Fed Regulation 1- HIPAA PRIVACY RULE Flashcards
To Whom Does the HIPAA Privacy Rule Apply? Who is subject to it?
Two major classes covered:
Covered Entities:
(1) health plans (including health insurance issuers), (2) healthcare clearinghouses, or (3) health care providers who transmit any health information in electronic form in connection with a transaction covered by this subchapter. Health plans include a group health plan, an HMO, etc.
Business Associates: entities or persons that are not employees of a covered entity but that receive information from a covered entity and perform some function with that information (data analysis, claims processing, utilization review, quality assurance, billing, etc.). Sometimes a business associate is itself a covered entity that gets information from another covered entity.
Not covered: Apple, Neuralink, 23andMe, Oura, Fitbit
What Information is Protected- What is PHI (protected health information)?
(1) Individually identifiable health information created by a healthcare provider, health plan, employer, or healthcare clearinghouse.
Standard: Minimum amount necessary to achieve the purpose of the request.
Or, information for which there is a reasonable basis to believe it can be identified with the individual
SSNs, phone numbers, birth dates, etc.
NOTE: Even if there is no information about the condition, just saying the person is at the hospital is PHI.
(2) That relates to:
The individual's past, present, or future physical or mental health;
The provision of health care to the individual; or
Past, present, or future payment for health care
Default General Rule for HIPAA Privacy
A covered entity or business associate may not use or disclose protected health information, except as permitted or required by the HIPAA privacy rule.
Required Disclosure under HIPAA Privacy
To the individual to whom the records belong, when the individual requests them
When requested by the Secretary (of HHS) under Subpart C to investigate or determine the covered entity's compliance with this subchapter
PERMITTED Disclosure WITHOUT Authorization?
(1) If you de-identify it:
Remove all information that could be used to trace the information back to the individual it is about
- 18 HIPAA Identifiers:
Names
Geographic subdivision that is smaller than the state
Dates more specific than the year
Contact Information
ID Numeric Codes (SSN, Medical Record #, Etc.)
Digital ID’s (URLs, IP Addresses)
Photos
Biometric Identifiers
Any other unique identifying information
(2) Disclose it to the individual
(3) For treatment, payment, or health care operations
Treatment: Other healthcare providers involved in patient care to ensure proper diagnosis and treatment
Payment: For billing, claims processing, or payment collection for reimbursement purposes
Health care operations: Hospital can use records to conduct internal quality assessments or evaluate provider performance
(4) Where required by law
For public health activities
Ex: someone goes to a hospital and is diagnosed with monkeypox.
(5) About victims of abuse, neglect or domestic violence
(6) For health oversight activities
(7) For judicial and administrative proceedings
Ex: HIPAA Hypo: An opposing party serves a subpoena on the hospital for the plaintiff's medical records.
If the subpoena is issued by a judge → the covered entity MUST disclose
If the subpoena is issued by an attorney → the covered entity must first obtain additional assurances from the requesting party that the information will be destroyed or returned afterward
(8) For law enforcement purposes
(9) For cadaveric organ, eye, or tissue donation purposes
(10) For research purposes
PERMITTED Disclosure Only WITH Authorization?
Must get valid authorization for:
(1) Psychotherapy notes except:
To carry out the following treatment, payment, or health care operations: use by the originator of notes, by a covered entity for training purposes, or by a covered entity to defend itself in a legal action brought by the individual
(2) Marketing
Except where the communication is:
A face-to-face communication made by a covered entity to an individual, or
A promotional gift of nominal value provided by the covered entity
(3) Sale of Info
What is the Standard for Disclosure?
Minimum Necessary
R: A covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request
How is the HIPAA Privacy Rule Enforced?
Civil monetary penalties
Criminal penalties for deliberately stealing PHI
Individuals can file a complaint with the Office for Civil Rights (OCR) in HHS
But HIPAA provides NO private right of action: individuals cannot enforce it themselves. Plaintiffs try to get around this by arguing that courts should read in an implied right of action.
Only a very small fraction of HIPAA enforcement matters are pursued annually.
HIPAA + State Remedies
State law actions can be preempted by federal law. "State law" = a constitution, statute, regulation, rule, common law, or other state action having the force and effect of law. If a state legislates more stringently, the federal law does not preempt the state law.
Ex: A state law that prohibited any disclosure of a patient's medical records without express authorization → more stringent than HIPAA, so HIPAA does not preempt it
HIPAA post-Dobbs (Final Rule HIPAA)
R: A new addition to HIPAA by the Biden Administration that bans sharing information from reproductive healthcare facilities.
Pros: Specifically says "DO NOT DISCLOSE". Creates a new category for non-disclosure.
Limitations: Only available in states where abortion is legal. Does not cover apps.