Earn CEU credit Cathy Garrey, Connect with your - Health Care ...

Complying with the HIPAA Privacy Rule – What you need to know ...continued from page 63
covered entity first must obtain an individual’s
authorization before using or disclosing PHI.
Under the Privacy Rule, an authorization
must contain certain provisions, including a
description of the information to be used or
disclosed, the name of the person or entity
authorized to make the use or disclosure, the
person or entity who may receive the information,
a description of the purpose of the use or
disclosure, an expiration date, a signature, and
other provisions related to individual rights.
In addition to those provisions required by the
Privacy Rule, many state laws also have specific
requirements related to what must be included
in an authorization. Covered entities should
confirm that their authorization forms contain
all required provisions under the Privacy Rule
and under state law.
There are many purposes for which a covered
entity may use or disclose PHI, but the vast
majority of these uses and disclosures are
subject to the Privacy Rule’s minimum necessary
requirement. That is, with few exceptions
(e.g., treatment purposes), when a covered
entity uses or discloses PHI, the covered
entity must use or disclose only the minimum
amount of PHI necessary to effectuate the
purpose of the use or disclosure.
Individual rights
In addition to governing a covered entity’s
use and disclosure of PHI, the Privacy Rule
created certain individual rights with respect
to PHI. Simultaneously, the Privacy Rule
created certain obligations for covered entities
to allow individuals to exercise these rights.
Notice of privacy practices. Under the Privacy
Rule, an individual has the right to adequate
notice of a covered entity’s uses and disclosures
of PHI, his or her rights with respect to PHI,
and a covered entity’s legal obligations regarding
PHI. Accordingly, covered entities must
provide individuals with a written notice of their
privacy practices. Generally, the notice of privacy
practices must contain a description of the
covered entity’s uses and disclosures, a statement
of the individual’s rights, the covered entity’s legal
duties with respect to the PHI, a description of
the process for filing a complaint, and contact
information for purposes of asking additional
questions. In addition, health care providers
must make a good faith effort to obtain a written
acknowledgement that a patient received the
notice of privacy practices. If the health care
provider is unable to obtain the acknowledgement,
the health care provider must document
its good faith efforts and the reasons why such
acknowledgement was not obtained.
Access to PHI. The Privacy Rule provides that
individuals have a right to inspect and obtain a
copy of their PHI. This means that covered entities
have a corresponding obligation to provide
access to and copies of PHI to individuals who
make such a request. The Privacy Rule does
permit a covered entity to limit this right under
certain circumstances. In addition, a covered
entity does not have to comply immediately
upon receiving a request. That is, generally,
a covered entity has 30 days to respond to a
request for access and may have up to 60 days
under certain circumstances. Moreover, covered
entities are permitted to charge a reasonable,
cost-based fee for fulfilling these requests.
Amendment of PHI. Under the Privacy Rule,
individuals have the right to have a covered
entity amend their PHI, and covered entities
have the obligation to fulfill these requests.
As with the right to access PHI, the right to
have PHI amended is limited under certain
circumstances. For example, if the PHI is
accurate and complete, the covered entity is
not required to amend the PHI. Again, as with
the right to access, the right to amendment
is not immediate. As a general rule, a covered
entity has 60 days to respond to a request for
amendment and has up to 90 in some cases.
Accounting of disclosures. Individuals have
the right to receive an accounting of certain
disclosures made by a covered entity in the
prior six year period. Accordingly, to fulfill
their obligation, covered entities must have a
process in place, for example an accounting
log, to track information related to certain
disclosures and must have a way to provide
such information to an individual upon
request. Many disclosures do not need to be
accounted for, including disclosures made for
TPO purposes, disclosures made pursuant
to an authorization, disclosures made to the
individual, and disclosures incident to an
otherwise permitted disclosure. Examples of
disclosures that must be accounted for include
unauthorized disclosures of PHI, disclosures
required by law, those made for public health
purposes, and disclosures for health oversight.
Similar to the access and amendment rights,
the right to an accounting is not immediate.
Rather, covered entities have up to 60 days,
and up to 90 days in some cases, to respond to
the request. In addition, while a covered entity
must provide an individual with an accounting
free of charge, for any additional request
within the same 12-month period, a covered
entity may charge a reasonable cost-based fee.
Right to request restrictions. The Privacy
Rule provides individuals with the right to
request restrictions on the way a covered entity
uses or discloses PHI for purposes of TPO and
to an individual involved in the individuals care
or payment for that care. The covered entity,
however, is not obligated to comply with the
request. Therefore, this is the only individual
right under the Privacy Rule that does not have
a corresponding obligation for the covered
entity. However, if the covered entity does
agree to the request, the covered entity may not
violate the restriction (unless under emergency
treatment circumstances).
Continued on page 66
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
65
October 2008