HIPAA Privacy Rule
Note to Members: This notice is not the same as your health plan’s Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Notice of Privacy Practices, which describes in detail how your health plan uses and discloses your individually identifiable health information. Your health plan has a Notice of Privacy Practices, which includes policies for use and disclosure of your information, including information that you provide to Papa. This is managed by your health plan, not by Papa, so we aren’t able to let you know of changes or updates. If you would like to read a copy of your health plan’s Notice of Privacy Practices, please ask your plan for a copy.
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164. The following is a summary of key elements of the Privacy Rule and not a complete or comprehensive guide to compliance. Entities regulated by the Rule are obligated to comply with all of its applicable requirements and should not rely on this summary as a source of legal information or advice.
What Information is Protected
The Privacy Rule protects all “individually identifiable health information” held or transmitted by Papa or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).” “Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
The Privacy Rule excludes from protected health information employment records that Papa maintains in its capacity as an employer.
A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by Papa. Papa MUST not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
Papa must disclose protected health information in only two situations: (a) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and (b) to HHS when it is undertaking a compliance investigation, compliance review, or an enforcement action.
Permitted Uses and Disclosures
Papa is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations.
Example HIPAA Violations
- Accessing health information of coworkers, family members, politicians and celebrities
- Throwing PHI into the trash – All PHI material MUST be placed in a secure shredder
- Leaving doors that lead to PHI material open or unlocked
- Sharing patient information with unauthorized persons
- Telling friends or relatives about patients who use Papa services
- Sending or receiving PHI unsecured
- Discussing PHI in the elevator, the break room, and lobbies
- Failing to log off computer systems containing patient or confidential information
Non-Compliance with HIPAA Regulations Can Result in
Penalties for civil violations:
| HIPAA violation | Penalty range |
|---|---|
| Unknowing | $100 – $50,000 per violation, with an annual maximum of $25,000 for repeat violations |
| Reasonable Cause | $1,000 – $50,000 per violation, with an annual maximum of $100,000 for repeat violations |
| Willful neglect, but the violation is corrected within the required time period | $10,000 – $50,000 per violation, with an annual maximum of $250,000 for repeat violations |
| Willful neglect, and the violation is not corrected within the required time period | $50,000 per violation, with an annual maximum of $1.5 million |
Penalties for criminal violations:
The DOJ handles criminal violations of HIPAA. As with the HIPAA civil penalties, there are different levels of severity for criminal violations:
- Covered entities (Papa) and specified individuals, as explained below, who “knowingly” obtain or disclose individually identifiable health information, in violation of the Administrative Simplification Regulations, face a fine of up to $50,000, as well as imprisonment up to 1 year
- Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to 5 years in prison
- Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm permit fines of $250,000 and imprisonment up to 10 years
If an employee sees another staff member misusing PHI, the incident MUST be reported to Papa’s Compliance Dept. or through Papa’s Ethics and Conduct Reporting platform.
Two Main Principles Govern the HIPAA Regulations
1. Need-to-Know – What information do you need to know to do your job?
Example: A Papa employee wants to send a birthday card to a coworker but is not sure of the exact date. The employee knows the coworker has used the Papa service because the coworker mentioned it in a previous conversation. The employee has access to the Papa Admin Platform, which contains member information, and wants to look up the coworker’s birthdate there. The employee does NOT have an official or professional need to know the coworker’s birthdate and MUST not get it from the system.
2. Minimum Necessary – Individuals should only access, use, or disclose the health information that is minimally necessary to accomplish a given task or purpose. Are you using, requesting, or sharing too much PHI to complete the job?
Example: To submit a claim for reimbursement, a billing person needs to view the patient’s current consultation information but does not need the entire patient history. Therefore, the patient’s current consultation information alone is the minimum amount of PHI necessary for the billing person to complete the task.
Things to Remember
- There are consequences for non-compliant behavior
- Only access or share the Minimum Amount Necessary
- Immediately report a privacy issue, fraud or breach to Papa’s compliance department or use the Ethics and Conduct Reporting platform
- Know the names of the individuals in Papa’s compliance department and how to contact them
- All generated healthcare documentation MUST be factual and accurate
HIPAA regulations also include a Security Rule. Effective on April 21, 2005, the Security Rule set the standard to ensure the privacy of electronic protected health information. Papa has implemented the requirements of the Rule and continually monitors and manages the required security controls.