If you’re running a business and you deal with any health information, you are likely aware of the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule. Today’s post provides a summary of HIPAA, who it affects, what it protects, and what is permitted under the Privacy Rule.
Goals of HIPAA
The major goal of HIPAA’s Privacy Rule is to ensure that individuals’ health information is properly protected while still allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being.
A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information (PHI) may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
Covered entities must make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the minimum amount necessary to accomplish the intended purpose. To understand how this general rule is applied, it’s important to first understand who is a covered entity and what is PHI.
Who is a “Covered Entity”?
HIPAA applies to any covered entity. A “covered entity” is defined under three categories: (a) health care providers who transmit any health information electronically in connection with certain transactions, (b) health plans, and (c) health care clearinghouses.
A health care provider includes any person or organization who furnishes, bills, or is paid for health care in the normal course of business.
A health plan includes any individual or group plan (or combination) that provides, or pays the cost of, medical care.
And a health care clearinghouse includes any organization that translates data content or format for another health care entity from non-standard to standard or vice versa.
What is “Protected Health Information”?
PHI includes any individually identifiable health information that is transmitted in any form or medium by a “Covered Entity” or its business associate. This covers health information, including demographic information, that relates to an individual’s physical or mental health or to the provision of or payment for health care, and that identifies the individual. It’s worth noting that employment records of a covered entity and Family Educational Rights and Privacy Act (“FERPA”) records are not considered PHI.
Furthermore, information that is considered PHI may be used for certain purposes if it is de-identified. To de-identify PHI, you must remove certain identifiers, such as names, geographic location, all elements of dates, and any Social Security Numbers, so that the individual who is the subject of the PHI can no longer be identified.
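As an added example (not code from the post), the following Python strips the four identifier classes the post names from a patient record, redacts SSN- and date-looking tokens that hide inside free-text notes, and then checks that nothing identifying survived. The field names and the sample record are constructed for illustration.

```python
import copy
import re

# Hypothetical record layout; these field names are assumptions for the example.
NAME_FIELDS = {"first_name", "last_name"}
GEO_FIELDS = {"street", "city", "zip"}
DATE_FIELDS = {"date_of_birth", "admission_date"}
SSN_FIELD = "ssn"
DROP_FIELDS = NAME_FIELDS | GEO_FIELDS | DATE_FIELDS | {SSN_FIELD}

# Patterns for identifiers that often leak into narrative text.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b")


def deidentify(record):
    """Return a copy with names, location, all date elements and SSN removed.

    Structured identifier fields are dropped outright; the remaining string
    fields (diagnosis, notes) are kept but scrubbed of SSN/date tokens.
    """
    out = copy.deepcopy(record)
    for field in DROP_FIELDS:
        out.pop(field, None)
    for key, value in out.items():
        if isinstance(value, str):
            value = SSN_RE.sub("[SSN REDACTED]", value)
            value = DATE_RE.sub("[DATE REDACTED]", value)
            out[key] = value
    return out


def residual_identifiers(record):
    """List fields that still carry an identifier class named in the post."""
    flagged = []
    for key, value in record.items():
        if key in DROP_FIELDS:
            flagged.append(key)
        elif isinstance(value, str) and (SSN_RE.search(value) or DATE_RE.search(value)):
            flagged.append(key)
    return flagged


# Constructed sample record with fictitious values.
SAMPLE = {
    "first_name": "Jane", "last_name": "Doe",
    "street": "1 Example St", "city": "Springfield", "zip": "12345",
    "date_of_birth": "1980-02-14", "admission_date": "2023-05-01",
    "ssn": "123-45-6789",
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient (SSN 123-45-6789) seen on 2023-05-01; follow up in 6 weeks.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE)
    print(clean)
    print("residual identifiers:", residual_identifiers(clean))
```

The second function is the part worth keeping in a real pipeline: a de-identification step that is never verified against the output tends to miss identifiers buried in free text.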
When is disclosure of PHI required?
In a very limited set of circumstances, a covered entity is required to disclose PHI: first, when the individual requests access to their PHI for accounting purposes; and second, when the U.S. Department of Health and Human Services (HHS) requests the PHI to investigate and determine compliance with HIPAA.
When is a covered entity permitted to use and disclose PHI?
A covered entity may use and disclose PHI for a number of reasons. First, the entity is allowed to disclose the PHI to the individual, and for treatment, payment and health care operations (TPO). Treatment, as defined under HIPAA, means any provision, coordination, or management of health care by one or more health care providers, including consultation between health care providers or patient referrals. Health care operations include any administrative, financial, legal, and quality improvement activities necessary to run the entity’s business and to support the core functions of treatment and payment. A covered entity may share PHI for its own TPO, for the treatment activities of a provider, and with another covered entity or provider for the recipient’s payment activities.
Furthermore, PHI may be disclosed as required by public policy, which includes reasons such as (a) required by law, (b) for public health, (c) about victims of abuse, neglect, or domestic violence, (d) for health oversight activities, (e) for judicial and administrative proceedings, (f) about decedents (to a limited set of individuals), (g) for research purposes, and (h) to avert a serious threat to health or safety.
A disclosure of PHI that is “incident to” a permitted use, such as information overheard in passing, is permitted as long as reasonable precautions are taken. In addition, if the individual authorizes the release of the PHI, it is permitted. Authorizations are required for uses and disclosures that are not otherwise permitted under HIPAA. The authorization must contain certain elements, including an expiration date or event and a statement that the authorization is revocable by the individual.
Stay tuned for next week’s blog post with tips on HIPAA compliance for websites and administrative requirements under HIPAA.