Health care providers (persons and units) that (i) provide, bill for and are paid for health care and (ii) transmit Protected Health Information (defined below) in connection with certain transactions are required to comply with the privacy and security regulations established pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) of 2009. The primary purpose of HIPAA’s privacy regulations (the “Privacy Rule”) and security regulations (the “Security Rule”) is to protect the confidentiality of patient health information which is generated or maintained in the course of providing health care services.
What follows is a basic overview of the main provisions of the Privacy and Security Rules.
II. THE PRIVACY RULE
A. What is PHI or Protected Health Information?
The Privacy Rule governs how individuals can use and disclose confidential patient information called “Protected Health Information” or “PHI.” PHI can be written, spoken or electronic and includes information relating to an individual’s health or condition, the provision of health care services or the payment for such services. The Privacy Rule only covers information that is individually identifiable. However, identifiers are broadly defined under the Privacy Rule and, among other things, include a patient’s name, address, social security number, fax number, email address, vehicle identifiers, date of admission / discharge, photographs and voice recordings.[2] Further, in addition to identifiers that can be specifically linked to an individual, PHI also includes information which could be reasonably expected to lead to their identification.
* The Privacy Rule does not apply to documents or information lacking patient identifiers. However, when in doubt, assume that all information is protected by the Privacy Rule.
B. What does “use” mean?
Under the Privacy Rule, “use” means the sharing, employment, application, utilization, examination, or analysis of PHI within an entity that maintains such PHI. All sharing, employment, application, etc., of PHI within an entity’s designated covered components is considered to be a “use”.
C. What does “disclosure” mean?
Under the Privacy Rule, “disclosure” means the release, transfer, provision of access to, or divulging in any other manner of PHI outside the entity holding the PHI. Any release, transfer, etc., of PHI outside of an entity’s designated covered components is considered to be a “disclosure.”
D. What are the most important principles of the Privacy Rule?
1. Use or Disclose Only the Minimum Necessary Information
Generally speaking, the Privacy Rule requires that individuals limit access to PHI, and use and disclosure of PHI, to the minimum amount of information necessary to perform their job and/or accomplish their intended purpose. (The minimum necessary rule does not apply to information used or disclosed in treating a patient (including rounds) and in certain other limited instances.[3])
Until additional guidance is issued by the Secretary of Health and Human Services, a Limited Data Set should be used if practicable to accomplish the intended purpose. A Limited Data Set is PHI that does not contain certain direct identifiers of the patient.[4] If use of a Limited Data Set is not practicable, the minimum necessary rule can be relied upon. Always ask, “Am I using or accessing more PHI than I need to?”
A receptionist may open an individual’s file for the purpose of scheduling an appointment but may not read the contents of the file.
A volunteer in a clinic is working on the files of four patients. The volunteer may not access any other patient’s files.
2. Take Steps to Protect PHI
The Privacy Rule requires that individuals working for a covered health care entity safeguard PHI. Some examples of common practices to help protect patients’ PHI are listed below. The Security Rule, which is discussed in detail in Part III, requires additional safeguards for electronic data.
- Keep patient records closed when not in use
- Store PHI in secure/locked locations
- Remove documents from fax machines and copiers immediately
- Place discarded documents in confidential bins for shredding
- Try to prevent others from overhearing your conversation when discussing patients.
3. Know What Uses and Disclosures of PHI Require Spoken Permission and the Opportunity for a Patient to Object
In the following instances, patients must be given the opportunity to object to the use or disclosure of their PHI before the information is used or disclosed:
- Inclusion in patient directories: information can include name, room number, condition and religion
- To those involved in a patient’s care: if the patient does not object, information may be shared with friends, family or others involved in the patient’s care relating to the patient’s location or general condition. (If you are a clinical student, you should confirm with your supervisor that the patient has agreed to allow, or expressed no objection to, disclosures to family members or others.)
4. Know What Uses and Disclosures of PHI Do NOT Require Patient Permission
Many routine uses and disclosures of PHI do not require the patient’s written authorization. No permission is required for individuals to perform the everyday functions of Treatment, Payment, and Health Care Operations, collectively referred to as “TPO.”
- Treatment: patient permission is not required to use or disclose patient information when treating a patient or making arrangements to treat a patient
- Payment: patient permission is not required to use or disclose patient information when creating bills or coordinating billing with a patient’s health insurance company
- Health Care Operations: permission is not required when carrying out operational activities such as training medical or other health professionals, preventing fraud and abuse, meeting licensing and accreditation requirements and conducting quality assurance or health care peer review activities.
Health care providers and staff can also disclose a patient’s PHI without permission for certain public health activities, to authorities when required by law, and for certain employment or workers’ compensation purposes.
5. Know What Uses and Disclosures of PHI Require WRITTEN Permission
In general, all uses and disclosures of PHI other than those listed in subsections 3 and 4 above require written authorization from the patient. Examples of such uses and disclosures include the following:
- Most research activities
- Most marketing & fundraising activities
- Disclosure of psychotherapy notes
- Disclosures to other persons or entities (e.g. patient’s attorney)
If you use PHI for research purposes, you should take the online HIPAA Research Supplement. Individuals seeking to release PHI in connection with marketing and fundraising activities, or relating to psychotherapy, or who need to respond to miscellaneous requests for disclosure to third parties, should contact their Privacy Officer for additional information and training if necessary.
6. Know Patients’ Privacy Rights
The Privacy Rule provides patients with certain rights relating to their PHI. These rights include the following:
- The right to request alternative communications: patients can ask health care providers and staff to contact them in a certain way (e.g. at home as opposed to work);
- The right to look at and obtain copies of their medical and billing records
- The right to ask for changes to medical and billing records
- The right to receive a list of certain disclosures
- The right to request restrictions on how patient information is used and disclosed: Providers and facilities are not required to agree to such requests; individuals must never agree to such restrictions without first obtaining permission from the relevant administrator
- The right to receive a notice of privacy practices (every patient must be given a copy of a Notice of Privacy Practices and you must make reasonable efforts to obtain the patient’s acknowledgment of receipt of such notice)
7. Know the Administrative Rules Covered Health Care Entities Must Follow
The Privacy Rule requires that covered health care entities follow several administrative rules including the following:
- Provide all personnel in its covered departments with basic HIPAA training
- Have procedures in place for complying with the Privacy Rule and the Security Rule
- Have procedures in place for accepting and processing patient privacy complaints. The Notice of Privacy Practices typically instructs patients as to how they can register their complaints
- Impose consequences for personnel who violate the Privacy Rule and the Security Rule
- Appoint one or more HIPAA Privacy Officers.
8. Business Associates Must Also Follow the Privacy Rule
Individuals and businesses that provide a service to a covered health care provider by assisting with treatment, payment or other functions (“Business Associates”) must comply with the Privacy Rule, the Security Rule and the entity’s HIPAA policies and procedures. A UWM unit or department, for example, may act as a Business Associate to an outside entity.
9. Know What to Do in the Event of a Breach (!!!)
A key change under HITECH of 2009 is that breaches of PHI are now covered by rules detailing how a breach must be addressed.
Therefore, any individual working in or for a Covered Department or a Business Associate who suspects that there has been an impermissible acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA should immediately report the circumstances of the suspected breach to the individual’s supervisor and the Privacy Officer for the Covered Department.
The Privacy Officer must then gather the facts about the incident and report the incident to certain university officials, as outlined in the HIPAA Policies and Procedures. Those officials will confer regarding the circumstances of the reported breach and determine appropriate next steps, including the extent of any required investigation and notification to those involved.
III. THE SECURITY RULE
The Security Rule provides additional procedures for safeguarding electronic protected health information (“EPHI”) and preventing access to such confidential information by unauthorized persons. These requirements are in addition to those mandated by the Privacy Rule as detailed above.
The Security Rule defines EPHI as Protected Health Information that is stored or transmitted by electronic media. EPHI includes PHI that is stored on hard drives or portable memory media (disks and CDs) as well as PHI that is transmitted via email or the internet (including faxes and voicemail transmitted in this manner). The Security Rule does not cover conventional faxes or voicemail. It also does not distinguish between data transmitted within a covered entity as opposed to data transmitted outside of it.
The Security Rule requires covered entities to:
- Ensure the confidentiality, integrity, and availability of all EPHI they create, receive, maintain, or transmit;
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted under the Privacy Rule; and
- Ensure compliance with these requirements by individuals in the Health Care Component.
A list of important points relating to the safeguarding of EPHI follows:
1. Know the Applicable Policy and Procedures for Safeguarding EPHI
You must be aware of, and comply with, a covered entity’s policies and procedures on protecting EPHI.
2. Follow Password Procedures
Individuals working within an entity’s covered departments will be required to follow certain password guidelines, which may include, but are not limited to the following:
- All access to EPHI must be password protected (including laptops and PDAs)
- Passwords should not be shared with anyone except in rare instances
- If you must write down your password to remember it, you may be required to place it in a secure location that only you can access. You should not keep it in or on the application or system that is being protected by it.
3. Maintain Workstation Security
You will also be required to follow procedures for maintaining workstation security. Some examples follow:
- EPHI should only be stored on and transmitted to / from devices and locations that have been specifically approved by a designated individual at the covered health care entity
- No network device (e.g. desktop, laptop, printer, network hub and switches, wireless access points, PDAs and portable storage devices) may be connected to any network that provides access to EPHI without prior approval from a designated individual at the covered health care entity
- Workstations used for storage and transmission of EPHI must run an up-to-date virus scanner, have current operating system patches applied, and run an anti-spyware product. They must also be password protected and employ some variety of firewall capabilities or software
- When an EPHI storage device is no longer in use or has reached the end of its life-cycle, all of the data on the device must be removed and/or destroyed. To accomplish this, it is likely that the covered entity will require that the device be returned to the covered entity’s IT department where a software application will be used to ensure that the data is removed from all sectors of the hard drive. Simply deleting the EPHI from the computer is NOT sufficient to remove it completely from the hard drive.
- Steps should be taken to restrict visual access to EPHI to authorized personnel. This may be accomplished by positioning screens to restrict viewing or by using a screen filter. Further, workstations must be configured to log off or produce a password protected “screensaver” after a period of inactivity
- If a workstation is located in a private office, the office must be locked when unoccupied for an extended period of time; all workstations in unlocked locations must employ anti-theft devices.
For additional examples of procedures which may be required by a covered entity to ensure workstation security, please see the University of Wisconsin-Milwaukee HIPAA Security Guidelines: Workstation Use and Security Guideline.
4. Follow Guidelines on Accessing EPHI from External and/or Portable Computing Devices
Significant restrictions will likely be placed on your access to EPHI from external and/or portable computing devices due to security concerns. Before storing EPHI on an external/portable computing device, particularly a device you intend to remove from your work environment, you should consult the covered entity’s policies and procedures for guidance in this area.
Many of the guidelines applicable to workstations are also applicable to external/portable computing devices, including restricting screen visibility, backing up EPHI, safeguarding the device from theft, properly disposing of equipment and using antivirus, firewall and anti-spyware software to the extent possible. Encryption may also be required.
5. Follow Guidelines on the Use of Portable Devices and Media Containing EPHI
Portable devices include, but are not limited to the following:
- Laptop / Tablet / Handheld Computers (PDAs)
- Portable Storage Devices
- External USB Hard Drives
- USB “Thumb” Drives
- External CD Burners, Zip Drives, Floppy Drives
Portable media include, but are not limited to the following:
- Floppy Disks
- Zip Drives
Covered entities should have guidelines on the use of portable devices and media which may include the following protections:
- Access to EPHI on portable media must be protected by a password or other authentication procedure
- All portable devices and media must be approved by a designated individual within the covered health care entity prior to the use of such device or media for storage / transmission of EPHI
- EPHI stored on a laptop, mobile device or other portable media should be encrypted
- All portable media containing EPHI must be safeguarded from theft or loss (for example, laptops should be secured with a cable whenever possible and CDs containing EPHI should be locked in a cabinet)
- All portable media containing EPHI must be marked externally, if possible, as confidential and include contact information for return if lost
- Portable media used for storage must be backed up periodically
- Disposal of portable media containing EPHI must be done in consultation with the individual designated by the covered health care entity.
For additional examples of procedures which may be required by a covered entity relating to the use of portable devices and media containing EPHI, please see the University of Wisconsin-Milwaukee HIPAA Security Guidelines: Portable Devices and Media Guideline.
6. Know When Emailing PHI Is Permitted
PHI should only be sent via email in very limited circumstances. Patients may request that a covered health care provider communicate with them by email, provided that they give their written permission. If you are a health care provider sending email to patients, please review the policies of your particular facility for the procedure to follow. Depending on these policies, you may be allowed to email PHI to health care providers outside of the covered entity if required for treatment purposes. In this case, it is prudent not to include the patient’s name, social security number, or other direct identifiers in the email. Include only initials, birth date, and/or medical record number. Additionally, you may be required to communicate in advance with the receiving health care provider so that they know to expect the email and are able to link the minimally identifiable information to the correct patient.
Email that may contain EPHI should never be set to automatically forward to any external email provider outside of the covered entity’s domain. It is the responsibility of the sender to ensure that they do not inadvertently send EPHI to the wrong email address. Be aware of the auto-fill feature provided in most email programs and double-check the address you are sending your email to prior to sending it.
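The email guidance above (send an outside treating provider only initials, birth date and/or medical record number; never a name, social security number or other direct identifier; never auto-forward outside the covered entity’s domain) together with the minimum necessary principle from Part II can be turned into a pre-send check that a mail gateway or a sending tool runs before a message leaves. The following is an added example written for this page; it is not part of the original training document and not UWM’s own software. The record layout, the covered entity’s mail domain, the identifier patterns and the sample messages are all constructed assumptions.

```python
import re

# Constructed sample patient record; the field names are an assumption for
# this example, not the layout of any real system.
SAMPLE_RECORD = {
    "name": "Jane Q. Doe",
    "ssn": "123-45-6789",
    "email": "jane.doe@example.org",
    "birth_date": "1970-03-14",
    "mrn": "MRN-000123",
}

# The covered entity's own mail domain (assumed value for the example).
COVERED_DOMAIN = "hospital.example"

# Patterns for two of the direct identifiers the Privacy Rule lists
# (social security number and email address).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def minimal_reference(record):
    """Build the patient reference the email guidance permits: initials,
    birth date and medical record number, never the name or SSN."""
    parts = record["name"].replace(".", " ").split()
    initials = "".join(p[0].upper() for p in parts)
    return f"Patient {initials}, DOB {record['birth_date']}, {record['mrn']}"


def find_direct_identifiers(body, record):
    """List the direct identifiers from the record (full name, surname,
    SSN) and any SSN- or email-shaped strings that appear in the body."""
    found = []
    lowered = body.lower()
    if record["name"].lower() in lowered:
        found.append("name")
    surname = record["name"].split()[-1].lower()
    if "name" not in found and re.search(rf"\b{re.escape(surname)}\b", lowered):
        found.append("surname")
    if record["ssn"] in body or SSN_RE.search(body):
        found.append("ssn")
    if EMAIL_RE.search(body):
        found.append("email_address")
    return found


def is_external(address, covered_domain=COVERED_DOMAIN):
    """True when the address lies outside the covered entity's mail domain."""
    return not address.lower().endswith("@" + covered_domain.lower())


def check_outbound_email(recipients, body, record, covered_domain=COVERED_DOMAIN):
    """Pre-send check. Sharing inside the entity is a 'use' and passes;
    a message to an external recipient may only carry the minimal
    reference, so any direct identifier blocks it. Returns (allowed,
    reasons) so the sender can be told why the message was held."""
    reasons = []
    identifiers = find_direct_identifiers(body, record)
    external = [r for r in recipients if is_external(r, covered_domain)]
    if external and identifiers:
        reasons.append(
            f"direct identifiers {identifiers} in message to external recipient(s) {external}"
        )
    if not recipients:
        reasons.append("no recipient")
    return (not reasons, reasons)


def auto_forward_allowed(target_address, covered_domain=COVERED_DOMAIN):
    """A mailbox that may hold EPHI must never auto-forward outside the domain."""
    return not is_external(target_address, covered_domain)


if __name__ == "__main__":
    bad = f"Please see {SAMPLE_RECORD['name']} (SSN {SAMPLE_RECORD['ssn']}) for follow-up."
    good = f"Please see {minimal_reference(SAMPLE_RECORD)} for follow-up; I will call ahead."
    print(check_outbound_email(["dr.smith@clinic.example"], bad, SAMPLE_RECORD))
    print(check_outbound_email(["dr.smith@clinic.example"], good, SAMPLE_RECORD))
    print(auto_forward_allowed("me@webmail.example"))
```

The check deliberately treats an internal recipient differently from an external one, mirroring the use/disclosure distinction in Part II: the same body that is blocked on its way out of the domain is allowed to a colleague inside it. The identifier patterns are a starting point only; a real deployment would cover the full identifier list referenced in footnote 2.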
7. If Using EPHI for Research, Know the Guidelines Governing Its Use
The Security Rule applies to EPHI used for research. Online training specific to HIPAA research issues is available through UWM. If you are using an outside entity’s PHI for research purposes, you will also need to familiarize yourself with that entity’s research policies and procedures. Use of PHI for research will likely require a patient authorization or a waiver of authorization approved by an Institutional Review Board.
IV. CONTACT INFORMATION
If you have any questions on the above or about the privacy and security regulations in general, please contact your Privacy Officer or UWM’s Office of Legal Affairs.
[1] This document is modeled on, and certain sections are drawn directly from, University of Wisconsin – Madison’s HIPAA training materials. We would like to thank the University of Wisconsin – Madison (in particular, Rebecca Hutton) for allowing us the use of its materials.
[2] Please see “University of Wisconsin–Milwaukee HIPAA Policies and Procedures: Section I-2, Requirements for De-Identification” for a list of all identifiers.
[3] Exceptions include release pursuant to a valid authorization or for an individual’s own review; disclosures made to the Secretary of the Department of Health and Human Services for HIPAA compliance and enforcement; and uses and disclosures required by law.
[4] Please see “University of Wisconsin–Milwaukee HIPAA Policies and Procedures: Section J-2, Definition of ‘Limited Data Set’” for a list of all excluded identifiers.