A covered entity may use and disclose PHI for a number of different purposes and stay in compliance with HIPAA permitted uses and disclosures. It is always permitted to use and disclose PHI for treatment, payment and health care operations.
Sharing PHI for Treatment
Keep in mind that HIPAA was written not only to protect PHI but also to assist treatment providers in caring for the patient without requiring patient authorization to share their PHI. For example, it is permissible to share PHI with health care providers who will treat the patient in their office or after hospital discharge. The sharing may be done electronically and must be done in a manner that is compliant with the Security Rule.
We now see the need to share data with health care providers for purposes of care coordination. This activity didn’t exist when HIPAA was written but is now required by CMS and is part of a treatment plan. A health care provider may disclose PHI to another provider for this treatment purpose without patient authorization.
Increase in Number of Breaches
The Office for Civil Rights has reported a consistent increase in the number of breaches over the last few months. There were a total of 41 breaches in April, affecting a greater number of people than in previous months. The breaches affected a total of 894,874 records.
Unauthorized Access a Cause of Breaches
The healthcare industry continues to be a big target for hackers. Despite this, the biggest cause of breaches was unauthorized access/disclosure incidents. It is likely that cyber security defenses have been effective in preventing hackers from gaining access to data.
Phishing is a Problem
One main cause of healthcare breaches in April was phishing attacks. It appears that nine breaches resulting from successful phishing attacks were reported in April. It will be important in the future to improve technology to prevent phishing emails from being delivered to the inboxes of healthcare workers.
The Office for Civil Rights (OCR) issued a bulletin on November 10, 2014 on “HIPAA Privacy in Emergency Situations.” The stated purpose of the bulletin is to ensure that covered entities and their business associates know how protected health information may be shared during an emergency, and that the privacy protections are not suspended during emergencies. OCR issued the bulletin in part due to the recent Ebola outbreak.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has developed guidance to assist covered entities in understanding how the decision by the Supreme Court in United States v. Windsor may affect certain parts of their HIPAA Privacy Rule obligations.
Spouses Often Play an Integral Role in a Patient’s Health
The HIPAA Privacy Rule recognizes that family members, such as spouses, often play an integral role in a patient’s health care. For example, the Privacy Rule allows covered entities to share information about the patient’s care with family members in various circumstances.
In addition, the Privacy Rule provides protections against the use of genetic information about the individual, which includes certain information about family members of the individual, for underwriting purposes.
OCR’s guidance on HIPAA and Same-sex Marriage addresses the effect of the 2013 Supreme Court decision regarding the Defense of Marriage Act (DOMA) on these provisions, making clear that spouses include both same-sex and opposite-sex individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage.
Anesthesia Compliance Consultants has summarized the major provisions of the HIPAA Omnibus Rule, which will be effective March 26, 2013, with a compliance date of September 23, 2013. This will affect anesthesia practices in many ways.
1. Final modifications to HIPAA
- Make business associates of covered entities directly liable for compliance with HIPAA Privacy and Security Rules’ requirements.
- Strengthen the limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes, and prohibit the sale of PHI without individual authorization.
- Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
- Require modifications to, and redistribution of, a covered entity’s notice of privacy practices.
- Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
- Adopt the additional HITECH Act enhancements to the Enforcement Rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
The Office for Civil Rights announced a settlement of potential violations of the HIPAA and Breach Notification Rules on December 27, 2013 with Adult & Pediatric Dermatology, P.C., of Concord, Mass. (AP Derm).
AP Derm settled potential violations with the OCR for a $150,000 payment and a corrective action plan. AP Derm is a private dermatology practice with four locations in Massachusetts and two in New Hampshire.