The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.
Yes. The Privacy Rule allows covered health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. These treatment communications may occur orally or in writing, by phone, fax, e-mail, or otherwise.
The Privacy Rule requires Public Health to apply reasonable safeguards when making these communications to protect the information from inappropriate use or disclosure. These safeguards may vary depending on the mode of communication used. For example, when faxing protected health information to a telephone number that is not regularly used, a reasonable safeguard may involve confirming the fax number with the intended recipient. Similarly, you may pre-program frequently used numbers directly into the fax machine to avoid misdirecting the information. When discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering his/her voice.
It is an acronym for electronic protected health information. Electronic Protected Health Information (ePHI) is protected health information that is either transmitted by electronic media or maintained in electronic media.
It is an acronym for protected health information. Protected Health Information is personal and sensitive medical information related to an individual’s health care.
No. All States have laws that require providers to report cases of specific diseases to public health officials. The HIPAA Privacy Rule permits disclosures that are required by law. Furthermore, disclosures to public health authorities that are authorized by law to collect or receive information for public health purposes are also permissible under the Privacy Rule. In order to do their job of protecting the health of the public, it is frequently necessary for public health officials to obtain information about the persons affected by a disease. In some cases they may need to contact those affected in order to determine the cause of the disease to allow for actions to prevent further illness.
The Privacy Rule continues to allow for the existing practice of sharing protected health information with public health authorities that are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting deaths and births, investigating the occurrence and cause of injury and disease, and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological products, and medical devices. See the fact sheet and frequently asked questions on this web site about the public health provision for more information.
Yes. The HIPAA Privacy Rule permits Public Health to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit Public Health from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, you should take care to limit the amount of information disclosed on the answering machine. For example, you might want to consider leaving only your name and number and other information necessary to confirm an appointment, or ask the individual to call back.
You may also leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits Public Health to disclose limited information to family members, friends, or other persons regarding an individual’s care, even when the individual is not present. However, you need to use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed.
In situations where a patient has requested that you communicate with him in a confidential manner, such as by alternative means or at an alternative location, you must accommodate that request, if reasonable.
The Security Rule requires Public Health to implement physical safeguard standards for our electronic information systems. The Division of Public Health is now required to implement policies and procedures to protect all information systems, including our facilities that store electronic protected health information, from natural and environmental hazards and from unauthorized intrusion. DPH standards include facility access controls, workstation use, workstation security, and device and media controls.
If a state law is more restrictive than HIPAA, then the state law prevails. Otherwise, if state law contradicts HIPAA, you must follow HIPAA.
You must have business associate agreements with any entity that performs a business function for you and that you share PHI with. This can include software vendors, medical reviewers, lawyers, auditors, a clearinghouse or payers. Any of these would be considered business associates.
Yes, you can report vital health statistics if your state or local law requires such reporting and you report this information to a public health authority authorized by law to collect or receive it.
You do not need prior authorization to report this information to a public health authority. However, you must get consent before you report this information to newspapers or other media outlets.
Yes. The HIPAA Privacy Rule is not intended to prohibit providers from talking to each other and to their patients/clients. The Privacy Rule recognizes that oral communications often must occur freely and quickly in treatment settings. Covered entities are free to engage in communications as required for quick, effective, and high quality health care. The Privacy Rule also recognizes that overheard communications in these settings may be unavoidable and allows for these incidental disclosures.
For example, the following practices are permissible under the Privacy Rule, if reasonable precautions are taken to minimize the chance of incidental disclosures to others who may be nearby:
In these circumstances, reasonable precautions could include using lowered voices or talking apart from others when sharing protected health information. However, in an emergency situation, in a loud emergency room, or where a patient is hearing impaired, such precautions may not be practicable. Covered entities are free to engage in communications as required for quick, effective and high quality health care.
Encryption is a method of converting an original message of regular text into encoded text. The text is encrypted by means of an algorithm (type of formula). If information is encrypted, there would be a low probability that anyone other than the receiving party who has the key to the code or access to another confidential process would be able to decrypt (translate) the text and convert it into plain, comprehensible text.
The HIPAA Security Rule does not expressly prohibit the use of email for sending electronic protected health information (ePHI). However, the standards for access control, integrity, and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against the unauthorized access to ePHI. The standard for transmission security also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect ePHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for ePHI to be sent over an electronic open network as long as it is adequately protected.
No. The Security Rule is specific to electronic protected health information (ePHI). It should be noted, however, that ePHI also includes telephone voice response and faxback systems because they are used as input and output devices for computers. ePHI does not include paper-to-paper faxes, video teleconferencing, or messages left on voice mail, because the information being exchanged did not exist in electronic form before the transmission. The HIPAA Privacy Rule addresses all mediums of PHI, including written and oral. Information on the Privacy Rule can be found online at: http://www.hhs.gov/ocr/hipaa.
When you receive a subpoena for protected health information, it is necessary to determine whether the subpoena was issued pursuant to a judicial or administrative order.
When the subpoena is issued through or pursuant to a court or administrative tribunal order, you may disclose the requested information without authorization. Note that a covered entity may disclose; it does not have to disclose.
Go to Section 164.512(e) Disclosures for Judicial and Administrative Proceedings for more information.
If the patient is present and has the capacity to make healthcare decisions, you may use or disclose the patient's PHI if you
Go to Section 164.510(b) Uses and Disclosures for Involvement in the Individual's Care and Notification Purposes for more information.
No authorization is required as long as the information is disclosed to a public health authority or other appropriate government agency authorized by law to receive reports of child abuse or neglect.
The regulations define a "public health authority" as
Go to Section 164.512(b) Uses and Disclosures for Public Health Activities for more information.
Direct treatment providers that are covered entities (CEs) are only required to give out their privacy notices one time to each patient, assuming that the privacy notice contains a statement reserving the right to make changes.
You must post your privacy notice prominently in your facility. If you change the notice, you must update the posted notice and all copies and make sure each shows the effective date. Keep in mind that you must update the notice and make it available prior to the change taking effect.
The Privacy Rule requires that an Authorization contain either an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. For example, an Authorization may expire "one year from the date the Authorization is signed", "upon the minor's age of majority" or "upon termination of enrollment in the health plan". An Authorization remains valid until its expiration date or event, unless effectively revoked in writing by the individual before that date or event. The fact that the expiration date on an Authorization may exceed a time period established by State law does not invalidate the Authorization under the Privacy Rule, but a more restrictive State law would control how long the Authorization is effective.
Yes. The Privacy Rule gives individuals the right to revoke, at any time, an Authorization they have given. The revocation must be in writing, and is not effective until the covered entity receives it. In addition, a written revocation is not effective with respect to actions a covered entity took in reliance on a valid Authorization, or where the Authorization was obtained as a condition of obtaining insurance coverage and other law provides the insurer with the right to contest a claim under the policy or the policy itself.
The Privacy Rule requires that the Authorization must clearly state the individual’s right to revoke; and the process for revocation must either be set forth clearly on the Authorization itself, or if the covered entity creates the Authorization, and its Notice of Privacy Practices contains a clear description of the revocation process, the Authorization can refer to the Notice of Privacy Practices. Authorization forms created by or submitted through a third party should not imply that revocation is effective when the third party receives it, since the revocation is not effective until a covered entity which had previously been authorized to make the disclosure receives it.
No. The Privacy Rule does not address consent to treatment, nor does it preempt or change State or other laws that address consent to treatment. The Rule addresses access to, and disclosure of, health information, not the underlying treatment.
Yes, the Privacy Rule generally allows a parent to have access to the medical records about his or her child, as his or her minor child’s personal representative when such access is not inconsistent with State or other law.
There are three situations when the parent would not be the minor’s personal representative under the Privacy Rule. These exceptions are:
However, even in these exceptional situations, the parent may have access to the medical records of the minor related to this treatment when State or other applicable law requires or permits such parental access. Parental access would be denied when State or other law prohibits such access. If State or other applicable law is silent on a parent’s right of access in these cases, the licensed health care provider may exercise his or her professional judgment to the extent allowed by law to grant or deny parental access to the minor’s medical information.
Finally, as is the case with respect to all personal representatives under the Privacy Rule, a provider may choose not to treat a parent as a personal representative when the provider reasonably believes, in his or her professional judgment, that the child has been or may be subjected to domestic violence, abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child.