HIPAA RIGHTS AND OBLIGATIONS
Please direct any questions to:
Hawks Quindel, S.C.
222 W. Washington Avenue, Suite 450
Madison, Wisconsin 53703
I. What Is HIPAA? Why Does It Matter?
a. Health Insurance Portability and Accountability Act (enacted 1996, effective 2003).
i. “Portability” deals with the ability to easily change insurance providers.
ii. “Accountability” deals with protecting private health care information from improper disclosure.
Rules apply to anyone handling this information who works for a “Covered Entity.”
A violation can occur anywhere, including outside of the workplace.
a. Protected Health Information (PHI):
All individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.
Any data about the patient that would tend to identify the individual (name, hospital identification, SSN, diagnostics, lab results, photos, etc.). 45 C.F.R. § 160.103.
b. Covered Entities: HIPAA covers any health care providers, health care clearing houses, employer-sponsored health plans, and health insurers that “transmit any health information in electronic form.” 45 C.F.R. § 160.103.
III. Basic Principles of HIPAA.
a. Patient Rights Regarding PHI:
i. To receive a privacy notice to inform them about how protected information will be used and disclosed;
ii. To request that uses and disclosures of protected information be restricted (covered entities are not required to always agree to restrictions);
iii. To inspect, copy and amend their medical records (providers are allowed to charge a reasonable fee for copying expenses);
iv. To get an accounting of the disclosure of their protected information for the past six years; and
v. To file a complaint for any violation of the above or the HIPAA privacy rule.
b. The HIPAA Privacy Rule.
i. Purpose: to define and limit the circumstances in which an individual’s PHI may be used or disclosed by a covered entity.
ii. A covered entity may not use or disclose PHI except, either (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing. 45 C.F.R. § 164.502(a).
- Releases Permitted by Privacy Rules:
a. In response to certain judicial or administrative proceedings. 45 C.F.R. § 164.512(e);
b. For law enforcement purposes pursuant to process and otherwise required by law. 45 C.F.R. § 164.512(f);
c. Treatment, payment, and health care operation. 45 C.F.R. § 164.506(c);
d. In some instances, for purposes of research (“limited data set") 45 C.F.R. § 164.502(a)(1);
e. To the individual (see below);
f. Public Health Activities (disclosures to public agencies) 45 C.F.R. § 164.512(b);
g. Victims of Domestic Violence (disclosure to public agencies) 45 C.F.R. § 164.512(a), (c);
h. Workers’ Compensation. 45 C.F.R. § 164.512(l).
IV. Permitted Disclosure in the Course of Treatment / Payment / or for Health Care Operations.
a. Is consent needed? Generally, not for treatment / payment or health care operations. However, some providers do obtain consent even for treatment purposes.
b. What is Treatment?
Treatment includes the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another. 45 C.F.R. § 164.501.
c. What is payment?
Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual. 45 C.F.R. § 164.501.
d. What are Health Care Operations?
Health care operations are any of the following activities: (a) quality assessment and improvement activities, including case management and care coordination; (b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation; (c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs; (d) specified insurance functions, such as underwriting, risk rating, and reinsuring risk; (e) business planning, development, management, and administration; and (f) business management and general administrative activities of the entity, including, but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity. 45 C.F.R. § 164.501.
V. Written Authorization.
a. When Needed? Any disclosure of PHI by a covered entity not covered by one of the eight exemptions.
b. What is required of the authorization?
i. Specific terms:
- Information to be disclosed.
- Right to revoke.
ii. Made in plain language.
VI. Other Considerations.
a. A covered entity providing direct treatment must provide notice as follows:
i. Describes how the provider may use PHI;
ii. States privacy duties and privacy practices;
iii. Makes the patient aware of their rights, including the right to complain to HHS;
iv. The provider should obtain acknowledgment of receipt.
b. Disclosure Accounting.
i. Patients have a right to six-year accounting of disclosures by the covered entity.
- Does not include:
a. Records of disclosure for treatment, payment, or health care operations;
b. Records of disclosures to the individual;
c. Records related to disaster recovery or facility directories;
d. Records disclosed pursuant to an authorization;
e. And other additional narrow exceptions.
c. Requests for Restriction on Use / Confidential Communications Requests
i. HIPAA gives patients a right to request restrictions (beyond those imposed by HIPAA) on how PHI is used, but a covered entity does not have to accept the restriction. 45 C.F.R. § 164.522(a).
ii. Covered entities must permit individuals to request that PHI be provided to them by an alternate means. Reasonable requests must be accommodated. 45 C.F.R. § 164.530(a).
VII. What Does this Mean for Me?
a. An unauthorized disclosure of PHI made outside of the course of treatment is generally prohibited under HIPAA.
You may not discuss patient information with friends / family if you provide adequate detail to make the patient identifiable to the listener.
You may not discard medical records with identifiable patient information except in a secure manner to avoid inadvertent disclosure.
You may not discuss patient information with coworkers if disclosure of the information is not in the course of treatment, related to payment, or health care operations.
Patients have a right to see their medical records, and also have a right to request that access to their medical records be restricted.
Patients can request that their PHI be sent to them through some alternative, but reasonable, manner.
Patients must be given notice of their rights under HIPAA.
You can share PHI with other providers in your facility as long as it is for the purposes of treatment, payment or health care operations.
b. What if There Has Been a HIPAA Violation?
i. HIPAA has no private right of action; you cannot be sued personally.
ii. HIPAA complaints are filed with the United States Department of Health and Human Services, and can result in civil or criminal penalties against the Covered Entity.
iii. Covered entities must also maintain an internal procedure for making HIPAA complaints.
iv. HIPAA does offer anti-retaliation protection to individuals filing a complaint with HHS, assisting in an investigation by HHS, or opposing a practice the person believes in good faith violates the Privacy Rule. 45 C.F.R. § 164.430(j).