In 2023 we will observe the twentieth anniversary of the publication of the HIPAA Privacy Rules. The HIPAA Privacy Rule, together with the HIPAA Security Rule and the Breach Notification Rule, has certainly been one of the larger regulatory regimes introduced over that time frame, and the scope of the HIPAA Privacy Rules is very broad. So what are some of the most important points for us to ponder these days?
HIPAA Privacy Rules Scope
The first thing to keep in mind is: what do the HIPAA Privacy Rules apply to? The HIPAA vocabulary includes phrases like “individually identifiable information” and “protected health information”. Individually identifiable information includes demographic information as well as other identifiers such as social security numbers or credit card information.
When individually identifiable information includes health information created or maintained by a HIPAA-covered entity, it becomes protected health information (PHI). And information can be in the form of written documentation as well as digital or electronic formats.
HIPAA Privacy Protections: limits on disclosure without patient consent
What types of protections are covered entities (healthcare providers, insurance companies, and healthcare clearinghouses) supposed to provide? The first type of protection is the limits on disclosure without consent from the patient.
In general, PHI can be disclosed without consent in a limited number of circumstances:
- Within covered entities and to other covered entities for treatment, payment, or healthcare operations (TPO). This is actually a very broad provision, which makes it possible to share information that is beneficial to the patient. Other treating providers the patient is visiting can receive PHI. Payors can pay claims promptly. Providers can utilize PHI in reviewing the quality of care in their organizations.
- To law enforcement officials in certain circumstances, mainly related to court orders, warrants, and subpoenas. But watch out for law enforcement officials who ask for information without this type of documentation.
- To the patient. While most providers ask the patient to complete a release of information form, strictly speaking, this is not necessary. Timeliness is important for these requests. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) has fined 38 providers in the past three years for untimely responses to patients’ requests for copies of their medical records. Fines in the first six months of 2022 range from $3,500 to $240,000!
HIPAA Privacy Protections: policies and employee training
Another major category of protection under the HIPAA privacy rule includes privacy policies and employee training.
- Covered entities must have policies and procedures to address the ways they create, maintain, edit and disclose PHI.
- Covered entities must appoint a Privacy Officer, and provide training to all employees and contractors who have contact with PHI.
- Covered entities must create and enforce a sanction policy, detailing the sanctions that may be enforced for violations of the HIPAA Privacy Rules.
The Minimum Necessary Standard
The Minimum Necessary Standard (MNS) is another important part of the HIPAA Privacy Rules. Like many HIPAA provisions, it requires judgment to implement successfully. The MNS requires covered entities to limit uses, disclosures, and requests for disclosure of PHI to the minimum amount necessary to achieve the purpose of the disclosure. For instance, it is not necessary to send portions of the medical record to a payor for the purpose of processing claims for services. It does become necessary to send the portion of the medical record pertinent to a specific claim if the payor requests medical records that support that claim.
Marketing, Fundraising, and HIPAA Privacy Rules
The HIPAA Privacy Rules have very specific guidance about marketing and fundraising. Most marketing activities require prior patient authorization, but there are some exceptions.
- Covered entities may not sell PHI to third parties for marketing purposes without prior patient authorization. “Selling” includes any type of financial remuneration from the third party to the covered entity.
- Covered entities may provide refill reminders and information about therapies or alternative treatments without prior patient authorization.
- Providers may provide information to patients in face-to-face settings, including promotional gifts of nominal value. But make sure the items are really of nominal value so you don’t run afoul of the regulations on gifts to Medicare patients that can be viewed as an inducement to receive services!
- Some fundraising activities require patient authorization, especially when detailed patient information, such as the patient’s name and the dates on which care was provided, is used.
- You may send general fundraising appeals to patients without authorization if no specific information on prior care or treatment is included. Be sure to always include an opt-out provision for patients – and then make sure your systems can execute the opt-out option!
What actions should I take now?
First, recognize the issues discussed above only scratch the surface of the scope of the HIPAA Privacy Rules. Download a copy of the full set of Privacy, Security, and Breach Notification rules from the OCR website. Refer to them whenever you have a question about what the rules actually say.
HIPAA Rules are NOT a “no-harm, no foul” situation.
The OCR has sanctioned many covered entities for not protecting the privacy of their PHI, and fines are levied even if no unauthorized disclosures have ever been confirmed. Lost laptops with unencrypted PHI, successful “phishing” expeditions that exposed PHI to hackers, and other similar situations happen almost continuously, and the OCR has imposed fines in many of them despite there being no confirmed unauthorized disclosure of PHI.
One easy step to take is to download a HIPAA Compliance Audit Checklist. Resources such as this can help you update your policies and practices. But do it before you have a breach with unauthorized disclosures that you have to report to the OCR!