Earn CEU credit Cathy Garrey, Connect with your - Health Care ...
Complying with the HIPAA Privacy Rule – What you need to know ...continued from page 63

covered entity first must obtain an individual’s authorization before using or disclosing PHI. Under the Privacy Rule, an authorization must contain certain provisions, including a description of the information to be used or disclosed, the name of the person or entity authorized to make the use or disclosure, the person or entity who may receive the information, a description of the purpose of the use or disclosure, an expiration date, a signature, and other provisions related to individual rights. In addition to those provisions required by the Privacy Rule, many state laws also have specific requirements related to what must be included in an authorization. Covered entities should confirm that their authorization forms contain all required provisions under the Privacy Rule and under state law.

There are many purposes for which a covered entity may use or disclose PHI, but the vast majority of these uses and disclosures are subject to the Privacy Rule’s minimum necessary requirement. That is, with few exceptions (e.g., treatment purposes), when a covered entity uses or discloses PHI, the covered entity must use or disclose only the minimum amount of PHI necessary to effectuate the purpose of the use or disclosure.
Individual rights

In addition to governing a covered entity’s use and disclosure of PHI, the Privacy Rule created certain individual rights with respect to PHI. Simultaneously, the Privacy Rule created certain obligations for covered entities to allow individuals to exercise these rights.
Notice of privacy practices. Under the Privacy Rule, an individual has the right to adequate notice of a covered entity’s uses and disclosures of PHI, his or her rights with respect to PHI, and a covered entity’s legal obligations regarding PHI. Accordingly, covered entities must provide individuals with a written notice of their privacy practices. Generally, the notice of privacy practices must contain a description of the covered entity’s uses and disclosures, a statement of the individual’s rights, the covered entity’s legal duties with respect to the PHI, a description of the process for filing a complaint, and contact information for purposes of asking additional questions. In addition, health care providers must make a good faith effort to obtain a written acknowledgement that a patient received the notice of privacy practices. If the health care provider is unable to obtain the acknowledgement, the health care provider must document its good faith efforts and the reasons why such acknowledgement was not obtained.
Access to PHI. The Privacy Rule provides that individuals have a right to inspect and obtain a copy of their PHI. This means that covered entities have a corresponding obligation to provide access to and copies of PHI to individuals who make such a request. The Privacy Rule does permit a covered entity to limit this right under certain circumstances. In addition, a covered entity does not have to comply immediately upon receiving a request. That is, generally, a covered entity has 30 days to respond to a request for access and may have up to 60 days under certain circumstances. Moreover, covered entities are permitted to charge a reasonable, cost-based fee for fulfilling these requests.
Amendment of PHI. Under the Privacy Rule, individuals have the right to have a covered entity amend their PHI, and covered entities have the obligation to fulfill these requests. As with the right to access PHI, the right to have PHI amended is limited under certain circumstances. For example, if the PHI is accurate and complete, the covered entity is not required to amend the PHI. Again, as with the right to access, the right to amendment is not immediate. As a general rule, a covered entity has 60 days to respond to a request for amendment and has up to 90 days in some cases.
Accounting of disclosures. Individuals have the right to receive an accounting of certain disclosures made by a covered entity in the prior six-year period. Accordingly, to fulfill their obligation, covered entities must have a process in place, for example an accounting log, to track information related to certain disclosures, and must have a way to provide such information to an individual upon request. Many disclosures do not need to be accounted for, including disclosures made for TPO purposes, disclosures made pursuant to an authorization, disclosures made to the individual, and disclosures incident to an otherwise permitted disclosure. Examples of disclosures that must be accounted for include unauthorized disclosures of PHI, disclosures required by law, those made for public health purposes, and disclosures for health oversight. Similar to the access and amendment rights, the right to an accounting is not immediate. Rather, covered entities have up to 60 days, and up to 90 days in some cases, to respond to the request. In addition, while a covered entity must provide an individual with an accounting free of charge, for any additional request within the same 12-month period, a covered entity may charge a reasonable cost-based fee.
Right to request restrictions. The Privacy Rule provides individuals with the right to request restrictions on the way a covered entity uses or discloses PHI for purposes of TPO and to an individual involved in the individual’s care or payment for that care. The covered entity, however, is not obligated to comply with the request. Therefore, this is the only individual right under the Privacy Rule that does not have a corresponding obligation for the covered entity. However, if the covered entity does agree to the request, the covered entity may not violate the restriction (unless under emergency treatment circumstances).

Continued on page 66
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
65<br />
October 2008