Understanding Our Role with HIPAA's Privacy Rule

HIPAA’s Privacy Rule: The Health Insurance Portability and Accountability Act (HIPAA)

Pay close attention to the areas in italics, and come back for a question related to this topic on Friday!

a. Covered Entities: HIPAA regulations apply to “covered entities,” which include health care providers, health plans, and health care clearinghouses. As defined in HIPAA, “health care” includes counseling for mental conditions and a “health care provider” is any person who furnishes, bills, or is paid for health care in the regular course of their business. 

b. Authorization: The Privacy Rule states that a written authorization from the patient is required before a provider discloses PHI except when the information is being disclosed for routine purposes related to treatment, payment, or health care operations (“TPO”) or in other legally defined situations (e.g., when disclosure is necessary to avert a serious threat to the health or safety of the patient or other person). The authorization must include a description of the information to be disclosed; indicate the name and function of the person/entity authorized to use the information; indicate the expiration date of the authorization; and include a statement informing the patient of his/her right to receive a copy of the authorization and to revoke it.

c. Patient Rights: The Privacy Rule grants patients the following rights:

• The Right to Inspect and Receive a Copy of Their PHI: For the most part, HIPAA regulations regarding a patient’s right to inspect and receive a copy of his or her health information are similar to the requirements of California law. One difference is that HIPAA regulations for denying access generally preempt California law because HIPAA provides more stringent standards – i.e., HIPAA provides patients with greater access to and control over their health information. HIPAA also distinguishes between circumstances in which a patient does and does not have the right to request a review of a denial of access. For example, a patient has the right to request a review when the provider denied access because he/she believes that providing the information “is reasonably likely to endanger the life or physical safety” of the patient or other person. In contrast, a patient does not have the right to request a review when the PHI was obtained from someone other than the provider under a promise of confidentiality.

• The Right to Amend Their PHI: Under HIPAA, patients have the right to request an amendment of their PHI if they believe it is incorrect, but a provider may deny a patient’s request for reasons specified in the Privacy Rule. If the request is denied, the patient must be given a written statement that explains the reason for the denial, informs the patient of his/her right to file a statement of disagreement, and describes the procedures for filing a complaint with the provider or the Department of Health and Human Services. If the provider accepts the requested amendment, he or she must add it to the patient’s record, inform the patient that the amendment has been made and, as appropriate, provide the amendment to people who have previously received the information covered by the amendment.

• The Right to Receive an Accounting of Disclosures of Their PHI: The Privacy Rule grants patients the right to request an accounting of disclosures to third parties made during the six-year period prior to the request. This requirement applies to only certain types of disclosures, however. For example, it does not apply to uses of PHI for the purposes of TPO but does apply to disclosures to public health authorities, health oversight agencies, and researchers.

• The Right to Request Restrictions on Disclosures of Their PHI: Patients also have the right to request restrictions on how their PHI will be used or disclosed (e.g., they may request that specific information not be provided to a particular third party). However, the health care provider may choose whether or not to agree with the request.

• The Right to Request Confidential Communications: The Privacy Rule grants patients the right to request that a provider communicate with them about their health care in a certain way or in certain locations – e.g., to call the patient at home only or to send mail to a post office box rather than a street address.

• The Right to Receive a Notice of Privacy Practices: Therapists are required to provide patients with a written Notice of Privacy Practices (NPP) on or before the beginning of treatment that informs patients of their rights and indicates how health information may be used and disclosed. The NPP must also be posted in a prominent place in the therapist’s office, and the therapist must make a “good faith effort” to obtain the patient’s written acknowledgement of receipt of the notice. Note that the NPP is not a substitute for an informed consent.
