Here are the Federal HIPAA Privacy Rules,
and we believe we are in compliance.
Any [medical] records which contain individually identifiable Protected Health Information (PHI) must be secured so that they are not readily available to those who do not need them (HHS Q & A). Thus, the number of people who can see your medical records is very limited.
What does the HIPAA Privacy Rule do?
The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.
- It gives patients more control over their health information.
- It sets boundaries on the use and release of health records.
- It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
- It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
- It strikes a balance when public responsibility supports disclosure of some forms of data, for example to protect public health.
- For patients, it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.
- It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
- It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
- It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
- It empowers individuals to control certain uses and disclosures of their health information.
PHI is any health information that can be tied to an individual; under HIPAA, health information that contains one or more of the following 18 identifiers is protected health information. If these identifiers are removed, the information is considered de-identified, and de-identified information is not subject to the restrictions of the HIPAA Privacy Rule.
So, we don’t share this with ANYONE unless we need to in order to get you the Insurance Coverage you requested!
- Names (full name, or last name and initial)
- All geographic identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: (a) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (b) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
- Dates (other than year) directly related to an individual
- Phone Numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers (including serial numbers and license plate numbers)
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data (source: HipaaJournal.com)
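To make the de-identification rules above concrete, here is an added example (not code from the original page, from HHS, or from HipaaJournal.com) that strips the listed identifiers from a record, applies the three-digit zip rule with its 20,000-person exception, reduces dates to the year, and scrubs email, phone and SSN patterns from free text. The record layout, the field names and the restricted zip prefix set are constructed assumptions; the real prefix list must be taken from current Census data.

```python
import re
from datetime import date

# Assumption: the three-digit ZIP prefixes covering 20,000 or fewer people
# must come from current Census data; this set is a constructed placeholder.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Constructed record fields removed outright (names, contact data, SSN, numbers, IP).
DROP_FIELDS = {"name", "phone", "fax", "email", "ssn", "mrn", "account", "ip"}

# Patterns used to scrub identifiers that leak into free-text notes.
FREE_TEXT_PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
]

def safe_harbor_zip(zip_code):
    """Keep the first three ZIP digits, or '000' for a low-population prefix."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix

def redact_text(text):
    """Replace email, SSN and phone patterns found in free text."""
    for pattern, tag in FREE_TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    return text

def deidentify(record):
    """Return a Safe Harbor de-identified copy of a patient record."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue                          # identifier removed entirely
        if key == "zip":
            out[key] = safe_harbor_zip(value)
        elif isinstance(value, date):
            out[key] = str(value.year)        # dates keep only the year
        elif isinstance(value, str):
            out[key] = redact_text(value)     # scrub free text
        else:
            out[key] = value
    return out

# Constructed sample record for the demo.
SAMPLE = {"name": "Jane Doe", "ssn": "123-45-6789", "zip": "03601-1234",
          "dob": date(1970, 5, 14), "diagnosis": "Type 2 diabetes",
          "notes": "Call 206-555-0100 or jane@example.com; SSN 123-45-6789."}
```

Note that pattern scrubbing of free text is a best-effort control, not a substitute for reviewing notes fields before release.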
Sec. 160.103: Individually identifiable health information (PHI) is information that is a subset of health information, including demographic information collected from an individual, and:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
When is an authorization required from the patient before a provider or health plan engages in marketing to that individual?
The HIPAA Privacy Rule expressly requires an authorization for uses or disclosures of protected health information for ALL marketing communications, except in two circumstances: (1) when the communication occurs in a face-to-face encounter between the covered entity and the individual; or (2) the communication involves a promotional gift of nominal value.
If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.
Can contractors (business associates) use protected health information for their own marketing purposes?
No. While covered entities may share protected health information with their contractors who meet the definition of “business associates” under the HIPAA Privacy Rule, that definition is limited to contractors that obtain protected health information to perform or assist in the performance of certain health care operations on behalf of covered entities. Thus, business associates, with limited exceptions, cannot use protected health information for their own purposes. Although, under the HIPAA statute, the Privacy Rule cannot govern contractors directly, the Rule does set clear parameters for how covered entities may contract with business associates. See 45 CFR 164.502(e) and 164.504(e), and the definition of “business associate” at 45 CFR 160.103.
Further, the Privacy Rule expressly prohibits health plans and covered health care providers from selling protected health information to third parties for the third party’s own marketing activities, without authorization. So, for example, a pharmacist cannot, without patient authorization, sell a list of patients to a pharmaceutical company, for the pharmaceutical company to market its own products to the individuals on the list.
Who was the first HIPAA Privacy conviction?
Defendant Richard Gibson obtained the demographic information of a cancer patient from his employer, Seattle Cancer Care Alliance. Gibson then used this data to obtain credit cards in the patient’s name, eventually incurring over $9,000 in debt for items such as video games, apparel, and jewelry. (Attorneys Crowell & Moring)
Actual Text of the Law
- Subpart A – General Provisions (§§ 164.102 – 164.106)
- Subpart B [Reserved]
- Subpart C – Security Standards for the Protection of Electronic Protected Health Information (§§ 164.302 – 164.318)
- Subpart D – Notification in the Case of Breach of Unsecured Protected Health Information (§§ 164.400 – 164.414)
- Subpart E – Privacy of Individually Identifiable Health Information (§§ 164.500 – 164.534)
Our page on how to read law: read it three times, and when you think you understand it, read it again.
Office for Civil Rights – HIPAA HHS website – has a ton of information and links
Anti-Phishing Act of 2005 – phony websites and email used to gather identity theft information
Jewish Thought on Gossip, Tale Bearing JewFAQ.org
Online Education Torah.org
Health Information Privacy hhs.gov/hipaa