
2/5/2020 CITI - Collaborative Institutional Training Initiative


Basics of Health Privacy


Content Author

Reid Cushman, PhD


CITI Program

This module is for educational purposes only. It is not designed to provide legal advice or
legal guidance. You should consult with your organization's attorneys if you have
questions or concerns about the relevant laws and regulations discussed in this module.

Introduction

The imperative to protect the privacy of health information has many sources. In the
U.S., state statutes and regulations, as well as the federal Health Insurance
Portability and Accountability Act (HIPAA), impose requirements. Constraints flow
from non-government sources as well, such as accreditation organizations like The
Joint Commission (formerly known as JCAHO).

https://www.citiprogram.org/members/index.cfm?pageID=125 1/18

And, last but not least, the ethics codes of many professional associations, such as
those of the American Medical Association and the American Nurses Association,
stress privacy obligations. These requirements converge into a set of obligations
that apply to anyone handling identifiable health information. It is important to learn
the rules for such access and follow those rules.

As a part of that, many of these authorities specify that a healthcare organization
must provide its workforce with appropriate basic training in privacy requirements.
You may have had such training before. If so, this module aims to refresh your
knowledge. If not, the foundation here, and in other CITI Program modules, will get
you started.

Even basic health privacy can be complex, given the many laws and regulations.
Moreover, all healthcare organizations (even the smallest clinics) are required to
have local resources, notably in the form of an institutional Privacy Officer, to answer
questions and provide guidance for handling "non-routine" events.

Learning Objectives

By the end of this module, you should be able to:

Describe the basic privacy protections for health information provided by HIPAA,
and other legal-regulatory and non-government sources.
Identify the duties imposed on persons with access to protected health
information (PHI) in order to fulfill those privacy requirements.

Privacy in Practice


Privacy has many meanings in everyday conversation, but in this context it refers to
rules about who can access health information and under what circumstances.
Strictly speaking, this is "confidentiality"; but we use the more general term "privacy"
here. This module concentrates on HIPAA's obligations, specifically its Privacy Rule
(HHS 2013a; HHS 2013b).

Many of the HIPAA protections for health information depend on the purpose for
which it is collected, used, or disclosed. You may also need to refresh your
knowledge of rules that apply to the specific kinds of work you do (such as clinical
care, fundraising, marketing, research, or participation in a training program).

You probably will also need a refresher on basic information security practices -- that
is, the techniques for safe use of information systems and devices. Without good
security, the privacy rules are just empty promises. HIPAA’s Security Rule mandates
such training.

Why privacy protections under HIPAA?

The U.S. health sector was slow to adopt electronic records, when compared to
sectors like banking and finance. Even now, paper records remain common in some
healthcare facilities. Systems for electronic health records are improving, but still
somewhat un-standardized (in other words, they have trouble "talking" to each
other). This creates inefficiencies and security issues.


HIPAA provides standards both for privacy and for the technical requirements of data
interchange and security, thereby adding a floor of safeguards to augment state
privacy laws and regulations.

Increased use of standardized electronic information may make things more
efficient, but it is also cause for more privacy concerns. Computers allow faster,
easier access to health records, both for good purposes and bad ones; hence the
need for better privacy protections and information security practices.

Losing a batch of paper records does not compare to the risks if a computer or
network is compromised. Thousands of persons' records can be put at risk by a
single electronic breach. That is why HIPAA also includes information security
regulations.

Who is covered by HIPAA?

HIPAA defines three kinds of "covered entity": health plans, healthcare
clearinghouses, and healthcare providers that transmit health information
electronically in connection with HIPAA's standard transactions (such as claims and
eligibility checks). In practice, almost every U.S. organization that provides or pays
for health services falls into one of these categories and is subject to HIPAA's
requirements.


HIPAA also extends rights to every patient whose information is collected, used, or
disclosed by such covered entities. It imposes duties on covered entities and, by
extension, on all persons who work in or for covered entities, in order to secure
those rights. It reaches even to the business associates that handle health data on a
covered entity's behalf.

What is covered by HIPAA?

Any health information generated or held by a covered entity that could be linked to
an individual is protected health information (PHI). HIPAA (HHS 2013a) defines PHI as
"any information" related to the "past, present or future physical or mental health
condition" of a person. Only fully de-identified information is excluded, where every
explicit identifier has been removed, as well as data that could potentially establish
identity via statistical techniques. HIPAA recognizes two routes to de-identification:
removing a specified list of identifiers (the "safe harbor" method), or a documented
determination by a qualified expert that the risk of re-identification is very small.

HIPAA's Security Rule applies to PHI that a covered entity creates, stores, or
transmits electronically, but the Privacy Rule applies to PHI in "any form or medium."
That includes paper records, as well as electronic records, faxes, emails, exchanges in
phone conversations, and even just talking face-to-face. If it is health data, and it is
identifiable, assume it is covered.

Notification of Privacy Practices

For most persons, HIPAA's most visible indicator is the privacy notice -- formally, the
Notice of Privacy Practices (NPP). This notice describes, in general terms, how a
covered entity will protect the patient's health information. Additionally, it specifies
the patient's rights both from HIPAA and any stricter state protections.

A copy of the privacy notice must be provided the first time a patient sees a direct
treatment provider (any provider that directly interacts with the patient) and any time
thereafter when requested by the patient or when the notice changes. Health plans
and insurers must also provide periodic notices to their customers.

By now, most adults in the U.S. have had the opportunity to see a notice, although
probably few have bothered to read one. Take a look the next time you are stuck in a
healthcare facility waiting room. The notice you read will cover the same territory as
this module.

Acknowledgment of the Privacy Notice

Direct treatment providers must make a good faith effort to obtain a signed
acknowledgment confirming that a copy of the notice was received. The signature
does not affirm that the patient understands what is in the notice, or even that the
person has read it, just that it was received. In emergencies, an acknowledgment can
be deferred.

The notice process aims to make patients aware of their rights, albeit in a pro forma
manner. It is also designed to provide an opportunity for discussion of patients'
privacy questions and concerns. Covered entities are obligated to have persons on
staff knowledgeable enough to provide answers (that might include you).

Patient Rights

Patients have a set of speci c rights with respect to their health records (listed
below). Beyond those, patients have a general right to appropriate privacy and
information security practices by any covered entity that possesses data about them,
and by any business associate of the covered entity.

If patients believe that their HIPAA rights have been violated, they may file a
complaint with the covered entity's Privacy Officer. If unsatisfied with a local
response, patients can also take their complaints to the U.S. Department of Health
and Human Services' Office for Civil Rights (OCR). Complaints may also be directed to
state-level agencies.

HIPAA’s “Big Five” Health Records Rights

Access


A right to gain access to and obtain a copy of all of one's health records. This is
subject to some exceptions (such as the details of psychotherapy notes).

Amendment

A right to request amendment of errors found in those records, or to include a
statement of disagreement if the covered entity maintains that the information is
correct.

Disclosure Accounting

A right to receive an accounting of disclosures of one's health information -- that
is, a list of the persons and organizations to whom/which it has been disclosed,
when, and for what purpose.

Restriction/Confidential Communications Requests

A right to request restrictions on access to, and additional protections for,
particularly sensitive data. That includes a right to request confidential
communications of information, by alternative means or at alternative locations, and
to limit disclosures on self-pay transactions.

Limits on Additional Uses

A right to prevent certain "additional" types of use and disclosure (such as
fundraising, marketing, or research, unless specifically authorized).

Qualifications on Records Rights


Rights to access and potentially amend health records already existed in many states
before HIPAA, but patients were rarely well informed about these. Under the Health
Information Technology for Economic and Clinical Health (HITECH) Act's amendments
to HIPAA, patients now have a right to request electronic copies of records where the
covered entity has an electronic records system. In general, whether in paper or
electronic form, covered entities must respond to such requests within 30 days,
although there are provisions for an extension if records cannot be easily accessed.

Disclosure accounting generally excludes the very large category of disclosures made
for treatment, payment, or healthcare operations. This very large exception may
someday be eliminated for treatment-related disclosures by covered entities with
electronic systems, but this has not happened yet. A log of disclosures covering the
six years before the request must be provided to patients on request. Disclosures by
business associates must also be in this accounting (either provided by the covered
entity or by the business associate directly).

The right to additional protections and confidential communications is largely a
right to ask. Covered entities are not required to honor all requests for additional
restrictions/protections, but must abide by any extra provisions to which they agree.
In general, they are bound to honor "reasonable requests" for confidential
communications. HIPAA also now provides a right for patients to limit disclosures to
insurers and health plans about things for which they have self-paid.


Permission for additional uses related to research, marketing, and fundraising also
has exceptions. Not all activities of these types require authorization.

With all these records rights, it is important to learn about any additional rules that
apply to the jurisdiction in which your organization operates, particularly as
conditioned by the state's laws. Your organization's policies and its Privacy O cer
should be your guides.

HIPAA Information Categories

Understanding the three major categories of health information uses and disclosures
helps to clarify HIPAA’s protections.

No Permission Required

This category is the largest and includes uses and disclosures that can occur without
any specific permission from patients once they have consented to treatment. Those
include information related to the treatment, payment for treatment, and a broad
range of other core healthcare operations (commonly referred to as "TPO"). Note:
Many organizations still choose to get the patient to sign something about these
matters, notably if required by state law.

Beyond TPO, there are other broad categories for which HIPAA does not require
specific permission for uses and disclosures, such as disclosures required by federal
or state law, for public health activities, for health oversight, or to law enforcement
under specified conditions.

Oral Permission Required

This category includes uses and disclosures that are allowed simply on the basis of
an oral assent, after the patient has been given the opportunity to agree or object.
It covers two kinds:

Inclusion or exclusion from facility directories that list patients' names and general
conditions
Uses and disclosures to friends and family members involved in a person's care


Note: Many organizations still choose to have the patient sign something about
these matters as well.

Written Permission Required

This category includes those uses and disclosures that require specific written
permission, known under HIPAA as an "authorization." HIPAA requires a signed
authorization for many, but decidedly not all, PHI uses or disclosures for research,
marketing, and fundraising. In general, healthcare organizations cannot condition
treatment or payment for healthcare services on receiving a patient's authorization
for these activities.

Some Qualifications of These Categories

HIPAA's restrictions on access to health information depend primarily on the
purposes for that access, but the kind of information itself can be relevant. In
addition to information for which the patient makes a special confidentiality request,
HIPAA extends extra protection to psychotherapy notes. Separate authorization for
release of this information is usually required, and patients' access to it may
sometimes be restricted.

By contrast, state laws commonly go further, extending special protection to many
types of information (including data related to mental health treatment, HIV, sexually
transmitted infections (STIs), genetic tests, and substance abuse). In such cases,
separate authorization is usually required. Many state laws also require an explicit
general consent for uses or disclosures where HIPAA does not.

In general, "more stringent" state health privacy requirements remain in force,
complementing HIPAA's foundation of protections, provided there is no direct
conflict in requirements. However, the complexity and variability with which state
and federal law interact, and when state law is preempted, preclude any summary
here.


On this, as in other matters, it is important to consult a local expert for the details in
your jurisdiction. We cannot stress enough the importance of understanding these
additional state, local, and organizational requirements.

Who controls information decisions?

For those circumstances where the patient does retain control of their information,
HIPAA's general rule is a simple one: if a person has a right to make a healthcare
decision, then that person has a right to control information associated with that
decision.

Minor children and incompetent adults may have their health information decisions
made by a personal representative. Typically, that will be a parent in the case of a
child. However, states' rules for minors are particularly complex, and so consultation
with a local expert is essential if you have questions about a minor's health
information rights.

As you have just read, the patient remains in control of relatively few information
uses and disclosures once they have entered the healthcare system. Consent to be
treated in a healthcare facility is effectively also permission for a broad range of
information sharing without any additional permission.

That is why a patient's most important protection is responsible, safe use of health
information by the healthcare professionals who have access to it.

Organizational Duties

The privacy obligations of covered entities are, unsurprisingly, a mirror of patient
rights:

Privacy notices must be created and distributed.
Direct treatment providers must attempt to obtain a signed acknowledgment of
receipt of the notice.
One or more privacy officials must be appointed to answer questions, handle
complaints, and administer all the paperwork associated with access, correction,
accounting, and so on.
Most fundamentally, it is the covered entity's responsibility to have a full set of
policies in place that comply with HIPAA's rules and any stricter state or local
requirements, and to make sure its workforce understands and follows those
policies.

Duties of Healthcare Workers

If you work in a covered entity -- or are, as a healthcare provider, one yourself -- then
you have personal obligations under the law. The "big three" are: use or disclose
health information only for legitimate, work-related purposes; limit your uses and
disclosures to the minimum necessary for those purposes; and exercise reasonable
caution at all times to protect the health information under your control. They are
restated in the Summary at the end of this module.


What to Do If You Find a Problem

Fixing a privacy problem can be as simple as gently reminding a colleague about the
rules. If that is not effective, you should escalate the matter to a supervisor or to the
organization's Privacy Officer directly. You are always obligated to report privacy
problems that you cannot reasonably fix by yourself.


HIPAA forbids intimidation or retaliation against anyone (patient or worker) for
reporting a problem or filing a complaint. However, if you lack confidence in your
organization's ability or inclination to prevent harm to you, report your concerns
anonymously either to your local privacy official, or to an appropriate state or federal
government agency.

Summary

HIPAA provides a set of national "health information rights," as well as a requirement
for notice of these rights, to all patients. These rights include:

Access
Amendment
Disclosure accounting
Restriction/confidential communications requests
Permission (authorization) for some supplemental uses
Access to local and federal "complaint" resources

HIPAA imposes a parallel set of "information duties" on covered entities and the
persons who work in/for them. Everyone who handles health data is obligated to
understand the speci c rules that apply to their setting, and follow them in daily
practice.

Three basic rules will take you a long way:

Use or disclose health information only for legitimate, work-related purposes
Limit your uses and disclosures to the minimum necessary to achieve those
purposes
Exercise reasonable caution, at all times, to protect the health information under
your control


Exercising reasonable caution requires at least some knowledge of reasonable
information security practices (see the CITI Program's Information Security course for
more information).

Amidst all the complexities, the time-honored Golden Rule applies here: Try to give
the health information under your control the same respect for privacy that you
would like for your own.

Acknowledgements

Content for the CITI Program's Information Privacy and Security (IPS) series was
originally developed with support from the University of Miami Ethics Programs.
Many CITI Program staff and external reviewers have contributed to its
improvement.

References

U.S. Department of Health and Human Services (HHS). 2013a. "Combined
Regulation Text of All Rules." Accessed May 2, 2017.
U.S. Department of Health and Human Services (HHS). 2013b. "Modifications to
the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under
the Health Information Technology for Economic and Clinical Health Act and
the Genetic Information Nondiscrimination Act; Other Modifications to the
HIPAA Rules; Final Rule." Federal Register 78(17):5566-702.

Additional Resource

U.S. Department of Health and Human Services (HHS). 2017. "HIPAA for
Professionals." Accessed May 16, 2017.


Original Release: May 2006


Last Updated: December 2017
