Earn CEU credit Cathy Garrey, Connect with your - Health Care ...
Complying with the HIPAA Privacy Rule – What you need to know
...continued from page 59
demographic information) that is created or received by a health care provider,
health plan, employer, or health care clearinghouse that relates to:
- The past, present, or future health of an individual;
- The provision of health care to an individual; or
- The past, present, or future payment for health care to an individual
AND that either
  - identifies the individual, or
  - there is a reasonable basis to believe that the information could be
    used to identify the individual.
In contrast, information that has been de-identified is not protected under
the Privacy Rule. De-identification, however, is not simply removing the
individual’s name from the information. In fact, in order for information
to be truly “de-identified” for purposes of the Privacy Rule (and therefore
outside of the Privacy Rule’s scope), either all eighteen identifiers enumerated
in the Privacy Rule must be removed from the information or a person
with “appropriate knowledge of and experience with” accepted principles
and methods must determine that the risk is very small that the information
could be used alone or in combination with other available information to
identify the individual to whom the PHI relates.
What uses and disclosures are permitted

A covered entity may not use or disclose PHI unless that use or disclosure is
permitted by the Privacy Rule. A covered entity may disclose, and in fact, is
required to disclose PHI to the individual or the individual’s representative
and to the Secretary of HHS for purposes of determining compliance with
the Privacy Rule.
Uses and disclosures that are “incident to” an otherwise permitted use or
disclosure are also permitted under the Privacy Rule. For example, the Privacy
Rule does not prohibit a physician from discussing a patient’s medical condition
with that patient in a hospital room that is shared with another patient.
Any PHI that the other patient may hear is an incidental disclosure of PHI
and is permissible under the Privacy Rule.
Perhaps most important in terms of most day-to-day uses and disclosures of
PHI, the Privacy Rule permits covered entities to use and disclose PHI for purposes
of treatment, payment, and health care operations (commonly referred
to as TPO). Treatment includes the provision, coordination, or management of
health care, the consultation between health care providers, and the referral of
patients to other health care providers. Payment includes activities undertaken
by a health plan to obtain premiums or to determine or fulfill obligations
related to coverage and the provision of benefits. Payment also includes activities
undertaken by a health care provider or health plan to obtain or provide
reimbursement for health care. In defining payment, the Privacy Rule includes
October 2008
62
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org