<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy and Confidentiality Health Laws, Policies and Security &#187; hipaa</title>
	<atom:link href="http://www.healthprivacyday.ca/tag/hipaa/feed" rel="self" type="application/rss+xml" />
	<link>http://www.healthprivacyday.ca</link>
	<description>Information, Electronic, Medical and Health Privacy</description>
	<lastBuildDate>Thu, 13 Oct 2011 19:25:22 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>HIPAA Privacy Compliance</title>
		<link>http://www.healthprivacyday.ca/usa-health-privacy/hipaa-privacy-compliance</link>
		<comments>http://www.healthprivacyday.ca/usa-health-privacy/hipaa-privacy-compliance#comments</comments>
		<pubDate>Thu, 28 Oct 2010 16:56:22 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[USA Health Privacy]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[hipaa]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.healthprivacyday.ca/usa-health-privacy/hipaa-privacy-compliance</guid>
		<description><![CDATA[HIPAA Privacy Compliance The U.S. Department of Health and Human Services issued the Privacy Rule to put into practice the requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  The Privacy Rule standards address the use and disclosure of individuals&#8217; health information—called &#8220;protected health information&#8221; (PHI). PHI is any information held by [...]]]></description>
			<content:encoded><![CDATA[<p><strong>HIPAA Privacy Compliance</strong></p>
<p>The U.S. Department of Health and Human Services issued the Privacy Rule to put into practice the requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  The Privacy Rule standards address the use and disclosure of individuals&#8217; health information—called &#8220;protected health information&#8221; (PHI). PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.</p>
<p>A main goal of the Privacy Rule is to assure that individuals&#8217; health information is suitably protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public&#8217;s health and well-being. The rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.</p>
<p>The Privacy Rule gives individuals the right to request that a covered entity correct any inaccurate PHI. It also requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals. Covered entities are also required to notify individuals of uses of their PHI. They must keep track of disclosures of PHI and document their privacy policies and procedures. They must appoint a Privacy Official and a contact person responsible for receiving complaints, and all members of their workforce must be properly trained in procedures regarding PHI to avoid any kind of divergence.</p>
<p>HIPAA&#8217;s Privacy Rule requires a covered entity to develop comprehensive HIPAA Privacy policies with respect to PHI. To ensure such compliance, the policies and procedures must be reasonably designed, taking into account the size of the covered entity and the type of activities it undertakes that relate to protected health information.</p>
<p>&#8220;Essentially, a covered entity is required to develop and implement policies and procedures appropriate to the entity&#8217;s business practices and workforce that reasonably minimize the amount of protected health information used, disclosed, and requested;&#8221; &#8211; HIPAA Privacy Rule 45 CFR Part 160</p>
<p>To jump start your HIPAA Security policy creation, it is recommended to use templates. <strong>HIPAA Privacy Policies templates</strong> can be used by healthcare entities like Hospitals, Insurers, Long Term Care/Skilled Nursing Facilities, Ambulatory Surgery Centers, Assisted Living/Intermediate Care Facilities, Clinical Laboratories, Clinics, Dialysis Providers, Employer Plans, HMOs, Home Health Agencies, Hospices, Pharmacies, Physicians, PPOs, Rehabilitation Facilities, other payees &amp; providers, and business associates of healthcare organizations.</p>
<p>We recommend these Privacy Policies templates to achieve your <a rel="nofollow" onclick="javascript:_gaq.push(['_trackPageview', '/outgoing/article_exit_link']);" href="http://www.training-hipaa.net/template_suite/hipaa-privacy-procedure-forms.htm"><strong>HIPAA Privacy Compliance</strong></a>. All 51 policies are available in MS Word format and can be easily customized as per your requirements.</p>
<div style="margin:5px;padding:5px;border:1px solid #c1c1c1;font-size: 10px;">
<p>View <strong>sample HIPAA Privacy Policy</strong> Templates:  <a rel="nofollow" onclick="javascript:_gaq.push(['_trackPageview', '/outgoing/article_exit_link']);" href="http://www.training-hipaa.net/template_suite/Authorization_for_Release_of_Inf.pdf">http://www.training-hipaa.net/template_suite/Authorization_for_Release_of_Inf.pdf</a></p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.healthprivacyday.ca/usa-health-privacy/hipaa-privacy-compliance/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What medical information is not covered by HIPAA?</title>
		<link>http://www.healthprivacyday.ca/usa-health-privacy/what-medical-information-is-not-covered-by-hipaa</link>
		<comments>http://www.healthprivacyday.ca/usa-health-privacy/what-medical-information-is-not-covered-by-hipaa#comments</comments>
		<pubDate>Wed, 22 Sep 2010 15:45:38 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[USA Health Privacy]]></category>
		<category><![CDATA[hipaa]]></category>

		<guid isPermaLink="false">http://www.healthprivacyday.ca/?p=47</guid>
		<description><![CDATA[Medical information that is not covered by the federal privacy rule might be found in your financial records, your child&#8217;s school records, and/or your employment files. Financial records. The federal Gramm-Leach-Bliley Act (GLB) allows financial companies such as banks, brokerage houses, and insurance companies to operate as a single entity. GLB gives you the right [...]]]></description>
			<content:encoded><![CDATA[<p>Medical information that is not covered by the federal privacy rule might be found in your financial records, your child&#8217;s <a href="http://grantsschool.org/">school</a> records, and/or your employment files.</p>
<p><strong>Financial records.</strong> The federal Gramm-Leach-Bliley Act (GLB) allows financial companies such as banks, brokerage houses, and insurance companies to operate as a single entity. GLB gives you the right to be notified about the information-sharing practices of financial institutions. And you must be given an opportunity to opt-out of third-party information sharing. But GLB does not keep information from being shared among affiliated companies.</p>
<p>Your credit card account and checking transactions are likely to include information about where you go for health care. Insurance applications and medical claims also contain health-related information. So it is possible for such medical information to be shared among affiliates of financial institutions. Such information is <em>not</em> protected by HIPAA.</p>
<p>Some financial companies promise extra protection for medical information. And insurance companies may be prohibited from giving information to an affiliated bank by state insurance laws. It pays to examine the privacy notices of financial institutions carefully. (Read PRC <a href="http://www.privacyrights.org/fs/fs24-finpriv.htm">Fact Sheet 24: Protecting Financial Privacy</a>.)</p>
<p>In addition, the Fair Credit Reporting Act (FCRA) now limits the way financial companies can use medical information when you apply for credit. For example, if you apply for a car loan, the lender can consider debts for unpaid medical bills just like any other debt. However, the lender cannot ask about your medical condition and must treat medical bills like any other debt in deciding whether to give you a loan. Another section of this law now says that credit bureaus cannot report the name, address or telephone number of any medical creditor, unless the information is reported in code.</p>
<p>For more on your medical information, lenders and the credit bureaus, see PRC <a href="http://www.privacyrights.org/fs/fs6a-facta.htm#7">Fact Sheet 6b: FACTA, The Fair and Accurate Credit Transactions Act</a>.</p>
<p><span id="more-47"></span></p>
<p>Education records maintained by your child&#8217;s school contain vaccination histories, information about physical examination for sports, counseling for behavioral problems, and records of visits to the school nurse. Privacy of education records is under the control of the U.S. Department of Education and the Family Educational Rights and Privacy Act (FERPA). These records are not covered by HIPAA.</p>
<p>For more information about FERPA, visit the <a href="http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html" target="_blank">Department of Education&#8217;s website on FERPA</a>.</p>
<p>Also see <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf" target="_blank">guidance on education records and HIPAA issued jointly by the Department of Education and the Department of Health and Human Services</a>.</p>
<p>Employment records and medical information may be mingled in situations not covered by HIPAA. Your employer may be covered by the Occupational Safety and Health Act (OSHA). If so, you have the right to access your medical records gathered for your employer&#8217;s OSHA responsibilities. (See the <a href="http://www.osha.gov/as/opa/worker/rights.html" target="_blank">U.S. Department of Labor website on employee&#8217;s rights under OSHA</a>.)</p>
<p>In addition, the federal Family and Medical Leave Act (FMLA) gives most workers the right to 12 weeks of unpaid leave a year for personal and family health. If FMLA leave is because of a serious illness, your employer may request a doctor&#8217;s certification of the illness. But the employer cannot make you produce medical records. See the <a href="http://www.dol.gov/compliance/laws/comp-fmla.htm" target="_blank">U.S. Department of Labor website for more information on FMLA</a>.</p>
<p>Employers, in an effort to control rising healthcare costs, now offer a variety of health and fitness programs. Many programs, often called Employee Health Programs or EHPs, are offered by outside contractors that service multiple employers.</p>
<p>EHPs may be as simple as a lunchtime exercise class or include a highly-structured weight loss plan with personal trainers, individualized diets, exercise plans and close monitoring of weight, blood pressure, or body mass index. Employees, in some cases, may also receive counseling for personal and family problems or substance abuse through programs established by their employer. Such programs are generally not covered by HIPAA. As such, there is no universal privacy standard that applies to all programs.</p>
<p>If your employer is self-insured for employees&#8217; medical benefits, its handling of insurance claims and other health-related information is covered by HIPAA. In this capacity, the employer would be considered a &#8220;hybrid&#8221; entity. For more information on HIPAA involving employer group health plans and self-insurance situations, read PRC <a href="http://www.privacyrights.org/fs/fs8a-hipaa.htm">Fact Sheet 8a: HIPAA Basics</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.healthprivacyday.ca/usa-health-privacy/what-medical-information-is-not-covered-by-hipaa/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Health and Medical Privacy in Virginia</title>
		<link>http://www.healthprivacyday.ca/virginia-health-privacy/health-and-medical-privacy-in-virginia</link>
		<comments>http://www.healthprivacyday.ca/virginia-health-privacy/health-and-medical-privacy-in-virginia#comments</comments>
		<pubDate>Fri, 20 Feb 2009 12:29:39 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Virginia Health Privacy]]></category>
		<category><![CDATA[electronic health record privacy]]></category>
		<category><![CDATA[health record technology]]></category>
		<category><![CDATA[hipaa]]></category>
		<category><![CDATA[security of health records]]></category>
		<category><![CDATA[state privacy laws]]></category>

		<guid isPermaLink="false">http://www.healthprivacyday.ca/?p=35</guid>
		<description><![CDATA[New advancements in health record technology raise questions about privacy and security. Consumers are worried that someone might be able to hack into health systems to gain access to private health information. Federal and state privacy laws such as HIPAA are designed to protect both paper and electronic health records. Systems must be designed to [...]]]></description>
			<content:encoded><![CDATA[<p>New advancements in health record technology raise questions about privacy and security. Consumers are worried that someone might be able to hack into health systems to gain access to private health information.</p>
<p>Federal and state privacy laws such as HIPAA are designed to protect both paper and electronic health records. Systems must be designed to meet these stringent requirements. Any certified electronic system must be password protected, and all files need to be encrypted.</p>
<p>Unlike with paper health records, a log is created every time someone views an electronic health record. In addition, access to certain parts of health records can be regulated by password and system design.<br />
<span id="more-35"></span><br />
Just like paper records, EHR must comply with the federal Health Insurance Portability and Accountability Act (HIPAA) as well as other state and federal laws on privacy. Patient privacy security is built into all systems. Unlike paper records, electronic health records can be encoded so that only authorized individuals can view them.</p>
<p>System developers and governmental agencies are working to protect patient security. EHR systems use state-of-the-art computer programs to block hackers and those who might want access to private information without permission. Patients can rest assured their records are secure.</p>
<p><span class="subHeader">Privacy and Security Principles<br />
</span><br />
Federal and state privacy laws, such as HIPAA, are designed to protect both paper and electronic health records. Systems must be designed to meet these stringent requirements:</p>
<ul>
<li>Individuals should know how their personally identifiable health information may be used and who has access to it.</li>
<li>Individuals should have control over whether and how their personally identifiable health information is shared.</li>
<li>Systems must protect the integrity, privacy, security and confidentiality of an individual’s information.</li>
<li>The governance and administration of electronic health information exchanges and networks should be transparent and publicly accountable.</li>
</ul>
<p><strong>Contact: </strong></p>
<p><a href="mailto:pruddick@wvmi.org">Patricia Ruddick</a>, Project Director of West Virginia Health Information Security and Privacy Collaboration (HISPC)</p>
<p>Phone: 304-346-9864, ext. 4211<br />
Toll Free: 800-642-8686, ext. 4211<br />
Fax: 304-342-5527</p>
<p>Source: <a href="http://www.ehealthwv.org/">http://www.ehealthwv.org/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.healthprivacyday.ca/virginia-health-privacy/health-and-medical-privacy-in-virginia/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

