HIPAA Privacy Rule: Records Management Implications for Health-Related Organizations
This document is intended as a discussion of records management implications of HIPAA, not a comprehensive list of records management compliance requirements. The following information should not be relied upon as legal advice. Please consult legal and records management experts before developing and implementing a records management program for your organization.
Citation

Health Insurance Portability and Accountability Act of 1996 - PL 104-191 Standards for Privacy of Individually Identifiable Health Information - 45 CFR Parts 160 and 164

Background

The Final Privacy Rule promulgated under HIPAA was released by the Department of Health and Human Services on August 9, 2002 and published on August 14, 2002.

Who is Affected

The individuals and entities regulated by this Rule - referred to as Covered Entities - are health-related organizations that include, but are not limited to:
  • A health plan (which may include insured and self-insured plans, health care vendors and HMOs, private sector plans, most church plans, most government plans such as Medicare, Medicaid and Federal Employer's plans, medical, dental and vision plans, long-term care plans, health FSAs and certain EAPs).
  • A health care clearinghouse, which may include medical billing service providers.
  • A health care provider who transmits any healthcare information in electronic form in connection with a covered transaction (as defined in the Rule).
  • Business Associates (subcontractors of Covered Entities who have access to or are processing individually identifiable health information), such as their accountants and attorneys.
What it Means

The Final Privacy Rule limits the use and disclosure of individually identifiable health information, including certain subsets of such information. This includes health information that:
  • Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  • Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
All medical records and other individually identifiable information are covered regardless of format (for example, electronic, paper, or oral). Use and disclosure of such information requires consent or authorization from the patient and is subject to certain other exclusions.

Covered entities must proactively safeguard individually identifiable health and healthcare-related information. Use and disclosure of protected health information:
  • is permitted for treatment, payment, and healthcare operations
  • is prohibited for all other purposes without explicit written permission from the individual

Covered entities must implement policies and procedures related to information access to:
  • identify the members of the workforce who need access to protected health information to carry out their duties
  • identify the categories of protected health information to which those workforce members need access, as well as the conditions for access
  • limit access to only the identified workforce members and to the required information

Covered entities must implement policies and procedures related to information disclosure:
  • For routine, recurring disclosures - permit only the disclosure of the "minimum necessary" protected health information reasonably needed to achieve the purpose of the disclosure
  • For non-routine disclosures - develop reasonable criteria for determining, and limiting the disclosure to, only the minimum amount of protected health information necessary to accomplish the purpose of the disclosure, and establish and implement procedures for reviewing such requests on an individual basis in accordance with the criteria

Covered entities are required to obtain an individual's written consent to use and disclose protected information for the following primary purposes:
  • Marketing
  • Fundraising
  • Underwriting

Covered entities must implement policies and procedures related to the use and disclosure of protected information that reasonably verify the identity and authority of the requestor where the covered entity does not know the person requesting the protected health information, including taking reasonable steps to verify that the request is lawful.

The Privacy Rule of HIPAA may be pre-empted by State law if State law is more restrictive or more stringent than the Privacy Rule.

Records Management Implications

Covered entities must ensure that their records management programs support the requirements of HIPAA.

All Formats
Covered entities must ensure that all records, regardless of format, are managed as part of their official records management programs. All records—paper, micrographic, electronic or other—must be included as part of a comprehensive records management program. If a third party, such as Iron Mountain, is engaged as the records management provider, then the Covered Entity is required to enter into a Business Associate Agreement with that provider.

Access
Records management programs must ensure that access to records is properly controlled for HIPAA compliance. The program must include a way to identify protected health information and, for that information:
  • Identify who may access that information
  • Identify the conditions of access for the identified individuals
  • Limit access to that information only to the identified individuals under the prescribed conditions