fines of up to $250,000 if the circumstances are egregious enough. Enforcement of HIPAA regulations will be through the HHS Office for Civil Rights. Violations are also subject to sanctions under state law.
Does HIPAA permit patients the right to view and amend their medical records?
While state law gives the patient a right to access their personal health information and be furnished a copy of the medical record, HIPAA privacy provisions allow the patient to request that corrections be made to their medical records. However, HIPAA regulations and state law provide exceptions to the right to access medical records under certain circumstances, and the request to correct or amend the medical record may be denied if the information was not created by the provider; is not part of the health information in the medical record; is not part of information that the patient would otherwise be entitled to view or copy (such as psychiatric records); or if the information is correct and complete. If the patient's request to amend the record is denied, a written denial must be sent to the patient specifying one or more of the permissible reasons for the denial. In response to a denial to amend the record, the patient may submit a statement of disagreement that must be maintained in their chart.
What is the time frame for accommodating a patient's access to their PHI?
Under the Privacy Rule, requests to access PHI must be acted on within 30 days unless the PHI is not maintained or accessible on site, in which case the entity must act within 60 days. If the entity is unable to act within these time limits, the patient must be informed in writing of the reasons for the delay and of the date, no later than 30 additional days, by which the PHI will be made available. However, because certain state laws are not preempted by HIPAA, access to and production of medical records would have to be made in accordance with state law.
May a patient be denied access to their PHI?
Yes. Under the Privacy Rule, there are a number of exceptions, most notably psychotherapy notes and information a provider has compiled in anticipation of a civil, criminal or administrative action. Access may also be denied to the patient if a provider determines that access is likely to endanger the life or physical safety of the patient or another person, or if the PHI was obtained from someone other than the provider under a promise of confidentiality and the access would reveal the source of the information.
When access to PHI is denied, must written notice be provided?
Yes. Under the Privacy Rule, a written denial must be sent containing the reason for the denial, a description of the patient's right to a review of the denial, if any, and a description of how to complain to the provider or to the U.S. Secretary of HHS.
Must notice of HIPAA privacy practices for Protected Health Information be provided?
Yes. Upon request of the patient, a provider must furnish a paper copy of the current Notice of Privacy Practices for protected health information in effect at the medical or dental practice. The notice must be written in plain language and contain the header statement "This Notice Describes How Medical Information About You May Be Used And Disclosed And How You Can Get Access To This Information. Please Review It Carefully." The Notice must be revised and distributed whenever there is a material change and must be made available to any person. In addition, a good faith effort must be made to have the patient sign an acknowledgement of receipt of the Notice.
Do HIPAA privacy regulations set forth Notice requirements for electronic communications?
Yes. If the provider maintains a website that provides information about the provider's services, it must prominently post the Notice on the website and make it available electronically through the website. The Notice may be delivered by e-mail if the patient agrees to electronic notice; however, the patient retains the right to obtain a paper copy upon request.
Must the Business Associate Agreement be in writing?
Yes. The Privacy Rule sets forth very specific requirements and language that must be contained in a Business Associate Agreement.
Must an accounting of the disclosures made of a patient's protected health information be provided?
Yes. HIPAA privacy regulations give patients the right to obtain an accounting of the disclosures made of their protected health information. Accountings must include disclosures made in the six years prior to the date on which the accounting is requested, unless the patient requests an accounting for a shorter time frame. However, accountings do not have to include disclosures made prior to April 14, 2003, or disclosures made to carry out treatment, payment or healthcare operations; disclosures made to the patient or their legal representative; disclosures made pursuant to an authorization; disclosures to correctional institutions or law enforcement officials; or disclosures for facility directory purposes. Additional exceptions may also apply.
Must the Accounting of Disclosures of PHI contain specific information?
Yes. Under the Privacy Rule, the Accounting of Disclosures of PHI must include disclosures to or by business associates of the provider; the date of the disclosure; the name of the entity or person who received the PHI and, if known, their address; a brief description of the PHI disclosed; and a statement of the purpose of the disclosure informing the patient of the basis of the disclosure.
How must the Accounting of Disclosures be made when multiple disclosures of PHI were made to the same person or entity?
The provider must provide the information required for the first disclosure; the frequency, periodicity, or number of disclosures made during the accounting period; and the date of the last disclosure.
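The accounting rules in the two questions above (six-year window, the April 14, 2003 cutoff, the exempt disclosure categories, the per-disclosure fields, and the collapsing of repeated disclosures to the same recipient into first disclosure, count, and last date) are mechanical enough that a practice's disclosure log should generate the accounting rather than a clerk reconstructing it by hand. The following is an added example, not code from the original page or from APAC: a small Python generator that applies those rules to a log. The log schema, the purpose labels used for the exempt categories, the 60/90-day deadline helper, the 12-month fee check, and the sample entries are all this example's own assumptions.

```python
# Added example (not from the original page): accounting-of-disclosures generator.
# The log schema, purpose labels and sample entries below are assumptions.
from collections import OrderedDict
from datetime import date, timedelta

COMPLIANCE_DATE = date(2003, 4, 14)  # disclosures before this date need not be accounted for

# Assumed purpose labels for the disclosure categories the page lists as exempt:
# treatment/payment/operations, to the patient or representative, under an
# authorization, to correctional institutions or law enforcement, facility directory.
EXEMPT_PURPOSES = {
    "treatment", "payment", "operations", "patient", "authorization",
    "correctional", "law_enforcement", "facility_directory",
}


def _years_before(d, n):
    """d minus n calendar years, clamping Feb 29 to Feb 28."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def accountable(entry, requested_on, years=6):
    """True if a log entry must appear in an accounting requested on requested_on."""
    if entry["purpose"] in EXEMPT_PURPOSES or entry["date"] < COMPLIANCE_DATE:
        return False
    return _years_before(requested_on, years) <= entry["date"] <= requested_on


def build_accounting(log, patient_id, requested_on, years=6):
    """Accounting for one patient (requested_on is an ISO date string).

    One line per (recipient, purpose). Repeated disclosures to the same recipient
    for the same purpose collapse to the first disclosure's details plus a count
    and the date of the last disclosure, as the page describes.
    """
    requested = date.fromisoformat(requested_on)
    entries = sorted(
        (e for e in log if e["patient_id"] == patient_id and accountable(e, requested, years)),
        key=lambda e: e["date"],
    )
    lines = OrderedDict()
    for e in entries:
        key = (e["recipient"], e["purpose"])
        if key not in lines:
            lines[key] = {
                "recipient": e["recipient"],
                "address": e.get("address"),        # included only if known
                "first_date": e["date"],
                "description": e["description"],    # brief description of the PHI disclosed
                "purpose": e["purpose"],            # basis of the disclosure
                "count": 1,
                "last_date": e["date"],
            }
        else:
            lines[key]["count"] += 1
            lines[key]["last_date"] = e["date"]
    return list(lines.values())


def accounting_deadlines(received_on):
    """Act within 60 days of receipt; one written extension to at most 90 days."""
    received = date.fromisoformat(received_on)
    return {
        "act_by": (received + timedelta(days=60)).isoformat(),
        "extended_at_latest": (received + timedelta(days=90)).isoformat(),
    }


def fee_permitted(prior_accountings, requested_on):
    """A cost-based fee may be charged only for a second or later accounting within 12 months."""
    requested = date.fromisoformat(requested_on)
    window_start = _years_before(requested, 1)
    return any(window_start < date.fromisoformat(d) <= requested for d in prior_accountings)


def _entry(pid, day, recipient, purpose, description, address=None):
    return {"patient_id": pid, "date": date.fromisoformat(day), "recipient": recipient,
            "purpose": purpose, "description": description, "address": address}


# Constructed sample log (not real data).
SAMPLE_LOG = [
    _entry("P1", "2002-12-01", "State Health Dept", "public_health", "Lab result"),          # pre-compliance: excluded
    _entry("P1", "2003-06-10", "State Health Dept", "public_health", "Reportable disease report", "1 Capitol St"),
    _entry("P1", "2003-07-10", "State Health Dept", "public_health", "Follow-up report", "1 Capitol St"),
    _entry("P1", "2003-08-01", "BlueCo Health Plan", "payment", "Claim"),                     # TPO: excluded
    _entry("P2", "2003-09-01", "County Court", "court_order", "Records per subpoena"),        # other patient
    _entry("P1", "2004-01-05", "County Court", "court_order", "Records per subpoena", "100 Main St"),
]

if __name__ == "__main__":
    for line in build_accounting(SAMPLE_LOG, "P1", "2005-03-01"):
        print(line)
    print(accounting_deadlines("2005-03-01"))
```

Run against the sample log for a request dated 2005-03-01, the generator returns two lines for patient P1 (two public-health reports collapsed into one line with a count of 2, and one court-ordered disclosure) and drops the pre-April-2003 entry, the payment disclosure and the other patient's entry; the same request dated 2010-09-01 returns nothing because everything falls outside the six-year window. Keeping the exempt categories in one set and the cutoff date in one constant is deliberate: the list of exceptions is where these logs usually drift from the rule.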
Do privacy regulations set forth a required timeframe for complying with the Accounting of Disclosures of PHI?
Yes. A provider must act on the request for an accounting no later than 60 days after receipt of the request by providing the accounting requested; or, if unable to provide the accounting within 60 days, by providing the patient with a written statement of the reasons for the delay and the date by which the accounting will be provided, which may be no later than 90 days from the date of the request.
May a provider charge the patient for furnishing the Accounting of Disclosures?
Not for the first accounting requested by the patient in any 12-month period. However, the privacy rules permit a reasonable cost-based fee to be charged for subsequent accountings within the 12-month period. The patient must be informed in advance of the fee and given an opportunity to withdraw or modify the request for the subsequent accounting(s).
How long must an Accounting of Disclosures be retained?
Under the Privacy Rule, the accountings provided to patients, the titles of the persons or offices responsible for receiving and processing requests for accountings, and the information required to be included in an accounting must be documented and retained for a six-year period.
Disclaimer
NOTE: APAC provides HIPAA guidance as a benefit to its policyholders for educational and informational purposes only. Any representations or written reports rendered in conjunction with this benefit should not be considered a certification of HIPAA compliance, nor should they be interpreted as offering legal, financial, or other professional services. Policyholders that are developing policies and procedures to comply with HIPAA's Privacy Rule should seek legal and/or professional assistance to be sure that an appropriate compliance plan is implemented for their particular practice.