HIPAA privacy rule FAQs.

Along with the new patient privacy rules ushered in by HIPAA (Health Insurance Portability & Accountability Act of 1996, Public Law 104-191), there are many questions about the specifics of how the rules apply in various scenarios. Below are several questions about HIPAA and the answers provided by the United States Department of Health & Human Services.

Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?

For the average health care provider or health plan, the Privacy Rule requires activities such as:

* Notifying patients about their privacy rights and how their information can be used.
* Adopting and implementing privacy procedures for its practice, hospital, or plan.
* Training employees so that they understand the privacy procedures.
* Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
* Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

Responsible health care providers and businesses already take many of the kinds of steps required by the Rule to protect patients' privacy. Covered entities of all types and sizes are required to comply with the Privacy Rule.

To ease the burden of complying with the new requirements, the Privacy Rule gives needed flexibility for providers and plans to create their own privacy procedures, tailored to fit their size and needs. The scalability of the Rule provides a more efficient and appropriate means of safeguarding protected health information than would any single standard. For example:

* The privacy official at a small physician practice may be the office manager, who will have other non-privacy related duties; the privacy official at a large health plan may be a full-time position, and may have the regular support and advice of a privacy staff or board.
* The training requirement may be satisfied by a small physician practice's providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies; whereas a large health plan may provide training through live instruction, video presentations, or interactive software programs.
* The policies and procedures of small providers may be more limited under the Rule than those of a large hospital or health plan, based on the volume of health information maintained and the number of interactions with those within and outside of the health care system.

Who must comply with these new HIPAA privacy standards?

As required by Congress in HIPAA, the Privacy Rule covers:

* Health plans
* Health care clearinghouses
* Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing.

These entities (collectively called "covered entities") are bound by the new privacy standards even if they contract with others (called "business associates") to perform some of their essential functions. The law does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits. See the fact sheet and frequently asked questions on this web site about the standards on "Business Associates" for a more detailed discussion of the covered entities' responsibilities when they engage others to perform essential functions or services for them.

What is the difference between "consent" and "authorization" under the HIPAA Privacy Rule?

The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.

By contrast, an "authorization" is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual. An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.

May physicians' offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?

Yes. Covered entities, such as physicians' offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician).

Can a physician's office fax patient medical information to another physician's office?

The HIPAA Privacy Rule permits physicians to disclose protected health information to another health care provider for treatment purposes. This can be done by fax or by other means. Covered entities must have in place reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information that is disclosed using a fax machine. Examples of measures that could be reasonable and appropriate in such a situation include the sender confirming that the fax number to be used is in fact the correct one for the other physician's office, and placing the fax machine in a secure location to prevent unauthorized access to the information.

Does the HIPAA Privacy Rule require that covered entities document all oral communications?

No. The Privacy Rule does not require covered entities to document any information, including oral information, that is used or disclosed for treatment, payment or health care operations. The Rule includes, however, documentation requirements for some information disclosures for other purposes. For example, some disclosures must be documented in order to meet the standard for providing a disclosure history to an individual upon request. Where a documentation requirement exists in the Rule, it applies to all relevant communications, whether in oral or some other form. For example, if a covered physician discloses information about a case of tuberculosis to a public health authority as permitted by the Rule at 45 CFR 164.512, then he or she must maintain a record of that disclosure regardless of whether the disclosure was made orally, by phone, or in writing.

Will the HIPAA Privacy Rule permit a provider who is a covered entity to disclose a complete medical record even though portions of the record were created by other providers?

Yes. The Privacy Rule permits a provider who is a covered entity to disclose a complete medical record, including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment.