All nursing facilities that conduct electronic transactions governed by HIPAA are required to comply with HIPAA’s privacy laws, and the OIG has identified this as a risk area in its 2008 Supplemental Guidance for nursing facilities. In this section of our compliance guidance, we focus primarily on the protection of “protected health information” or “PHI” by nursing facilities. We provide a general overview of the applicable HIPAA privacy requirements first, followed by a discussion of the new HITECH Act requirements, which were enacted by Congress in February 2009. At the conclusion of this section, we provide links to a body of HIPAA work, including sample policies and procedures and related privacy tools, developed by a committee of providers established by the American Health Care Association.
HIPAA PRIVACY RULE REQUIREMENTS
General Principle for Uses and Disclosures: The Privacy Rule defines and limits the circumstances in which an individual’s protected health information may be used or disclosed by covered entities.
Permitted Uses and Disclosures. A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:
To the Individual. A covered entity may disclose protected health information (“PHI”) to the individual who is the subject of the information.
Treatment, Payment, Health Care Operations. A covered entity may use and disclose PHI for its own treatment, payment, and health care operations activities.
Uses and Disclosures with Opportunity to Agree or Object. Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object. Where the individual is incapacitated, in an emergency situation, or not available, covered entities generally may use professional judgment to determine whether the use or disclosure would be in the best interests of the individual.
Public Interest and Benefit Activities. The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes, including:
Required by Law. Covered entities may use and disclose PHI without individual authorization as required by law (including by statute, regulation, or court orders).
Public Health Activities. Covered entities may disclose PHI to public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability and to public health or other government authorities authorized to receive reports of child abuse and neglect.
Victims of Abuse, Neglect or Domestic Violence. In certain circumstances, covered entities may disclose PHI to appropriate government authorities regarding victims of abuse, neglect, or domestic violence.
Judicial and Administrative Proceedings. Covered entities may disclose PHI in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal, or in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided.
Also: Health Oversight Activities; Law Enforcement Purposes; Decedents; Cadaveric Organ, Eye, or Tissue Donation; Research; Serious Threat to Health or Safety; Essential Government Functions; and Workers’ Compensation.
Administrative Requirements
Privacy Policies and Procedures. A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule. A covered entity also must designate a privacy official and a contact for receiving complaints and providing individuals with information on the covered entity’s privacy practices.
Workforce Training and Management. A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions.
Mitigation. A covered entity must mitigate, to the extent practicable, any harmful effect caused by wrongful use or disclosure of PHI by its workforce or its business associates.
Data Safeguards. A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule.
Retaliation and Waiver. A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule.
Documentation and Record Retention. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.
Authorized Uses and Disclosures
Authorization. A covered entity must obtain the individual’s written authorization for any use or disclosure of PHI that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.
Psychotherapy Notes. A covered entity must obtain an individual’s authorization to use or disclose psychotherapy notes with the following exceptions:
- The covered entity who originated the notes may use them for treatment.
- A covered entity may use or disclose psychotherapy notes, without an individual’s authorization, for its own training; to defend itself in legal proceedings brought by the individual; for HHS to investigate or determine the covered entity’s compliance with the Privacy Rule; to avert a serious and imminent threat to public health or safety; to a health oversight agency for lawful oversight of the originator of the psychotherapy notes; for the lawful activities of a coroner or medical examiner; or as required by law.
Notice and Other Individual Rights
- Privacy Practices Notice. Each covered entity, with certain exceptions, must provide a notice of its privacy practices. A covered health care provider with a direct treatment relationship with individuals must make a good faith effort to obtain written acknowledgement from patients of receipt of the privacy notice.
- Access. Except in certain circumstances, individuals have the right to review and obtain a copy of their PHI in a covered entity’s designated record set. Covered entities may impose reasonable, cost-based fees for the cost of copying and postage.
- Amendment. The Rule gives individuals the right to have covered entities amend their PHI in a designated record set when that information is inaccurate or incomplete.
- Disclosure Accounting. Individuals have a right to an accounting of the disclosures of their PHI by a covered entity or the covered entity’s business associates. The Privacy Rule does not require accounting for disclosures under certain circumstances, including: (a) for treatment, payment, or health care operations; (b) to the individual or the individual’s personal representative; and (c) pursuant to an authorization.
- Restriction Request. Individuals have the right to request that a covered entity restrict use or disclosure of PHI for treatment, payment or health care operations, disclosure to persons involved in the individual’s health care or payment for health care, or disclosure to notify family members or others about the individual’s general condition, location, or death.
Business Associates
Business Associate Defined. A person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of protected health information.
Business Associate Contract. The Privacy Rule requires that the covered entity include certain protections for the information in a business associate agreement.
HIPAA SECURITY RULE REQUIREMENTS
General Principle: The Security Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to protect the confidentiality of electronic PHI. The standards are delineated into either required or addressable implementation specifications.
Required Specifications. The covered entity must implement policies and/or procedures that meet the requirements of these implementation specifications.
Addressable Specifications. The covered entity must assess whether the addressable specification is a reasonable and appropriate safeguard in the entity’s environment. If the entity chooses not to implement an addressable requirement, its analysis and reasoning must be documented.
Overview of the Compliance Process. In order to comply with the Security Rule, the following analytical approach may be useful.
Assess: The entity should assess its current data security features and potentials for unauthorized access and disclosure of electronic PHI.
Evaluate: The entity should evaluate potential security measures that could be added to address the risks identified in its assessment. The evaluation should consider the nature and size of the organization to determine if an addressable specification is reasonable and appropriate for the organization. Cost is an important, but not necessarily determinative, factor.
Implement: The entity must implement security measures and solutions that are reasonable and appropriate for the organization.
Document: The entity must document its analysis, decisions, and rationale.
Review: The entity should regularly review its security measures to determine whether any updates are necessary.
Enforcement. As of August 2009, the Security Rule is being enforced by the Office of Civil Rights, which also enforces the Privacy Rule.