HIPAA REFERENCE GUIDE


1. What is HIPAA? The Health Insurance Portability and Accountability Act of 1996.

  • Gives patients more control over their health information.
  • Sets boundaries on the use and disclosure of health information.
  • Establishes appropriate safeguards to protect the privacy of health information.
  • Holds violators accountable with civil and criminal penalties that can be imposed for violating a member’s privacy rights.

2. The Privacy Rule establishes a set of national standards for protecting certain health information. The U.S. Department of Health and Human Services issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996.

The Privacy Rule addresses the use and disclosure of individuals’ health information, called “protected health information,” by organizations subject to the Privacy Rule, called “covered entities,” and establishes standards for individuals’ privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights is responsible for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.

A major goal of the Privacy Rule is to ensure that an individual’s health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being. This is a summary of key elements of the Privacy Rule, not a complete or comprehensive guide to compliance; it highlights the gravity of your responsibility in protecting individuals’ health information.

3. The Security Rule focuses explicitly on safeguarding electronic protected health information. All covered entities under HIPAA must comply with the HIPAA Security Rule, which establishes stringent security standards for securing certain health information. It's not just a rule; it's a necessity for the protection of electronic health information.

  • Administrative safeguards are defined as the “administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
  • Physical safeguards are “security measures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.”
  • Technical safeguards are defined as the “technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”

These three categories of safeguards encompass the continuum of security for electronic health care information for covered entities under HIPAA. The security process begins with the policies and procedures that establish personnel behavior and provide a framework for acceptable access to and use of protected health information; these administrative controls are the foundation of the HIPAA Security Rule. The physical safeguards restrict access to spaces and equipment, including media that contain electronic protected health information. Technical safeguards apply specifically to information systems and are the protective measures associated with the actual hardware, software and networks of those systems.

4. What is HITECH? The Health Information Technology for Economic and Clinical Health Act is part of the American Recovery and Reinvestment Act of 2009. The ARRA contains incentives related to health care information technology in general (e.g., the creation of a national health care infrastructure) and specific incentives designed to accelerate the adoption of electronic health record systems among providers.

5. Covered entities are defined in the HIPAA rules as:

  • health plans
  • health care clearinghouses
  • health care providers who electronically transmit health information in connection with transactions for which HHS has adopted standards.

6. What is protected health information?

Protected health information is individually identifiable health information, transmitted or maintained in any form or medium, that is held or maintained by Benefits Administration or by business associates who act on our behalf.

PHI is health information:

  • Received by a provider, plan or certain other entities;
  • Relates to an individual’s past, present or future physical or medical condition or health care or payment for health care; and
  • Identifies or could reasonably be used to identify an individual.

7. Electronic PHI is protected health information that is computer-based, i.e., created, received, stored, maintained, processed or transmitted in electronic media.

8. What information must YOU protect? The seventeen most common identifiers relate to individuals, relatives, employers or household members:

  • name
  • health plan beneficiary number
  • postal address
  • all elements of dates except year
  • telephone number
  • email addresses
  • URL address
  • IP address
  • Social Security number
  • account numbers
  • license numbers
  • medical record number
  • device identifiers and their serial numbers
  • vehicle identifiers and serial numbers
  • biometric identifiers (finger and voice prints)
  • full face photos and other comparable images
  • any other unique identifying number, code or characteristic

9. Our plan members have certain rights regarding the privacy of their PHI. The Privacy Notice explains those rights and obligations to the member.

Plan members have a right to:

  • Access and receive a copy of their paper or electronic medical record.
  • Request amendments to their health information.
  • Request restrictions or limitations on the use and disclosure of their PHI.
  • Restrict disclosure to health plans for services self-paid in full (“self-pay restriction”).
  • Request confidential communication.
  • Receive an accounting of the disclosures of their PHI.
  • File a complaint.
  • Choose someone to act on their behalf.

10. What is a business associate? A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

  • Benefits Administration’s Business Associate Agreement requires specified written safeguards for PHI.
  • ARRA requires business associates to comply with the same regulations as Benefits Administration.
  • Benefits Administration’s business associates are subject to the same penalties for violations as Benefits Administration.
  • A Business Associate Agreement must be included in the contract.

11. The Privacy Rule is designed to protect individuals’ health information and allows individuals to:

  • Get a copy of their medical records.
  • Ask for changes to their medical records.
  • Find out how their PHI may be used and limit how it may be used.
  • Know who has received their PHI.
  • Have communications sent to an alternate location or by an alternate means.
  • File complaints and participate in investigations.

12. You may disclose information without a member’s authorization to the appropriate authorities:

  • If required by law or court order.
  • To public health officials, including the FDA.
  • To report abuse or domestic violence.
  • To help law enforcement officials.
  • To report a suspicious death.
  • To provide information for workers’ compensation.
  • To assist government actions.
  • To help in disaster-relief efforts.
  • To avert a serious threat to health or safety.
  • For health oversight activities.

13. The Minimum Necessary Standard, a vital protection of the HIPAA Privacy Rule, is derived from confidentiality codes and practices in everyday use today. It is based on the sound current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or perform a function.

14. When can you access, use, or disclose ePHI? HIPAA allows you to access, use or disclose ePHI for three purposes without consent from our members.

  • For treatment – the provision, coordination or management of health care by one or more health care providers, including consultation between health care providers.
  • For payment – activities to obtain payment or reimbursement for services or premiums.
  • For health care operations – administrative, financial, legal and quality assessment and improvement activities, as well as fraud and abuse detection.

Other uses and disclosures require the patient’s specific authorization (and signature) using the Release of Protected Health Information Form.

15. A valid authorization must contain at least the following elements:

  • A specific/meaningful description of the information to be used or disclosed;
  • The name of the person or entity authorized to release PHI;
  • The name of the person or entity authorized to receive PHI;
  • If a personal representative signs the authorization, legal documentation must be presented along with the authorization;
  • A description of each purpose of the use or disclosure;
  • A statement of the individual’s right to revoke the authorization and how they may revoke it;
  • A statement of the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization;
  • A statement regarding the potential for re-disclosure by the recipient of the information;
  • The individual’s signature, the date signed, and an expiration date or event.

16. When a HIPAA release form is completed, does the ABC need to send it to Benefits Administration and keep one on file? If the HIPAA release form authorizes Benefits Administration to release an employee’s PHI, you should send the release to Benefits Administration’s HIPAA Privacy and Security Office at benefits.privacy@tn.gov. Benefits Administration will scan the authorization into Edison under the employee’s record. You should retain a copy for your records.

17. Can the HIPAA release form be open-ended? No, there must be a specified end date or expiration event. The expiration event can state “upon my termination,” “upon my death” or any other similar statement.

18. The Security Rule is designed to secure the transfer and storage of electronic protected health information by enforcing:

  • Administrative Safeguards: These measures manage the selection, development, implementation and maintenance of security measures and include workforce security, security training, policies and procedures.
  • Technical Safeguards: The technology that protects ePHI and controls access and transmission security.
  • Physical Safeguards: Physical measures to protect the electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

19. Fax Security

  • Avoid faxing confidential information. If you send a fax to an incorrect number, report the incident immediately to your supervisor.
  • Verify fax numbers before transmission to ensure the fax will go to the correct person.
  • ALWAYS use a fax cover sheet.
  • The fax cover sheet should contain a confidentiality notice requesting notification if the fax went to the wrong person.

20. A breach is defined as the acquisition, access, use or disclosure of unsecured PHI that is not permitted by the HIPAA Privacy Rule and compromises the security or privacy of the PHI.

21. Email

  • Emails about members should only be shared with those who need to know the information for their specific job function(s).
  • Emails sent externally should be encrypted.
  • Certain issues should never be discussed via email. For example, members’ HIV status, mental health treatment or treatment for drug or alcohol abuse should not be addressed via email due to their extremely sensitive nature and the potential risk to the member should the information be inadvertently disclosed.
  • Verify the identity of the recipient before replying.