What the privacy legislation says
What you might encounter under new regulations
Here is more detail about the proposed "Standards for Privacy of Individually Identifiable Health Information," issued by the U.S. Department of Health and Human Services (HHS) on Nov. 3, 1999 [1].
o Information protected:
• Information that relates to an individual's health, health care treatment, or payment for health care and that identifies the individual is protected from the time it becomes electronic. That protection continues as long as the data are in the hands of a covered entity, such as a health care provider who transmits data electronically, a health plan, or a health care clearinghouse. Paper versions of the information, such as computer printouts, are also protected.
o Individual rights:
• the right to receive a written notice of information practices from health plans and providers;
• the right to access one’s own health information, including the right to inspect and obtain a copy of the information;
• the right to request amendment or correction of protected health information that is inaccurate or incomplete;
• the right to receive an accounting (audit trail) of instances when protected health information has been disclosed for purposes other than treatment, payment, or health care operations.
o Obligations of health care providers/plans:
• Develop a notice of information practices. Providers would give the notice to each patient at the first service after the effective date of the rule and post a copy of the notice.
• Allow individuals to inspect and copy their protected health information.
• Develop a mechanism for accounting for all disclosures of protected health information for purposes other than treatment, payment, or health care operations.
• Allow individuals to request amendments or corrections to their protected health information.
• Designate a privacy officer who will be responsible for all necessary activities.
• Provide privacy training through the facility’s policies and procedures to all staff and any others who would have access to protected health information.
• Establish administrative, technical, and physical safeguards to protect identifiable health information from unauthorized access or use.
• Establish policies and procedures to allow individuals to complain about possible violations of privacy.
• Develop and apply sanctions, ranging from re-training to reprimand to termination, for employee violation of entity privacy policies.
• Have available documentation on compliance with the requirements of the regulation.
• Develop methods for disclosing only the minimum amount of protected information necessary to accomplish any intended purpose.
• Develop and use contracts that will ensure that business partners also protect the privacy of identifiable health information.
• Be prepared to respond to requests for protected health information that do not require consent, such as for public health, health oversight, or judicial activities.
o Disclosures without patient authorization:
• Covered entities could use and disclose protected health information without patient authorization for purposes of effecting treatment, payment, or health care operations. Individuals must be informed of the right to request restrictions concerning the use of protected health information for treatment, payment, or health care operations.
• Under specific conditions, covered entities are permitted to disclose protected health information for federal, state, and other health oversight activities; public health activities and emergencies; judicial and administrative proceedings; to a law enforcement official with a warrant or subpoena; to next-of-kin; to coroners and medical examiners; for government health data systems; for purposes of hospital and other facility directory listings; for certain banking and payment processes; and for health research.
o Uses and disclosures with patient authorization:
• Covered entities could use or disclose protected health information with the individual’s consent for lawful purposes. If an authorization would allow the covered entity to sell or barter information, that fact would have to be disclosed on the authorization form.
• Authorizations must specify the information to be disclosed, who would receive the information, and when the authorization would expire. Individuals could revoke an authorization at any time.
• Covered entities would be prohibited from conditioning treatment or payment upon an individual’s agreeing to authorize disclosure of information for other purposes.
o Scalability:
HHS intends that these new privacy standards be flexible and scalable, taking into account each covered entity’s size and resources.
o Preemption:
The regulation establishes a "floor" of privacy protections. State laws that are "less protective" of privacy are preempted, but states are free to enact "more stringent" statutes or regulations.
o Enforcement:
• Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HHS Secretary has the authority to impose civil monetary penalties against covered entities that fail to comply with the requirements of the regulation.
• HIPAA also established criminal penalties for certain wrongful disclosures of protected health information. Those penalties are graduated, increasing if the offense is committed under false pretenses or with intent to sell the information or reap other personal gain.
• Civil monetary penalties are capped at $25,000 for each calendar year for each standard that is violated.
Reference
1. 64 Fed. Reg. 59,917 (Nov. 3, 1999).