Privacy Rule Requirements
HIPAA contains detailed requirements for the use and/or disclosure of PHI. Covered Entities may only use and disclose PHI as permitted by HIPAA or more protective state laws.
Under HIPAA, an individual or business who performs a function or service on behalf of a Covered Entity that involves the creation, receipt, transmission, maintenance, use or disclosure of PHI of the Covered Entity is a Business Associate. Every Business Associate must sign a Business Associate Agreement with the contracting Covered Entity that describes the Business Associate’s compliance responsibilities under HIPAA, including using appropriate safeguards to prevent any impermissible use or disclosure of PHI and ensuring any subcontractors do so as well. Omnibus extended responsibility for HIPAA compliance to Business Associates. A Business Associate who violates HIPAA is now subject to the same civil and criminal penalties as Covered Entities. In the event a Business Associate violates HIPAA, the University may still be held responsible for the Business Associate’s actions.
The University and its Business Associates must make reasonable efforts to ensure that each use or disclose, requests only the minimum necessary PHI required to accomplish the job for which the PHI is needed. For routine disclosures, this may be achieved by creating policies and procedures that limit the PHI disclosed. For other disclosures, an individualized review will be required. When treating providers are sharing PHI for treatment purposes, this minimum necessary requirement does not apply. To ensure that only the minimum necessary PHI is used or disclosed, the University will define role-based access to PHI to ensure that the right people are handling PHI in the appropriate way.
HIPAA also addresses use of PHI for research purposes. HIPAA requires either a patient authorization or a waiver of the authorization requirement for the use, disclosure or creation of identifiable health information for research.
An authorization is not required for research using only “de-identified” data. If a researcher uses health information from which direct identifiers have been removed, then no authorization is required but the researcher must enter into a Data Use Agreement with the Covered Entity that holds the records. For further information, see HIPAA and research.
HIPAA addresses the need for Covered Entities to respect patient confidentiality when engaging in marketing or development activities. Consistent with current University practice, these activities must be conducted in accordance with HIPAA and University policies.
HIPAA defines marketing as a communication about a product or service that encourages the recipient of that communication to purchase the product or service. For most marketing activities, HIPAA requires a signed authorization from the individual to whom the marketing is directed. Marketing does not include face-to-face communications made by a Covered Entity to an individual; promotional gifts of nominal value provided to individuals by a Covered Entity; prescription refill reminders or information about a drug currently prescribed for an individual. Nor does HIPAA consider communications for care management or to recommend alternative treatments to constitute marketing, unless a provider has received payment from a third party for making the communication.
For fundraising activities, HIPAA allows the use and disclosure of only certain demographic information and other PHI without a signed patient authorization. Additionally, each fundraising solicitation must include an easy means for the recipient to opt out of receiving fundraising communications in the future.
These policies apply to all individuals in any office, department or section which seeks to use PHI for marketing and/or fundraising purposes.
Under the HIPAA Privacy Rule individuals have the following rights:
- Right to a notice of a Covered Entity’s privacy practices.
- Right to request restrictions and confidential communications concerning PHI.
- Right to request a restriction to a health plan of a health care item or service for which the individual, or someone on his/her behalf other than another health plan, has paid in full out of pocket.
- Right to obtain access to PHI for inspection and copying, including the right to an electronic copy of PHI
- Right to obtain an accounting of certain disclosures.
- Right to request amendment of PHI.
- Right to notice of a breach of his/her unsecured PHI.
The University must adhere to HIPAA’s administrative requirements, including the following:
- Designation of a privacy official responsible for development of policies and procedures for the use and disclosure of PHI.
- Implementation of an internal complaint process to handle complaints relating to HIPAA and to explain privacy procedures.
- Ongoing workforce training.
- Implementation of administrative, technical and physical safeguards to protect the confidentiality, integrity, and availability of PHI.
- Development and enforcement of sanctions for failure to comply with policies and procedures.
- Development of procedures to mitigate adverse effects of aprohibited impermissible use or disclosure of unsecured PHI.
- Enforcement of the HIPAA requirement and University policy prohibiting retaliation against a person for exercising individual rights or filing a complaint.