What do I have to do to comply with Federal HIPAA Privacy Rules?
Any [medical] records which contain individually identifiable (PHI) Protected Health Information must be secured, so that they are not readily available to those who do not need them. (HSS Q & A) Thus, the people who can see your medical records is very limited.
What does the HIPAA Privacy Rule do?
Most health plans and health care providers that are covered by the new Rule must comply with the new requirements by April 14, 2003.
The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information. –
- It gives patients more control over their health information. –
- It sets boundaries on the use and release of health records. –
- It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information. –
- It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights. – And it strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.
- For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used. –
- It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made. –
- It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure. –
- It generally gives patients the right to examine and obtain a copy of their own health records and request corrections. –
- It empowers individuals to control certain uses and disclosures of their health information.
Our page on how to read law – 3 times and when you think you understand it, read it again.
Office for Civil Rights – HIPAA H & HS Website – has a ton of information and links
Anti-Phishing Act of 2005 Phony Websites & Email to gather identity theft information
Jewish Thought on Gossip, Tale Bearing JewFAQ.org
Online Education Torah.org
Health Information Privacy hhs.gov/hipaa
How to comply – Solutions
Blue SHIELD Privacy Statement – Release Form
When is an authorization required from the patient before a provider or health plan engages in marketing to that individual?
The HIPAA Privacy Rule expressly requires an authorization for uses or disclosures of protected health information for ALL marketing communications, except in two circumstances: (1) when the communication occurs in a face-to-face encounter between the covered entity and the individual; or (2) the communication involves a promotional gift of nominal value.
If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.
Can contractors (business associates) use protected health information for its own marketing purposes?
No. While covered entities may share protected health information with their contractors who meet the definition of “business associates” under the HIPAA Privacy Rule, that definition is limited to contractors that obtain protected health information to perform or assist in the performance of certain health care operations on behalf of covered entities. Thus, business associates, with limited exceptions, cannot use protected health information for their own purposes. Although, under the HIPAA statute, the Privacy Rule cannot govern contractors directly, the Rule does set clear parameters for how covered entities may contract with business associates. See 45 CFR 164.502(e) and 164.504(e), and the definition of “business associate” at 45 CFR 160.103.
Further, the Privacy Rule expressly prohibits health plans and covered health care providers from selling protected health information to third parties for the third party’s own marketing activities, without authorization. So, for example, a pharmacist cannot, without patient authorization, sell a list of patients to a pharmaceutical company, for the pharmaceutical company to market its own products to the individuals on the list.
1st HIPAA Privacy Conviction
Defendant Richard Gibson obtained the demographic information of a cancer patient from his employer, Seattle Cancer Care Alliance. Gibson then used this data to obtain credit cards in the patient’s name, eventually incurring over $9,000 in debt for items such as video games, apparel, and jewelry. (Attorney’s Corwel & Moring)
Plain Language Instructional Video Minnesota DHS Training
Actual Text of the Law
GENERAL ADMINISTRATIVE REQUIREMENTS 45 -CFR 160GPO.Gov
SECURITY AND PRIVACY 45 CFR – 164GPO.gov
45 CFR Parts 160, 162, and 164 SUMMARY:
This final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers. (HIPAA).
Health Insurance Reform: Security 45 CFR Parts 160, 162, and 164 Standards; Final Rule Federal Register
§ 164.312 Technical safeguards. (iv) (c) (2)(d) (page 46) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. Sample implementation 1 2 Voice Recognition
Code of Federal Regulations
Subpart C—Security Standards for the Protection of Electronic Protected Health Information
§ 164.302 Applicability.
§ 164.304 Definitions.
§ 164.306 Security standards: General rules.
§ 164.308 Administrative safeguards.
§ 164.310 Physical safeguards.
§ 164.312 Technical safeguards.
§ 164.314 Organizational requirements.
(a) Standard. A covered entity may not use or disclose protected
health information, except as permitted or required by this subpart or
by subpart C of part 160 of this subchapter.
(1) Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows:
(i) To the individual;
(ii) Pursuant to and in compliance with a consent that complies with
Sec. 164.506, to carry out treatment, payment, or health care operations;
Sec. 160.103 Individually identifiable health information PHI) is information that is a subset of health information, including demographic information collected from an individual, and:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
TITLE 45–PUBLIC WELFARE
AND HUMAN SERVICES
PART 164–SECURITY AND PRIVACY–
Table of Contents
Subpart E–Privacy of Individually Identifiable Health Information
Sec. 164.506 Consent for uses or disclosures to carry out treatment, payment, or health care operations.
(a) Standard: Consent requirement. (1) Except as provided in
paragraph (a)(2) or (a)(3) of this section, a covered health care
provider must obtain the individual’s consent, in accordance with this
section, prior to using or disclosing protected health information to
carry out treatment, payment, or health care operations.
(2) A covered health care provider may, without consent, use or
disclose protected health information to carry out treatment, payment,
or health care operations, if:
(i) The covered health care provider has an indirect treatment
relationship with the individual; or
(ii) The covered health care provider created or received the
protected health information in the course of providing health care to
an individual who is an inmate.
(3)(i) A covered health care provider may, without prior consent, use or disclose protected health information created or received under paragraph (a)(3)(i)(A)-(C) of this section to carry out treatment, payment, or health care operations:
(A) In emergency treatment situations, if the covered health care provider attempts to obtain such consent as soon as reasonably practicable after the delivery of such treatment;
(B) If the covered health care provider is required by law to treat
the individual, and the covered health care provider attempts to obtain
such consent but is unable to obtain such consent; or
(C) If a covered health care provider attempts to obtain such consent from the individual but is unable to obtain such consent due to substantial barriers to communicating with the individual, and the covered health care provider determines, in the exercise of professional
judgment, that the individual’s consent to receive treatment is clearly inferred from the circumstances.
(ii) A covered health care provider that fails to obtain such consent in accordance with paragraph (a)(3)(i) of this section must document its attempt to obtain consent and the reason why consent was not obtained.
(4) If a covered entity is not required to obtain consent by
paragraph (a)(1) of this section, it may obtain an individual’s consent
for the covered entity’s own use or disclosure of protected health
information to carry out treatment, payment, or health care operations,
provided that such consent meets the requirements of this section.
(5) Except as provided in paragraph (f)(1) of this section, a
consent obtained by a covered entity under this section is not effective
to permit another covered entity to use or disclose protected health
(b) Implementation specifications: General requirements. (1) A
covered health care provider may condition treatment on the provision by
the individual of a consent under this section.
(2) A health plan may condition enrollment in the health plan on the
provision by the individual of a consent under this section sought in
conjunction with such enrollment.
(3) A consent under this section may not be combined in a single
document with the notice required by Sec. 164.520.
(4)(i) A consent for use or disclosure may be combined with other
types of written legal permission from the individual (e.g., an informed
consent for treatment or a consent to assignment of benefits), if the
consent under this section:
(A) Is visually and organizationally separate from such other
written legal permission; and
(B) Is separately signed by the individual and dated.
(ii) A consent for use or disclosure may be combined with a research
authorization under Sec. 164.508(f).
(5) An individual may revoke a consent under this section at any
time, except to the extent that the covered entity has taken action in
reliance thereon. Such revocation must be in writing.
(6) A covered entity must document and retain any signed consent
under this section as required by Sec. 164.530(j).
(c) Implementation specifications: Content requirements. A consent
under this section must be in plain language and:
(1) Inform the individual that protected health information may be
used and disclosed to carry out treatment, payment, or health care
(2) Refer the individual to the notice required by Sec. 164.520 for
a more complete description of such uses and disclosures and state that
the individual has the right to review the notice prior to signing the
(3) If the covered entity has reserved the right to change its
privacy practices that are described in the notice in accordance with
Sec. 164.520(b)(1)(v)(C), state that the terms of its notice may change
and describe how the individual may obtain a revised notice;
(4) State that:
(i) The individual has the right to request that the covered entity
restrict how protected health information is used or disclosed to carry
out treatment, payment, or health care operations;
(ii) The covered entity is not required to agree to requested
(iii) If the covered entity agrees to a requested restriction, the
restriction is binding on the covered entity;
(5) State that the individual has the right to revoke the consent in
writing, except to the extent that the covered entity has taken action
in reliance thereon; and
(6) Be signed by the individual and dated.
(d) Implementation specifications: Defective consents. There is no
consent under this section, if the document submitted has any of the
(1) The consent lacks an element required by paragraph (c) of this
section, as applicable; or
(2) The consent has been revoked in accordance with paragraph (b)(5)
of this section.
(e) Standard: Resolving conflicting consents and authorizations. (1)
If a covered entity has obtained a consent under this section and
receives any other authorization or written legal permission from the
individual for a disclosure of protected health information to carry out
treatment, payment, or health care operations, the covered entity may
disclose such protected health information only in accordance with the
more restrictive consent, authorization, or other written legal
permission from the individual.
(2) A covered entity may attempt to resolve a conflict between a
consent and an authorization or other written legal permission from the
individual described in paragraph (e)(1) of this section by:
(i) Obtaining a new consent from the individual under this section
for the disclosure to carry out treatment, payment, or health care
(ii) Communicating orally or in writing with the individual in order
to determine the individual’s preference in resolving the conflict. The
covered entity must document the individual’s preference and may only
disclose protected health information in accordance with the
(f)(1) Standard: Joint consents. Covered entities that participate
in an organized health care arrangement and that have a joint notice
under Sec. 164.520(d) may comply with this section by a joint consent.
(2) Implementation specifications: Requirements for joint consents.
(i) A joint consent must:
(A) Include the name or other specific identification of the covered
entities, or classes of covered entities, to which the joint consent
(B) Meet the requirements of this section, except that the
statements required by this section may be altered to reflect the fact
that the consent covers more than one covered entity.
(ii) If an individual revokes a joint consent, the covered entity
that receives the revocation must inform the other entities covered by
the joint consent of the revocation as soon as practicable.
Effective Date Note: At 67 FR 53268, Aug. 14, 2002, Sec. 164.506 was
revised, effective Oct. 15,
2002. For the convenience of the user, the revised text is set forth as
Sec. 164.506 Uses and disclosures to carry out treatment, payment, or
health care operations.
(a) Standard: Permitted uses and disclosures. Except with respect to
uses or disclosures that require an authorization under
Sec. 164.508(a)(2) and (3), a covered entity may use or disclose
protected health information for treatment, payment, or health care
operations as set forth in paragraph (c) of this section, provided that
such use or disclosure is consistent with other applicable requirements
of this subpart.
(b) Standard: Consent for uses and disclosures permitted. (1) A
covered entity may obtain consent of the individual to use or disclose
protected health information to carry out treatment, payment, or health
(2) Consent, under paragraph (b) of this section, shall not be
effective to permit a use or disclosure of protected health information
when an authorization, under Sec. 164.508, is required or when another
condition must be met for such use or disclosure to be permissible under
(c) Implementation specifications: Treatment, payment, or health
(1) A covered entity may use or disclose protected health
information for its own treatment, payment, or health care operations.
(2) A covered entity may disclose protected health information for
treatment activities of a health care provider.
(3) A covered entity may disclose protected health information to
another covered entity or a health care provider for the payment
activities of the entity that receives the information.
(4) A covered entity may disclose protected health information to
another covered entity for health care operations activities of the
entity that receives the information, if each entity either has or had a
relationship with the individual who is the subject of the protected
health information being requested, the protected health information
pertains to such relationship, and the disclosure is:
(i) For a purpose listed in paragraph (1) or (2) of the definition
of health care operations; or
(ii) For the purpose of health care fraud and abuse detection or compliance.
(5) A covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to another covered entity that participates in the organized health care arrangement for any health care operations activities of the organized health care arrangement.
Title 45: Public Welfare
Browse Previous | Browse Next
PART 5b—PRIVACY ACT REGULATIONS
§ 5b.1 Definitions.
§ 5b.2 Purpose and scope.
§ 5b.3 Policy.
§ 5b.4 Maintenance of records.
§ 5b.5 Notification of or access to records.
§ 5b.6 Special procedures for notification of or access to medical records.
§ 5b.7 Procedures for correction or amendment of records.
§ 5b.8 Appeals of refusals to correct or amend records.
§ 5b.9 Disclosure of records.
§ 5b.10 Parents and guardians.
§ 5b.11 Exempt systems.
§ 5b.12 Contractors.
§ 5b.13 Fees.
Appendix A to Part 5b—Employee Standards of Conduct
Appendix B to Part 5b—Routine Uses Applicable to More Than One System of Records Maintained by HHS
Appendix C to Part5b—Delegations of Authority [Reserved]