Title: The HIPAA Privacy Rule, 45 CFR Parts 160 and 164
Get Hip With HIPAA!
Glossary of Acronyms
- BA/BAA: Business Associate / Business Associate Agreement
- CE: Covered Entity
- CFR: Code of Federal Regulations
- HHS: Department of Health and Human Services
- FDA: Food and Drug Administration
- HCP: Health Care Provider
- HIPAA: Health Insurance Portability and Accountability Act
Glossary of Acronyms (contd.)
- IRB: Internal Review Board
- MN: Minimum Necessary / Minimally Necessary
- MOU: Memorandum of Understanding
- OHCA: Organized Health Care Arrangement
- PH: Public Health
- PHI: Protected Health Information
- SSN: Social Security Number
- TPO: Treatment, Payment and Health Care Operations
The Health Insurance Portability and Accountability Act (HIPAA)
- Purpose: To improve the efficiency and effectiveness of the health care system by standardizing the electronic exchange of administrative and financial data (the Administrative Simplification Provisions).
- In order to carry out its mandate, HHS developed specific transaction standards/code sets and unique identifiers, security standards, and privacy standards.
- The major goal of the HIPAA Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being.
42 USC 1320d; HHS/OCR February/March 2003, HIPAA Privacy Rule, 2003 National Conferences, Slides 2-4; and OCR Privacy Rule Summary, Introduction, Page 1.
To Whom the Regulations Apply
- HIPAA regulations apply to those deemed to be COVERED ENTITIES under the regulations, which include:
  - Health Plans
  - Health Care Clearinghouses
  - Health Care Providers who transmit any health information electronically in connection with certain transactions set forth in the regulations.
160.102(a), 164.500
What is a Health Care Provider?
- A health care provider is any person who furnishes, bills or is paid for health care in the normal course of business.
- Are All Health Care Providers Covered?
  - Health care providers are covered only if they transmit health information electronically in connection with a transaction covered by the HIPAA Transaction Rule, directly or through a business associate.
160.103, 160.102, HHS/OCR 2003
HIPAA Transactions Rule Standards
- Health care claims or equivalent encounter information.
- Health care payment and remittance advice.
- Coordination of benefits.
- Health care claim status.
- Enrollment or disenrollment in a health plan.
- Eligibility for a health plan.
- Health plan premium payments.
- Referral certification and authorization.
- Other transactions will likely be added to this list, as HHS may prescribe by regulation.
162.1101-162.1802, HHS/OCR 2003
Organizational Structures
- Hybrid Entity
- Affiliated Covered Entity
- Organized Health Care Arrangement (OHCA)
164.103, 164.105(a), 164.105(b), and 160.103, respectively
The HIPAA Privacy Rule
- MINIMUM PRIVACY PROTECTIONS
- MINIMUM RIGHTS
- ADMINISTRATIVE REQUIREMENTS
- DUTIES OF COVERED ENTITIES
The HIPAA Privacy Rule: MINIMUM PRIVACY PROTECTIONS
The General Rule
- Information Protected Under the Rule: Protected Health Information (PHI)
  - Past, present, or future health information.
  - Individually identifiable.
  - Created or received by a Covered Entity (CE).
  - In any form (oral, written, or electronic).
- Use and Disclosure Prohibited Under the Rule
  - Use: the sharing, application, utilization, or analysis of PHI within a CE.
  - Disclosure: the release, transfer, or divulging, in any way, of PHI outside of a CE.
164.501
Exceptions
- Minimum Necessary (MN) Standard: limits uses, disclosures, and requests for PHI made pursuant to the regulations to the minimum necessary amount.
- Limits on Uses
  - A CE is required to identify who, within its workforce, needs access to what categories of PHI to carry out their duties, and any conditions appropriate to such access.
- Limits on Disclosures and Requests
  - For routine and recurring disclosures and requests, policies and procedures are required (e.g., standard protocols) that limit PHI to only the amount reasonably necessary to achieve the purpose of the disclosure or request.
  - For non-routine/non-recurring disclosures and requests, policies and procedures should require individual review of each, and should set out review criteria.
164.502(b)(1), 164.514(d)
Where Minimum Necessary (MN) Standard Is Not Applicable
1. Disclosures to or requests by a health care provider for treatment purposes.
2. Uses or disclosures made to the individual or pursuant to the individual's authorization.
3. Disclosures to HHS overseeing compliance.
4. Uses or disclosures required by law.
5. Uses or disclosures required for compliance with the regulations.
164.502(b)(2)
Where Minimum Necessary (MN) Standard Can Be Presumed
1. When disclosing to a public official and the public official represents that the PHI requested is what is MN.
2. When PHI is requested by another CE.
3. When PHI is requested by a member of the CE's workforce or a business associate, and said professional represents that the PHI requested is what is MN.
4. When the research exception applies and the researcher provides the supporting representations or documentation.
164.514(d)(3)(iii)
Required Exceptions (Required use and disclosure of PHI)
1. When an Individual Requests Access Regarding PHI About Themselves
- This includes when individuals:
  - Invoke their Right to Inspect and Copy.
  - Invoke their Right to an Accounting of Disclosures.
- (These rights, and the limits thereto, will be discussed in greater detail later in this session, after a review of the privacy protections.)
164.502(a)(2)(i)
2. When Compelled by the Secretary for Compliance and Enforcement Purposes
- Secretary means the Secretary of Health and Human Services or any other officer or employee of HHS to whom the authority involved has been delegated.
- A CE has a duty to:
  - Timely provide records and requested compliance reports.
  - Cooperate with complaint investigations and compliance reviews.
  - Permit access to information.
160.103, 164.502(a)(2)(ii), 160.310
Permitted Exceptions WITH Written Authorization (Permitted use and disclosure of PHI, but only with a written authorization)
164.502(a)(1)(iv)
1. Certain Psychotherapy Notes
- Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session, and that are separated from the rest of the individual's medical record.
- (This does NOT include notes regarding medication prescription and monitoring, counseling start and stop times, frequency and modalities of treatment, clinical test results, or any summary of the diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date. These notes are not given the heightened protections of the certain specified psychotherapy notes indicated above, but they do constitute PHI that is otherwise given minimum privacy protections under HIPAA.)
164.501, 164.508(a)
LIMITED instances where certain psychotherapy notes can be used and/or disclosed without written authorization
1. For the following Treatment, Payment, Health Care Operations (TPO) purposes:
  - When the originator of the psychotherapy notes needs them for treatment purposes;
  - When a CE uses or discloses them for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or
  - When a CE uses or discloses them to defend itself in a legal action or other proceeding brought by the individual.
2. When required by the Secretary in determining HIPAA compliance.
3. As required by law.
4. For health oversight activities regarding the originator of the notes.
5. To coroners and medical examiners under the "about decedents" exception.
6. Under the "averting a serious health or safety threat" exception, with respect to uses/disclosures that need to be made in order to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and which are made to someone reasonably able to prevent or lessen the threat.
Note: These exceptions are much narrower than the broader range of exceptions that otherwise restrict the use and disclosure of other types of PHI.
164.508(a)(2), 164.508(a)(1)
2. Marketing
- Marketing is making a communication that encourages an individual to use or purchase a product or service, unless the communication is made for treatment of the individual or for case management, care coordination, or to direct or recommend alternative treatments, therapies, providers, or care settings to the individual.
- Exceptions: Written authorization is not required if the communication is:
  - Face-to-face by a CE to an individual, or
  - A promotional gift of nominal value by the CE.
- Note: If a CE stands to gain direct or indirect remuneration from a third party in exchange for PHI disclosure, that must be indicated in the authorization.
164.501, 164.508(a)(3)
3. Uses/Disclosures Not Otherwise Required or Permitted by the HIPAA Privacy Rule
- If you cannot root an anticipated use/disclosure of PHI in one of the required or permitted exceptions to the general prohibition rule, then you must obtain a written authorization in order to make said use/disclosure.
164.508(a)(1)
Elements of a Valid Written Authorization
1. Who can use/disclose the PHI.
2. To whom the PHI can be used/disclosed.
3. Purpose of the use/disclosure.
4. Specific description of PHI to be used/disclosed.
5. Expiration date or event.
6. Signature of patient and date.
7. Right to revoke, in writing, exceptions, and instructions regarding the procedure to revoke.
8. A statement about the CE's ability/inability to condition the authorization on treatment, payment, eligibility, or enrollment.
9. A statement that the PHI may no longer be protected by Federal HIPAA privacy law.
10. For marketing, a statement when the CE gets remuneration from a third party.
164.508(c), 164.508(a)(3)(ii)
Prohibition on Conditioning Authorizations
- A CE may not condition treatment, payment, enrollment, or eligibility on an individual's signing of an authorization, except:
  - A CE may condition research-related treatment on an individual's signing of an authorization to enable the use and disclosure of PHI for such research.
  - A CE may condition the provision of health care that is solely for the purpose of creating PHI for disclosure to a third party on an individual's signing of an authorization allowing for the disclosure of the PHI to such third party.
  - (A third exception exists for health plans, not addressed here.)
164.508(b)(4)
Compound Authorizations Forbidden
- An authorization cannot be combined with any other document, except:
  - Authorization for use/disclosure for a research study can be combined with any other type of written permission for the same research study.
  - Authorization for use/disclosure of psychotherapy notes for multiple purposes may be combined in a single document, but may not be combined with authorizations for use or disclosure of other PHI.
  - Authorizations for PHI other than psychotherapy notes can be combined, provided that the CE has not conditioned the provision of treatment, payment, enrollment, or eligibility on obtaining the authorization.
164.508(b)(3)
Defective Authorization
- Is it expired?
- Is it missing any of the required elements for a valid authorization?
- Do you have knowledge that the authorization has been revoked?
- If it's a compound authorization, is it one that is not expressly permitted by the rules?
- Is it unlawfully conditioned?
- Is information in the authorization known by you to be false?
- If yes to any of the above, the authorization is defective, and you cannot request, use or disclose PHI based on that authorization!
164.508(b)(2)
Additional Written Authorization Requirements
- Copy to the Individual
  - A CE must provide a copy of any signed authorization requested by the CE to the individual.
- Required Retention Period
  - A CE must document and retain any signed authorization relied upon to make a use or disclosure of PHI for a period of 6 years from the date of its creation or the date when it was last in effect, whichever is later.
164.508(c)(4), 164.508(b)(6), 164.530(j)
Permitted Exceptions WITHOUT Written Authorization (Permitted use and disclosure of PHI without the need for a written authorization)
1. To the Individual
- PHI can be disclosed to the individual who is the subject of the information without written authorization.
164.502(a)(1)(i)
2. Treatment, Payment, and Health Care Operations (TPO)
- A CE may use/disclose PHI for:
  1. A CE's own TPO.
  2. T (treatment) activities of a Health Care Provider.
  3. P (payment) activities of another CE or a Health Care Provider.
  4. Certain O (health care operations) of another CE:
    - If each entity has or had a relationship with the individual who is the subject of the PHI and the requested info pertains to that relationship; and
    - The purpose of the disclosure is for quality assessment or improvement, performance evaluation, or training to improve skills, or to detect fraud and abuse.
  5. O (health care operations) of an Organized Health Care Arrangement (OHCA), as between CEs within the OHCA.
164.502(a)(1)(ii), 164.506
Treatment
- Means the provision, coordination, or management of health care and related services by one or more health care providers, including:
  - Coordination or management of health care by an HCP with a third party.
  - Consultation between HCPs relating to a patient.
  - Referral of a patient for health care from one HCP to another.
164.501
Payment
- Means activities undertaken by:
  - An HCP or health plan to obtain or provide reimbursement for the provision of health care.
  - A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan.
- Payment includes, but is not limited to:
  - Billing and collection activities.
  - Claims management (auditing payments, resolving and investigating payment disputes, responding to customer inquiries, etc.).
  - Review of health care services for medical necessity, justification of charges.
  - Utilization review, concurrent and retrospective.
  - Determining eligibility or coverage.
164.501
Health Care Operations
- Quality assessment and improvement activities.
- Personnel competence, qualification, performance reviews, and training.
- Some insurance-related activities.
- Arrangement for legal services and audits.
- Business planning and development.
- Business management activities, including:
  - Marketing (as permitted without authorization).
  - Fundraising (as permitted by the regulations).
  - Management activities for privacy compliance.
  - Customer services to the CE's existing customer base.
  - Resolution of internal grievances.
  - Sale, merger, acquisition, consolidation, restructure.
  - Creation of Limited Data Sets.
164.501
Fundraising as a health care operation
- A CE may use and disclose PHI without the individual's authorization to raise funds on its own behalf, if it meets certain criteria:
  1. It only discloses PHI to a Business Associate (BA) or to an institutionally related foundation.
  2. It limits PHI used or disclosed to demographic information related to an individual and the dates health care was provided.
  3. It specifically states that it uses PHI for fundraising in its notice of privacy practices.
  4. It includes, in any fundraising materials, directions for the individual to opt out.
  5. It takes reasonable efforts to abide by the opt-out right exercised by an individual.
164.514(f)
Limited Data Sets as permitted in health care operations
- Remove direct identifiers from PHI (e.g., names, addresses, account numbers, SSNs, phone and fax numbers, full-face photos, and a few others as listed in the regulation).
- Require Data Use Agreements, in which the recipient of PHI agrees to:
  - Limit the use of the data set to the specified purposes and recipients for which it is given.
  - Ensure security of the data.
  - Report breaches of the agreement of which it becomes aware.
  - Ensure that agents/subcontractors agree to the same restrictions and conditions.
  - Not re-identify the PHI or use it to contact any individual.
164.514(e)
Special Provision Regarding the TPO Exception
- Patient has a Right to Request Restrictions on a CE's use of PHI to carry out TPO. The CE is not required to agree, but if agreement is made, the CE must document it and abide by its terms.
- (This right is discussed in greater detail below.)
3. Incidental Uses and Disclosures
- Uses or disclosures that occur as a byproduct of another permissible or required use or disclosure are not considered a violation of the regulations, provided that the CE has:
  - Applied Reasonable Safeguards: appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the rule and limit incidental uses or disclosures.
  - Implemented the MN Standard (if applicable): policies and procedures that limit how much PHI is used, disclosed, and requested for certain purposes, and who, based on job responsibilities and the nature of the business within a CE, has access to what PHI and under what conditions.
164.502(a)(1)(iii); OCR HIPAA Privacy, Incidental Uses and Disclosures, 12/3/2003, revised 4/3/2003
Examples of Incidental Uses and Disclosures
- Sign-in sheets.
- Maintaining patient charts outside of exam rooms.
- Group therapy settings.
- Side-bar discussions by clinical staff.
- Visitor overhears communication with provider or patient.
- Allowable, as long as reasonable safeguards are made to protect the privacy of patient-specific information, and minimally necessary information is conveyed, where said standard applies.
OCR HIPAA Privacy, Incidental Uses and Disclosures, 12/3/2003, revised 4/3/2003
4. Facility Directory
- Allows for use of the following PHI to maintain a facility directory:
  - Individual's name.
  - Individual's location in the facility.
  - Individual's condition in general terms.
  - Religious affiliation (for disclosure only to clergy members).
- Allows for the above-noted disclosures to be made to (1) members of the clergy, and/or (2) persons who ask for the individual by name.
- Only allowed if the individual, in advance, is given an opportunity to agree to, restrict, or prohibit some or all of such uses and disclosures. (These communications can be oral.)
164.502(a)(1)(v), 164.510(a)
Facility Directory Exception With Incapacitated Patients and Emergency Situations
- Where an opportunity to agree, restrict, and/or prohibit cannot practicably be provided, a CE can use/disclose some or all PHI in this regard, if:
  1. Such use or disclosure is consistent with any prior expressed preference of the individual that is known to the covered health care provider; and
  2. Such use or disclosure is in the individual's best interest as determined by the covered health care provider in the exercise of professional judgment.
- But the health care provider must provide the individual with an opportunity to object to the use or disclosure for directory purposes as soon as it becomes practical to do so.
164.510(a)(3)
5. Next of Kin/Caregiver
- Allows for:
  - Disclosure of PHI directly relevant to a person's involvement with the individual's care or payment of the individual's health care. (This includes disclosure to an individual's family member, relative, close personal friend, or other person identified by the individual.)
  - Use or disclosure of PHI to notify a family member, personal representative, or another person responsible for the individual's care of the individual's location, general condition, or death.
- Only allowed if the individual, in advance, is given an opportunity to agree to or prohibit such disclosure (these communications can be oral), OR if the CE reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object.
164.502(a)(1)(v), 164.510(b)
Special Provision Regarding the Next of Kin/Caregiver Exception
- Individual has a Right to Request Restrictions on a CE's use or disclosure of PHI otherwise permitted by the Next of Kin/Caregiver Exception. The CE is not required to agree, but if agreement is made, the CE must document the agreement and abide by its terms.
- (This right is discussed in greater detail below.)
164.522
Next of Kin/Caregiver Exception When Individual Is Not Present, Is Incapacitated, or Is in an Emergency Situation
- If the individual is not present, or the opportunity to agree or object cannot practicably be provided, a CE should use best professional judgment and experience with common practice in deciding whether the disclosure under this exception is appropriate under the circumstances.
- Example: This exception can be used to allow a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of PHI.
164.510(b)(3)
6. Business Associate (BA)
A CE may disclose PHI to a BA and may allow a BA
to create or receive PHI on its behalf, if the
CE obtains satisfactory assurance that the BA
will safeguard the information.
164.502(e)(1)(i)
Definition of a Business Associate (BA)
- A business associate is a person or entity that performs a function or activity on behalf of a CE, or provides services to a CE, that involves the use or disclosure of PHI. A written contract or other written agreement or arrangement with the BA is required to establish this relationship.
- A member of the CE's workforce is not a BA.
- A CE can be a BA of another CE.
- A mere conduit of PHI is not a BA (e.g., U.S. Postal or Messenger Service).
- (Note: Not everyone that a CE does business with is a business associate!)
160.103, 164.502(e)(2); OCR HIPAA Privacy, Business Associates, 12/3/2003, revised 4/3/2003
Examples of Possible BA Relationships
- For or on behalf of a CE:
  - Claims processing or administration.
  - Data analysis, processing, or administration.
  - Utilization review.
  - Quality assurance.
  - Billing.
  - Practice management.
- Providing services to a CE:
  - Legal, actuarial, and accounting.
  - Data aggregation.
  - Financial services.
  - Accreditation.
160.103
Exception to the BA Requirement (where a BA relationship would otherwise exist)
- Disclosures can be made by a CE to a health care provider for treatment of the individual without the need for a BA Agreement (BAA). For example:
  - A physician is not required to have a BAA with a laboratory as a condition of disclosing PHI for treatment of an individual.
  - A hospital is not required to have a BAA with the specialist to whom it refers a patient and transmits the patient's medical chart for treatment purposes.
- (Other exceptions, not covered here, exist for health plans.)
164.502(e)(1)(ii)(A); OCR HIPAA Privacy, Business Associates, 12/3/2003, revised 4/3/2003
The Business Associate Agreement (BAA)
1. Establishes the permitted and required uses and disclosures of PHI by the BA.
2. Obtains certain promises from the BA. (BA Assurances are listed on the next slide.)
3. Authorizes the termination of the contract/relationship by the CE if the CE determines that the BA has violated a material term of the contract.
- (The BA relationship is usually established through a written contract. If a CE and its BA are both governmental entities, an MOU can be used.)
164.504(e)
Required BA Assurances
- The BA must agree that it:
  - Will not use or further disclose PHI other than as permitted.
  - Will use safeguards to prevent inappropriate uses/disclosures.
  - Will report to the CE any disallowed use/disclosure.
  - Will ensure any of its agents (including subcontractors) agree to the same restrictions.
  - Will make available PHI in its possession for inspection, copying, and amendment.
  - Will incorporate amendments forwarded by the CE.
  - Will provide an accounting of disclosures.
  - Will make evidence related to uses/disclosures of PHI available to HHS for compliance oversight.
  - Will return or destroy all PHI at the end of the relationship.
164.504(e)(2)(ii)
Permitted Uses/Disclosures Within the BA Relationship
- Assuming you have a relationship that meets the definition of a BA relationship under the regulations, and you've appropriately gotten the required satisfactory assurances, then:
  - A CE can disclose PHI to the BA as necessary to permit the BA to perform agreed-upon functions, activities, or services to, for, or on behalf of the CE.
  - A BA may only use PHI it receives in its capacity as a BA to the CE as permitted by contract or agreement with the CE.
164.502(e), 164.504(e)
Liability Issues
- The regulations do not directly regulate BAs to enforce their compliance. But by regulating CEs, HHS controls and restricts the flow of PHI by BAs.
- When the BA is a CE: The regulations are clear that a violation of the BA agreement constitutes a violation of the regulations.
- When the BA is not a CE: The CE has responsibilities when specified satisfactory assurances are violated by the BA. A CE who knows of a pattern of practice of the BA that constitutes a material breach/violation of the BA's agreed-upon obligations must take reasonable steps to cure the breach or end the violation and, if such steps are unsuccessful:
  1. Terminate the arrangement, if feasible; or
  2. If termination is not feasible, report the problem to HHS.
164.502(e)(1)(iii), 164.504(e)(1)
Compliance Periods for Previous Agreements
- Previous contracts, MOUs, or other arrangements entered into by the CE prior to October 15, 2002, that are not renewed or amended prior to April 14, 2003, must be brought into compliance by April 14, 2004.
- Small plans have until April 14, 2004 to comply with all of the regulation requirements.
164.532(d)
7. Averting a Serious Threat to Health or Safety
- A CE may use or disclose PHI if the CE, in good faith, believes disclosure is:
  1. Necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is made to person(s) reasonably able to lessen the threat;
  2. Necessary for law enforcement authorities to identify or apprehend an individual who admitted to participating in a violent crime that the CE believes may have caused serious physical harm to the victim (so long as that disclosure is not made in the course of treatment or the initiation of seeking treatment, and as long as disclosure is appropriately limited); or
  3. Where it appears from all the circumstances that the individual escaped from a correctional institution or from lawful custody.
164.502(a)(1)(vi), 164.512(j)
8. Health Oversight Activities
- A CE may use or disclose PHI to health oversight agencies for oversight activities authorized by law, such as:
  - Audits.
  - Civil, administrative, or criminal investigations or proceedings.
  - Inspections.
  - Licensure or disciplinary actions.
- Note: The information that law enforcement collects in the course of an oversight investigation should only be used for those purposes and should not be further disclosed.
164.502(a)(1)(vi), 164.512(d); Exec. Order No. 13,181, 65 Fed. Reg. 81,321 (2000)
9. Judicial and Administrative Proceedings
- A CE may disclose PHI in response to:
  - A court order or administrative tribunal order, but only the PHI that is expressly authorized by the order.
  - A subpoena, discovery request, or other lawful process, if it obtains satisfactory assurances that the individual who is the subject of the request has been given notice of the request, or that the party seeking the PHI has made reasonable efforts to secure a qualified protective order.
164.502(a)(1)(vi), 164.512(e)
Satisfactory Assurances
- Means that the CE receives a written statement and accompanying documentation that:
  - Written notice was provided to the individual providing sufficient information about the proceeding in which PHI is requested to enable the individual to object, and that the time for objection has elapsed; or
  - Parties have agreed to a qualified protective order, or the party seeking the PHI has requested such an order from the court or tribunal. (This is an order that prohibits the use or disclosure of PHI for any purpose other than the proceeding for which the PHI is requested and requires destruction or return of the PHI to the CE when proceedings end.)
10. For Law Enforcement Purposes
- A CE may disclose PHI to law enforcement officials:
  1. As required by law.
  2. Pursuant to:
    a. A court order, warrant, subpoena, or summons issued by a judicial officer.
    b. A grand jury subpoena.
    c. An administrative request, such as an administrative summons or a civil investigative demand, that is:
      - Relevant and material to the inquiry.
      - Specific and limited in scope.
      - Unable to utilize de-identified information.
  3. Pursuant to other relevant circumstances (crime/law enforcement related).
Other Relevant Circumstances (permitting disclosure to law enforcement)
- In Summary:
  A. Identifying or locating a suspect, fugitive, material witness, or missing person.
  B. About an individual who is, or is suspected to be, a crime victim.
  C. About a deceased individual if death is suspected to be a result of criminal conduct.
  D. About evidence of criminal conduct that occurred on the premises of the CE.
  E. When necessary to report a crime in a medical emergency.
- (The following slides provide details about each category.)
164.512(f)
Other Relevant Circumstances (contd.)
- A. Upon request by law enforcement, a CE may disclose the following PHI for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person:
  - Name and address.
  - Date and place of birth.
  - SSN.
  - ABO blood type and Rh factor.
  - Type of injury.
  - Date and time of treatment.
  - Date and time of death (if applicable).
  - Distinguishing physical characteristics.
164.512(f)(2)
Other Relevant Circumstances (contd.)
- B. Upon request by law enforcement, a CE may disclose PHI about an individual who is, or is suspected to be, a crime victim if the individual agrees, or if the individual is incapacitated or in an emergency situation, provided that:
  - Law enforcement represents that PHI is needed to determine if a law violation has occurred by someone other than the victim and is not intended for use against the individual;
  - Law enforcement represents that enforcement activity depending on the PHI would be adversely and materially affected by delay; and
  - The CE, in the exercise of professional judgment, determines that disclosure is in the best interest of the individual.
164.512(f)(3)
Other Relevant Circumstances (contd.)
- C. A CE may disclose PHI to law enforcement about an individual who has died if the CE has a suspicion that such death may have resulted from criminal conduct.
- D. A CE may disclose PHI to law enforcement that the CE believes, in good faith, constitutes evidence of criminal conduct that occurred on the premises of the CE.
164.512(f)(4), (5)
Other Relevant Circumstances (contd.)
- E. A CE providing emergency medical treatment may disclose PHI to law enforcement if necessary to alert law enforcement to:
  - The commission and nature of a crime.
  - The location of such crime or victim.
  - The identity, description, and location of the perpetrator of such crime.
164.512(f)(6)(i)
11. For Public Health (PH) Activities
- A CE is permitted to make PH disclosures:
  - To a PH authority for the purpose of preventing or controlling disease, injury, or disability.
  - To a PH authority receiving child abuse reports.
  - To the FDA for reports related to the quality, safety, or effectiveness of an FDA-regulated product or activity.
  - To a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the CE is otherwise authorized to do so by law.
  - To an employer about an individual who is a member of the workforce, if the CE is a member of the employer's workforce or the CE provides care at the request of the employer.
164.502(a)(1)(vi), 164.512(b)
Slide 64: Recall Limited Data Sets? (that a CE is permitted to create under the health care operations exception)
With a Data Use Agreement, limited data sets can be used or disclosed for public health purposes (without the individual's authorization).
164.514(e)
Slide 65: 12. As Required By Law
- A CE may use or disclose PHI to the extent that the use or disclosure is required by law, and the use or disclosure complies with and is limited to the relevant requirements of such law.
164.502(a)(1)(vi); 164.512(a)
Slide 66: 13. For Research
A CE may use or disclose PHI for research if:
- 1. An Internal Review Board (IRB) or a privacy board, as permitted under the rules, approves an alteration or waiver, in whole or in part, of the standard written authorization requirements, and the CE obtains sufficient documentation confirming the alteration or waiver.
- 2. If disclosure is needed prior to and in preparation for research, or is in regards to decedent information, the CE must obtain certain representations from the researcher as specified in the regulations.
164.502(a)(1)(vi); 164.512(i)
Slide 67: Required Documentation To Invoke the Research Exception
- Documentation must contain:
  - The identity of the IRB or privacy board that approved the waiver or alteration and the approval date.
  - Verification that the board determined that the approved waiver or alteration satisfies certain specified standards as outlined in the regulations.
  - Description of the PHI deemed necessary by the board to conduct the research.
  - A statement as to whether review was under normal or expedited procedures as set forth in the regulations.
  - A signature by an authorized member of the board.
164.512(i)(2)
Slide 68: Representations Needed by the CE From the Researcher for Use/Disclosure Prior to and in Preparation for Research
- 1. The use/disclosure of PHI is sought solely for preparing for the research (e.g., in order to create a research protocol).
- 2. No PHI will be removed from the CE by the researcher.
- 3. The requested PHI is necessary for research purposes.
164.512(i)(1)(ii)
Slide 69: Representations Needed by the CE From the Researcher for Use/Disclosure for Decedent Research
- 1. That the use/disclosure of PHI is sought solely for research on decedents.
- 2. That the researcher will provide, upon request of the CE, documentation verifying the death of the individual.
- 3. That the PHI sought is necessary for research purposes.
164.512(i)(1)(iii)
Slide 70: Another Potential Opportunity for the Use of Limited Data Sets!
With a Data Use Agreement, limited data sets may also be used or disclosed to researchers, in accordance with the rules (without an individual's authorization or a waiver or alteration of an authorization from an IRB or privacy board).
164.514(e)
Slide 71: 14. Concerning Victims of Abuse, Neglect, or Domestic Violence
- A CE may disclose PHI about an individual whom it reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, provided that:
  - The disclosure is required by and complies with the law and is limited in terms of relevancy;
  - The individual agrees; or
  - The disclosure is expressly authorized by statute or regulation, and:
    - The CE, in the exercise of professional judgment, believes disclosure to be necessary to prevent serious harm to the individual or other potential victims; or
    - If the individual is incapacitated, a public official authorized to receive the report represents that the PHI sought is urgently needed, is not intended for use against the individual, and that a delay in obtaining the needed PHI would materially and adversely affect imminent enforcement activity.
164.502(a)(1)(vi); 164.512(c)(1)
Slide 72: If the Victim's Exception is Invoked
- A CE must promptly notify the individual, unless:
  - 1. The CE, in the exercise of professional judgment, believes that informing the individual would place the individual at risk of serious harm; or
  - 2. The CE would be informing a personal representative, and the CE reasonably believes that the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interest of the individual.
164.512(c)(2)
Slide 73: 15. About Decedents
- A CE may disclose PHI:
  - To a coroner or medical examiner for the purpose of identifying a deceased person or determining cause of death. (If the CE performs such duties, it can use PHI in this regard.)
  - To a funeral director, consistent with applicable law, as necessary to carry out their duties. (PHI of this nature can be disclosed prior to and in reasonable anticipation of an individual's death.)
164.502(a)(1)(vi); 164.512(g)
Slide 74: Other Exceptions
- There are a few other, less common but recognized, exceptions that are provided in the HIPAA privacy provisions that we have not reviewed but that we note here. They include uses and disclosures:
  - 16. For Workers' Compensation
  - 17. For Cadaveric Donation
  - 18. For Specialized Government Functions, including:
    - Military and veterans' activities.
    - Protective services for the president and others.
    - Medical suitability determinations.
    - Between covered entities that are government programs providing public benefits.
    - National security and intelligence activities.
    - Custodial situations with correctional institutions and law enforcement.
164.502(a)(1)(vi) and 164.512(l), 164.512(h), 164.512(k), respectively
Slide 75: The HIPAA Privacy Rule
- MINIMUM PRIVACY PROTECTIONS
- MINIMUM RIGHTS
- ADMINISTRATIVE REQUIREMENTS
- DUTIES OF COVERED ENTITIES
Slide 76: The HIPAA Privacy Rule: MINIMUM RIGHTS
Slide 77: Rights Under HIPAA
- 1. Right to Inspect and Copy.
- 2. Right to an Accounting of Disclosures.
- 3. Right to Request Amendment.
- 4. Right to Request Restrictions.
- 5. Right to Request Confidential Communications.
- 6. Right to File a Complaint.
Slide 78: 1. Right To Inspect and Copy
- A CE must respond to a request for access within 30 days (60 days if the PHI is offsite) with:
  - The requested PHI;
  - A written explanation of the need for an extension (up to 30 days) and a date certain for production;
  - If denied: the basis for the denial, a statement of the patient's right to have the denial reviewed and the procedure for doing so (if applicable), and instructions on how the patient can file a complaint with the Secretary or the CE; or
  - If the CE does not have the requested PHI, where the individual can direct the PHI request, if known.
- Note: Written requests can be required, and a reasonable cost-based fee is permitted!
164.524
Slide 79: Permitted Denial of Right To Inspect and Copy WITHOUT Opportunity for Review
- If the PHI requested is within psychotherapy notes.
- If the PHI requested is in anticipation of use in a civil, criminal, or administrative proceeding.
- If the CE is subject to the Clinical Laboratory Improvements Amendments (CLIA) and CLIA prohibits access.
- If the CE is under the direction of a correctional institution, and PHI requested by an inmate may jeopardize the health, safety, or rehabilitation of a person.
- If the PHI is requested in the midst of a research project and the patient had previously agreed to wait for such PHI until completion of the project.
- If the requested PHI is contained in records subject to the Privacy Act and denial is consistent with the Act.
- If the requested PHI was obtained from someone other than a health care provider under a promise of confidentiality and disclosure would reveal the source.
164.524(a)(2)
Slide 80: Permitted Denial of Right To Inspect and Copy WITH Opportunity for Review
- A licensed health care provider (HCP) determines, in the exercise of professional judgment, that it is reasonably likely that access to the requested PHI would endanger the life or physical safety of the individual or another person.
- The requested PHI makes reference to another person (except other HCPs), and a licensed health care professional, in the exercise of professional judgment, determines that providing access is reasonably likely to cause substantial harm to that other person.
- The request is made by the individual's personal representative, and a licensed HCP, in the exercise of professional judgment, determines that providing access is reasonably likely to cause harm to the individual or another person.
164.524(a)(3)
Slide 81: 2. Right to an Accounting of Disclosures
- This is an accounting of PHI disclosures made by the CE, including those made to or by Business Associates, for up to a 6-year period prior to the request, except for disclosures:
  - 1. To carry out TPO.
  - 2. To the individual, as permitted/required.
  - 3. Incidental.
  - 4. Made per an individual's authorization.
  - 5. Made per the Facility Directory Exception or the Next of Kin/Caregiver Exception.
  - 6. Made per the Specialized Government Function Exception for national security or intelligence activities or to correctional institutions.
  - 7. Made as part of a Limited Data Set.
  - 8. That occurred prior to the compliance date (April 14, 2003).
Slide 82: Accounting of Disclosures
- This right extends only to disclosures (outside of the CE) and not to uses.
- The CE must respond within 60 days of the request, but may, in writing, extend up to 30 days, to a date certain, with written explanation, unless temporary suspension of the individual's right is justifiably directed by the agency receiving disclosures under the health oversight or law enforcement exceptions, and it is documented.
- The accounting must include:
  - Date of each disclosure.
  - Name and address (if known) of the entity or person who received the PHI.
  - Description of the PHI disclosed.
  - Statement of the purpose of the disclosure.
- The first accounting in a 12-month period must be free; a reasonable cost-based fee is permitted thereafter, with prior notice to the patient.
164.528
Slide 83: Special Accounting Provisions
- When multiple required or permitted disclosures are made to the same person or entity for a single purpose, the CE may give the full information required for the first disclosure during the accounting period and then give the number of times the disclosure was made during the accounting period and the date of the last such disclosure during that period.
- If the CE has made disclosures per the Research Exception for 50 or more individuals, it can give general information, as specified in the rule, about such research-related disclosures, whether or not the PHI of the individual who requested the accounting was actually disclosed. But if it is reasonably likely that the PHI of an individual was disclosed for a research protocol or activity, the CE must assist the individual in contacting the sponsor of the research and the researcher upon the individual's request.
164.528(a)(3), (a)(4)
Slide 84: 3. Right To Request Amendment
- A CE may require, in advance, that individuals make requests for amendment in writing and provide supporting rationale.
- A CE must respond to a request for amendment within 60 days but may, in writing, extend up to 30 days, to a date certain, with written explanation. (This date can be extended only once!)
- A CE may deny amendment of PHI or of a record in a designated record set if the PHI or record:
  - 1. Was not created by the CE, unless the originator is no longer available.
  - 2. Is not part of the designated record set.
  - 3. Would not be available under the individual's right to inspect and copy.
  - 4. Is accurate and complete.
164.526
Slide 85: Responding to a Request for Amendment
- If Amendment Accepted:
  - The CE must make the amendment and inform the individual in a timely fashion that the amendment was accepted. The CE must provide the amendment to entities identified by the individual and to other entities known to have received the erroneous PHI.
- If Amendment Denied:
  - The CE must give the individual written notice of the denial that includes:
    - The basis for the denial.
    - The individual's right to submit a written statement disagreeing with the denial and how to exercise that right.
    - A statement that the individual can request the CE to include the individual's request and the denial with any future disclosures of the PHI (if the individual does not file a statement of disagreement).
    - A description of how the individual can file a complaint with the Secretary or the CE.
164.526
Slide 86: If the Individual Files a Statement of Disagreement
- The CE may reasonably limit the length of an individual's statement of disagreement.
- The CE can prepare a rebuttal to the individual's statement, but must provide a copy of the rebuttal to the individual.
- Handling Future Disclosures:
  - With any subsequent disclosure of the PHI or record at issue, the CE must also disclose a copy of the request for amendment and the denial (if the individual has not filed a disagreement and requests that this be done), the statement of disagreement (if any), and the rebuttal (if any), or an accurate summary of such information.
164.526
Slide 87: 4. Right To Request Restricted Uses/Disclosures
- Patients have a right to request restrictions on uses/disclosures otherwise permitted under the following two exceptions:
  - TPO.
  - Next of Kin/Caregiver.
- The CE is not required to agree to such requested restrictions, but if the CE enters into an agreement to restrict, the CE must document such agreement and abide by its terms, except in emergency situations where such PHI is needed to provide emergency treatment to the individual (in which case the CE must request that the provider not further disclose the PHI).
164.522(a)(1)
Slide 88: How to Terminate a Prior Agreed-Upon Restriction
- The individual agrees to or requests the termination in writing;
- The individual orally agrees and the oral agreement is documented; or
- The CE informs the individual that it is terminating the restriction, at which point the termination becomes effective with regard to PHI created or received after so informing the individual.
164.522(a)(2)
Slide 89: 5. Right To Request Confidential Communications
- The individual has the right to request that PHI be communicated by the CE to him/her by alternative means or at alternative locations (e.g., only at work or only by mail).
- The CE may require that the request be in writing but may not require an explanation as to why.
- The CE must accommodate reasonable requests.
- The CE may condition the provision of a reasonable accommodation on (1) the individual specifying an alternative method of contact and (2) the individual providing information on how payment, if any, will be handled.
164.522(b)
Slide 90: 6. Right To File A Complaint
- A person who believ