Health Insurance Portability and Accountability Act
What is HIPAA, and what does it do?
Pursuant to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Department of Health and Human Services promulgates rules and regulations to regulate the privacy and security of medical information. The purpose of the law is to improve portability of health insurance coverage, reduce healthcare fraud and abuse and to protect individual privacy of personal health records.
Please note that after HIPAA went into effect, several sets of regulations were promulgated. Two rules are key for marketers: the “Privacy Rule” and the “Security Rule”. The Privacy Rule creates national standards to protect the privacy of personal health information, while the Security Rule governs the security of electronic health information. Each must be reviewed by organizations that use individuals' health information.
To view the entire rule and related materials, see http://www.hhs.gov/ocr/hipaa
HHS announced changes in January 2013, called the “omnibus” rule, to give the public increased control over personal health information. These changes implement the enhanced enforcement provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act of 2009, and other rulemaking proceedings since 2009.
The omnibus final rule includes the following additional requirements for “protected health information” (PHI):
· Makes “business associates” of covered entities directly accountable for compliance under HIPAA, unlike the previous rules. This is an important change.
· Strengthens limits on use and disclosure of protected health information for marketing and fundraising purposes and prohibits the sale of protected health information without individual authorization.
· Expands individuals' rights to electronic copies and restricts disclosures to health plans concerning fully-paid treatment.
· Provides modifications to and redistribution requirements of a “covered entity’s” privacy practices.
· Strengthens privacy protections for genetic information.
· Adds new breach notification requirements for unauthorized disclosures of unsecured PHI. Note that the Federal Trade Commission also regulates health data breaches (see the FTC Breach Notification Rule, 74 FR 42962, published August 25, 2009).
GENERAL QUESTIONS
When do I have to be in compliance?
For the changes related to HITECH, the compliance date is September 23, 2013 (for covered entities, business associates, and subcontractors).
What legal documents should be developed under HIPAA?
Covered entities should develop the following legal documents through their legal counsel, and review additional requirements that may impact them, their business associates and subcontractors:
· Authorization Forms – to obtain written permissions from patients to authorize covered entities to use or disclose health information;
· Notice of Privacy Practices – to provide patients notice regarding disclosure and use of information; and
· Business Associate Agreements – covered entities must have business associate agreements to ensure that business associates also comply with the rule. Additionally, “subcontractors” of business associates may also be required to comply, and this must be reviewed in all contracts. The rule grants an additional one-year time frame for contract compliance.
To view a sample agreement, go to this link: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
What type of information is protected?
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.
Examples:
1. Full name or last name and initial(s)
2. Geographic identifiers smaller than a state, except the initial three digits of a ZIP code, provided that the area formed by combining all ZIP codes starting with those three digits contains more than 20,000 people. When the area for the initial three digits of a ZIP code contains 20,000 or fewer people, those digits are changed to 000
3. Dates directly related to an individual, other than year
4. Phone Numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health insurance beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers
13. Device identifiers and serial numbers
14. Web Uniform Resource Locators (URLs)
15. IP addresses
16. Biometric identifiers, including finger, retinal and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
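Items 2 and 3 of the list above are the only entries that describe a transformation rather than a field to delete: a ZIP code may keep its first three digits only when the combined population behind those digits exceeds 20,000, and a date may keep only its year. The following is an added example written for this page, not code from the consulting firm or from HHS; the population table is constructed sample data (real work would load current public Census figures), and the record field names are assumptions for the illustration.

```python
import re
from datetime import date

# Constructed sample populations for 3-digit ZIP prefixes (NOT real Census
# data; a real implementation loads current publicly available Census figures).
SAMPLE_PREFIX_POPULATION = {
    "021": 1_500_000,  # large metro area: prefix may be kept
    "036": 15_000,     # sparsely populated: must become "000"
    "059": 20_000,     # exactly 20,000 counts as "20,000 or fewer"
    "102": 20_001,     # just over the threshold: prefix may be kept
}

POPULATION_THRESHOLD = 20_000  # from item 2 of the identifier list


def generalize_zip(zip_code: str, prefix_population: dict) -> str:
    """Reduce a ZIP code to the form item 2 permits.

    Keeps only the first three digits, and replaces even those with "000"
    when the combined population of all ZIP codes sharing them is 20,000
    or fewer. An unknown prefix is treated as small (a design choice for
    this example: fail closed, since an unverifiable prefix cannot be
    shown to be safe to retain).
    """
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        raise ValueError(f"not a valid ZIP code: {zip_code!r}")
    prefix = digits[:3]  # drops the last two digits and any ZIP+4 suffix
    population = prefix_population.get(prefix)
    if population is None or population <= POPULATION_THRESHOLD:
        return "000"
    return prefix


def generalize_date(iso_date: str) -> str:
    """Reduce a date directly related to an individual to its year only
    (item 3: any date element other than the year is an identifier)."""
    return str(date.fromisoformat(iso_date).year)


def safe_harbor_record(record: dict, prefix_population: dict) -> dict:
    """Apply both rules to one record. The field names 'zip',
    'date_of_birth' and 'diagnosis' are assumptions for this example."""
    return {
        "zip": generalize_zip(record["zip"], prefix_population),
        "birth_year": generalize_date(record["date_of_birth"]),
        "diagnosis": record["diagnosis"],  # not itself a listed identifier
    }


if __name__ == "__main__":
    # Constructed sample record, not real patient data.
    sample = {"zip": "02139-1234", "date_of_birth": "1987-04-12",
              "diagnosis": "hypertension"}
    print(safe_harbor_record(sample, SAMPLE_PREFIX_POPULATION))
```

The threshold comparison uses "20,000 or fewer", so a prefix with exactly 20,000 people is reduced to 000; an off-by-one here would retain a prefix the rule says must be dropped. Note that this handles only two of the eighteen items; a full Safe Harbor pass must also remove the other sixteen categories outright.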
What are “covered entities?”
· Health plans — HMOs, insurers;
· Health care clearinghouses – billing services, community health management information systems and “value added” networks and switches; and
· Health care providers – medical or health service provider and any other person or organization that furnishes, bills, or is paid for health care in electronic form (e.g., insurers, physicians, hospitals, labs and pharmacies).
What is meant by “business associates” covered by the Rule?
Business associates perform functions or services for the covered entity that involve the use of protected health information. They may include: direct marketers, pharmaceutical manufacturers, medical equipment suppliers, software and database vendors and suppliers. A covered entity can also be a business associate to other covered entities. Business associates can be held liable at the federal and state level.
Under the omnibus rule, business associates include:
· A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services to a covered entity and requires access on a routine basis.
· A person that offers a personal health record to one or more individuals on behalf of a covered entity.
· A subcontractor that creates, receives, maintains or transmits protected health information on behalf of the business associate.
Receiving Permission:
AUTHORIZATION FORMS
Under HIPAA, covered entities must obtain written permission from individuals – by way of a signed authorization form – before they use or share health-related information for marketing and certain other purposes.
What is an authorization form?
An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or “health care operations,” or to disclose protected health information to a third party specified by the individual. Such specific purposes include marketing, disclosure of psychotherapy notes (where appropriate), and disclosures that constitute a sale of protected health information.
What is the definition of “health care operations”?
Health care operations include but are not limited to the following:
· Certain fundraising activities for the covered entity’s own benefit;
· Quality assessment and improvement activities;
· Insurance underwriting, premium rating, and related insurance activities;
· Business planning, development and management activities;
· Licensing and audits;
· Evaluating health care professionals and plans; and
· Training health care professionals
Can health care providers and health plans condition treatment/service on obtaining authorization?
No. Providers and health plans may not condition treatment, enrollment in a health plan, or benefits on the individual signing an authorization.
Can more than one authorization be obtained on one form?
Yes. More than one authorization may be obtained on one form, but the “authorization” cannot be expanded. Again, it is important to note that treatment or enrollment in a plan cannot be conditioned upon receiving authorization.
Can the authorization be included with other documentation?
No. The authorization needs to be conspicuous and separate from any other document, including any other written legal permission from the individual.
However, as noted in the previous question, more than one authorization may be obtained on one form. For example, an authorization for the disclosure of the individual’s demographic information for both marketing and fundraising purposes would be permitted. A health care provider could not, however, refuse to treat an individual because the individual refused to authorize disclosure to a pharmaceutical manufacturer for the purpose of marketing a new product.
PATIENT’S RIGHTS UNDER HIPAA
What are the individual’s rights under HIPAA?
Under HIPAA, individuals have the right to:
· Receive a privacy notice to inform them about how protected information will be used and disclosed;
· Request that uses and disclosure of protected information be restricted (covered entities are not required to always agree to restrictions);
· Inspect, copy and amend their medical records (providers are allowed to charge a reasonable fee for copying expenses);
· Get an accounting of the disclosure of their protected information; and
· File a complaint.
Can individuals bring a private cause of action against a covered entity?
No. A private cause of action is not authorized by the Rule.
Are there other actions an individual can take to file a complaint against a covered entity’s failure to comply?
Individuals can file a complaint against covered entities that they believe have not complied. The complaint should be filed with the U.S. Department of Health and Human Services (DHHS). Here is the complaint portal: https://ocrportal.hhs.gov/ocr/cp/complaint_frontpage.jsf
NOTICE OF PRIVACY PRACTICES (NPP)
The privacy notice requirements under HIPAA and related regulations are complex. Here are some key highlights:
What privacy notice is required?
An individual has the right to notice regarding the uses and disclosures by a covered entity of protected health information. Covered entities must have and distribute a notice of privacy practices (“NPP”). The NPP must describe the uses and disclosures of protected health information, the covered entity’s legal duties and privacy practices with respect to protected health information, and the individual’s rights with regard to protected health information.
The NPP must contain a statement that most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of protected health information for marketing purposes, and disclosures that constitute a sale of protected health information require authorization, and that other uses and disclosures not described in the NPP will be made only with the individual's authorization. If the entity plans to do fundraising, the privacy notice must also say so and describe the individual's opportunity to opt out.
The NPP should also inform individuals of their right to restrict disclosures of protected health information when the individual has paid out of pocket for the health care product or service.
A business associate does not need to provide a separate notice. But a covered entity must ensure through its contract with the business associate that the business associate’s uses and disclosures of protected health information and other actions are consistent with the covered entity’s privacy policies, as stated in covered entity’s notice. Also, a covered entity may use a business associate to distribute its notice to individuals.
Please note that the Notice must reflect any State law(s) that is more stringent than the Privacy Rule with respect to the use or disclosure of protected information. Where the covered entity is subject to the privacy laws of multiple States, the more stringent use and disclosure laws of each of the States, if any, must be reflected in the Notice.
When there is a material revision to the Notice based on a change in State law, covered entities must use the revised Notice to meet the Rule’s requirements for distribution of the Notice that occur on or after the effective date of the revised Notice. In particular, a health plan must provide individuals (in most cases, the named insured) then covered by the plan with the revised Notice within 60 days of the revision.
What notice is required for a breach of the health data? What if a breach occurs?
The NPP (above) should include a notice of the right of affected individuals to be notified in the event of a breach in which protected information is impermissibly used or disclosed; this gives individuals helpful context should a breach occur in the future.
The HITECH Act requires covered entities to provide notification to affected individuals, the Secretary of HHS, and the media (if more than 500 residents of the State or jurisdiction are affected) following discovery of the breach. A breach is treated as discovered on the first day it is known, or should have been known, to any employee of the entity other than the person who committed the breach.
The notice must be sent within 60 days after the breach is discovered. The notice to the individual should include:
· description of what happened,
· description of types of protected information involved in the breach,
· any steps individuals should take to protect themselves from harm resulting from the breach,
· a brief description of the steps the covered entity (or business associate, as applicable) is taking to investigate the breach, mitigate harm, and prevent further breaches; and
· contact information for individuals to seek more information.
What obligations does a Business Associate have in the event of a breach?
A business associate is required to notify the covered entity (or every covered entity involved, if more than one) of a breach of unsecured protected health information so that the covered entity can notify affected individuals. This must occur no later than 60 days after discovery of the breach.
Please note that law enforcement may require a delay prior to breach notification.
ENFORCEMENT/ COMPLIANCE ISSUES
Who enforces the rules and what are the potential penalties?
DHHS’ Office for Civil Rights (OCR) is the governmental body with enforcement responsibility. Penalties range from $100 to $50,000 per violation, depending on the type of violation, up to a maximum of $1.5 million in a calendar year.
What steps do business associates need to take to comply with the Rule?
As a business associate of a covered entity, your organization will need to take the following actions:
· Enter into new contracts with covered entities in which you agree to safeguard protected health information and assume responsibility for certain HIPAA requirements;
· If requested by the covered entity, modify procedures for storing patient information to enable tracking of data disclosures and accessing of records by patient;
· Help the covered entity develop its privacy notice describing the types of uses and disclosures of protected health information as per your agreement;
· If requested by the covered entity, adopt procedures for handling patient requests for correction of information;
· Adopt procedures for handling patient requests for correction of information;
· Enter into new contracts with subcontractors to ensure that they safeguard any protected health information you transfer to them;
· Train employees regarding privacy requirements and the safeguarding of protected health information;
· If requested, provide copies of your policies, procedures, and records for handling protected health information to the covered entity and/or the U.S. Department of Health and Human Services;
· Inform the covered entity if there is any unauthorized use or disclosure of protected health information; and
· If feasible, return the protected health information to the covered entity upon termination of the contract between them.
Copyright © 2020 Mauro And Hensley Compliance Consulting, LLC - All Rights Reserved.