HIPAA
Contents
- Overview
- Patient Protections
- Health Plans and Providers
- Outreach and Enforcement
- Introduction
- Statutory & Regulatory Background
- Who Is Covered by The Privacy Rule
- Definitions
- Business Associates
- What Information Is Protected
- General Principle for Uses and Disclosures
- Permitted Uses and Disclosures
- Authorized Uses and Disclosures
- Limiting Uses and Disclosures to the Minimum Necessary
- Notice and Other Individual Rights
- Administrative Requirements
- Organizational Options
- Other Provisions: Personal Representatives and Minors’ Personal Representatives
- State Law
- Enforcement and Penalties for Noncompliance
- Compliance Dates
- Copies of the Rule & Related Materials
- Incidental Uses and Disclosures
- Minimum Necessary
- Personal Representatives
- Business Associates
- Uses and Disclosures for Treatment, Payment, and Health Care Operations
- Marketing
- Disclosures For Public Health Activities
- Research
- Disclosures For Workers’ Compensation Purposes
- Notice of Privacy Practice For Protected Health Information
- Restrictions on Government Access to Health Information
- Overview
- Implementation Plan
- Standards Adoption Process
- Public and Private Sector Input into the Standards Development Process
- Implementation Schedule
- Understanding CMS’s Compliance Policy
- What Is a Contingency Plan?
- Steps For Contingency Planning
- Health Plan Responsibilities
- Review Your Good Faith Efforts to Comply
- General Approach
- Specific Requirements
- Guidance on Compliance with HIPAA Transactions and Code Sets
- After the October 16, 2003 Implementation Deadline
- Enforcement Approach
- Working Toward Compliance
- HIPAA Administrative Simplification Compliance Act (ASCA)
- Electronic Transaction Standards
- Code Set Standards
- What Is a Code Set
- What Code Sets Have Been Adopted as HIPAA Standards?
- HIPAA: In General
- Privacy Rule: General Topics
- Protected Health Information
- Preemption of State Law
- Covered Entities
- Compliance Dates
- Minimum Necessary
- Business Associates
- Treatment/Payment/Health Care Operations
- Right to Access Medical Records
- Complaints
- Right to an Accounting of Disclosures
- Incidental Uses and Disclosures
- Public Health Uses and Disclosures
- Facility Directories
- Disclosure to Family and Friends
- Disclosures Required by Law
- Disclosures for Rule Enforcement
- Disclosures for Law Enforcement Purposes
- Authorizations
- Marketing Uses and Disclosures
- Workers’ Compensation Disclosures
- Notice of Privacy Practices
- Personal Reps/Parents and Minors
- Limited Data Set
- Research Uses and Disclosures
- Transition Provision
APPENDIX A: NOTICE OF PRIVACY PRACTICES
APPENDIX B: SAMPLE BUSINESS ASSOCIATE CONTRACT
APPENDIX C: HOW TO FILE A HEALTH INFORMATION PRIVACY COMPLAINT WITH THE OFFICE FOR CIVIL RIGHTS
Learning Objectives
After completion of the course, you will be able to:
- List 5 things that the HIPAA Privacy Rule requires the average provider or health plan to do.
- Describe how the HIPAA Privacy Rule protects individuals’ medical records and other personal health information.
- Explain which entities are covered by the Privacy Rule by following decision trees.
- Define business associate, provide several examples of business associates, and frame a business associate contract.
- Discuss six permitted uses and disclosures of protected health information.
- Define the HIPAA Privacy Rule’s minimum necessary standard and its application in the use and disclosure of protected health information.
- Explain the right of access to the protected health information afforded to patients under the HIPAA Privacy Rule.
- Explain the right to amend the protected health information afforded to patients under the HIPAA Privacy Rule.
- Explain the right to an accounting of disclosures of protected health information afforded to patients under the HIPAA Privacy Rule.
- Discuss various situations where incidental uses and disclosures of protected health information are permitted under the Privacy Rule.
- Provide examples of reasonable safeguards a covered entity must implement to limit incidental, and avoid prohibited, uses and disclosures of protected health information.
- Explain how a covered entity can disclose protected health information to a public health authority and comply with the requirement to provide individuals with an accounting for disclosures.
- Define marketing and distinguish between what is marketing and what is not marketing under the HIPAA Privacy Rule.
- Discuss situations when an authorization is required from the patient before a provider or health plan can engage in marketing to that individual.
- Distinguish between activities for treatment or health care operations versus marketing activities.
- Identify two circumstances when a patient’s prior authorization is required for the use and disclosure of protected health information for marketing.
- Discuss how the Privacy Rule works with respect to disclosures for workers’ compensation.
- Discuss the requirement of limited data set.
- Discuss the use and disclosure of limited data set to a business associate under the HIPAA Privacy Rule.
- Discuss the right provided by the Privacy Rule to individuals to receive a notice of privacy practices for protected health information, and specify the content of the notice.
- Identify three entities who are not required to develop a notice of privacy practices.
- Identify individuals and circumstances under which these individuals can have access to protected health information of minors or other individuals.
- Explain the application of HIPAA Privacy Rule in research uses and disclosures of protected health information.
- Discuss the implementation of administrative simplification requirements by HHS.