Smaller Providers and Businesses

Most health plans and health care providers that are covered by the new Rule must comply with the new requirements by April 14, 2003.

For the average health care provider or health plan, the Privacy Rule requires activities

As required by Congress in HIPAA, the Privacy Rule covers health plans, health care providers and health care clearinghouses.

As Congress required in HIPAA, most covered entities had until April 14, 2003 to come into compliance with these standards, as modified by the August, 2002 final Rule. Small health plans had an additional year – until April 14, 2004 – to come into compliance.

Under HIPAA, HHS has the authority to modify the privacy standards as the Secretary may deem appropriate. However, a standard can be modified only once in a 12-month period.

Yes. The HIPAA Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. Provisions of this Rule requiring covered entities to implement reasonable safeguards that reflect their particular circumstances and exempting treatment disclosures from certain requirements are intended to ensure that providers’ primary consideration is the appropriate treatment of their patients.

The Privacy Rule does not require these types of structural changes be made to facilities.

Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care.

Yes. Covered entities, such as physician’s offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited.

No. The HIPAA Privacy Rule does not prohibit covered entities from engaging in common and important health care practices; nor does it specify the specific measures that must be applied to protect an individual’s privacy while engaging in these practices.

Yes, the Privacy Rule permits this practice as long as the clinic takes reasonable and appropriate measures to protect the patient’s privacy.

Disclosures of protected health information in a group therapy setting are treatment disclosures and, thus, may be made without an individual’s authorization.

The Privacy Rule includes a specific exception from the accounting standard for incidental disclosures permitted by the Rule. See 45 CFR 164.528(a)(1).

The provisions apply universally to incidental uses and disclosures that result from any use or disclosure permitted under the Privacy Rule, and not just to incidental uses and disclosures resulting from treatment communications, or only to communications among health care providers or other medical staff.

The HIPAA Privacy Rule does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards.

The HIPAA Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for protected health information to the minimum necessary to accomplish the intended purpose.

Disclosures for treatment purposes (including requests for disclosures) between health care providers are explicitly exempted from the minimum necessary requirements.

The definition of “health care operations” in the Privacy Rule provides for “conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers.”

No. Uses and disclosures that are authorized by the individual are exempt from the minimum necessary requirements.

No. These disclosures must be authorized by an individual and, therefore, are exempt from the HIPAA Privacy Rule’s minimum necessary requirements.

Because the Privacy Rule exempts from the minimum necessary standard any uses or disclosures that are required for compliance with the applicable requirements of the transactions standards, including disclosures of all data elements that are required or situationally required in those transactions.

No. The Privacy Rule does not prohibit the use, disclosure, or request of an entire medical record; and a covered entity may use, disclose, or request an entire medical record without a case-by-case justification, if the covered entity has documented in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes.

Yes, the Privacy Rule permits a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment.

No. The basic standard for minimum necessary uses requires that covered entities make reasonable efforts to limit access to protected health information to those in the workforce that need access based on their roles in the covered entity.

Covered entities are required to apply the minimum necessary standard to their own requests for protected health information.

No. Nothing in the Privacy Rule changes the way in which an individual grants another person power of attorney for health care decisions.

Yes, an individual that has been given a health care power of attorney will have the right to access the medical records of the individual related to such representation to the extent permitted by the HIPAA Privacy Rule at 45 CFR 164.524. However, when a physician or other covered entity reasonably believes that an individual, including an unemancipated minor, has been or may be subjected to domestic violence, abuse or neglect by the personal representative, or that treating a person as an individual’s personal representative could endanger the individual, the covered entity may choose not to treat that person as the individual’s personal representative, if in the exercise of professional judgment, doing so would not be in the best interests of the individual.

The HIPAA Privacy Rule treats an adult or emancipated minor’s personal representative as the individual for purposes of the Rule regarding the health care matters that relate to the representation, including the right of access under 45 CFR 164.524.

The HIPAA Privacy Rule recognizes that a deceased individual’s protected health information may be relevant to a family member’s health care.

Generally, no. The Rule defers to State and other laws that address the fitness of a person to act on an individual’s behalf.

No. Except with respect to decedents, a covered entity must treat a personal representative as the individual only when that person has authority under other law to act on the individual’s behalf on matters related to health care.

State or other law determines who is authorized to act on an individual’s behalf, thus the Privacy Rule does not address how personal representatives should be identified.

Yes, the Privacy Rule generally allows a parent to have access to the medical records about his or her child, as his or her minor child’s personal representative when such access is not inconsistent with State or other law.

Generally, yes. Even though the parent did not consent to the treatment in this situation, the parent would be the child’s personal representative under the HIPAA Privacy Rule.

No. The Privacy Rule does not address consent to treatment, nor does it preempt or change State or other laws that address consent to treatment.

The HIPAA Privacy Rule would defer to State or other applicable law that addresses the disclosure of health information to a parent about a minor child.

The HIPAA Privacy Rule requires covered entities to enter into written contracts or other arrangements with business associates which protect the privacy of protected health information; but covered entities are not required to monitor or oversee the means by which their business associates carry out privacy safeguards or the extent to which the business associate abides by the privacy requirements of the contract.

No. A covered entity is required to enter into a contract or other written arrangement with a business associate that meets the requirements at 45 CFR 164.504(e).

No. Disclosures from a covered entity to a researcher for research purposes do not require a business associate contract, even in those instances where the covered entity has hired the researcher to perform research on the covered entity’s own behalf.

The HIPAA Privacy Rule explicitly excludes from the business associate requirements disclosures by a covered entity to a health care provider for treatment purposes. See 45 CFR 164.502(e)(1).

Yes. If the HIPAA Privacy Rule permits a covered entity to share protected health information with another covered entity, the covered entity is permitted to make the disclosure directly to a business associate acting on behalf of that other covered entity.

No. Covered entities that participate in an OHCA are permitted to share protected health information for the joint health care activities of the OHCA without entering into business associate contracts with each other. Of course, each such entity is independently required to observe its obligations under the HIPAA Privacy Rule with respect to protected health information.

A business associate contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.

No, the Privacy Rule does not require a covered entity to enter into business associate contracts with organizations, such as the US Postal Service, certain private couriers and their electronic equivalents that act merely as conduits for protected health information.

The Privacy Rule regulates covered entities, not business associates. he Rule requires covered entities to include specific provisions in agreements with business associates to safeguard protected health information, and addresses how covered entities may share this information with business associates.

No. The hospital and such physicians participate in what the HIPAA Privacy Rule defines as an organized health care arrangement (OHCA).

Yes. A data use agreement can be combined with a business associate agreement into a single agreement that meets the requirements of both provisions of the HIPAA Privacy Rule.

No. Where a covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function, the covered entity satisfies the Rule’s requirements that it obtain satisfactory assurances from its business associate with the data use agreement.

A covered entity’s contract with a business associate may not authorize the business associate to use or further disclose the information in a manner that would violate the HIPAA Privacy Rule if done by the covered entity.

Generally, providers are not business associates of payers. For example, if a provider is a member of a health plan network and the only relationship between the health plan (payer) and the provider is one where the provider submits claims for payment to the plan, then the provider is not a business associate of the health plan.

Generally, no. A reinsurer does not become a business associate of a health plan simply by selling a reinsurance policy to a health plan and paying claims under the reinsurance policy.

The mere selling or providing of software to a covered entity does not give rise to a business associate relationship if the vendor does not have access to the protected health information of the covered entity.

The Privacy Rule relates to uses and disclosures of protected health information, not to whether a patient consents to the health care itself. As such, the Privacy Rule does not affect informed consent for treatment, which is addressed by State law.

The pharmacist is using the protected health information for treatment purposes, and the HIPAA Privacy Rule does not require covered entities to obtain an individual’s consent prior to using or disclosing protected health information about him or her for treatment, payment, or health care operations.

Yes. The HIPAA Privacy Rule does not require covered entities to obtain an individual’s consent prior to using or disclosing protected health information about him or her for treatment, payment, or health care operations.

Consulting with another health care provider about a patient is within the HIPAA Privacy Rule’s definition of “treatment” and, therefore, is permissible.

A pharmacist may provide advice to customers about over-the-counter medicines.

A pharmacist may use professional judgment and experience with common practice to make reasonable inferences of the patient’s best interest in allowing a person, other that the patient, to pick up a prescription.

The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations.

The HIPAA Privacy Rule permits a provider to disclose protected health information to a health plan for the quality-related health care operations of the health plan, provided that the health plan has or had a relationship with the individual who is the subject of the information, and the protected health information requested pertains to the relationship.

Yes. The Privacy Rule permits a covered entity, or a business associate acting on behalf of a covered entity (e.g., a collection agency), to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made.

No. The Privacy Rule’s definition of “payment” includes disclosures to consumer reporting agencies.

The Privacy Rule permits covered entities to continue to use the services of debt collection agencies.

The disclosure of protected health information by an eye doctor to a distributor of contact lenses for the purpose of confirming a contact lens prescription is a treatment disclosure, and is permitted under the Privacy Rule at 45 CFR 164.506.

The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment of the individual. See 45 CFR 164.506 and the definition of “treatment” at 45 CFR 164.501.

The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment or payment purposes, as well as to another covered entity for certain health care operations of that entity.

Yes. The HIPAA Privacy Rule permits an ambulance service or other health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider, such as a hospital, for that provider’s treatment of the individual. See 45 CFR 164.506 and the definition of “treatment” at 45 CFR 164.501.

The HIPAA Privacy Rule expressly requires an authorization for uses or disclosures of protected health information for ALL marketing communications, except in two circumstances:

The overlap among common usages of the terms “treatment,” “healthcare operations,” and “marketing” is unavoidable.

Generally, no. To the extent the disease management or wellness program is operated by the covered entity directly or by a business associate, communications about such programs are not marketing because they are about the covered entity’s own health-related services.

No. The HIPAA Privacy Rule excludes from the definition of “marketing” communications made to describe a covered entity’s health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication.

The HIPAA Privacy Rule excludes from the definition of “marketing,” communications by a covered entity to describe the entities participating in a health care provider network or a health plan network.

No. The HIPAA Privacy Rule excludes from the definition of “marketing,” communications about replacements of, or enhancements to, a health plan.

The provision of value-added items or services (VAIS) is a common practice, particularly for managed care organizations.

Yes. It is not marketing for a doctor to make a prescription refill reminder even if a third party pays for the communication.

Yes, appointment reminders are considered part of treatment of an individual and, therefore, can be made without an authorization.

Alternative treatments are treatments that are within the range of treatment options available to an individual.

No. In a specific exception, the HIPAA Privacy Rule allows covered entities to distribute items commonly known as promotional gifts of nominal value without prior authorization, even if such items are distributed with the intent of encouraging the receiver to buy the products or services.

In face-to-face encounters, the HIPAA Privacy Rule allows covered entities to give or discuss products or services, even when not health-related, to patients without a prior authorization. This exception prevents unnecessary intrusion into the doctor-patient relationship.

No. In the specific case of face-to-face encounters, the HIPAA Privacy Rule allows health plans and their business associates to market both health and non-health insurance products to individuals.

The Privacy Rule makes it clear that nothing in the marketing provisions of the Privacy Rule are to be construed as amending, modifying, or changing any rule or requirement related to any other Federal or State statutes or regulations, including specifically anti-kickback, fraud and abuse, or self-referral statutes or regulations, or to authorize or permit any activity or transaction currently proscribed by such statutes and regulations.

Yes, if the communication is for the individual’s treatment or for case management, care coordination, or the recommendation of alternative therapies.

No. Communications about government and government-sponsored programs do not fall within the definition of “marketing.”

No. All States have laws that require providers to report cases of specific diseases to public health officials. The HIPAA Privacy Rule permits disclosures that are required by law.

No. The Privacy Rule’s public health provision permits, but does not require, covered entities to make such disclosures. This provision is intended to allow covered entities to continue current voluntary reporting practices that are critically important to public health and safety. The Rule also permits covered entities to disclose protected health information when State or other law requires covered entities to make disclosures for public health purposes.

Yes. The HIPAA Privacy Rule permits covered entities to disclose the amount and type of protected health information that is needed for public health purposes.

The definition of a “public health authority” requires that an agency’s official mandate include the responsibility for public health matters.

Covered entities may identify persons responsible for an FDA-regulated product by using the product label, the literature that accompanies the product, or other sources of labeling, such as the Physician’s Desk Reference.

Yes. In most instances when a covered entity makes an adverse event report to a person responsible for an FDA-regulated product, the covered entity will suspect, but not know, the product is the cause of the event.

No. The public health provision is intended to facilitate the flow of information that is essential to the FDA’s public health mission.

The public health provision permits covered health care providers to disclose an individual's protected health information to the individual’s employer without authorization in very limited circumstances.

Under the HIPAA Privacy Rule, covered entities may use or disclose protected health information from existing databases or repositories for research purposes either with individual authorization as required at 45 CFR 164.508, or with a waiver of individual authorization as permitted at 45 CFR 164.512(i).

Individuals do not have a right under the Privacy Rule at 45 CFR 164.522(a) to request that a covered entity restrict a disclosure of protected health information about them for workers’ compensation purposes when that disclosure is required by law or authorized by, and necessary to comply with, a workers’ compensation or similar law.

Privacy of Health Information/HIPAA Workers' Compensation Disclosures

The HIPAA Privacy Rule permits a covered entity to disclose protected health information as necessary to comply with State law.

A covered entity is permitted to disclose an individual’s protected health information as necessary to comply with and to the full extent authorized by workers’ compensation law.

A covered entity may disclose protected health information where the individual’s written authorization has been obtained, consistent with the Privacy Rule’s requirements at 45 CFR 164.508.

Hospitals and other covered health care providers with a direct treatment relationship with individuals are not required to provide their notices to patients at the time they are providing emergency treatment.

Yes. The HIPAA Privacy Rule requires that a covered health care provider with a direct treatment relationship with individuals make a good faith effort to obtain written acknowledgments from those individuals that they have received the provider’s notice, regardless of whether the provider also chooses to obtain the individuals’ consent.

Yes. The HIPAA Privacy Rule provides covered entities with discretion in this area; no special or separate mailings or distributions are required to satisfy the Privacy Rule’s notice distribution requirements.

No. A covered health care provider with a direct treatment relationship with individuals is required to make a good faith effort to obtain an individual's acknowledgement of receipt of the notice only at the time the provider first gives the notice to the individual -- that is, at first service delivery. See 45 CFR 164.520(c)(2).

For notice delivered electrically, an electronic return receipt or other return transmission from the individual is considered a valid written acknowledgment of the notice.

Covered entities may use a “layered” notice to implement the HIPAA Privacy Rule’s requirements, so long as the elements required by 45 CFR 164.520(b) are included in the document that is provided to the individual.

Under the HIPAA Privacy Rule, only covered health care providers that have a direct treatment relationship with individuals are required to make a good faith effort to obtain the individual's acknowledgment of receipt of the notice.

The HIPAA Privacy Rule is intended to be flexible enough to address the various types of relationships that covered health care providers may have with the individuals they treat, including those treatment situations that are not face-to-face.

Health care providers and other covered entities that participate in an organized health care arrangement (OHCA) may use a single, joint notice that covers all of the participating covered entities (provided that the conditions at 45 CFR 164.520(d) are met), or may each maintain separate notices.

A health plan satisfies the HIPAA Privacy Rule’s requirements for providing the notice by distributing its notice only to the named insured of a policy under which coverage is provided both to the named insured and his or her dependents. See 45 CFR 164.520(c)(1)(iii).

The HIPAA Privacy Rule requires a health plan to distribute its notice to each individual covered by the plan.

The HIPAA Privacy Rule requires a covered health care provider with a direct treatment relationship with the individual to provide the notice to the individual receiving treatment no later than the date of first service delivery. In cases where the individual has a personal representative, as is generally the case when a parent brings a child in for treatment, the provider satisfies the notice distribution requirements by providing the notice to the personal representative (e.g., the child’s parent), and making a good faith effort to obtain the personal representative’s acknowledgment of the notice.

Covered health care providers that maintain an office or other physical site where they provide health care directly to individuals are required to post their entire notice at the facility in a clear and prominent location.

A covered entity’s notice is not a substitute for an individual’s authorization.

The HIPAA Privacy Rule does not require a covered health care provider to mail out its revised notice or otherwise notify patients by mail of changes to the notice.

The HIPAA Privacy Rule requires a covered health care provider with direct treatment relationships with individuals to give the notice to every individual no later than the date of first service delivery to the individual and to make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice.

The Privacy Rule does not prohibit this practice.

Yes. Provided that the individual is clearly informed on the log book of what they are acknowledging and the acknowledgment is not also used as a waiver or permission for something else that also appears on the log book (such as a waiver to consult with the pharmacist).

By law, health care providers (including doctors and hospitals) who engage in certain electronic transactions, health plans, and health care clearinghouses, (collectively, “covered entities”) have until April 14, 2003, to comply with the HIPAA Privacy Rule.

The Privacy Rule permits the covered entity to impose reasonable, cost-based fees. The fee may include only the cost of copying (including supplies and labor) and postage, if the patient requests that the copy be mailed.

Genetic information is health information protected by the Privacy Rule. Like other health information, to be protected it must meet the definition of protected health information: it must be individually identifiable and maintained by a covered health care provider, health plan, or health care clearinghouse. See 45 C.F.R 160.103 and 164.501.

The HIPAA Privacy Rule permits physicians to disclose protected health information to another health care provider for treatment purposes. This can be done by fax or by other means.

The Privacy Rule does not prohibit a covered entity from obtaining an individual's consent to use or disclose his or her health information and, therefore, presents no barrier to the entity's ability to comply with State law requirements.

No. The listed types of policies are not health plans. The HIPAA Administrative Simplification regulations specifically exclude from the definition of a “health plan” any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits, which are listed in section 2791(c)(1) of the Public Health Service Act, 42 U.S.C. 300gg-91(c)(1).

 

 

Date Created: 12/20/2002

Providing services to or acting on behalf of a health plan does not transform a third party administrator (TPA) into a covered entity.

The compliance dates for the Privacy Rule is April 14, 2003, or, for small health plans, April 14, 2004.

The Privacy Rule requires covered entities to provide individuals with access to protected health information about themselves that is contained in their “designated record sets.”

The Privacy Rule does not require covered entities to document any information, including oral information, that is used or disclosed for treatment, payment or health care operations.

However, a covered entity must ensure through its contract with the business associate that the business associate's uses and disclosures of protected health information and other actions are consistent with the covered entity's privacy policies, as stated in covered entity's notice.

A "group health plan" is a covered entity under the Privacy Rule and the other HIPAA, Title II, Administrative Simplification standards.

The Privacy Rule permits a health plan to disclose protected health information, such as prescription numbers, to a pharmaceutical manufacturer for purposes of adjudicating claims submitted under a drug rebate contract.

The Privacy Rule requires the Notice of Privacy Practices (Notice) to identify, among other things, what uses and disclosures the covered entity may make of protected health information.

The Privacy Rule allows those doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization.

Yes. The Privacy Rule allows covered health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. These treatment communications may occur orally or in writing, by phone, fax, e-mail, or otherwise.

There are two deadlines for compliance with the HIPAA Privacy Rule on April 14, 2004:

No. Certain plans are specifically excluded from having to comply with the HIPAA Administrative Simplification requirements, including the Privacy Rule.

The Privacy Rule recognizes that certain fully insured group health plans may not need to satisfy all of the requirements of the Privacy Rule since these responsibilities will be carried out by the health insurance issuer or HMO with which the group health plan has contracted for coverage of its members.

Covered entities under HIPAA are health care clearinghouses, certain health care providers, and health plans.

Does the HIPAA Privacy Rule limit what a doctor can do with a family medical history?

A covered entity may disclose protected health information to comply with a court order, including an order of an administrative tribunal.

A covered entity may use or disclose protected health information as permitted or required by the Privacy Rule, see 45 CFR 164.502(a); and, subject to certain conditions the Rule typically permits uses and disclosures for litigation, whether for judicial or administrative proceedings, under particular provisions for judicial and administrative proceedings set forth at 45 CFR 164.512(e), or as part of the covered entity’s health care operations, 45 CFR 164.506(a).

Yes. Where a covered entity is a party to a legal proceeding, such as a plaintiff or defendant, the covered entity may use or disclose protected health information for purposes of the litigation as part of its health care operations.

Under 45 CFR 164.512(e)(1)(ii) of the Privacy Rule, a covered entity that is not a party to the litigation may disclose protected health information in response to a subpoena, discovery request, or other lawful process if the covered entity receives certain satisfactory assurances from the party seeking the information.

Yes. A covered entity that is not a party to litigation must obtain or receive the satisfactory assurances required by 45 CFR 164.512(e) before making a disclosure for a judicial or administrative proceeding.

A copy of the subpoena (or other request pursuant to lawful process) is sufficient when, on its face, it meets the requirements of 45 CFR 164.512(e)(1)(iii), such as by demonstrating that the individual whose protected health information is requested is a party to the litigation, notice of the request has been provided to the individual or his or her attorney, and the time for the individual to raise objections has elapsed and no objections were filed or all objections filed have been resolved. When the above requirements are evident on the face of the subpoena (or other request), no additional documentation is required.

It depends on who the recipient is.

Individuals have a right to receive, upon request, an accounting of disclosures of protected health information made by a covered entity (or its business associate), with certain exceptions.

Yes, if certain conditions are met. A covered entity that is not a party to litigation, such as where the covered entity is neither a plaintiff nor a defendant, may disclose protected health information in response to a subpoena, discovery request, or other lawful process, that is not accompanied by a court order, provided that the covered entity: ...