HIPAA Guide

Health Insurance Portability and Accountability Act

HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act. HIPAA is a federal law that was enacted in 1996 to implement healthcare reform. This law requires administrative, physical and technical safeguards to be implemented to address the confidentiality, integrity and availability of protected health information. HIPAA is made of three rules:

1. Privacy Rule
2. Security Rule
3. Breach of Notification Rule

This chapter will cover these three rules in depth. If you would like to find the safeguards Accend Services, Inc has in place because of these rules, look to our Data Privacy and Security guide.

The Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. It applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. These are referred to as "the covered entities" by HIPAA. The Privacy Rule requires appropriate safguards to protect the privacy of health information. It sets limits and conditions on the uses and disclosures that may be made of personal health information and gives client's rights over their health information.

Protected Health Information

So, what is the information we need to be protecting? Well, it is any "individually identifiable health information" which we refer to as Protected Health information (PHI). The Privacy Rule protects all PHI held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. Individually identifiable health information is information, including demographic data, that relates to:

• > the client's past, present or future physical or mental health or condition
• > the provision of health care to the client
• > the past, present, or future payment for the provision of health care to the client

There are 18 identifiers which are listed under what is protected health information. These identifiers are listed below:

1. Name
2. Address (all geographic subdivisions smaller than state, including street address, city county, and zip code)
3. All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
4. Telephone numbers
5. Fax number


Be Aware:

It gets tricky when sharing mental health information about a client. It is hard to know what is identifying information or what is not. As a simple common sense guideline, if you are unsure...don't share it. Always be aware of what you share!

6. Email address
7. Social Security Number
8. Medical record number
9. Health plan beneficiary number
10. Account number
11. Certificate or license number
12. Any vehicle or other device serial number
13. Device identifiers and serial numbers
14. Web URL
15. Internet Protocol (IP) Address
16. Finger or voice print
17. Photographic image - Photographic images are not limited to images of the face
18. Any other characteristic, identifying number, or identifying code that could uniquely identify the individual

Uses and Disclosure of Protected Health Information

As stated previously, the Privacy Rule is used to define and limit the circumstances in which a client's protected health information may be used or disclosed by a covered entity. These limits and circumstances are listed below. Please read carefully!

Basic Principle: A covered entity may not use or disclose protected health information unless:

1. the Privacy Rule permits or requires
2. the client who is the subject of the information (or the client’s personal representative) authorizes in writing

Required Disclosures: A covered entity must disclose protected health information in only two situations:

1. To the clients (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information
2. To Health and Human Services (HHS) when it is undertaking a compliance investigation or review or enforcement action

Permitted Uses and Disclosures: A covered entity is permitted, but not required, to use and disclose protected health information, without a client’s authorization, for the following purposes or situations:

1. To the client (unless required for access or accounting of disclosures)
   • > A covered entity may disclose protected health information to the individual who is the subject of the information
2. Treatment, Payment, and Health Care Operations
   • > A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities
3. Opportunity to Agree or Object
   • > Informal permission may be obtained by asking the client outright, or by circumstances that clearly give the client the opportunity to agree or object. In an emergency situation, covered entities may make such uses and disclosures, if in their professional judgment, the disclosure is determined to be in the best interest of the client.
4. Incident to an otherwise permitted use and disclosure
   • > A use or disclosure of protected health information that occurs as a result of, or as "incident to," an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards as required by the Privacy Rule and if the information being shared is limited to the "minimum necessary" requirement.
5. Public Interest and Benefit Activities
   • > It is permitted to use and disclose protected health information, without an client’s authorization or permission, for 12 national priority purposes. These purposes are included below. They do, however, all have specific condition or limitations, so read carefully.
     • Required by Law
       • Covered entities may use and disclose protected health information without individual authorization as required by law (including by statute, regulation, or court orders).
     • Public Health Activities
       • Covered entities may disclose protected health information to: (1) public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability and to public health or other government authorities authorized to receive reports of child abuse and neglect; (2) entities subject to FDA regulation regarding FDA regulated products or activities for purposes such as adverse event reporting, tracking of products, product recalls, and post-marketing surveillance; (3) individuals who may have contracted or been exposed to a communicable disease when notification is authorized by law; and (4) employers, regarding employees, when requested by employers, for information concerning a work-related illness or injury or workplace related medical surveillance, because such information is needed by the employer to comply with the Occupational Safety and Health Administration (OHSA), the Mine Safety and Health Administration (MHSA), or similar state law.
     • Victims of Abuse, Neglect or Domestic Violence
       • In certain circumstances, covered entities may disclose protected health information to appropriate government authorities regarding victims of abuse, neglect, or domestic violence.
     • Health Oversight Activities
       • Covered entities may disclose protected health information to health oversight agencies (as defined in the Rule) for purposes of legally authorized health oversight activities, such as audits and investigations necessary for oversight of the health care system and government benefit programs.
     • Judicial and Administrative Proceedings
       • Covered entities may disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal. Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided.
     • Law Enforcement Purposes
       • Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official’s request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime..
     • Decedents
       • Covered entities may disclose protected health information to funeral directors as needed, and to coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other functions authorized by law.
     • Cadaveric Organ, Eye, or Tissue Donation
       • Covered entities may use or disclose protected health information to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue.
     • Research
       • “Research” is any systematic investigation designed to develop or contribute to generalizable knowledge.37 The Privacy Rule permits a covered entity to use and disclose protected health information for research purposes, without an individual’s authorization, provided the covered entity obtains either: (1) documentation that an alteration or waiver of individuals’ authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board; (2) representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purpose preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research; or (3) representations from the researcher that the use or disclosure sought is solely for research on the protected health information of decedents, that the protected health information sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is sought.38 A covered entity also may use or disclose, without an individuals’ authorization, a limited data set of protected health information for research purposes (see discussion below)
     • Serious Threat to Health or Safety
       • Covered entities may disclose protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat). Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.
     • Essential Government Functions
       • An authorization is not required to use or disclose protected health information for certain essential government functions. Such functions include: assuring proper execution of a military mission, conducting intelligence and national security activities that are authorized by law, providing protective services to the President, making medical suitability determinations for U.S. State Department employees, protecting the health and safety of inmates or employees in a correctional institution, and determining eligibility for or conducting enrollment in certain government benefit programs
     • Workers’ Compensation
       • Covered entities may disclose protected health information as authorized by, and to comply with, workers’ compensation laws and other similar programs providing benefits for work-related injuries or illnesses.
6. Limited Data Set for the purposes of research, public health or health care operations
   • > A limited data set may be used and disclosed for research, health care operations and public health puposes, provided that the recipent enters into a data user agreement promising specified safeguards for the protected health information. The limited data set must have certain specified direct identifiers of the clients removed.

Minimum Necessary

An essential condition of the Privacy Rule is the principle of "minimum necessary" use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request. The only exceptions to the minimum necessary requirement are the times when a covered entity is disclosing information for the following reasons:

• > Treatment
• > Sharing information to the client who is the subject of the information, or the client’s personal representative
• > Purposes for which and authorization is signed
• > To HHS for compliant investigation, compliance reveiw or enforcement
• > Disclosures required by law
  
  

  Client Rights with Data Privacy

  As said previously, client's have a right to their personal private health records. Federal and state law requires that clients may review any information in their health records that are kept by health care providers regarding any diagnosis, treatment and prognosis. If a client or authorized representative asks in writing, we will provide copies of records or copies of a summary of the information in the records. We may not provide this information if we have determined that it is detrimental to the client's physical or mental health, or is likely to cause the client to inflict self harm, or to harm another. If such a determination has been made, then the information shall be given to an appropriate third party. In cases where clients make reasonable requests, we will provide a summary of the information in the client's record at no cost.

  Accend Services shall notify all clients of their rights regarding privacy and confidentiality of their health data using the following methods:

  • > We will post our Data Privacy Notification on our website, in admission material and in conspicuous locations in our offices;
  • > Upon initiation of services, admitting personnel shall provide clients with a Data Privacy Notification and request for authorization for disclosure to additional persons or agencies as needed;
  • > At least annually, service provider staff members will remind clients of their data privacy rights and request continuing authorization for disclosures outside of those listed in the notification;
  • > At any time, clients may withdraw or add to previous authorizations to disclose information.
  

The Security Rule

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. Electronic protected health infromation is a subset of information covered by the Privacy Rule. It is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form.

The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. Specifically, covered entities must:

• > Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
• > Identify and protect against reasonably anticipated threats to the security or integrity of the information
• > Protect against reasonably anticipated, impermissible uses or disclosures
• > Ensure compliance by their workforce

Accend Services, Inc. safeguard's are located on our Data Privacy and Security guide. Refer to this guide for any questions and please read carefully.

The Breach of Notification Rule

The Breach of Notification Rule requires a covered entity to notify affected individuals and HHS following a breach of unsecured PHI. It requires that a covered entity notifies affected individuals and HHS without reasonable delay but no later than 60 calendar days from discovering the breach.

Definition of a Breach

What is a breach? A breach is any impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI and poses a significant risk of financial, reputational, or other harm to the affected individual. An impermissible use or disclosure of PHI is assumed to be a breach unless the covered entity demonstrates that there is a low probablity that the PHI has been compromised based on a risk assessment of at least the following factors:

• > The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
• > The unauthorized person who used the protected health information or to whom the disclosure was made
• > Whether the protected health information was actually acquired or viewed
• > The extent to which the risk to the protected health information has been mitigated

There are three exceptions to the definition of a breach. A breach is not:

1. Unintentional access or use of PHI by an employee or individual acting under the authority of a covered entity
2. Inadvertent disclosure of PHI from one person authorized to access PHI at a covered entity to another person authorized to access phi a different covered entity
3. Unauthorized disclosures in which an unauthorized person to whom PHI was disclosed would not reasonably have been able to retain the information

Consequences of a Breach

Health and Human Services is now required to investigate and impose civil penalties where violations are due to willful neglect. This can be against a covered entity or It's business associate. The penalties are based off of the HIPAA violation tiers. It has four teirs and ranges from $100 per incident to $1.5 million per incident. See the image for further information on tiers and penalities.

There can also be penalties for a HIPAA violation for an employee. The type of sanctions depend on the severity of the violation, intent, etc. Below are a few examples of HIPAA violations along with the penalties on the employee:

• > Wrongfully accessing or disclosing PHI
  • Up to 50,000, up to 1 year in jail
• > Obtaining PHI under false pretense
  • Up to 100,000, up to 5 years in jail
• > Wrongfully using PHI for commercial activity
  • Fines up to 250,000, up to 10 years in jail

Reporting, Investigating and Responding to a Breach

Any staff member, client or other affected party may report data privacy violations by contacting a privacy officer or director of Accend Services. You should notify the privacy officer of any suspicious incident as soon as possible after learning of the potential privacy violation. It is better to report than not to. For more information on reporting look to our Data Privacy and Security guide.

Feedback or Questions about this Chapter

This guide is a living document. We want to improve it with your help. Do you have questions? Found a typo? Find yourself wanting more information? Please send us your thoughts about anything in this chapter by tapping on the link below.

The information on this guide was obtained from HHS.gov, for more detailed information go to: HIPAA for Professionals