Questions and Answers
What is the main purpose of the Standards for Privacy of Individually Identifiable Health Information?
Which of the following is a responsibility of the Office for Civil Rights (OCR)?
What is the maximum penalty for a person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule?
Under what circumstances may a penalty not be imposed for a violation of the Privacy Rule?
What is the time period during which a covered entity must submit written evidence to reduce or bar a penalty?
Which of the following is a right of a covered entity if OCR intends to impose a penalty?
What is the compliance date for small health plans under the Privacy Rule?
How is the annual receipt of a small health plan calculated?
What is the purpose of the compliance schedule under the Privacy Rule?
What is the definition of a small health plan under the Privacy Rule?
What is the role of the Office for Civil Rights (OCR) in administering the Privacy Rule?
What is the consequence of failing to comply with the Privacy Rule?
How are penalties determined under the Privacy Rule?
What is the role of the Department of Justice in the Privacy Rule?
What is the purpose of providing written evidence to OCR?
What happens if a covered entity fails to comply with the Privacy Rule?
What is the maximum penalty cap for multiple violations of the same requirement?
What is the consequence of willful neglect by a covered entity?
What is the purpose of the administrative hearing?
What is the primary focus of the Standards for Privacy of Individually Identifiable Health Information?
How does the Office for Civil Rights (OCR) approach enforcing the Privacy Rule?
What is the maximum penalty for multiple violations of the same requirement in a calendar year?
Under what circumstances may OCR choose to reduce a penalty?
What is the consequence of a covered entity's failure to comply with the Privacy Rule?
How does the compliance schedule vary for small health plans?
What is the definition of a small health plan?
What is the purpose of an administrative hearing in the context of the Privacy Rule?
What is the primary responsibility of the Office for Civil Rights (OCR) in regards to the Privacy Rule?
What is the maximum penalty for a covered entity that fails to comply with a requirement of the Privacy Rule?
What is the effect of willful neglect by a covered entity on the penalty imposed by OCR?
What is the purpose of the administrative hearing in the context of the Privacy Rule?
What is the compliance date for covered entities, except small health plans, under the Privacy Rule?
What is the effect of reasonable cause on the penalty imposed by OCR?
What is the time period during which a covered entity must submit written evidence to OCR to reduce or bar a penalty?
Study Notes
Summary of the Privacy Rule
Who is Covered by the Privacy Rule
- The Privacy Rule applies to health plans, health care clearinghouses, and health care providers who transmit health information electronically.
- Covered entities include:
- Health plans (e.g., health, dental, vision, and prescription drug insurers, HMOs, Medicare, Medicaid)
- Health care providers (e.g., hospitals, physicians, dentists, and other practitioners)
- Health care clearinghouses (e.g., billing services, repricing companies, community health management information systems)
Business Associates
- A business associate is a person or organization that performs certain functions or activities on behalf of a covered entity, involving the use or disclosure of protected health information.
- Examples of business associate functions include claims processing, data analysis, and billing.
- A business associate contract must be in place to protect the information and ensure compliance with the Rule.
What Information is Protected
- The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate.
- Protected health information (PHI) includes:
- Demographic data
- Information that identifies an individual or could be used to identify an individual
- Information that relates to an individual's physical or mental health, provision of health care, or payment for health care services
General Principle for Uses and Disclosures
- A covered entity may not use or disclose protected health information except:
- As permitted or required by the Privacy Rule
- As authorized by the individual in writing
Required Disclosures
- A covered entity must disclose protected health information:
- To the individual or their personal representative
- To HHS for compliance investigations or reviews
Permitted Uses and Disclosures
- A covered entity is permitted to use and disclose protected health information for:
- Treatment, payment, and health care operations
- To the individual or their personal representative
- For public interest and benefit activities (e.g., public health, research, health oversight)
- As required by law
- For law enforcement purposes
- For notification and other purposes (e.g., facility directories, notification of family members)
- Incident to an otherwise permitted use or disclosure
Public Interest and Benefit Activities
- The Privacy Rule permits use and disclosure of protected health information for 12 national priority purposes, including:
- Public health activities
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes
- Decedents
- Cadaveric organ, eye, or tissue donation
Research
- Research is any systematic investigation designed to develop or contribute to generalizable knowledge.
- A covered entity can use and disclose protected health information for research purposes without an individual's authorization, provided the covered entity obtains:
- Documentation of an alteration or waiver of individuals' authorization approved by an Institutional Review Board or Privacy Board.
- Representations from the researcher that the use or disclosure is solely for research purposes and meets specified requirements.
- Representations from the researcher that the use or disclosure is solely for research on the protected health information of decedents and meets specified requirements.
Serious Threat to Health or Safety
- A covered entity can disclose protected health information to prevent or lessen a serious and imminent threat to a person or the public.
- Disclosures can be made to someone who can prevent or lessen the threat, including law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.
Essential Government Functions
- A covered entity can use or disclose protected health information for certain essential government functions without an individual's authorization.
- Such functions include:
- Assuring proper execution of a military mission
- Conducting intelligence and national security activities
- Providing protective services to the President
- Making medical suitability determinations for U.S. State Department employees
- Protecting the health and safety of inmates or employees in a correctional institution
- Determining eligibility for or conducting enrollment in certain government benefit programs
Workers' Compensation
- A covered entity can disclose protected health information as authorized by, and to comply with, workers' compensation laws and other similar programs.
Limited Data Set
- A limited data set is protected health information from which certain direct identifiers of individuals and their relatives, household members, and employers have been removed.
- A limited data set can be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement.
Authorization
- A covered entity must obtain an individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment, or health care operations.
- An authorization must be written in specific terms and contain specified information, including:
- The information to be disclosed or used
- The person(s) disclosing and receiving the information
- Expiration
- Right to revoke in writing
- Other relevant data
Psychotherapy Notes
- A covered entity must obtain an individual's authorization to use or disclose psychotherapy notes, with certain exceptions.
Marketing
- Marketing is any communication about a product or service that encourages recipients to purchase or use the product or service.
- A covered entity must obtain an authorization to use or disclose protected health information for marketing, except for face-to-face marketing communications and promotional gifts of nominal value.
Limiting Uses and Disclosures to the Minimum Necessary
- A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose.
- A covered entity must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary.
Access and Uses
- A covered entity must develop and implement policies and procedures to restrict access and uses of protected health information based on the specific roles of the members of their workforce.
- A covered entity must establish and implement policies and procedures for routine, recurring disclosures, or requests for disclosures, that limit the protected health information disclosed to the minimum necessary.
Notice and Other Individual Rights
- A covered entity must provide a notice of its privacy practices to individuals.
- The notice must describe the ways in which the covered entity may use and disclose protected health information, and the individual's rights, including the right to:
- Review and obtain a copy of their protected health information
- Request amendments to their protected health information
- Request an accounting of disclosures
- Request restrictions on the use and disclosure of their protected health information
- Request confidential communications
- Complain to HHS and the covered entity if they believe their privacy rights have been violated
Non-Retaliation and Non-Waiver
- A covered entity cannot retaliate against an individual for exercising their rights under the Privacy Rule, assisting in an investigation, or opposing an act that violates the Privacy Rule.
- A covered entity cannot require an individual to waive their rights under the Privacy Rule as a condition for obtaining treatment, payment, or enrollment.
Documentation and Record Retention
- A covered entity must maintain privacy policies and procedures, privacy practices notices, disposition of complaints, and other required documents for six years.
- The documents must be maintained until six years after the date of their creation or last effective date.
Fully-Insured Group Health Plan Exception
- A fully-insured group health plan with no more than enrollment data and summary health information must comply with the ban on retaliatory acts and waiver of individual rights.
- The plan must also comply with documentation requirements with respect to plan documents if they are amended to provide for the disclosure of protected health information to the plan sponsor.
Organizational Options
Hybrid Entity
- A covered entity that conducts both covered and non-covered functions can elect to be a hybrid entity.
- The covered entity must designate in writing its operations that perform covered functions as one or more health care components.
- The hybrid entity is only subject to the Privacy Rule with respect to its health care components.
Affiliated Covered Entity
- Legally separate covered entities that are affiliated by common ownership or control can designate themselves as a single covered entity for Privacy Rule compliance.
- The designation must be in writing.
- The affiliated covered entity must operate its different covered functions in compliance with the Privacy Rule provisions applicable to those functions.
Organized Health Care Arrangement
- An organized health care arrangement is a relationship in which participating covered entities share protected health information to manage and benefit their common enterprise.
- Covered entities in an organized health care arrangement can share protected health information with each other for the arrangement's joint health care operations.
Covered Entities with Multiple Covered Functions
- A covered entity that performs multiple covered functions must operate its different covered functions in compliance with the Privacy Rule provisions applicable to those functions.
- The covered entity cannot use or disclose protected health information from one covered function for another covered function if the individual is not involved with the other function.
Personal Representatives and Minors
Personal Representatives
- A covered entity must treat a personal representative the same as the individual with respect to uses and disclosures of protected health information and individual rights.
- A personal representative is a person legally authorized to make health care decisions on an individual's behalf or to act for a deceased individual or the estate.
Special Case: Minors
- In most cases, parents are the personal representatives for their minor children.
- In certain exceptional cases, the parent is not considered the personal representative, and the Privacy Rule defers to State and other law to determine the rights of parents to access and control the protected health information of their minor children.
State Law
Preemption
- State laws that are contrary to the Privacy Rule are preempted by the federal requirements.
- The Privacy Rule provides exceptions to the general rule of federal preemption for contrary State laws that provide greater privacy protections or privacy rights, or relate to certain public health issues.
Enforcement and Penalties for Noncompliance
Compliance
- The Office for Civil Rights (OCR) is responsible for administering and enforcing the Privacy Rule.
- OCR may conduct complaint investigations and compliance reviews.
- Covered entities that fail to comply voluntarily with the Privacy Rule may be subject to civil money penalties and criminal prosecution.
Civil Money Penalties
- OCR may impose a penalty on a covered entity for a failure to comply with the Privacy Rule.
- Penalties vary depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure, and whether the failure was due to willful neglect.
- Penalties may not exceed a calendar year cap for multiple violations of the same requirement.
Criminal Penalties
- A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment.
- The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm.
Compliance Dates
- All covered entities, except small health plans, must have been compliant with the Privacy Rule by April 14, 2003.
- Small health plans had until April 14, 2004 to comply.
- A health plan with annual receipts of not more than $5 million is a small health plan.
Research and Privacy Rule
- The Privacy Rule permits covered entities to use and disclose protected health information for research purposes without an individual's authorization, provided certain conditions are met.
- These conditions include:
- Obtaining documentation of an alteration or waiver of individuals' authorization approved by an Institutional Review Board or Privacy Board.
- Obtaining representations from the researcher that the use or disclosure is solely for research purposes and meets certain criteria.
- Obtaining representations from the researcher that the use or disclosure is solely for research on the protected health information of decedents.
Serious Threat to Health or Safety
- Covered entities may disclose protected health information to prevent or lessen a serious and imminent threat to a person or the public.
- Disclosure can be made to someone who can prevent or lessen the threat, including the target of the threat.
- Disclosure to law enforcement is also permitted if the information is needed to identify or apprehend an escapee or violent criminal.
Essential Government Functions
- Authorization is not required for uses and disclosures of protected health information for certain essential government functions, such as:
- Assuring proper execution of a military mission.
- Conducting intelligence and national security activities authorized by law.
- Providing protective services to the President.
- Making medical suitability determinations for U.S. State Department employees.
Workers' Compensation
- Covered entities may disclose protected health information as authorized by and to comply with workers' compensation laws and other similar programs.
Limited Data Set
- A limited data set is protected health information from which certain direct identifiers have been removed.
- Limited data sets can be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement.
Authorized Uses and Disclosures
- Authorization is required for uses and disclosures of protected health information that are not for treatment, payment, or health care operations or otherwise permitted or required by the Privacy Rule.
- Authorizations must be written in specific terms and contain certain elements, including:
- A description of the information to be used or disclosed.
- The person or entity authorized to make the use or disclosure.
- The expiration date of the authorization.
- The individual's right to revoke the authorization in writing.
Psychotherapy Notes
- Authorization is required to use or disclose psychotherapy notes, except for certain exceptions, such as:
- Use or disclosure for treatment or payment.
- Use or disclosure for health care operations.
- Use or disclosure as required by law.
Marketing
- Marketing is defined as any communication that encourages recipients to purchase or use a product or service.
- Authorization is required for marketing, except for face-to-face marketing communications and promotional gifts of nominal value.
- Authorizations for marketing must reveal that the covered entity will receive direct or indirect remuneration from a third party.
Minimum Necessary
- The minimum necessary standard requires covered entities to limit uses and disclosures of protected health information to the minimum amount necessary to achieve the intended purpose.
- Exceptions to the minimum necessary standard include:
- Disclosures to or requests by health care providers for treatment.
- Disclosures to individuals who are the subject of the information.
- Uses or disclosures made pursuant to an authorization.
Access and Uses
- Covered entities must develop and implement policies and procedures to restrict access and uses of protected health information based on the specific roles of their workforce members.
- Policies and procedures must identify the persons or classes of persons who need access to protected health information to carry out their duties.
Notice and Other Individual Rights
- Covered entities must provide a notice of their privacy practices to individuals, which must include:
- A description of the ways in which the covered entity may use and disclose protected health information.
- The covered entity's duties to protect privacy.
- Individuals' rights, including the right to complain to the covered entity or to HHS.
- A point of contact for further information and for making complaints.
Access
- Individuals have the right to review and obtain a copy of their protected health information, except for certain exceptions, such as:
- Psychotherapy notes.
- Information compiled for legal proceedings.
- Laboratory results to which the Clinical Laboratory Improvement Act (CLIA) prohibits access.
Amendment
- Individuals have the right to request that covered entities amend their protected health information when it is inaccurate or incomplete.
- Covered entities must provide a written denial or acceptance of the request, and individuals have the right to submit a statement of disagreement.
Disclosure Accounting
- Individuals have the right to an accounting of the disclosures of their protected health information by a covered entity or its business associates.
- Exceptions to the accounting requirement include:
- Disclosures for treatment, payment, or health care operations.
- Disclosures to the individual or the individual's personal representative.
- Disclosures pursuant to an authorization.
Restriction Request
- Individuals have the right to request that a covered entity restrict use or disclosure of protected health information for treatment, payment, or health care operations.
- Covered entities are not obligated to agree to requests for restrictions.
Confidential Communications Requirements
- Health plans and covered health care providers must permit individuals to request alternative means or locations for receiving communications of protected health information.
- Covered entities must accommodate reasonable requests if the individual indicates that the disclosure of all or part of the protected health information could endanger the individual.
Administrative Requirements
- Covered entities must develop and implement written privacy policies and procedures.
- Covered entities must designate a privacy official and a contact person or office responsible for receiving complaints and providing information on privacy practices.
- Workforce members must be trained on privacy policies and procedures, and sanctions must be applied to workforce members who violate the Privacy Rule.
- Mitigation is required to prevent harm from unauthorized use or disclosure of protected health information.
- Data safeguards must be maintained to prevent intentional or unintentional use or disclosure of protected health information.
Non-Retaliation and Non-Waiver
- A covered entity cannot retaliate against an individual for exercising their rights under the Privacy Rule, assisting in an investigation, or opposing an act that violates the Privacy Rule.
- A covered entity cannot require an individual to waive their rights under the Privacy Rule as a condition for obtaining treatment, payment, or enrollment.
Civil Money Penalties
- OCR may impose a penalty on a covered entity for a failure to comply with the Privacy Rule.
- Penalties vary depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure, and whether the failure was due to willful neglect.
- Penalties may not exceed a calendar year cap for multiple violations of the same requirement.
Criminal Penalties
- A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment.
- The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm.
Compliance Dates
- All covered entities, except small health plans, must have been compliant with the Privacy Rule by April 14, 2003.
- Small health plans had until April 14, 2004 to comply.
- A health plan with annual receipts of not more than $5 million is a small health plan.
Summary of the Privacy Rule
Who is Covered by the Privacy Rule
- The Privacy Rule applies to health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with transactions for which HHS has adopted standards.
- Covered entities include:
- Health plans (e.g., health, dental, vision, and prescription drug insurers, HMOs, Medicare, Medicaid)
- Health care providers (e.g., hospitals, physicians, dentists, and other practitioners)
- Health care clearinghouses (e.g., billing services, repricing companies, community health management information systems)
Business Associates
- A business associate is a person or organization that performs certain functions or activities on behalf of a covered entity, involving the use or disclosure of protected health information.
- Examples of business associate functions include claims processing, data analysis, and billing.
- A business associate contract must be in place to protect the information and ensure compliance with the Rule.
What Information is Protected
- The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or medium.
- Individually identifiable health information, called protected health information (PHI), is information, including demographic data, that:
- Relates to an individual's past, present, or future physical or mental health or condition, the provision of health care to the individual, or payment for that care; and
- Identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.
General Principle for Uses and Disclosures
- A covered entity may not use or disclose protected health information except:
- As permitted or required by the Privacy Rule
- As authorized by the individual in writing
Required Disclosures
- A covered entity must disclose protected health information:
- To the individual or their personal representative
- To HHS for compliance investigations or reviews
Permitted Uses and Disclosures
- A covered entity is permitted to use and disclose protected health information for:
- Treatment, payment, and health care operations
- To the individual or their personal representative
- For public interest and benefit activities (e.g., public health, research, health oversight)
- As required by law
- For law enforcement purposes
- For notification and other purposes (e.g., facility directories, notification of family members)
- Incident to an otherwise permitted use or disclosure
Public Interest and Benefit Activities
- The Privacy Rule permits use and disclosure of protected health information for 12 national priority purposes, including:
- Public health activities
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes
- Decedents
- Cadaveric organ, eye, or tissue donation
Research
- The Privacy Rule permits covered entities to use and disclose protected health information for research purposes without an individual's authorization, provided certain conditions are met.
- These conditions include:
- Obtaining documentation of an alteration or waiver of individuals' authorization approved by an Institutional Review Board or Privacy Board.
- Obtaining representations from the researcher that the use or disclosure is solely for research purposes and meets certain criteria.
- Obtaining representations from the researcher that the use or disclosure is solely for research on the protected health information of decedents.
Serious Threat to Health or Safety
- Covered entities may disclose protected health information to prevent or lessen a serious and imminent threat to a person or the public.
- Disclosure can be made to someone who can prevent or lessen the threat, including the target of the threat.
- Disclosure may also be made to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.
Essential Government Functions
- Authorization is not required for uses and disclosures of protected health information for certain essential government functions, such as:
- Assuring proper execution of a military mission.
- Conducting intelligence and national security activities authorized by law.
- Providing protective services to the President.
- Making medical suitability determinations for U.S. State Department employees.
Workers' Compensation
- Covered entities may disclose protected health information as authorized by and to comply with workers' compensation laws and other similar programs.
Limited Data Set
- A limited data set is protected health information from which specified direct identifiers of the individual and of the individual's relatives, employers, and household members have been removed.
- Limited data sets can be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement.
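As an added example (not code from the page or from HHS), the following Python derives a limited data set from a patient record. The record field names and the sample data are constructed assumptions for this example; the set of direct-identifier fields that are dropped follows the list in 45 CFR 164.514(e)(2), which the page does not enumerate. The point a practitioner should notice is what survives: dates, city, state and ZIP are retained, so the output is still protected health information and may only leave the entity under a data use agreement.

```python
"""Derive a HIPAA limited data set from a patient record.

Added example; not code from the page or from HHS. The record field
names and sample data are constructed for this example. The set of
direct identifiers that must be removed follows 45 CFR 164.514(e)(2).
"""
import re

# Direct identifiers a limited data set may not contain (164.514(e)(2)).
# The key names are this example's assumed record schema.
DIRECT_IDENTIFIERS = frozenset({
    "name",
    "street_address",     # address elements other than town/city, state, ZIP
    "phone", "fax", "email",
    "ssn",
    "mrn",                # medical record number
    "health_plan_id",     # health plan beneficiary number
    "account_number",
    "license_number",     # certificate/license numbers
    "vehicle_id",         # vehicle identifiers, serial numbers, plates
    "device_id",          # device identifiers and serial numbers
    "url", "ip_address",
    "biometric",          # finger and voice prints
    "photo",              # full-face photographs and comparable images
})

# Patterns for identifiers that tend to leak into narrative text.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")


def scrub_free_text(text):
    """Redact SSN, e-mail and phone patterns from a narrative string.

    This is a backstop for identifiers typed into notes; structured field
    removal in to_limited_data_set() is the primary control.
    """
    text = SSN_RE.sub("[REDACTED-SSN]", text)
    text = EMAIL_RE.sub("[REDACTED-EMAIL]", text)
    return PHONE_RE.sub("[REDACTED-PHONE]", text)


def _scrub_value(value):
    if isinstance(value, dict):
        return to_limited_data_set(value)
    if isinstance(value, list):
        return [_scrub_value(v) for v in value]
    if isinstance(value, str):
        return scrub_free_text(value)
    return value


def to_limited_data_set(record):
    """Return a copy of record with direct-identifier fields dropped.

    Nested dicts (e.g. emergency contacts) are processed recursively, since
    the rule also covers identifiers of relatives and household members.
    Dates, city, state and ZIP are deliberately retained: that is what
    distinguishes a limited data set from Safe Harbor de-identification.
    """
    return {k: _scrub_value(v) for k, v in record.items()
            if k not in DIRECT_IDENTIFIERS}


def contains_direct_identifier(record):
    """Release gate: True if any direct-identifier field remains anywhere."""
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            return True
        if isinstance(value, dict) and contains_direct_identifier(value):
            return True
        if isinstance(value, list) and any(
                isinstance(v, dict) and contains_direct_identifier(v) for v in value):
            return True
    return False


# Constructed sample record; all values are fictional.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "email": "jane@example.test",
    "street_address": "12 Elm St",
    "city": "Springfield", "state": "IL", "zip": "62704",
    "birth_date": "1980-02-29",
    "admit_date": "2024-03-01", "discharge_date": "2024-03-04",
    "diagnosis_codes": ["E11.9", "I10"],
    "contacts": [{"name": "John Example", "phone": "217-555-0100", "relation": "spouse"}],
    "clinical_note": "Pt reached at 217-555-0100; SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    lds = to_limited_data_set(SAMPLE_RECORD)
    assert not contains_direct_identifier(lds)
    for k, v in lds.items():
        print(f"{k}: {v}")
```

The regex scrub is only a backstop for identifiers that were typed into free-text fields; it will miss names and addresses in prose, which is why the structured field removal and the `contains_direct_identifier` gate are the controls to rely on before releasing a data set.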
Authorized Uses and Disclosures
- Authorization is required for uses and disclosures of protected health information that are not for treatment, payment, or health care operations or otherwise permitted or required by the Privacy Rule.
- Authorizations must be written in specific terms and contain certain elements, including:
- A description of the information to be used or disclosed.
- The person or entity authorized to make the use or disclosure.
- The expiration date of the authorization.
- The individual's right to revoke the authorization in writing.
Psychotherapy Notes
- Authorization is required to use or disclose psychotherapy notes, with limited exceptions, including:
- Use by the originator of the notes for treatment.
- Use or disclosure by the covered entity for its own training programs, or to defend itself in a legal action brought by the individual.
- Use or disclosure as required by law, for HHS compliance investigations, or for certain other purposes the Rule specifies (e.g., health oversight of the originator, averting a serious and imminent threat).
Marketing
- Marketing is a communication about a product or service that encourages recipients to purchase or use it.
- Authorization is required for marketing, except for face-to-face marketing communications and promotional gifts of nominal value.
- If the covered entity will receive direct or indirect remuneration from a third party for the marketing, the authorization must say so.
Minimum Necessary
- The minimum necessary standard requires covered entities to limit uses and disclosures of protected health information to the minimum amount necessary to achieve the intended purpose.
- Exceptions to the minimum necessary standard include:
- Disclosures to or requests by health care providers for treatment.
- Disclosures to individuals who are the subject of the information.
- Uses or disclosures made pursuant to an authorization.
Access and Uses
- Covered entities must develop and implement policies and procedures to restrict access and uses of protected health information based on the specific roles of their workforce members.
- Policies and procedures must identify the persons or classes of persons who need access to protected health information to carry out their duties.
Notice and Other Individual Rights
- Covered entities must provide a notice of their privacy practices to individuals, which must include:
- A description of the ways in which the covered entity may use and disclose protected health information.
- The covered entity's duties to protect privacy.
- Individuals' rights, including the right to complain to the covered entity or to HHS.
- A point of contact for further information and for making complaints.
Access
- Individuals have the right to review and obtain a copy of their protected health information, except for certain exceptions, such as:
- Psychotherapy notes.
- Information compiled for legal proceedings.
- Laboratory results to which the Clinical Laboratory Improvement Amendments (CLIA) prohibit access.
Amendment
- Individuals have the right to request that covered entities amend their protected health information when it is inaccurate or incomplete.
- Covered entities must provide a written denial or acceptance of the request, and individuals have the right to submit a statement of disagreement.
Disclosure Accounting
- Individuals have the right to an accounting of the disclosures of their protected health information by a covered entity or its business associates.
- Exceptions to the accounting requirement include:
- Disclosures for treatment, payment, or health care operations.
- Disclosures to the individual or the individual's personal representative.
- Disclosures pursuant to an authorization.
Restriction Request
- Individuals have the right to request that a covered entity restrict use or disclosure of protected health information for treatment, payment, or health care operations.
- Covered entities are not obligated to agree to requests for restrictions.
Confidential Communications Requirements
- Health plans and covered health care providers must permit individuals to request an alternative means or location for receiving communications of protected health information.
- A covered health care provider must accommodate reasonable requests without requiring a reason; a health plan must accommodate reasonable requests if the individual states that disclosure of all or part of the protected health information could endanger the individual.
Administrative Requirements
- Covered entities must develop and implement written privacy policies and procedures.
- Covered entities must designate a privacy official and a contact person or office responsible for receiving complaints and providing information on privacy practices.
- Workforce members must be trained on privacy policies and procedures, and sanctions must be applied to workforce members who violate the Privacy Rule.
- Covered entities must mitigate, to the extent practicable, any harmful effect of a use or disclosure of protected health information by their workforce or business associates that violates their policies or the Privacy Rule.
- Data safeguards must be maintained to prevent intentional or unintentional use or disclosure of protected health information.
Description
A summary of the key elements of the HIPAA Privacy Rule, covering who is covered, what information is protected, and how it can be used and disclosed.