About HISPC
FAQ PROVIDERS
1) When will universal standards be adopted for EMR?
3) Obtaining informed consents
4) Verification of HIPAA compliance by outsourced firms
5) What is the minimum necessary amount of PHI?
6) Who owns the personal health information? Is there consensus?
7) Authorization for release of PHI for deceased individuals
8) Legal liability between entities exchanging PHI?
9) State Laws regarding handling of sensitive information – how does PHI fit in?
10) Variations in standard HIPAA procedures between organizations
When will universal standards be adopted for EMR?
Universal standards for EMR have already been adopted, as set by HL7 and CCHIT.
HL7 (Health Level 7) is an ANSI standard for healthcare-specific data exchange between computer applications. The name comes from “Health Level 7”, which refers to the top layer (Level 7) of the Open Systems Interconnection (OSI) model, applied to the health environment.
CCHIT is the Certification Commission for Healthcare Information Technology.
The safe harbor method includes a list of data elements that must be removed in order for information to be considered de-identified.
For safe harbor to apply, you must be able to answer true to both of the following statements:
1. The covered entity does not have actual knowledge that the information could be used alone or in combination with other reasonably available information to re-identify the individual.
2. The following identifiers of the individual or of relatives, employers, or household members of the individual have been removed or are not present (Note: only part of the list appears here. For the entire list, review 45 CFR 164.514):
- Names
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, Zip Codes
- All elements of dates (except year) or dates relating to an individual, including birth date, admission date, discharge date, date of death and all ages over 89, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone and fax numbers
- Electronic mail addresses
- Social security numbers
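As an added example (not code from the HISPC page), the following Python applies the Safe Harbor removals listed above to one constructed patient record: it drops the named identifier fields, keeps only the year of each date, aggregates ages over 89 into the single "90 or older" category, and scrubs identifier-like strings that leak into free-text fields. The field names, regular expressions and sample record are assumptions made for this illustration.

```python
import re
from datetime import date

# Added example, not code from the HISPC page. Field names, patterns and the
# sample record are assumptions; the removal rules follow the Safe Harbor list.

# Fields removed outright: names, geography smaller than a state, contact data.
DROP_FIELDS = {"name", "street", "city", "county", "precinct", "zip",
               "phone", "fax", "email", "ssn"}
# Date fields reduced to the year only.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Defensive patterns for identifiers that leak into free-text fields.
IDENTIFIER_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                 # SSN
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),          # e-mail address
    re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),  # US phone/fax
    re.compile(r"\b\d{5}(?:-\d{4})?\b"),                   # ZIP code (coarse)
]

def age_category(birth, as_of):
    """Age in whole years, aggregated to '90 or older' above age 89."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    years = as_of.year - birth.year - (0 if had_birthday else 1)
    return "90 or older" if years > 89 else years

def scrub_text(text):
    """Replace identifier-like substrings in free text with a marker."""
    for pattern in IDENTIFIER_PATTERNS:
        text = pattern.sub("[REMOVED]", text)
    return text

def safe_harbor(record, as_of):
    """Return a de-identified copy of `record` under the Safe Harbor list."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = value.year
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    if "birth_date" in record:
        out["age"] = age_category(record["birth_date"], as_of)
    return out

# Constructed sample record; state-level geography is allowed to remain.
SAMPLE = {
    "name": "Jane Doe",
    "street": "12 Elm St", "city": "Baton Rouge", "state": "LA", "zip": "70801",
    "phone": "225-555-0100", "email": "jane@example.com", "ssn": "123-45-6789",
    "birth_date": date(1931, 6, 15),
    "admission_date": date(2023, 11, 2),
    "diagnosis": "Type 2 diabetes",
    "notes": "Call daughter at 225-555-0199 before discharge.",
}

def demo():
    """De-identify the sample as of a fixed reference date."""
    return safe_harbor(SAMPLE, as_of=date(2024, 1, 1))

if __name__ == "__main__":
    print(demo())
```

The free-text patterns are deliberately broad (any five-digit number is treated as a ZIP code), which is the conservative choice when the alternative is leaving an identifier in place.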
Obtaining informed consents
The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.
By contrast, an authorization is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual. An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.
Verification of HIPAA compliance by outsourced firms
The Privacy Rule regulates covered entities, not business associates. The Rule requires covered entities to include specific provisions in agreements with business associates to safeguard protected health information, and addresses how covered entities may share this information with business associates. Covered entities are responsible for fulfilling Privacy Rule requirements with respect to individual rights, including the rights of access, amendment, and accounting, as provided for by 45 CFR 164.524, 164.526, and 164.528. With limited exceptions, a covered entity is required to provide an individual access to his or her protected health information in a designated record set. This includes information in a designated record set of a business associate, unless the information held by the business associate merely duplicates the information maintained by the covered entity. Therefore, the Rule requires covered entities to specify in the business associate contract that the business associate must make such protected health information available if and when needed by the covered entity to provide an individual with access to the information. However, the Privacy Rule does not prevent the parties from agreeing through the business associate contract that the business associate will provide access to individuals, as may be appropriate where the business associate is the only holder of the designated record set, or part thereof.
Under 45 CFR 164.526, a covered entity must amend protected health information about an individual in a designated record set, including any designated record sets (or copies thereof) held by a business associate. Therefore, the Rule requires covered entities to specify in the business associate contract that the business associate must amend protected health information in such records (or copies) when requested by the covered entity. The covered entity itself is responsible for addressing requests from individuals for amendment and coordinating such requests with its business associate. However, the Privacy Rule also does not prevent the parties from agreeing through the contract that the business associate will receive and address requests for amendment on behalf of the covered entity.
Under 45 CFR 164.528, the Privacy Rule requires a covered entity to provide an accounting of certain disclosures, including certain disclosures by its business associate, to the individual upon request. The business associate contract must provide that the business associate will make such information available to the covered entity in order for the covered entity to fulfill its obligation to the individual. As with access and amendment, the parties can agree through the business associate contract that the business associate will provide the accounting to individuals, as may be appropriate given the protected health information held by, and the functions of, the business associate.
What is the “minimum necessary” amount of PHI?
The HIPAA Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for protected health information to the minimum necessary to accomplish the intended purpose. To allow covered entities the flexibility to address their unique circumstances, the Rule requires covered entities to make their own assessment of what protected health information is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly. This is not an absolute standard and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers and plans today to limit the unnecessary sharing of medical information.
The minimum necessary standard requires covered entities to evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to protected health information. It is intended to reflect and be consistent with, not override, professional judgment and standards. Therefore, it is expected that covered entities will utilize the input of prudent professionals involved in health care activities when developing policies and procedures that appropriately limit access to personal health information without sacrificing the quality of health care.
Who owns the personal health information? Is there consensus?
The covered entity owns the PHI. The covered entity is the physician, hospital or other organization that is required to abide by the HIPAA regulations.
Medical records of a patient maintained in a health care provider’s office are the property and business records of the health care provider. [R.S. 40:1299.96 A.(2)(a)]
Authorization for release of PHI for deceased individuals
The HIPAA Privacy Rule recognizes that a deceased individual's protected health information may be relevant to a family member's health care. The Rule provides two ways for a surviving family member to obtain the protected health information of a deceased relative. First, disclosures of protected health information for treatment purposes, even the treatment of another individual, do not require an authorization; thus, a covered entity may disclose a decedent's protected health information, without authorization, to the health care provider who is treating the surviving relative. Second, a covered entity must treat a deceased individual's legally authorized executor or administrator, or a person who is otherwise legally authorized to act on behalf of the deceased individual or his estate, as a personal representative with respect to protected health information relevant to such representation. Therefore, if it is within the scope of such personal representative's authority under other law, the Rule permits the personal representative to obtain the information or provide the appropriate authorization for its disclosure.
Covered entities may use and disclose protected health information without individual authorization for the following national priority activities:
- Oversight of the health care system, including quality assurance activities
- Public health, and in emergencies affecting life or safety
- Research
- Judicial and administrative proceedings
- Law enforcement
- To provide information to next-of-kin
- For government health data systems
- For identification of the body of a deceased person, or the cause of death
- For facilities (hospitals, etc.) directories
- In other situations where the use or disclosure is mandated by other laws
Legal liability between entities exchanging PHI?
No. The HIPAA Privacy Rule requires covered entities to enter into written contracts or other arrangements with business associates which protect the privacy of protected health information; but covered entities are not required to monitor or oversee the means by which their business associates carry out privacy safeguards or the extent to which the business associate abides by the privacy requirements of the contract. Nor is the covered entity responsible or liable for the actions of its business associates. However, if a covered entity finds out about a material breach or violation of the contract by the business associate, it must take reasonable steps to cure the breach or end the violation, and, if unsuccessful, terminate the contract with the business associate. If termination is not feasible (e.g., where there are no other viable business alternatives for the covered entity), the covered entity must report the problem to the Department of Health and Human Services Office for Civil Rights. See 45 CFR 164.504(e)(1).
With respect to business associates, a covered entity is considered to be out of compliance with the Privacy Rule if it fails to take the steps described above. If a covered entity is out of compliance with the Privacy Rule because of its failure to take these steps, further disclosures of protected health information to the business associate are not permitted. In cases where a covered entity is also a business associate, the covered entity is considered to be out of compliance with the Privacy Rule if it violates the satisfactory assurances it provided as a business associate of another covered entity.
The HIPAA Privacy Rule does not pass through its requirements to business associates or otherwise cause business associates to comply with the terms of the Rule. The assurances that covered entities must obtain prior to disclosing protected health information to business associates create a set of contractual obligations far narrower than the provisions of the Rule, to protect information generally and help the covered entity comply with its obligations under the Rule.
Business associates, however, are not subject to the requirements of the Privacy Rule, and the Secretary cannot impose civil monetary penalties on a business associate for breach of its business associate contract with the covered entity, unless the business associate is itself a covered entity. For example, covered entities do not need to ask their business associates to agree to appoint a privacy officer, or develop policies and procedures for use and disclosure of protected health information.
State Laws regarding handling of sensitive information – how does PHI fit in?
The HIPAA Privacy Rule provides a Federal floor of privacy protections for individuals’ individually identifiable health information where that information is held by a covered entity or by a business associate of the covered entity. State laws that are contrary to the Privacy Rule are preempted by the Federal requirements, unless a specific exception applies. These exceptions include if the State law (1) relates to the privacy of individually identifiable health information and provides greater privacy protections or privacy rights with respect to such information, (2) provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, or (3) requires certain health plan reporting, such as for management or financial audits. In these circumstances, a covered entity is not required to comply with a contrary provision of the Privacy Rule.
In addition, the Department of Health and Human Services (HHS) may, upon specific request from a State or other entity or person, determine that a provision of State law which is “contrary” to the Federal requirements as defined by the HIPAA Administrative Simplification Rules and which meets certain additional criteria, will not be preempted by the Federal requirements. Thus, preemption of a contrary State law will not occur if the Secretary or designated HHS official determines, in response to a request, that one of the following criteria applies: the State law (1) is necessary to prevent fraud and abuse related to the provision of or payment for health care, (2) is necessary to ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation, (3) is necessary for State reporting on health care delivery or costs, (4) is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or (5) has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substance (as defined in 21 U.S.C. 802), or of any substance that is deemed a controlled substance by State law.
It is important to recognize that only State laws that are “contrary” to the Federal requirements are eligible for an exemption determination. As defined by the Administrative Simplification Rules, contrary means that it would be impossible for a covered entity to comply with both the State and Federal requirements, or that the provision of State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.
See 45 C.F.R. Part 160, Subpart B, for specific requirements related to preemption of State law.
Variations in standard HIPAA procedures between organizations
Designated Standards Maintenance Organization (DSMO)
The Secretary of HHS named six organizations to maintain the standards defined under HIPAA. The criteria for choosing these organizations are specified in the Privacy and Security Rules. These organizations are referred to as Designated Standards Maintenance Organizations (DSMOs). They are:
- ANSI Accredited Standards Committee (ASC) X12
- Dental Content Committee of the American Dental Association
- Health Level Seven (HL7)
- National Council for Prescription Drug Programs (NCPDP)
- National Uniform Billing Committee (NUBC)
- National Uniform Claim Committee (NUCC)
HIPAA replaces most of the pre-existing transaction formats with the following twelve standardized electronic transactions:
- 270/271: Health Care Eligibility/Benefit Inquiry and Information Response
- 277/275: Health Care Claim Request for Additional Information and Response
- 276/277: Health Care Claim Status Request and Response
- 278: Health Care Services Review Request for Review and Response
- 820: Payroll Deducted and Other Group Premium Payment for Insurance Products
- 834: Benefit Enrollment and Maintenance
- 835: Health Care Claim Payment/Advice
- 837: Health Care Claim: Institutional
- 837: Health Care Claim: Dental
- 837: Health Care Claim: Professional
Non-routine disclosures are required under HIPAA to be tracked. This is another patient right. This tracking is called an Accounting of Disclosures, and patients have the right to see this Accounting of Disclosures upon request. Here is a partial list of the types of disclosure you will see on the Accounting of Disclosures. These types of disclosure are considered non-routine.
- National Priority Activities – A covered entity is allowed to disclose PHI to federal officials to assist with intelligence and other national security activities authorized by the National Security Act, or to protect the President of the United States or a foreign head of state.
- State Licensing Boards – To protect the public, data may need to be used in overseeing the healthcare system.
- Public Health – Certain contagious diseases are required to be reported to the Centers for Disease Control and Prevention (CDC), such as Lyme Disease, Ebola, or smallpox. Disclosures may be made in order to facilitate notifying individuals who may have been exposed, or may risk spreading a communicable disease.
- Research – In some cases, PHI can be distributed for research purposes without an authorization, but states vary in the stringency of their laws.
- Judicial and Administrative Proceedings – Covered entities are permitted to disclose PHI in response to a court order, a court-issued subpoena, or a discovery request. A provider may need to use PHI to defend itself in a legal action brought by an individual.
- Law Enforcement – Gunshot wounds, sexual/domestic violence, child abuse, and bedsores may be required to be reported by local or state law. A covered health care provider may provide law enforcement with PHI to report the commission of a crime and its characteristics. A covered entity may also provide limited health information to aid in identifying or locating a suspect, fugitive, or witness. Additionally, the PHI of suspected crime victims, and of decedents whose death might be due to criminal conduct, can be shared.
- Medical Examiner – PHI, such as dental records or DNA samples, can be released to help identify a body or to determine the cause of death.
- Next of Kin Notification – If a person has died, the next of kin may be notified and provided with the cause of death.
- Government Health Medical Error Databases – PHI submitted to these databases allows the tracking of trends and protection of the public.
- Emergency Treatment – The provider may use professional judgment to determine what PHI may be disclosed during a life-threatening emergency. The provider doesn't have to go to extremes to protect PHI in the case of an emergency. As a rule of thumb, share what is necessary to see that the patient gets immediate care.
Physical storage and security requirements are not clear
The HIPAA Security Rule outlines the requirements in three major categories: administrative safeguards, physical safeguards, and technical safeguards.
The administrative safeguards form the foundation on which the other standards depend. Covered entities are required to implement administrative, physical and technical safeguards. These entities must ensure that data are protected, to the extent feasible, from inappropriate access, modification, dissemination, and destruction.
In the HIPAA Security Rule, each implementation specification is either required or addressable. The concept of addressable implementation specifications is to give covered entities additional flexibility in complying with the security standards. If an addressable implementation specification is not implemented, the rationale behind that decision and any alternative safeguard implemented to meet the standard must be documented.