This module is for educational purposes only. It is not designed to provide legal advice or
legal guidance. You should consult with your organization's attorneys if you have
questions or concerns about the relevant laws and regulations discussed in this module.
Introduction
The imperative to protect the privacy of health information has many sources. In the
U.S., state statutes and regulations, as well as the federal Health Insurance
Portability and Accountability Act (HIPAA), impose requirements.
https://www.citiprogram.org/members/index.cfm?pageID=125 1/18
2/5/2020 CITI - Collaborative Institutional Training Initiative
And, last but not least, the ethics codes of many professional associations stress
privacy obligations, such as those of the American Medical Association and the
American Nurses Association. These requirements converge into a set of obligations
that apply to anyone handling identifiable health information. It is important to learn
the rules for such access and follow those rules.
Even basic health privacy can be complex, given the many laws and regulations.
Moreover, all healthcare organizations (even the smallest clinics) are required to
have local resources, notably in the form of an institutional Privacy Officer, to answer
questions and provide guidance for handling "non-routine" events.
Learning Objectives
Describe the basic privacy protections for health information provided by HIPAA,
and other legal-regulatory and non-government sources.
Identify the duties imposed on persons with access to protected health
information (PHI) in order to fulfill those privacy requirements.
Privacy in Practice
Privacy has many meanings in everyday conversation, but in this context it refers to
rules about who can access health information and under what circumstances.
Strictly speaking, this is "confidentiality," but we use the more general term "privacy"
here. This module concentrates on HIPAA’s obligations, specifically its Privacy Rule
(HHS 2013a; HHS 2013b).
Many of the HIPAA protections for health information depend on the purpose for
which it is collected, used, or disclosed. You may also need to refresh your
knowledge of rules that apply to the specific kinds of work you do (such as clinical
care, fundraising, marketing, research, or participation in a training program).
You probably will also need a refresher on basic information security practices -- that
is, the techniques for safe use of information systems and devices. Without good
security, the privacy rules are just empty promises. HIPAA’s Security Rule mandates
such training.
The U.S. health sector was slow to adopt electronic records, when compared to
sectors like banking and finance. Even now, paper records remain common in some
healthcare facilities. Systems for electronic health records are improving, but still
somewhat un-standardized (in other words, they have trouble “talking” to each
other). This creates inefficiencies and security issues.
HIPAA provides standards both for privacy and for the technical requirements of data
interchange and security, thereby adding a floor of safeguards to augment state
privacy laws and regulations.
Losing a batch of paper records does not compare to the risks if a computer or
network is compromised. Thousands of persons' records can be put at risk by a
single electronic breach (see examples). That is why HIPAA also includes information
security regulations.
Almost every U.S. organization that provides or pays for health services, or
exchanges health data of any kind, is considered a “covered entity” under HIPAA and
subject to its requirements.
HIPAA also extends rights to every patient whose information is collected, used, or
disclosed by such covered entities. It imposes duties on covered entities and, by
extension, on all persons who work in or for covered entities, in order to secure
those rights. It reaches even to the business associates that handle health data on a
covered entity's behalf.
Any health information generated or held by a covered entity that could be linked to
an individual is protected health information (PHI). HIPAA (HHS 2013a) defines PHI as
"any information" related to the "past, present or future physical or mental health
condition" of a person. Only fully de-identified information is excluded, where every
explicit identifier has been removed, as well as data that could potentially establish
identity via statistical techniques.
HIPAA's security rules are triggered when a covered entity engages in any electronic
transactions, but the privacy rules apply to PHI in "any form or medium." That
includes paper records, as well as electronic records, faxes, emails, exchanges in
phone conversations, and even just talking face-to-face. If it is health data, and it is
identifiable, assume it is covered.
For most persons, HIPAA's most visible indicator is the privacy notice -- formally, the
Notice of Privacy Practices (NPP). This notice describes, in general terms, how a
covered entity will protect the patient's health information. Additionally, it specifies
the patient's rights both from HIPAA and any stricter state protections.
A copy of the privacy notice must be provided the first time a patient sees a direct
treatment provider (any provider that directly interacts with the patient) and any time
thereafter when requested by the patient or when the notice changes. Health plans
and insurers must also provide periodic notices to their customers.
By now, most adults in the U.S. have had the opportunity to see a notice, although
probably few have bothered to read one. Take a look the next time you are stuck in a
healthcare facility waiting room. The notice you read will cover the same territory as
this module.
Direct treatment providers must make a good faith effort to obtain a signed
acknowledgment confirming that a copy of the notice was received. The signature
does not affirm that the patient understands what is in the notice, or even that the
person has read it, just that it was received. In emergencies, an acknowledgment can
be deferred.
The notice process aims to make patients aware of their rights, albeit in a pro forma
manner. It is also designed to provide an opportunity for discussion of patients'
privacy questions and concerns. Covered entities are obligated to have persons on
staff knowledgeable enough to provide answers (that might include you).
Patient Rights
Patients have a set of specific rights with respect to their health records (listed
below). Beyond those, patients have a general right to appropriate privacy and
information security practices by any covered entity that possesses data about them,
and by any business associate of the covered entity.
If patients believe that their HIPAA rights have been violated, they may file a
complaint with the covered entity's Privacy Officer. If unsatisfied with a local
response, patients can also take their complaints to the U.S. Department of Health
and Human Services' Office of Civil Rights. Complaints may also be directed to state-
level agencies.
Access
A right to gain access to and obtain a copy of all of one's health records. This is
subject to some exceptions (such as the details of psychotherapy notes).
Amendment
Disclosure Accounting
A right to receive an accounting of how one's health information has been used --
that is, a list of the persons and organizations to whom/which it has been disclosed.
Rights to access and potentially amend health records already existed in many states
before HIPAA, but patients were rarely well informed about these. Under the Health
Information Technology for Economic and Clinical Health (HITECH) Act’s amendments
to HIPAA, patients now have a right to request electronic copies of records where the
covered entity has an electronic records system. In general, whether in paper or
electronic form, covered entities must respond to such requests within 30 days,
although there are provisions for extensions if records cannot be easily accessed.
Disclosure accounting generally excludes the very large category of disclosures made
for treatment, payment, or healthcare operations. This very large exception may
someday be eliminated for treatment-related disclosures by covered entities with
electronic systems, but this has not happened yet. A log of disclosures, going back at
least three years, must be provided to patients on request. Disclosures by business
associates must also be in this accounting (either provided by the covered entity or
business associate directly).
Permission for additional uses related to research, marketing, and fundraising also
has exceptions. Not all activities of these types require authorization.
With all these records rights, it is important to learn about any additional rules that
apply to the jurisdiction in which your organization operates, particularly as
conditioned by the state's laws. Your organization's policies and its Privacy Officer
should be your guides.
Understanding the three major categories of health information uses and disclosures
helps to clarify HIPAA’s protections.
No Permission Required
This category is the largest and includes uses and disclosures that can occur without
any specific permission from patients once they have consented to treatment. Those
include information related to the treatment, payment for treatment, and a broad
range of other core healthcare operations (commonly referred to as "TPO"). Note:
Many organizations still choose to get the patient to sign something about these
matters, notably if required by state law.
Beyond TPO, there are other broad categories for which HIPAA does not require
specific permission for uses and disclosures, if those are required by federal or state
laws. Those exempted categories are highlighted below.
This category includes uses and disclosures that are allowed simply on the basis of
oral assent. It covers two situations:
Inclusion or exclusion from facility directories that list patients' names and general
conditions
Uses and disclosures to friends and family members involved in a person's care
Note: Many organizations still choose to have the patient sign something about
these matters as well.
This category includes those uses and disclosures that require specific written
permission, known under HIPAA as an "authorization." HIPAA requires a signed
authorization for many, but decidedly not all, PHI uses or disclosures for research,
marketing, and fundraising. In general, healthcare organizations cannot condition
treatment or payment for healthcare services on receiving a patient's authorization
for these activities.
On this, as in other matters, it is important to consult a local expert for the details in
your jurisdiction. We cannot stress enough the importance of understanding these
additional state, local, and organizational requirements.
For those circumstances where the patient does retain control of their information,
HIPAA's general rule is a simple one: if a person has a right to make a healthcare
decision, then that person has a right to control information associated with that
decision.
Minor children and incompetent adults may have their health information decisions
made by a personal representative. Typically, that will be a parent in the case of a
child. However, states' rules for minors are particularly complex, and so consultation
with a local expert is essential if you have questions about a minor's health
information rights.
As you have just read, the patient remains in control of relatively few information
uses and disclosures once they have entered the healthcare system. Consent to be
treated in a healthcare facility is effectively also permission for a broad range of
information sharing without any additional permission.
That is why a patient's most important protection is responsible, safe use of health
information by the healthcare professionals who have access to it.
Organizational Duties
If you work in a covered entity -- or are, as a healthcare provider, one yourself -- then
you have personal obligations under the law. The “big three” are discussed below.
Fixing a privacy problem can be as simple as gently reminding a colleague about the
rules. If that is not effective, you should escalate the matter to a supervisor or to the
organization's Privacy Officer directly. You are always obligated to report privacy
problems that you cannot reasonably fix by yourself.
Summary
Access
Amendment
Disclosure accounting
Restriction/confidential communications requests
Permission (authorization) for some supplemental uses
Access to local and federal "complaint" resources
HIPAA imposes a parallel set of "information duties" on covered entities and the
persons who work in/for them. Everyone who handles health data is obligated to
understand the specific rules that apply to their setting, and follow them in daily
practice.
Amidst all the complexities, the time-honored Golden Rule applies here: Try to give
the health information under your control the same respect for privacy that you
would like for your own.
Acknowledgements
Content for the CITI Program’s Information Privacy and Security (IPS) series was
originally developed with support from the University of Miami Ethics Programs.
Many CITI Program staff and external reviewers have contributed to its
improvement.
References
Additional Resource
U.S. Department of Health and Human Services (HHS). 2017. “HIPAA for
Professionals.” Accessed May 16.