The modern Hippocratic Oath states, “I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.”
Why do strict privacy laws exist for healthcare?
First, at the most basic level, medical information is related to the inner workings of one’s body or mind. One’s individual sense of self may be violated if others have unfettered access to this information.
Second, most doctors believe that patients will be more open about their medical conditions if they have assurance that embarrassing medical facts will not be revealed.
Third, medical privacy protections can protect employees from the risk of unequal treatment by employers.
HIPAA does not preempt stricter state privacy laws.
California Confidentiality of Medical Information Act (CMIA), for example, expands health information privacy protection duties to providers of software, hardware and online services.
Protected Health Information (PHI)
Any individually identifiable health information that:
Is transmitted or maintained in any form or medium;
Is held by a covered entity or its business associate;
Identifies the individual or offers a reasonable basis for identification;
Is created or received by a covered entity or an employer;
Relates to a past, present or future physical or mental condition, provision of health care or payment for health care to that individual.
Electronic Protected Health Information (ePHI)
Any PHI that is transmitted or maintained in electronic media.
This statutory link to electronic reimbursements helps clarify which healthcare information is covered under HIPAA.
Entities covered:
Healthcare Providers that conduct certain transactions in electronic form
Health Plans (e.g. health insurers)
Healthcare clearinghouses (e.g. third-party organizations that host, handle or price medical information)
HIPAA does not apply to all healthcare providers.
Example: some doctors accept only cash and credit cards and do not bill insurance.
Individuals reveal medical information in a wide variety of settings (conversations, online, etc.).
Before the Health Information Technology for Economic and Clinical Health (HITECH) Act, business associates were not subject to HIPAA but became subject to privacy and security protections under the written contracts they signed with covered entities.
Under HITECH, HIPAA privacy and security rules are codified and apply directly to business associates.
Business Associates – may provide services such as claims processing, data analysis, utilization review and billing as well as legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and/or financial services.
The Privacy Rule and the Fair Information Privacy Practices
Privacy Notices – provide a detailed privacy notice at the date of first service delivery.
Exceptions:
A privacy notice does not have to be provided when the healthcare provider has an “indirect treatment relationship” with the patient.
In the case of medical emergencies.
Authorization for uses and disclosures – the Privacy Rule authorizes the use and disclosure of PHI for essential health care purposes (treatment, payment and operations) and for certain other established compliance purposes.
Other uses or disclosures of PHI require opt-in authorization.
A covered entity cannot require an individual to sign an authorization as a condition of receiving treatment.
“Minimum Necessary” use or disclosure
Other than for treatment, covered entities must make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose.
Access and Accountings of Disclosure – individuals have the right to access and copy their own PHI from a covered entity/business associate.
Safeguard – implement administrative, physical and technical safeguards to protect the confidentiality and integrity of all PHI.
Accountability – to foster compliance, covered entities are subject to a set of administrative requirements.
They must designate a privacy official responsible for the development and implementation of privacy protections.
Personnel must be trained
Complaint procedures, along with other procedures, must be in place.
Note: People (Designated Official, employees) & Procedures
Enforcement:
The primary enforcer of the Privacy Rule within HHS is the Office for Civil Rights (OCR), which processes individual complaints and can assess civil monetary penalties of up to approximately $1.6 million per year per type of violation.
The DOJ has criminal enforcement authority.
Limits on and Exceptions to the Privacy Rule
De-identification – Privacy Rule does not apply to information that has been “de-identified” – information that does not actually identify an individual.
Research - Research can occur with the consent of the individual, or without consent if an authorized entity such as an institutional review board approves the research as consistent with the Privacy Rule.
Other Exceptions
These include information used for public health activities
To report victims of abuse, neglect, or domestic violence
In judicial and administrative proceedings
For certain law enforcement activities
For certain specialized government functions.
The HIPAA Security Rule
This establishes minimum security requirements for PHI that a covered entity receives, creates, maintains or transmits in electronic form. It requires covered entities to implement “reasonable” security measures in a technology-neutral manner.
The Security Rule consists of “standards” and “implementation specifications,” which encompass administrative, technical and physical safeguards.
Each Security Rule standard is a requirement.
Covered entities and business associates must comply with all of the standards of the Security Rule with respect to the ePHI they create, receive, transmit, or maintain.
Many of the standards contain implementation specifications.
Some of the implementation specifications are required, while others are considered “addressable.”
“Addressable” means that the covered entity must assess whether the specification is an appropriate safeguard for the entity to adopt. If not, the covered entity must document why it is not reasonable and, if appropriate, adopt an alternative measure.
The HIPAA Security Rule requires covered entities and business associates to:
Ensure confidentiality, integrity, and availability of all ePHI that they create, receive, maintain, or transmit.
Protect against any reasonably anticipated threats or hazards to the security or integrity of the ePHI.
Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule.
Ensure compliance with the Security Rule by their workforce.
Technology: in deciding which security measures to implement, covered entities may take the following into account:
The size, complexity and capabilities of the covered entity
The covered entity’s technical infrastructure, hardware and software security capabilities
The costs of security measures
The probability and criticality of potential risks to electronic protected health information.
The HIPAA Security Rule allows organizations to forego compliance with addressable implementation specifications when the entity has assessed that the specification is not an appropriate safeguard to adopt, and has documented why it is not reasonable and any alternative measures adopted.
Organization Rule
Designate Individual to run Security Program
Risk Assessments
Security and Awareness training program
HITECH Act – enacted in 2009 to promote the adoption and meaningful use of health information technology (electronic health records).
It also strengthened HIPAA to address the privacy impacts of the expanded use of electronic health records.
Notice of Breach
The statutory language provides that covered entities have the burden of proof that an impermissible use or disclosure did not constitute a breach. If there is a high probability that the security or privacy of the information (financial, reputational or other) has been compromised, a covered entity must notify the affected individuals.
Individuals must be notified within 60 days. If 500 or more individuals are affected, HHS must be notified; if 500 or more individuals in the same jurisdiction are affected, the media must be notified.
Covered entities can avoid breach-notification liability by using encryption software on the information.
Increase in Penalties – up to $1.5 million for the most willful violations and extends criminal liability to individuals who misuse PHI.
Limited Data Set – protects health information by excluding direct identifiers.
A limited data set is PHI that excludes 16 categories of direct identifiers. It may be used or disclosed for purposes of research, public health, or health care operations without obtaining either an individual's authorization or a waiver or alteration of authorization, provided a data use agreement is in place.
It is described as health information that excludes certain listed direct identifiers but that may include city; state; ZIP Code; elements of dates; and other numbers, characteristics, or codes not listed as direct identifiers.
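As an added example (not part of the original notes), the following Python assembles a limited data set from a PHI record: it strips the 16 direct-identifier categories (taken from 45 CFR 164.514(e)(2)), keeps only the indirect fields the rule allows, refuses unclassified fields such as free-text notes, and releases nothing without a signed data use agreement for a permitted purpose. The field names, the DataUseAgreement class and the sample record are constructed assumptions for this example.

```python
# Added example, not from the original notes: assembling a HIPAA limited data set
# from a PHI record for release under a data use agreement (DUA). The 16 direct-
# identifier categories follow 45 CFR 164.514(e)(2); field names and the sample
# record are constructed for this example.
from dataclasses import dataclass

# One constructed field name per direct-identifier category.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_beneficiary_number", "account_number",
    "certificate_license_number", "vehicle_identifier", "device_identifier",
    "url", "ip_address", "biometric_identifier", "full_face_photo"})
# Indirect fields a limited data set may retain: city/state/ZIP, date elements, codes.
PERMITTED_FIELDS = frozenset({"city", "state", "zip", "birth_date", "admission_date",
                              "discharge_date", "diagnosis_code", "procedure_code"})
PERMITTED_PURPOSES = frozenset({"research", "public health", "health care operations"})

@dataclass(frozen=True)
class DataUseAgreement:
    recipient: str
    purpose: str
    signed: bool

def contains_direct_identifier(record: dict) -> bool:
    """True if any of the 16 direct-identifier fields is present in the record."""
    return any(field in DIRECT_IDENTIFIER_FIELDS for field in record)

def build_limited_data_set(record: dict, dua: DataUseAgreement) -> dict:
    """Drop direct identifiers; keep only explicitly permitted indirect fields.
    Fields that are neither (e.g. free-text notes that may embed a name) are
    refused rather than passed through, and release needs a signed DUA."""
    if not dua.signed or dua.purpose not in PERMITTED_PURPOSES:
        raise PermissionError("release requires a signed DUA for a permitted purpose")
    limited = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # strip the direct identifier entirely
        if field not in PERMITTED_FIELDS:
            raise ValueError(f"unclassified field {field!r}: classify before release")
        limited[field] = value
    return limited

# Constructed sample PHI record (fictional values).
SAMPLE_PHI = {"name": "Jane Example", "ssn": "000-00-0000", "medical_record_number": "MRN-1",
              "city": "Springfield", "state": "IL", "zip": "62704",
              "admission_date": "2023-05-01", "diagnosis_code": "E11.9"}
```

The deny-by-default branch is the practical safeguard: a column nobody classified is the usual route by which names or account numbers leak into a "de-identified" extract.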
Electronic Health Records (EHR) – HITECH created important incentives, through funding, for health providers to adopt them.
Part 2: Confidentiality of Substance Use Disorder Patient Records (Part 2) was first promulgated in 1975 to address concerns about the potential use of Substance Use Disorder (SUD)
Scope
The scope of the Rule covers the disclosure and use of “patient identifying information” by treatment programs for alcohol and substance abuse.
Applicability – the law applies to any program that receives federal funding. The term program means any of the following:
An individual or entity (other than a general medical facility) that holds itself out as providing, and provides, substance abuse treatment.
An identified unit within a general medical facility that holds itself out as providing, and provides, alcohol or substance abuse diagnosis, treatment, or referral for treatment (e.g. the substance abuse ward).
Medical personnel or other staff in a general medical facility whose primary function is the provision of alcohol or substance abuse diagnosis, treatment, or referral for treatment (e.g. a single therapist with this and other duties).
Other entities may become subject to the regulation in either of the following ways:
A state licensing agency requires them to comply
The clinician uses controlled substances for detoxification, requiring licensing through the U.S. Drug Enforcement Administration (DEA), e.g. a doctor who prescribes methadone or other chemicals for detox.
Disclosure – the program must obtain written patient consent before disclosing information subject to the Rule.
The consent form may include a general designation that allows disclosure to either individuals or entities, so long as those entities have a treating provider relationship with the patient.
Upon request, the patient receives a list of the entities to which his or her information has been disclosed.
The consent form must explicitly describe the type of information to be disclosed related to alcohol or drug abuse treatment.
Redisclosure – Redisclosing information obtained from a program is prohibited when that information would “identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment.”
Exceptions – disclosure without consent:
Emergencies
Scientific Research
Audits and Evaluations
Communications with a qualified service organization (QSO) related to information needed by the organization to provide services to the program.
Crimes on program premises or against program personnel
Child Abuse Reporting
Court Order
Security of Records – must have formal policies and procedures in place to protect the security of this information. There are separate requirements for paper and electronic records.
Violations are criminal: a first offense is fined up to $500, and each subsequent offense is fined up to $5,000.
These violations are reported to the US Attorney’s Office.
Genetic Information Nondiscrimination Act (GINA) – protects individuals from genetic discrimination in health insurance and employment. GINA amended a variety of existing pieces of legislation, including:
The Employee Retirement Income Security Act (ERISA),
The Social Security Act
The Civil Rights Act
The amendments prohibit health plan providers from requesting genetic testing, except for requests for voluntary testing in connection with research.
The modification to HIPAA, made in 2013, states that genetic information is considered to be health information; therefore, it cannot be used by health insurers to make any decisions about health insurance benefits, eligibility for benefits, or the calculation of premiums under a health plan.
Statutory penalty is set at $100 each day of noncompliance for each plan participant or beneficiary
GINA also affects employers and the way they hire employees
Exceptions:
Voluntary wellness programs offered to employees
Research Exception
GINA includes a "research exception" to the general prohibition against health insurers or group health plans requesting that an individual undergo a genetic test. This exception allows health insurers and group health plans engaged in research to request (but not require) that an individual undergo a genetic test.
Conditions: compliance with the request is voluntary; the research will have no effect on enrollment or contributions; and no genetic information will be used for underwriting purposes.
GINA itself does not provide for a private right of action, but depending on the violation private rights of action may be available under the federal laws that it revises as well as under similar state laws.
GINA mandates the creation of a commission to review the developments in the science of genetics and make recommendations as to whether to establish a “disparate impact cause of action” under GINA.
21st Century Cures Act – expedites research, quickens the process for drug approval, and reforms mental health treatment.
Its privacy provisions include:
Certain individual biomedical research information exempted from disclosure under FOIA
Researchers permitted to remotely view PHI
Information blocking prohibited but HIPAA’s protection of PHI remains
Certificate of confidentiality for research
Compassionate sharing of mental health or substance abuse information with family or caregivers