HIPAA Resource Guide
HIPAA's Privacy Requirements
Covered entities, which include health plans, healthcare clearinghouses and most healthcare providers with access to protected health information (PHI), are subject to numerous privacy requirements under HIPAA.
Notices
Two types of notices are required:
Notice of Privacy Practices
Covered entities must provide individuals (patients and health plan members) with a notice of their privacy rights and the privacy practices of the covered entity. In addition, direct treatment providers must make a good faith effort to obtain patients' written acknowledgment of the notice of privacy rights and practices.
Notice of Breaches
Beginning September 23, 2009, covered entities must notify each individual whose unsecured PHI has been (or is reasonably believed to have been) accessed, acquired or disclosed as a result of a breach. If information is disclosed to an unauthorized person who would not reasonably have been able to retain the information, it is not considered a breach. If a business associate discovers a breach, it must notify the covered entity and identify the affected individuals. Affected individuals must be notified without unreasonable delay and within 60 calendar days of discovering the breach. If the breach affects the PHI of more than 500 individuals, covered entities must notify prominent media outlets and notify HHS immediately. (If fewer than 500 individuals are affected, covered entities should maintain a log of such breaches and submit it to HHS annually.)
Minimum Necessary Requirements
Covered entities must take reasonable steps to limit uses, disclosures and requests of PHI, to the extent possible, to the limited data set (information that excludes certain direct identifiers of the individual or his or her relatives, employers or household members) or, if needed, to the minimum necessary to accomplish the intended purpose. They must also implement policies and procedures for minimum necessary uses and disclosures. These policies and procedures allow covered entities to avoid making a minimum necessary determination on a case-by-case basis. (Note that the minimum necessary standard does not apply to uses and disclosures made pursuant to a written authorization obtained from an individual.)
Special Authorizations
Covered entities must usually obtain specific authorization from patients (or employees) before using or disclosing protected information in non-routine circumstances. (Routine circumstances involve treatment, payment or healthcare operations purposes.) Also, covered entities and business associates may not directly or indirectly receive remuneration in exchange for an individual's PHI unless a valid authorization exists.
Business Associates
Covered entities must obtain satisfactory assurances through written agreements from their business associates who have access to PHI that the business associate will appropriately safeguard the information. Effective February 17, 2010, business associates became directly subject to privacy requirements (and penalties) in the same manner as covered entities. Business associate contracts should be updated to reflect the changes.
- HIPAA Business Associates & Sample Contract
- HIPAA Limited Data Set and Business Associate Agreements
Marketing
Covered entities must get prior written authorization to use an individual's PHI for marketing purposes, except for a face-to-face encounter or a communication involving a promotional gift of nominal value. Effective February 17, 2010, a communication that encourages recipients to purchase or use a product or service will not be considered healthcare operations, and will therefore require individual authorization.
Data Safeguards
Covered entities must maintain physical, administrative and technical safeguards to protect PHI. Physical safeguards include locked file cabinets, separation of health information from personnel information, and password protection; administrative safeguards include employee access controls based on job functions; and technical safeguards include firewalls and system security measures.
Employee Training
Covered entities must implement employee training programs on the privacy requirements. Employees with access to PHI need to be aware of the privacy rules and of how their jobs are affected by them. Training should be ongoing.
Privacy Officer
Covered entities must designate a privacy officer, who will be responsible for the implementation and development of the entity's privacy policies and procedures. There must also be a person designated to receive complaints and provide information regarding privacy. This person may or may not be the privacy officer.
Additional Resources
- Security Rule Risk Analysis
- American Medical Association (AMA) Frequently Asked Questions About HIPAA
The primary text for this document was taken from the HRAnswersNow database located on the Medical Mutual website. Access Healthcare HRAnswersNow:
- Log in to Medical Mutual's website using your policyholder information.
- Click on the "Healthcare HRAnswersNow" link.
- First-time users: Establish a user name and password (different from your Medical Mutual website log-in information).
- Enter search text "HIPAA privacy".
Contact HR|Experts at 888.473.9778 for more information.
HR|Experts is not designed or intended to render legal advice to its members.