The HIPAA Privacy Rule 45 CFR Parts 160 - PowerPoint PPT Presentation

Slides: 97
Provided by: Corp332



The HIPAA Privacy Rule: 45 CFR Parts 160 and 164
Get Hip With HIPAA!
Glossary of Acronyms
  • BA/BAA: Business Associate / Business Associate Agreement
  • CE: Covered Entity
  • CFR: Code of Federal Regulations
  • HHS: Department of Health and Human Services
  • FDA: Food and Drug Administration
  • HCP: Health Care Provider
  • HIPAA: Health Insurance Portability and Accountability Act

Glossary of Acronyms (contd.)
  • IRB: Internal Review Board
  • MN: Minimum Necessary / Minimally Necessary
  • MOU: Memorandum of Understanding
  • OHCA: Organized Health Care Arrangement
  • PH: Public Health
  • PHI: Protected Health Information
  • SSN: Social Security Number
  • TPO: Treatment, Payment and Health Care Operations

The Health Insurance Portability and
Accountability Act (HIPAA)
  • Purpose: To improve the efficiency and
    effectiveness of the health care system by
    standardizing the electronic exchange of
    administrative and financial data (the
    Administrative Simplification Provisions).
  • In order to carry out its mandate, HHS developed
    specific transaction standards/code sets and
    unique identifiers, security standards, and
    privacy standards.
  • The major goal of the HIPAA Privacy Rule is to
    assure that individuals' health information is
    properly protected while allowing the flow of
    health information needed to provide and promote
    high quality health care and to protect the
    public's health and well being.

42 USC 1320d; HHS/OCR, February/March 2003, HIPAA
Privacy Rule 2003 National Conferences, Slides 2-4;
and OCR Privacy Rule Summary, Introduction, Page 1.

To Whom the Regulations Apply
  • HIPAA regulations apply to those deemed to be
    COVERED ENTITIES under the regulations, which are:
  • Health Plans
  • Health Care Clearinghouses
  • Health Care Providers who transmit any health
    information electronically in connection with
    certain transactions set forth in the HIPAA
    Transactions Rule.
§§ 160.102(a), 164.500

What is a Health Care Provider?
  • A health care provider is any person who
    furnishes, bills or is paid for health care in
    the normal course of business.
Are All Health Care Providers Covered?
  • Health care providers are covered only if they
    transmit health information electronically in
    connection with a transaction covered by the
    HIPAA Transactions Rule, directly or through a
    business associate.
§§ 160.103, 160.102; HHS/OCR 2003

HIPAA Transactions Rule Standards
  • Health care claims or equivalent encounter
    information.
  • Health care payment and remittance advice.
  • Coordination of benefits.
  • Health care claim status.
  • Enrollment or disenrollment in a health plan.
  • Eligibility for a health plan.
  • Health plan premium payments.
  • Referral certification and authorization.
  • Other transactions will likely be added to this
    list as HHS may prescribe by regulation.
§§ 162.1101 to 162.1802; HHS/OCR 2003

Organizational Structures
  • Hybrid Entity
  • Affiliated Covered Entity
  • Organized Health Care Arrangement (OHCA)
§§ 164.103 and 164.105(a), 164.105(b), and 160.103, respectively

The HIPAA Privacy Rule

The General Rule
Information Protected Under the Rule
  • Protected Health Information (PHI):
    - Past, present, or future health information.
    - Individually identifiable.
    - Created or received by a Covered Entity.
    - In any form (oral, written, or electronic).
Use and Disclosure Prohibited Under the Rule
  • Use: the sharing, application, utilization,
    or analysis of PHI within a CE.
  • Disclosure: the release, transfer, or
    divulging, in any way, of PHI outside of a CE.
§ 164.501

  • Minimum Necessary (MN) Standard: limits uses,
    disclosures, and requests for PHI made pursuant to
    the regulations to the minimum necessary amount.
Limits on Uses
  • A CE is required to identify who, within its
    workforce, needs access to what categories of PHI
    to carry out their duties, and any conditions
    appropriate to such access.
Limits on Disclosures and Requests
  • For routine and recurring disclosures and
    requests, policies and procedures are required
    (e.g., standard protocols) that limit PHI to only
    the amount reasonably necessary to achieve the
    purpose of the disclosure or request.
  • For non-routine/non-recurring disclosures and
    requests, policies and procedures should require
    individual review of each, and should set out
    review criteria.
§ 164.502(b)(1)

Where the Minimum Necessary (MN) Standard
Is Not Applicable
  • 1. Disclosures to or requests by a health care
    provider for treatment purposes.
  • 2. Uses or disclosures made to the individual or
    pursuant to the individual's authorization.
  • 3. Disclosures to HHS overseeing compliance.
  • 4. Uses or disclosures required by law.
  • 5. Uses or disclosures required for compliance with
    the regulations.
§ 164.502(b)(2)

Where the Minimum Necessary (MN) Standard
Can Be Presumed
  • 1. When disclosing to a public official and the
    public official represents that the PHI requested
    is what is MN.
  • 2. When PHI is requested by another CE.
  • 3. When PHI is requested by a member of the CE's
    workforce or a business associate, and said
    professional represents that the PHI requested is
    what is MN.
  • 4. When the research exception applies and the
    researcher provides the supporting
    representations or documentation.
§ 164.514(d)(3)(iii)

Required Exceptions (Required use and
disclosure of PHI)
1. When an Individual Requests Access Regarding
PHI About Themselves
  • This includes when individuals:
    - Invoke their Right to Inspect and Copy.
    - Invoke their Right to an Accounting of Disclosures.
  • (These rights, and the limits thereto,
    will be discussed in greater detail later
    in this session, after a review of the
    privacy protections.)
§ 164.502(a)(2)(i)

2. When Compelled by the Secretary for Compliance
and Enforcement Purposes
  • Secretary means the Secretary of Health and
    Human Services or any other officer or employee
    of HHS to whom the authority involved has been
    delegated.
  • A CE has a duty to:
    - Timely provide records and requested
      compliance reports.
    - Cooperate with complaint investigations and
      compliance reviews.
    - Permit access to information.
§§ 160.103, 164.502(a)(2)(ii), 160.310

Permitted Exceptions WITH Written
Authorization (Permitted use and disclosure of
PHI, but only with a written authorization)
1. Certain Psychotherapy Notes
  • Psychotherapy notes means notes recorded (in any
    medium) by a health care provider who is a mental
    health professional documenting or analyzing the
    contents of conversation during a private
    counseling session or a group, joint, or family
    counseling session and that are separated from
    the rest of the individual's medical record.
  • (This does NOT include notes regarding medication
    prescription and monitoring, counseling start and
    stop times, frequency and modalities of
    treatment, clinical test results, or any summary
    of the diagnosis, functional status, treatment
    plan, symptoms, prognosis, and progress to date.
    These notes are not given the heightened
    protections of the specified psychotherapy notes
    indicated above, but they do constitute PHI that
    is otherwise given minimum privacy protections
    under HIPAA.)
§§ 164.501, 164.508(a)

LIMITED instances where certain psychotherapy
notes can be used and/or disclosed without
written authorization
  • 1. For the following Treatment, Payment, Health Care
    Operations (TPO) purposes:
    - When the originator of the psychotherapy notes
      needs them for treatment purposes;
    - When a CE uses or discloses them for its own
      training programs in which students, trainees, or
      practitioners in mental health learn under
      supervision to practice or improve their skills
      in group, joint, family, or individual
      counseling; or
    - When a CE uses or discloses them to defend itself
      in a legal action or other proceeding brought by
      the individual.
  • 2. When required by the Secretary in determining
    HIPAA compliance.
  • 3. As required by law.
  • 4. For health oversight activities regarding the
    originator of the notes.
  • 5. To coroners and medical examiners under the
    "about decedents" exception.
  • 6. Under the "averting a serious health or safety
    threat" exception, with respect to
    uses/disclosures that need to be made in order to
    prevent or lessen a serious and imminent threat
    to the health or safety of a person or the
    public, and which are made to someone reasonably
    able to prevent or lessen the threat.

Note: These exceptions are much narrower than
the broader range of exceptions that otherwise
restrict the use and disclosure of other types of PHI.
2. Marketing
  • Marketing is making a communication that
    encourages an individual to use or purchase a
    product or service, unless the communication is
    made for treatment of the individual or for case
    management, care coordination, or to direct or
    recommend alternative treatments, therapies,
    providers, or care settings to the individual.
  • Exceptions: Written authorization is not
    required if the communication is:
    - Face-to-face by a CE to an individual; or
    - A promotional gift of nominal value by the CE.
  • Note: If a CE stands to gain direct or indirect
    remuneration from a third party in exchange for
    PHI disclosure, that must be indicated in the
    authorization.
§ 164.501

3. Uses/Disclosures Not Otherwise Required or
Permitted by the HIPAA Privacy Rule
  • If you cannot root an anticipated use/disclosure
    of PHI in one of the required or permitted
    exceptions to the general prohibition rule, then
    you must obtain a written authorization in order
    to make said use/disclosure.
§ 164.508(a)(1)

Elements of a Valid Written Authorization
  • 1. Who can use/disclose the PHI.
  • 2. To whom the PHI can be used/disclosed.
  • 3. Purpose of the use/disclosure.
  • 4. Specific description of the PHI to be
    used/disclosed.
  • 5. Expiration date or event.
  • 6. Signature of patient and date.
  • 7. Right to revoke, in writing, exceptions to it,
    and instructions regarding the procedure to revoke.
  • 8. A statement about the CE's ability/inability to
    condition the authorization on treatment,
    eligibility, or enrollment.
  • 9. A statement that the PHI may no longer be
    protected by Federal HIPAA privacy law.
  • 10. For marketing, a statement when the CE gets
    remuneration from a third party.
§ 164.508(c)

Prohibition on Conditioning Authorizations
  • A CE may not condition treatment, payment,
    enrollment, or eligibility on an individual's
    signing of an authorization, except:
  • A CE may condition research-related treatment on
    an individual's signing of an authorization to
    enable the use and disclosure of PHI for such
    research.
  • A CE may condition the provision of health care
    that is solely for the purpose of creating PHI
    for disclosure to a third party on an
    individual's signing of an authorization allowing
    for the disclosure of the PHI to such third
    party.
  • (A third exception exists for health plans, not
    addressed here.)
§ 164.508(b)(4)

Compound Authorizations Forbidden
  • An authorization cannot be combined with any
    other document, except:
  • Authorization for use/disclosure for a research
    study can be combined with any other type of
    written permission for the same research study.
  • Authorization for use/disclosure of psychotherapy
    notes for multiple purposes may be combined in a
    single document, but may not be combined with
    authorizations for use or disclosure of other
    PHI.
  • Authorizations for PHI other than psychotherapy
    notes can be combined, provided that the CE has
    not conditioned the provision of treatment,
    payment, enrollment, or eligibility on obtaining
    the authorization.
§ 164.508(b)(3)

Defective Authorization
  • Is it expired?
  • Does it contain all the required elements for a
    valid authorization?
  • Do you have knowledge that the authorization has
    been revoked?
  • If it's a compound authorization, is it one that
    is expressly permitted by the rules?
  • Is it unlawfully conditioned?
  • Is information in the authorization known by you
    to be false?
  • If yes to any of the above, the authorization
    is defective, and you cannot request, use or
    disclose PHI based on that authorization!
§ 164.508(b)(2)

Additional Written Authorization Requirements
Copy to the Individual
  • A CE must provide a copy of any signed
    authorization requested by the CE to the
    individual.
Required Retention Period
  • A CE must document and retain any signed
    authorization relied upon to make a use or
    disclosure of PHI for a period of 6 years
    from the date of its creation or the date
    when it was last in effect, whichever is later.
§§ 164.508(c)(4), 164.508(b)(6), 164.530(j)

Permitted Exceptions WITHOUT Written
Authorization (Permitted use and disclosure of
PHI without the need for a written authorization)
1. To the Individual
  • PHI can be disclosed to the individual who is the
    subject of the information without written
    authorization.
§ 164.502(a)(1)(i)

2. Treatment, Payment, and Health Care
Operations (TPO)
A CE may use/disclose PHI for:
  • 1. A CE's own TPO.
  • 2. T (treatment) activities of a Health Care Provider.
  • 3. P (payment) activities of another CE or a Health
    Care Provider.
  • 4. Certain O (operations) of another CE:
    - If each entity has or had a relationship with
      the individual who is the subject of the PHI and
      the requested info pertains to that
      relationship; and
    - The purpose of the disclosure is for quality
      assessment or improvement, performance
      evaluation, or training to improve skills, or to
      detect fraud and abuse.
  • 5. O (operations) of an Organized Health Care
    Arrangement (OHCA), as between CEs within the OHCA.
§§ 164.502(a)(1)(ii), 164.506

Treatment
  • Means the provision, coordination, or
    management of health care and related services
    by one or more health care providers,
    including:
    - Coordination or management of health care
      by an HCP with a third party.
    - Consultation between HCPs relating to a patient.
    - Referral of a patient for health care from
      one HCP to another.
§ 164.501

Payment
  • Means activities undertaken by:
    - An HCP or health plan to obtain or provide
      reimbursement for the provision of health care.
    - A health plan to obtain premiums or to determine
      or fulfill its responsibility for coverage and
      provision of benefits under the health plan.
  • Payment includes, but is not limited to:
    - Billing and collection activities.
    - Claims management (auditing payments, resolving
      and investigating payment disputes, responding to
      customer inquiries, etc.).
    - Review of health care services for medical
      necessity, justification of charges.
    - Utilization review, concurrent and retrospective.
    - Determining eligibility or coverage.
§ 164.501

Health Care Operations
  • Quality assessment and improvement activities.
  • Personnel competence, qualification, performance
    reviews, and training.
  • Some insurance-related activities.
  • Arrangement for legal services and audits.
  • Business planning and development.
  • Business management activities, including:
    - Marketing (as permitted without authorization).
    - Fundraising (as permitted by the regulations).
  • Management activities for privacy compliance.
  • Customer services to the CE's existing customer base.
  • Resolution of internal grievances.
  • Sale, merger, acquisition, or consolidation.
  • Creation of Limited Data Sets.
§ 164.501

Fundraising as a health care operation
  • A CE may use and disclose PHI without the
    individual's authorization to raise funds on its
    behalf, if it meets certain criteria:
  • 1. It only discloses PHI to a Business Associate
    (BA) or to an institutionally related foundation.
  • 2. It limits PHI used or disclosed to demographic
    information related to an individual and the
    dates health care was provided.
  • 3. It specifically states that it uses PHI for
    fundraising in its notice of privacy practices.
  • 4. It includes, in any fundraising materials,
    directions for the individual to opt out.
  • 5. It takes reasonable efforts to abide by the
    opt-out right exercised by an individual.
§ 164.514(f)

Limited Data Sets as permitted in health care
operations
  • Remove direct identifiers from PHI (e.g., names,
    addresses, account numbers, SSNs, phone and fax
    numbers, full-face photos, and a few others as
    listed in the regulation).
  • Require Data Use Agreements, in which the
    recipient of PHI agrees to:
    - Limit the use of the data set to the persons
      and purposes for which it is provided.
    - Ensure security of the data.
    - Report breaches of the agreement of which it
      becomes aware.
    - Ensure that agents/subcontractors agree to the
      same restrictions and conditions.
    - Not re-identify the PHI or use it to contact the
      individual.
§ 164.514(e)

Special Provision Regarding the TPO Exception
  • Patient has a Right to Request Restrictions on
    a CE's use of PHI to carry out TPO. The CE is
    not required to agree, but if agreement is made,
    the CE must document it and abide by its terms.
  • (This right is discussed in greater detail later.)

3. Incidental Uses and Disclosures
  • Uses or disclosures that occur as a byproduct of
    another permissible or required use or disclosure
    are not considered a violation of the
    regulations, provided that the CE has:
  • Applied Reasonable Safeguards: appropriate
    administrative, technical, and physical
    safeguards that protect against uses and
    disclosures not permitted by the rule and limit
    incidental uses or disclosures.
  • Implemented the MN Standard (if applicable):
    policies and procedures that limit how much PHI
    is used, disclosed, and requested for certain
    purposes and who, based on job responsibilities
    and the nature of the business within a CE, has
    access to what PHI and under what conditions.
§ 164.502(a)(1)(iii); OCR HIPAA Privacy,
Incidental Uses and Disclosures, 12/3/2003, revised
4/3/2003

Examples of Incidental Uses and Disclosures
  • Sign-in sheets.
  • Maintaining patient charts outside of exam rooms.
  • Group therapy settings.
  • Side-bar discussions by clinical staff.
  • Visitor overhears communication with provider
    or patient.
  • Allowable, as long as reasonable safeguards are
    made to protect the privacy of patient-specific
    information, and minimally necessary information
    is conveyed, where said standard applies.
OCR HIPAA Privacy, Incidental Uses and Disclosures,
12/3/2003, revised 4/3/2003

4. Facility Directory
  • Allows for use of the following PHI to maintain a
    facility directory:
    - Individual's name.
    - Individual's location in the facility.
    - Individual's condition in general terms.
    - Religious affiliation (for disclosure only to
      clergy members).
  • Allows for the above-noted disclosures to be made
    to (1) members of the clergy, and/or (2) persons
    who ask for the individual by name.
  • Only allowed if the individual, in advance, is
    given an opportunity to agree to, restrict, or
    prohibit some or all of such uses and
    disclosures. (These communications can be oral.)
§§ 164.502(a)(1)(v), 164.510(a)

Facility Directory Exception With Incapacitated
Patients and Emergency Situations
  • Where an opportunity to agree, restrict, and/or
    prohibit cannot practicably be provided, a CE can
    use/disclose some or all PHI in this regard, if:
  • 1. Such use or disclosure is consistent with
    any prior expressed preference of the individual
    that is known to the covered health care
    provider; and
  • 2. Such use or disclosure is in the individual's
    best interest as determined by the covered
    health care provider in the exercise of
    professional judgment.
  • But the health care provider must provide the
    individual with an opportunity to object to the
    use or disclosure for directory purposes as soon
    as it becomes practical to do so.
§ 164.510(a)(3)

5. Next of Kin/Caregiver
  • Allows for:
  • Disclosure of PHI directly relevant to a person's
    involvement with the individual's care or
    payment of the individual's health care. (This
    includes disclosure to an individual's family
    member, relative, close personal friend, or other
    person identified by the individual.)
  • Use or disclosure of PHI to notify a family
    member, personal representative, or another
    person responsible for the individual's care of
    the individual's location, general condition, or
    death.
  • Only allowed if the individual, in advance, is
    given an opportunity to agree to or prohibit such
    disclosure (these communications can be oral), OR
    if the CE reasonably infers from the
    circumstances, based on the exercise of
    professional judgment, that the individual does
    not object.
§§ 164.502(a)(1)(v), 164.510(b)

Special Provision Regarding the Next of
Kin/Caregiver Exception
  • Individual has a Right to Request Restrictions
    on a CE's use or disclosure of PHI otherwise
    permitted by the Next of Kin/Caregiver Exception.
    The CE is not required to agree, but if
    agreement is made, the CE must document the
    agreement and abide by its terms.
  • (This right is discussed in greater detail later.)
§ 164.522

Next of Kin/Caregiver Exception When Individual
Is Not Present, Is Incapacitated, or Is in an
Emergency Situation
  • If the individual is not present, or the
    opportunity to agree or object cannot practicably
    be provided, a CE should use best professional
    judgment and experience with common practice in
    deciding whether the disclosure under this
    exception is appropriate under the circumstances.
  • Example: This exception can be used to allow a
    person to act on behalf of the individual to
    pick up filled prescriptions, medical supplies,
    X-rays, or other similar forms of PHI.
§ 164.510(b)(3)

6. Business Associate (BA)
A CE may disclose PHI to a BA and may allow a BA
to create or receive PHI on its behalf, if the
CE obtains satisfactory assurance that the BA
will safeguard the information.

Definition of a Business Associate (BA)
  • A business associate is a person or entity that
    performs a function or activity on behalf of a CE,
    or provides services to a CE, that involves the use
    or disclosure of PHI. A written contract or other
    agreement or arrangement with the BA is required to
    establish this relationship.
  • A member of the CE's workforce is not a BA.
  • A CE can be a BA of another CE.
  • A mere conduit of PHI is not a BA
    (e.g., U.S. Postal or Messenger Service).
  • (Note: Not everyone that a CE does business with
    is a business associate!)
§§ 160.103, 164.502(e)(2); OCR HIPAA
Privacy, Business Associates, 12/3/2003, revised

Examples of Possible BA Relationships
  • For or on behalf of a CE:
    - Claims processing or administration.
    - Data analysis, processing, or administration.
    - Utilization review.
    - Quality assurance.
    - Billing.
    - Practice management.
  • Providing services to a CE:
    - Legal, actuarial, and accounting.
    - Data aggregation.
    - Financial services.


Exception to the BA Requirement (where a BA
relationship would otherwise exist)
  • Disclosures can be made by a CE to a health
    care provider for treatment of the individual
    without the need for a BA Agreement (BAA).
  • For example:
    - A physician is not required to have a BAA with a
      laboratory as a condition of disclosing PHI for
      treatment of an individual.
    - A hospital is not required to have a BAA with the
      specialist to whom it refers a patient and
      transmits the patient's medical chart for
      treatment purposes.
  • (Other exceptions, not covered here, exist for
    health plans.)
§ 164.502(e)(1)(ii)(A); OCR HIPAA
Privacy, Business Associates, 12/3/2003, revised

The Business Associate Agreement (BAA)
  • 1. Establishes the permitted and required uses
    and disclosures of PHI by the BA.
  • 2. Obtains certain promises from the BA.
    (BA Assurances listed on the next slide.)
  • 3. Authorizes the termination of the
    contract/relationship by the CE if the CE
    determines that the BA has violated a material
    term of the contract.
  • (The BA relationship is usually established
    through a written contract. If a CE and its BA
    are both governmental entities, an MOU can be used.)
§ 164.504(e)

Required BA Assurances
  • The BA must agree that it:
  • Will not use or further disclose PHI other than
    as permitted by the contract or required by law.
  • Will use safeguards to prevent inappropriate
    uses/disclosures.
  • Will report to the CE any disallowed use/disclosure.
  • Will ensure any of its agents (including
    subcontractors) agree to the same restrictions.
  • Will make available PHI in its possession for
    inspection, copying, and amendment.
  • Will incorporate amendments forwarded by the CE.
  • Will provide an accounting of disclosures.
  • Will make evidence related to uses/disclosures of
    PHI available to HHS for compliance oversight.
  • Will return or destroy all PHI at the end of the
    contract, if feasible.
§ 164.504(e)(2)(ii)

Permitted Uses/Disclosures Within the BA
Relationship
  • Assuming you have a relationship that meets the
    definition of a BA relationship under the
    regulations and you've appropriately gotten the
    required satisfactory assurances, then:
  • A CE can disclose PHI to the BA as necessary to
    permit the BA to perform agreed-upon functions,
    activities, or services to, for, or on behalf of
    the CE.
  • A BA may only use PHI it receives in its capacity
    as a BA to the CE as permitted by contract or
    agreement with the CE.
§§ 164.502(e), 164.504(e)

Liability Issues
  • The regulations do not directly regulate BAs to
    enforce their compliance. But by regulating CEs,
    HHS controls and restricts the flow of PHI by BAs.
  • When the BA is a CE: The regulations are clear
    that a violation of the BA agreement constitutes
    a violation of the regulations.
  • When the BA is not a CE: The CE has
    responsibilities when specified satisfactory
    assurances are violated by the BA. A CE who knows
    of a pattern of practice of the BA that
    constitutes a material breach/violation of the
    BA's agreed-upon obligations must take reasonable
    steps to cure the breach or end the violation
    and, if such steps are unsuccessful:
    - 1. Terminate the arrangement, if feasible; or
    - 2. If termination is not feasible, report the
      problem to HHS.
§§ 164.502(e)(1)(iii), 164.504(e)(1)

Compliance Periods for Previous Agreements
Previous contracts, MOUs, or other arrangements
entered into by the CE prior to October 15, 2002,
that are not renewable or amended prior to April
14, 2003, must be brought into compliance by
April 14, 2004. Small plans have until April 14,
2004 to comply with all of the regulation


7. Averting a Serious Threat to Health
or Safety
  • A CE may use or disclose PHI if the CE, in good
    faith, believes disclosure is:
  • 1. Necessary to prevent or lessen a serious
    and imminent threat to the health or safety of a
    person or the public, and the disclosure is made
    to person(s) reasonably able to lessen the
    threat;
  • 2. Necessary for law enforcement authorities
    to identify or apprehend an individual who
    admitted to participating in a violent crime that
    the CE believes may have caused serious physical
    harm to the victim (so long as that disclosure is
    not made in the course of treatment or the
    initiation of seeking treatment, and as long as
    disclosure is appropriately limited); or
  • 3. Where it appears from all the
    circumstances that the individual escaped from a
    correctional institution or from lawful custody.
§§ 164.502(a)(1)(vi), 164.512(j)

8. Health Oversight Activities
  • A CE may use or disclose PHI to health oversight
    agencies for oversight activities authorized by
    law, such as:
    - Audits.
    - Civil, administrative, or criminal
      investigations or proceedings.
    - Inspections.
    - Licensure or disciplinary actions.
  • Note: The information that law enforcement
    collects in the course of an oversight
    investigation should only be used for those
    purposes and should not be further disclosed.
§§ 164.502(a)(1)(vi), 164.512(d);
Exec. Order No. 13,181, 65 Fed. Reg. 81,321

9. Judicial and Administrative Proceedings
  • A CE may disclose PHI in response to:
  • A court order or administrative tribunal order,
    but only the PHI that is expressly authorized by
    the order.
  • A subpoena, discovery request, or other lawful
    process, if it obtains satisfactory assurances
    that the individual who is the subject of the
    request has been given notice of the request, or
    that the party seeking the PHI has made
    reasonable efforts to secure a qualified
    protective order.
§ 164.502(a)(1)(vi)

Satisfactory Assurances
  • Means that the CE receives a written statement
    and accompanying documentation that:
  • Written notice was provided to the individual,
    providing sufficient information about the
    proceeding in which PHI is requested to enable
    the individual to object, and that the time for
    objection has elapsed; or
  • Parties have agreed to a qualified protective
    order, or the party seeking the PHI has
    requested such an order from the court or
    tribunal. (This is an order that prohibits the
    use or disclosure of PHI for any purpose other
    than the proceeding for which the PHI is
    requested and requires destruction or return of
    the PHI to the CE when proceedings end.)

10. For Law Enforcement Purposes
  • A CE may disclose PHI to law enforcement:
  • 1. As required by law.
  • 2. Pursuant to:
    - a. A court order, warrant, subpoena, or
      summons issued by a judicial officer.
    - b. A grand jury subpoena.
    - c. An administrative request, such as an
      administrative summons or a civil investigative
      demand, that is:
      - Relevant and material to the inquiry.
      - Specific and limited in scope.
      - Unable to utilize de-identified information.
  • 3. Pursuant to other relevant circumstances
    (crime/law enforcement related).

Other Relevant Circumstances
(permitting disclosure to law enforcement)
In Summary:
  • A. Identifying or locating a suspect, fugitive,
    material witness, or missing person.
  • B. About an individual who is, or is suspected
    to be, a crime victim.
  • C. About a deceased individual if death is
    suspected to be a result of criminal conduct.
  • D. About evidence of criminal conduct that
    occurred on the premises of the CE.
  • E. When necessary to report a crime in a medical
    emergency.
  • (The following slides provide details about each.)
§ 164.512(f)

Other Relevant Circumstances (contd.)
  • A. Upon request by law enforcement, a CE may
    disclose the following PHI for the purpose of
    identifying or locating a suspect, fugitive,
    material witness, or missing person:
    - Name and address.
    - Date and place of birth.
    - SSN.
    - ABO blood type and Rh factor.
    - Type of injury.
    - Date and time of treatment.
    - Date and time of death (if applicable).
    - Distinguishing physical characteristics.
§ 164.512(f)(2)

Other Relevant Circumstances (contd.)
  • B. Upon request by law enforcement, a CE may
    disclose PHI about an individual who is, or is
    suspected to be, a crime victim if the individual
    agrees, or if the individual is incapacitated or
    in an emergency situation, provided that:
    - Law enforcement represents that the PHI is
      needed to determine if a law violation has
      occurred by someone other than the victim and is
      not intended for use against the individual;
    - Law enforcement represents that enforcement
      activity depending on the PHI would be adversely
      and materially affected by delay; and
    - The CE, in the exercise of professional
      judgment, determines that disclosure is in the
      best interest of the individual.

Other Relevant Circumstances (contd.)
  • C. A CE may disclose PHI to law enforcement about
    an individual who has died if the CE has a
    suspicion that such death may have resulted from
    criminal conduct.
  • D. A CE may disclose PHI to law enforcement that
    the CE believes, in good faith, constitutes
    evidence of criminal conduct that occurred on the
    premises of the CE.
§§ 164.512(f)(4), (5)

Other Relevant Circumstances (contd.)
  • E. A CE providing emergency medical treatment may
    disclose PHI to law enforcement if necessary to
    alert law enforcement to:
    - The commission and nature of a crime.
    - The location of such crime or victim.
    - The identity, description, and location of the
      perpetrator of such crime.
§ 164.512(f)(6)(i)

11. For Public Health (PH) Activities
  • A CE is permitted to make PH disclosures
  • To PH authority for the purpose of preventing or
    controlling disease, injury, or disability.
  • To PH authority receiving child abuse reports.
  • To the FDA for reports related to the quality,
    safety, or effectiveness of an FDA-regulated
    product or activity.
  • To a person who may have been exposed to a
    communicable disease or may otherwise be at risk
    of contracting or spreading a disease or
    condition if the CE is otherwise authorized to do
    so by law.
  • To an employer about an individual who is a
    member of the workforce if the CE is a member of
    the employer's workforce or the CE provides care
    at the request of the employer

  • 164.502(a)(1)(vi) 164.512(b)


Recall Limited Data Sets? (that a CE is permitted
to create under the health care operations
exception) With a Data Use Agreement, limited
data sets can be used or disclosed for public
health purposes (without the individual's

12. As Required By Law
  • A CE may use or disclose PHI to the extent that
    the use or disclosure is required by law, and the
    use or disclosure complies with and is limited to
    the relevant requirements of such law.
  • 164.502(a)(1)(vi)

13. For Research
  • A CE may use or disclose PHI for research if
  • 1. An Internal Review Board (IRB) or a privacy
    board, as permitted under the rules, approves an
    alteration or waiver, in whole or in part, of
    the standard written authorization requirements
    and the CE obtains sufficient documentation
    confirming the alteration or waiver.
  • 2. If disclosure is needed prior to and in
    preparation for research or is in regards to
    decedent information, the CE must obtain certain
    representations from the researcher as specified
    in the regulations.
  • 164.502(a)(1)(vi) 164.512(i)
Required Documentation To Invoke the Research
  • Documentation must contain
  • The identity of the IRB or privacy board that
    approved the waiver or alteration and the
    approval date.
  • Verification that the board determined that the
    approved waiver or alteration satisfies certain
    specified standards as outlined in the
  • Description of PHI deemed necessary by the board
    to conduct the research.
  • A statement as to whether review was under normal
    or expedited procedures as set forth in the
  • A signature by an authorized member of the
  • 164.512(i)(2)

Representations Needed by the CE From the
Researcher for Use/Disclosure Prior to and in
Preparation for Research
  • 1. The use/disclosure of PHI is sought solely
    for preparing for the research (e.g., in order
    to create research protocol).
  • 2. No PHI will be removed from the CE by the
  • 3. The requested PHI is necessary for research
  • 164.512(i)(1)(ii)

Representations Needed by the CE From the
Researcher for Use/Disclosure for Decedent
  • 1. That the use/disclosure of PHI is sought
    solely for research on decedents.
  • 2. That the researcher will provide, upon request
    of the CE, documentation verifying death of the
  • 3. That the PHI sought is necessary for research
  • 164.512(i)(1)(iii)


Another Potential Opportunity for the Use of
Limited Data Sets! With a Data Use
Agreement, limited data sets may also be used or
disclosed to researchers, in accordance with the
rules (without an individual's authorization or a
waiver or alteration of an authorization from an
IRB or privacy board).

14. Concerning Victims of Abuse,
Neglect, or Domestic Violence
  • A CE may disclose PHI about an individual whom it
    reasonably believes to be a victim of abuse,
    neglect, or domestic violence to a government
    authority, provided that
  • The disclosure is required by and complies with
    the law and is limited in terms of relevancy
  • The individual agrees or
  • The disclosure is expressly authorized by statute
    or regulation, and
  • The CE, in the exercise of professional judgment,
    believes disclosure to be necessary to prevent
    serious harm to the individual or other potential
    victims or
  • If the individual is incapacitated, a public
    official authorized to receive the report
    represents that the PHI sought is urgently
    needed, is not intended for use against the
    individual, and that a delay in obtaining the
    needed PHI would materially and adversely affect
    imminent enforcement activity.
  • 164.502(a)(1)(vi)

If the Victims Exception is Invoked
  • A CE must promptly notify the individual, unless
  • 1. The CE, in the exercise of professional
    judgment, believes that informing the individual
    would place the individual at risk of serious
    harm or
  • 2. The CE would be informing a personal
    representative, and the CE reasonably believes
    that the personal representative is responsible
    for the abuse, neglect, or other injury, and that
    informing such person would not be in the best
    interest of the individual.
  • 164.512(c)(2)

15. About Decedents
  • A CE may disclose PHI
  • To a coroner or medical examiner for the purpose
    of identifying a deceased person or determining
    cause of death.
  • (If the CE performs such duties, it can use PHI
    in this regard.)
  • To a funeral director consistent with applicable
    law, as necessary, to carry out their duties.
  • (PHI of this nature can be disclosed prior to
    and in reasonable anticipation of an individual's

  • 164.502(a)(1)(vi) 164.512(g)

Other Exceptions
  • There are a few other, less common but
    exceptions that are provided in the HIPAA privacy
    provisions that we have not reviewed but that we
    note here, and they include uses and disclosures
  • 16. For Workers' Compensation
  • 17. For Cadaveric Donation
  • 18. For Specialized Government Functions,
  • Military and veterans activities.
  • Protective services for the president and others.
  • Medical suitability determinations.
  • Between covered entities that are government
    programs providing public benefits.
  • National security and intelligence activities.
  • Custodial situations with correctional
    institutions and law enforcement.
  • 164.502(a)(1)(vi)
    and 164.512(l), 164.512(h), 164.512(k),

The HIPAA Privacy Rule

Rights Under HIPAA
  • 1. Right to Inspect and Copy.
  • 2. Right to an Accounting of Disclosures.
  • 3. Right to Request Amendment.
  • 4. Right to Request Restrictions.
  • 5. Right to Request Confidential Communications.
  • 6. Right to File a Complaint.

  • 1. Right To Inspect and Copy
  • A CE must respond to a request for access
    within 30 days (60 days if PHI is offsite) with
  • The requested PHI
  • A written explanation of the need for an
    extension up to 30 days, and a date certain for
  • If denied, basis for denial, a statement of
    patient's right to have denial reviewed and
    procedure for doing so (if applicable), and
    instructions on how patient can file a complaint
    with the Secretary or CE or
  • If CE does not have the requested PHI, where
    individual can direct PHI request, if known.
  • Note: Written requests can be required, and a
    reasonable cost-based fee is permitted!

  • Permitted Denial of Right To Inspect and Copy
  • WITHOUT Opportunity for Review
  • If PHI requested is within psychotherapy notes.
  • If PHI requested is in anticipation of use in a
    civil, criminal, or administrative proceeding.
  • If CE is subject to the Clinical Laboratory
    Improvements Amendments (CLIA) and CLIA prohibits
  • If CE is under direction of correctional
    institution, and PHI requested by an inmate may
    jeopardize health, safety, or rehabilitation of a
  • If PHI is requested in midst of a research
    project and patient had previously agreed to wait
    for such PHI until completion of project.
  • If requested PHI is contained in records subject
    to the Privacy Act and denial is consistent with
  • If requested PHI was obtained from someone other
    than a health care provider under a promise of
    confidentiality and disclosure would reveal the
  • 164.524(a)(2)

  • Permitted Denial of Right To Inspect and Copy
  • WITH Opportunity for Review
  • A licensed health care provider (HCP) determines,
    in the exercise of professional judgment, that it
    is reasonably likely that access to requested PHI
    would endanger the life or physical safety of the
    individual or another person.
  • The requested PHI makes reference to another
    person (except other HCPs), and a licensed health
    care professional, in the exercise of
    professional judgment, determines that providing
    access is reasonably likely to cause substantial
    harm to that other person.
  • The request is made by the individual's personal
    representative, and a licensed HCP, in the
    exercise of professional judgment, determines
    that providing access is reasonably likely to
    cause harm to the individual or another person.

  • 164.524(a)(3)

  • 2. Right to an Accounting of Disclosures
  • This is an accounting of PHI disclosures made by
    the CE, including those made to or by Business
    Associates, up to a 6-year period prior to the
  • Except for disclosures
  • 1. To carry out TPO.
  • 2. To the individual, as permitted/required.
  • 3. Incidental.
  • 4. Made per an individual's authorization.
  • 5. Made per the Facility Directory Exception or
    the Next of Kin/Caregiver
  • 6. Made per the Specialized Government Function
    Exception for national security or intelligence
    activities or to correctional institutions.
  • 7. Made as part of a Limited Data Set.
  • 8. That occurred prior to the compliance date
    (April 14, 2003).

  • Accounting of Disclosures
  • This right extends only to disclosures (outside
    of the CE) and not to uses.
  • The CE must respond within 60 days of the
    request, but may, in writing, extend up to 30
    days, to a date certain, with written
    explanation, unless temporary suspension of the
    individual's right is justifiably directed by the
    agency receiving disclosures under the health
    oversight or law enforcement exceptions, and it
    is documented.
  • Accounting must include
  • Date of each disclosure.
  • Name and address (if known) of entity or person
    who received the PHI.
  • Description of the PHI disclosed.
  • Statement of the purpose of the disclosure.
  • First accounting in a 12-month period must be
    free; a reasonable cost-based fee is permitted
    thereafter with prior notice to the patient.
  • 164.528

  • Special Accounting Provisions
  • When multiple required or permitted disclosures
    are made to the same person or entity for a
    single purpose, the CE may give full information
    required for the first disclosure during the
    accounting period and then give the number of
    times the disclosure was made during the
    accounting period and the date of the last such
    disclosure during that period.
  • If the CE has made disclosures per the Research
    Exception for 50 or more individuals, it can give
    general information, as specified in the rule,
    about such research-related disclosures whether
    or not the PHI for the individual who requested
    the accounting was actually disclosed. But if it
    is reasonably likely that the PHI of an
    individual was disclosed for research protocol or
    activity, a CE must assist the individual in
    contacting the sponsor of the research and the
    researcher upon an individual's request.

  • 164.528(a)(3) (a)(4)

  • 3. Right To Request Amendment
  • A CE may require, in advance, that individuals
    make requests for amendment in writing and
    provide supporting rationale.
  • A CE must respond to a request for amendment
    within 60 days but may, in writing, extend up to
    30 days, to a date certain, with written
    explanation. (This date can be extended only
    once!)
  • A CE may deny amendment of PHI or of a record in
    a designated record set if the PHI or record
  • 1. Was not created by the CE, unless the
    originator is no longer available.
  • 2. Is not part of the designated record set.
  • 3. Would not be available under the individual's
    right to inspect and copy.
  • 4. Is accurate and complete.
  • 164.526

  • Responding to a Request for Amendment
  • If Amendment Accepted
  • CE must make the amendment and inform the
    individual in a timely fashion that the
    amendment was accepted. The CE must provide the
    amendment to entities identified by the
    individual and other entities known to have
    received erroneous PHI.
  • If Amendment Denied
  • CE must give the individual written notice of
    the denial that includes
  • Basis for the denial.
  • The individual's right to submit a written
    statement disagreeing with the denial and how to
    exercise that right.
  • A statement that the individual can request the
    CE to include the individual's request and the
    denial with any future disclosures of PHI (if the
    individual does not file a statement of
  • A description of how the individual can file a
    complaint with the Secretary or CE.
  • 164.526

  • If Individual Files a Statement of Disagreement
  • The CE may reasonably limit the length of an
    individual's statement of disagreement.
  • The CE can prepare a rebuttal to the individual's
    statement, but must provide a copy of the
    rebuttal to the individual.
  • Handling Future Disclosures
  • With any subsequent disclosure of PHI or a record
    at issue, the CE must also disclose a copy of the
    request for amendment and the denial (if
    individual has not filed disagreement and
    requests this be done), the statement of
    disagreement (if any), and rebuttal (if any), or
    an accurate summary of such information.
  • 164.526

  • 4. Right To Request Restricted Uses/Disclosures
  • Patients have a right to request restrictions to
    uses/disclosures otherwise permitted within the
    following two exceptions
  • - TPO.
  • - Next of Kin/Caregiver.
  • The CE is not required to agree to such requested
    restrictions, but if the CE enters into an
    agreement to restrict, the CE must document such
    agreement and abide by its terms, except in
    emergency situations where such PHI is needed to
    provide emergency treatment to the individual
    (where CE must request that provider not further
    disclose PHI).
  • 164.522(a)(1)

  • How to Terminate a Prior Agreed-Upon Restriction
  • The individual agrees to or requests the
    termination in writing,
  • The individual orally agrees and the oral
    agreement is documented, or
  • The CE informs the individual that it is
    terminating the restriction, at which point the
    termination becomes effective with regard to PHI
    created or received after so informing the
  • 164.522(a)(2)

  • 5. Right To Request Confidential Communications
  • Individual has the right to request that PHI be
    communicated by the CE to him/her by alternative
    means or at alternative locations (e.g., only at
    work or only by mail).
  • CE may require that the request be in writing but
    may not require an explanation as to why.
  • CE must accommodate reasonable requests.
  • CE may condition the provision of a reasonable
    accommodation on (1) the individual specifying
    an alternative method of contact and, (2) the
    individual providing information on how payment,
    if any, will be handled.
  • 164.522(b)

  • 6. Right To File A Complaint
  • A person who believ