
Minnesota AUC Administrative Simplification
 

Privacy

Background

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, the US Department of Health and Human Services (DHHS) published final regulations on December 28, 2000, establishing national standards for the privacy of health information.

Who Is Subject to These Regulations? "Covered Entities"

The following entities are covered by the proposed regulations:

  • All health care providers who choose to transmit health information electronically
  • All health plans
  • All health care clearinghouses

Covered entities are allowed to disclose health information to persons or organizations they hire to perform functions on their behalf. These "business associates" are not permitted to use or disclose protected health information in ways that would not be permitted for the covered entity itself.

What Health Information Is Covered by the Proposed Regulations?

"Protected health information"

The regulations protect health information that:

  1. identifies an individual
  2. relates to a person’s physical or mental health, the provision of health care, or the payment for health care
  3. can be created or received by a covered entity, and
  4. is maintained or exchanged in any medium.

If the information has any components that could be used to identify a person, it is covered.

The protection stays with the information as long as the information is in the hands of a covered entity or a business associate.

Covered entities can use or disclose protected health information with the individual’s authorization for any lawful purpose. A standard form is established for this purpose. Each authorization must specify the information to be disclosed, who will get the information, and when the authorization expires. Individuals can revoke an authorization at any time.

Covered health care providers must obtain patient consent prior to using or disclosing protected health information to carry out treatment, payment or health care operations. Providers may condition treatment on the patient signing the consent. A health plan or health care clearinghouse may obtain consent to carry out these purposes. A health plan may condition enrollment on the patient’s consent.

Uses and Disclosures of Health Information Permitted Without Authorization

Covered entities can use and disclose protected health information without individual authorization for the following purposes:

  • Oversight of the health care system, including fraud investigations

  • Public health, and in emergencies affecting life or safety

  • Research if approved by an IRB or Privacy Board

  • Judicial and administrative proceedings

  • Law enforcement

  • To provide information to next-of-kin

  • For identification of the body of a deceased person, or the cause of death

  • For facilities’ (hospitals, etc.) directories

  • In other situations where the use or disclosure is mandated by other laws

  • Workers’ compensation

Individual Rights

The regulations provide basic rights for individuals with respect to their protected health information. Individuals have:

  • The right to receive a written notice of information practices from health plans and providers. The notice must describe the types of uses and disclosures that the plan or provider would make with health information (not just those uses and disclosures that could lawfully be made).

  • The right to obtain access to protected health information about them, including a right to inspect and obtain a copy of the information.

  • The right to request amendment or correction of protected health information that is inaccurate or incomplete.

  • The right to receive an accounting of the instances where protected health information about them has been disclosed by a covered entity for purposes other than treatment, payment, or health care operations.

Minimum Necessary

The minimum necessary provisions of the regulations state that covered entities must limit the disclosure of protected health information to the minimum necessary to accomplish the purpose of the use, disclosure or request for health information from another covered entity.

Administrative Requirements for Covered Entities

Under the regulations, providers and payers are required to implement basic administrative procedures to protect health information. Among them:

  • Develop a Notice of Information Practice

  • Allow individuals to inspect and copy their protected health information

  • Develop a mechanism for accounting for all disclosures made for purposes other than treatment, payment, and health care operations

  • Allow individuals to request amendments or corrections to their protected health information

  • Designate a privacy official

  • Provide privacy training to members of its workforce who would have access to protected health information

  • Implement physical and administrative safeguards to protect health information from intentional or accidental misuse

  • Establish policies and procedures to allow individuals to log complaints about the entity’s information practices, and maintain a record of any complaints

  • Develop a system of sanctions for members of the workforce and business associates who violate the entity’s policies

  • Have available documentation regarding compliance with the requirements of the regulation

  • Develop methods for disclosing only the minimum amount of protected information necessary to accomplish any intended purpose

  • Develop and use contracts that will ensure that business associates also protect the privacy of identifiable health information

Preemption

Pursuant to the HIPAA law, this rule will preempt state laws that are in conflict with the regulatory requirements, with exceptions for certain public health functions and related activities.

Enforcement and Penalties

Under HIPAA, the Secretary is granted the authority to impose civil and criminal penalties against those covered entities that fail to comply with the requirements of this regulation. DHHS has delegated the HIPAA enforcement authority to the Office of Civil Rights (OCR).

 