Updated by Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
Regulated by the Department of Health and Human Services (HHS)
Does not preempt stricter state privacy laws (Ex: California Medical Information Privacy Act)
No private right of action
Differences: FERPA vs. HIPAA
FERPA applies to student health records.
HIPAA applies to non-student health records.
Applicability:
“covered entities”
healthcare providers
insurers
business associates
Healthcare providers:
doctors’ offices
hospitals
Health plans (health insurers)
Healthcare clearinghouses
Business associates (Ex: PHI stored on the cloud)
Privacy Notice: must provide notice at date of first service delivery and must describe rights to individual’s PHI
Authorization for uses and disclosures:
PHI use and disclosure for treatment, payment, and operations (TPO).
Other uses require individual to opt-in.
Minimum Necessary use or disclosure:
covered entities must limit use and disclosure to minimum necessary.
Business associates must be bound by this standard.
Access and accountings of disclosures:
Individuals have the right to access and copy their own PHI.
Individuals have the right to amend PHI, and if denied, individual may file a statement that must then be included in any future use or disclosure of info.
Safeguards:
covered entities and business associates must implement administrative, physical and technical safeguards to protect the confidentiality and integrity of PHI and ePHI.
Accountability:
Entities must designate privacy official and personnel must be trained.
Must have complaint procedures in place.
Enforcement:
Office of Civil Rights (OCR).
U.S. Department of Justice (DOJ) has criminal enforcement authority (prison sentences up to 10 years).
FTC can enforce under Section 5 ("unfair and deceptive practices"). State AGs can also enforce.
Exceptions:
De-identified data:
1. Remove at least 17 data elements
2. Have an expert certify
Research: permitted on de-identified data
Other: public health activities, report victim of abuse, neglect, or domestic violence, judicial and administrative proceedings, certain law enforcement activities, specialized government functions. Must release to individual and HHS.
The Security Rule:
Minimum security requirements for PHI that a covered entity receives, creates, maintains or transmits in electronic form.
Ensure confidentiality, integrity, and availability of all ePHI
Protect against any reasonably anticipated threats to ePHI
Protect against any reasonably anticipated disclosures of ePHI
Ensure compliance with the Security Rule by its workforce
Each covered entity must have individual responsible for oversight and implementation
Covered entity must conduct initial and ongoing risk assessments
Covered entity must implement security awareness and training program for workforce
Qualified Protective Order (QPO) prohibits litigating parties from using or disclosing the protected health info for any purpose other than the litigation or proceeding for which such info was requested. It also requires the return to the covered entity or destruction of PHI (including copies) at the end of litigation.
Disclosure under HIPAA pursuant to a court order or subpoena is permitted if three criteria are met:
The info sought is relevant and material to a legitimate law enforcement inquiry
The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the info is sought
De-identified info could not reasonably be used
Permits disclosure of PHI to authorized federal officials for the conduct of lawful intelligence, counter intelligence, and other national security under the National Security Act.
Strengthened HIPAA to address privacy impacts of the expanded use of electronic health records
Breach: must notify individuals within 60 days of discovery
If more than 500 people, must notify HHS immediately
If 500 or more in the same jurisdiction, must notify media
Covered entities can avoid liability if they use encryption software
Penalties: up to $1.5 million for most willful violations
Disclosure: Must be minimum amount necessary
Covered entities may not sell Electronic Health Records (EHR) without the consent of the patient
Genetic Information Nondiscrimination Act of 2008 (GINA)
Created new national limits on the use of genetic information in health insurance and employment
Prohibits employers from requiring, requesting, or purchasing such genetic information about employees or family members except:
Such a request is inadvertent
Request is part of an employer wellness program and is voluntary
Request is made to comply with the Family and Medical Leave Act (FMLA)
Employer purchases commercially and publicly available info
The information is used for legally required genetic monitoring for toxin exposure in the