What are HIPAA’s privacy requirements?

Covered entities, which include health plans, health care clearinghouses and most health care providers (see ¶42,460) with access to protected health information (PHI), are subject to numerous privacy requirements under HIPAA.

  • Notices. Two types of notices are required:

    • Notice of privacy practices. Covered entities must provide individuals (patients and health plan members) with a notice of their privacy rights and the privacy practices of the covered entity. In addition, direct treatment providers must make a good faith effort to obtain patients' written acknowledgment of the notice of privacy rights and practices.

    • Notice of breaches. Beginning 30 days after publication of interim final regulations (to be issued by August 16, 2009), covered entities must notify each individual whose unsecured PHI has been (or is reasonably believed to have been) accessed, acquired or disclosed as a result of a breach. If information is disclosed to an unauthorized person who would not reasonably have been able to retain the information, it is not considered a breach. If a business associate discovers a breach, it must notify the covered entity and identify the affected individuals. Affected individuals must be notified without unreasonable delay, and in any case within 60 calendar days of discovering the breach. If the breach affects the PHI of more than 500 individuals, covered entities must notify prominent media outlets and notify HHS immediately. (If fewer than 500 individuals are affected, covered entities should maintain a log of such breaches and submit it to HHS annually.)

  • Minimum necessary requirements. Covered entities must take reasonable steps to limit uses, disclosures and requests of PHI, to the extent possible, to the limited data set (information that excludes certain direct identifiers of the individual or his or her relatives, employers or household members) or, if needed, to the minimum necessary to accomplish the intended purpose. They must also implement policies and procedures for minimum necessary uses and disclosures. These policies and procedures allow covered entities to avoid making a minimum necessary determination on a case-by-case basis. (Note that the minimum necessary standard does not apply to uses and disclosures made pursuant to a written authorization obtained from an individual.)

  • Special authorizations. Covered entities must usually obtain specific authorization from patients (or employees) before using or disclosing protected information in non-routine circumstances. (Routine circumstances involve treatment, payment or health care operations purposes.) Also, effective six months after final regulations are published (to be issued by August 17, 2010), covered entities and business associates may not directly or indirectly receive remuneration in exchange for an individual's PHI unless a valid authorization exists.

  • Business associates. Covered entities must obtain satisfactory assurances through written agreements from their business associates who have access to PHI that the business associate will appropriately safeguard the information. Effective February 17, 2010, business associates will become directly subject to privacy requirements (and penalties) in the same manner as covered entities. Business associate contracts should be updated to reflect the changes.

  • Marketing. Covered entities must get prior written authorization to use an individual's PHI for marketing purposes, except for a face-to-face encounter or a communication involving a promotional gift of nominal value. Effective February 17, 2010, a communication that encourages recipients to purchase or use a product or service will not be considered health care operations, and will therefore require individual authorization.

  • Data safeguards. Covered entities must maintain physical, administrative and technical safeguards to protect PHI. Physical safeguards include locked file cabinets, separation of health information from personnel information, and password protection; administrative safeguards include employee access controls based on job functions; and technical safeguards include firewalls and system security measures.

  • Employee training. Covered entities must implement employee training programs on the privacy requirements. Employees with access to PHI need to be aware of the privacy rules and how their jobs are affected by them. Training should be ongoing.

  • Privacy officer. Covered entities must designate a privacy officer, who will be responsible for the implementation and development of the entity's privacy policies and procedures. There must also be a person designated to receive complaints and provide information regarding privacy. This person may or may not be the privacy officer.

Reprinted with permission. © CCH