• Safeguarding Personal Health Information: HIPAA's Privacy Rule
  • June 20, 2014 | Author: James C. Warmbrodt
  • Law Firm: Weltman, Weinberg & Reis Co., L.P.A. - Pittsburgh Office
  • One of the cornerstones of the Health Insurance Portability and Accountability Act of 1996, commonly known by the acronym "HIPAA", is the "Privacy Rule", regulations issued by the Secretary of Health and Human Services which provide national standards to protect the confidentiality of an individual's medical records and personal health information.1 The Privacy Rule restricts and defines the ability of "covered entities" (health plans, health care clearinghouses, every health care provider, regardless of size, who transmits any health information in electronic form in connection, and prescription drug card sponsors)2 to divulge patients' identifiable health information. The Rule also extends to business associates of covered entities.3 "Individually identifiable health information" is information, including demographic information collected from an individual, that is created or received by a covered entity that is related to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

    (i) That identifies the individual; or
    (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.4

    The Privacy Rule provides generally, that protected health information may be used or divulged only with the written authorization of the individual who is the subject of the information.5 However, an authorization is not required with every use or disclosure of protected health information. Whether or not an authorization is required depends on a variety of factors; including the specific nature of the information, the recipient of the information, and the purpose for which the information is being used or divulged. For example, a covered entity or business associate is permitted to use or disclose protected health information for its own treatment, payment, or health care operations without having obtained the patient’s authorization.6 In very limited circumstances a covered entity is required to make disclosures of protected health information without the patient's authorization, such as when an individual requests his or her own records, or when access to the information is requested by Health and Human Services in connection with an investigation or an enforcement action.7 An authorization is almost always required in connection with the disclosure of psychotherapy notes8 and for most marketing purposes.9

    In every instance when using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.10 When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization.11

    The Privacy Rule imposes strict requirements for a valid authorization. A valid authorization must contain at least the following elements:12

    (i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
    (ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
    (iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
    (iv) A description of each purpose of the requested use or disclosure. The statement "at the request of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
    (v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement "end of the research study," "none," or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.
    (vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.

    In addition to the elements set forth above, the authorization must contain statements adequate to place the individual on notice of the individual's right to revoke the authorization in writing, the exceptions to the right to revoke and a description of how the individual may revoke the authorization. The authorization must notify the individual of the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, and the potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer be protected. The authorization must be written in plain language, and the covered entity must provide the individual with a copy of the signed authorization.13 An authorization is defective if the expiration date has passed, the authorization has not been filled out completely, or the authorization is known to have been revoked.14

    Health care providers are required to implement written policies and procedures with respect to protected health information that are designed to comply with the Privacy Rule as part of their overall regulatory compliance system. The policies and procedures must be reasonably designed, taking into account the size of and the type of activities that relate to protected health information undertaken by the covered entity, to ensure such compliance.15 As reflected in the discussion above, applying the Privacy Rule to a health care practice or health care facility can be complex; the general requirement that authorizations be obtained from patients is subject to numerous exceptions, and where authorizations are necessary, the format of the authorization is subject to strict specifications. Staff must be trained to recognize the circumstances where authorizations are required, and what information must be included in authorizations. Policies, procedures and forms must be reviewed and revised to account for changes in the law. The attorneys at WWR are available to assist with these and other regulatory and compliance matters.

    1 45 CFR Part 160 and Part 164
    2 45 CFR § 160.102. Prescription drug card sponsors were added to the original list of covered entities. See, 42 U.S.C. 1395w-141(h)(6)(A)
    3 Generally, a "business associate" with respect to a covered entity, is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. Summary of the HIPAA Privacy Rule, United States Department of Health & Human Services, Office for Civil Rights, Page 3; 45 CFR § 160.103.
    4 45 CFR § 160.103
    5 45 CFR § 164.502(a)(1)(iv)
    6 45 CFR § 164.502(a)(1)
    7 45 CFR § 164.502(a)(2)
    8 45 CFR § 164.508(a)(2)
    9 45 CFR § 164.508(a)(3)
    10 45 CFR § 164.502(b)(1)
    11 45 CFR § 164.508(a)(1)
    12 45 CFR § 164.508(c)(1)
    13 45 CFR § 164.508(c)(2)
    14 45 CFR § 164.508(b)(2)
    15 45 CFR § 164.530(i)