Chapter 8: Medical Privacy Flashcards
What is HIPAA?
The Health Insurance Portability and Accountability Act. A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt in before their information can be shared with other organizations—although there are important exceptions such as for treatment, payment and healthcare operations.
What are covered entities?
- Healthcare providers that conduct certain transactions in electronic form
- Health Plans (e.g. health insurers)
- Healthcare clearinghouses (e.g. third-party organizations that host, handle or process medical information)
What is PHI?
Protected Health Information. Any individually identifiable health information transmitted or maintained in any form or medium that is held by an entity covered by the Health Insurance Portability and Accountability Act or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of healthcare or payment for healthcare to that individual.
What is ePHI?
Any PHI that is transmitted or maintained in electronic media (such as hard drives, magnetic tapes or disks, or digital memory cards, all of which are considered electronic storage media).
What is a business associate?
Any person or organization, other than a member of a covered entity’s workforce, that performs services and activities for, or on behalf of, a covered entity, if such services or activities involve the use or disclosure of PHI.
What are some key protections offered by the HIPAA Privacy Rule?
- Privacy Notices.
- Authorizations for uses and disclosures
- “Minimum necessary” use or disclosure
- Access and accountings of disclosures
- Safeguards
- Accountability
What exceptions are there to the HIPAA Privacy Rule?
- Major categories of treatment, payment, and healthcare operations
- De-identified information
- Medical Research
What is De-identification?
An action that one takes to remove identifying characteristics from data. De-identified data is information that does not actually identify an individual. Some laws require specific identifiers to be removed (See HIPAA 165.514(b)(2)). Hashing is not enough to de-identify data.
What methods does the HIPAA Privacy Rule provide for de-identifying data?
- Remove all of at least 17 data elements listed in the rule
- Have an expert testify that the risk of re-identifying the individuals is very small
What is the HIPAA Security Rule?
A rule that established the minimum security requirements for PHI that a covered entity receives, creates, maintains, or transmits in electronic form.
The HIPAA Security Rule requires covered entities and business associates to:
- Ensure the confidentiality, integrity, and availability of all ePHI the covered entity creates, receives, maintains, or transmits
- Protect against any reasonably anticipated threats or hazards to the security or integrity of the ePHI
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule
- Ensure compliance with the Security Rule by its workforce
- Identify an individual who is responsible for the implementation and oversight of the Security Rule
- Conduct initial and ongoing risk assessments
- Implement a Security Awareness and Training Program
What is the HITECH Act?
The Health Information Technology for Economic and Clinical Health Act. Enacted as part of the American Recovery and Reinvestment Act of 2009, the HITECH Act, among other objectives, further addresses privacy and security issues involving PHI as defined by HIPAA. The HITECH privacy provisions include the introduction of categories of violations based on culpability that, in turn, are tied to tiered ranges of civil monetary penalties. Its most noteworthy elements elaborate upon breach notifications resulting from the use or disclosure of information that compromises its security or privacy.
What must happen in event of a breach of unsecured information under the HITECH Act?
- The covered entity must perform a risk assessment to determine the risk of harm.
- If there is a significant risk of harm (financial, reputational, or other), it must notify individuals within 60 days of discovery.
- If a business associate discovers a breach it must notify the covered entity.
- If the breach affects more than 500 people the covered entity must notify HHS immediately.
- If the breach affects more than 500 people in the same jurisdiction, it must notify the media.
- All breaches requiring notice must be reported to HHS at least annually.
What is GINA?
The Genetic Information Nondiscrimination Act of 2008. Prohibits health insurance companies from discriminating on the basis of genetic predispositions in the absence of manifest symptoms or from requesting that applicants receive genetic testing, and prohibits employers from using genetic information in making employment decisions.
HIPAA Privacy Rule: Authorizations for uses and disclosures
- Authorizes use and disclosure of PHI for essential healthcare purposes. Other uses require opt-in authorization.
- An authorization must:
  1. be an independent document
  2. specifically identify the information to be disclosed, the purpose, and the person to whom it is disclosed
- A CE can’t require authorization as a condition of providing treatment.
- Opt-in rules apply to marketing, and strict rules apply to psychotherapy notes.
HIPAA Privacy Rule: Minimum necessary use or disclosure
- Other than for treatment, covered entities must make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose.
HIPAA Privacy Rule: Access and accounting of disclosures
- Individuals have the right to access and copy their PHI held by a CE or BA in a “designated record set”, i.e. medical and billing records, or other records used by the CE to make decisions.
- Right to an accounting of certain disclosures by CE.
- Right to amend PHI held by CE.
HIPAA Privacy Rule: Safeguards
- Privacy Rule requires implementing administrative, physical, and technical safeguards for all PHI.
- Security Rule covers only ePHI.
HIPAA Privacy Rule: Accountability
- CEs must designate a privacy official.
- Personnel must be trained.
- Procedures must be in place.
HIPAA Privacy Rule: Enforcement
- Primary enforcer is OCR at HHS. It processes complaints and can assess civil fines up to $1.6M per year per type of violation.
- OCR regularly audits select CEs
- DOJ has criminal enforcement - up to 10 years in prison.
- FTC can bring unfair and deceptive practices actions even if the entity is covered by HIPAA.
- State AGs for state privacy laws.
Limits/Exceptions on Privacy Rule
- No consent required for treatment, payment and healthcare operations.
- De-identified data is also exempted from the Privacy Rule; two methods (expert determination and removal of specific elements).
- Research is also exempted: no consent necessary if an IRB approves it as consistent with the Privacy Rule and human subjects rules.
- Other exceptions:
  - disclosures to the Secretary of HHS for compliance purposes;
  - information used for public health activities;
  - to report victims of abuse, neglect or domestic violence;
  - in judicial and administrative proceedings;
  - for certain law enforcement activities;
  - for certain specialized governmental functions.
HIPAA Security Rule: Basics and Goal
- Administrative, technical, and physical measures for protecting ePHI in a technology-neutral manner.
- Goal is for CEs to implement policies and procedures to prevent, detect, contain, and correct security violations.
HIPAA Security Rule: Addressable vs. Required, for CEs
- The Rule has standards and implementation specifications.
- Some implementation specifications are required; others are “addressable”, meaning the CE has to determine whether the specification is reasonable and appropriate. If so, it must adopt it; if not, it must document why it is not reasonable and, if appropriate, adopt an equivalent alternative measure.
HIPAA Security Rule: Requirements for CE and BA
Requirements:
- Ensure the confidentiality, integrity and availability of all ePHI the covered entity creates, receives, maintains or transmits
- Protect against any reasonably anticipated threats or hazards to the security or integrity of the ePHI
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule
- Ensure compliance with the Security Rule by its workforce