(Note: The information provided below is a summary and intended for general informational purposes. Mental health providers and other covered entities should not rely on this summary as a source of legal information or advice and should consult with their own attorney or HIPAA Privacy Officer for specific guidance.)
Introduction: This document provides guidance about key elements of the requirements of the Health Insurance Portability and Accountability Act (HIPAA), federal legislation passed in 1996 which requires providers of health care (including mental health care) to ensure the privacy of patient records and health information. HIPAA required the federal Department of Health and Human Services (HHS) to develop regulations to implement these privacy requirements, called the Privacy Rule, which became effective on April 14, 2003. State statutes which provide more stringent protections of health care privacy remain in effect even after HIPAA, and therefore this document includes a few relevant references to requirements in New York State's mental health confidentiality statute (section 33.13 of the Mental Hygiene Law).
General: The HIPAA Privacy Rule (45 CFR Parts 160 and 164) provides the first comprehensive Federal protection for the privacy of health and mental health information. The Rule is intended to provide strong legal protections to ensure the privacy of individual health information, without interfering with patient access to treatment, health care operations, or quality of care. The Privacy Rule applies to “covered entities” which generally includes health plans and health care providers who transmit health information in electronic form. Covered entities include almost all health and mental health care providers, whether they are outpatient, residential or inpatient providers, as well as other persons or organizations that bill or are paid for health care.
Basic Principles of the Privacy Rule:
(Note: One must consult not only HIPAA but also other relevant federal privacy laws (such as regulations pertaining to Medicaid and federally funded substance abuse treatment programs), as well as State privacy laws (including the Mental Hygiene Law, section 33.13, the Public Health Law, the Education Law licensing provisions, and the Civil Practice Laws and Rules), to determine whether a disclosure of medical information is permissible in a given circumstance.)
Permitted Uses or Disclosures of PHI Without Authorization: Extensive provisions of the Privacy Rule describe circumstances under which covered entities are permitted to use or disclose PHI, without the authorization of the individual who is the subject of the protected information. These purposes include, but are not limited to, the following:
“Minimum Necessary” Rule: A covered entity must make reasonable efforts to use, request, or disclose to others only the minimum amount of PHI which is needed to accomplish the intended purpose of the use, request or disclosure. When the minimum necessary standard applies, a covered entity may not use, disclose, or request a person's entire medical record, unless it can specifically justify that the entire record is reasonably needed. The minimum necessary standard does not apply under the following circumstances:
Penalties for Violation of HIPAA:
To view the entire Privacy Rule, or for other information about how it applies, visit the website of the HHS, Office of Civil Rights at: http://www.hhs.gov/ocr/hipaa/.
Which of the following is not an example of protected health information (PHI)?
PHI only relates to information on patients or health plan members. It does not include information contained in educational and employment records, including health information maintained by a HIPAA covered entity in its capacity as an employer.
What is not protected health information (PHI) under HIPAA quizlet?
PHI is individually identifiable health information that is transmitted or maintained in any form or medium (e.g., electronic, paper, or oral), but excludes certain educational records and employment records.
Which of the following is not a requirement of the HIPAA privacy standards?
Question 2 - The requirements of HIPAA Privacy include all of the following EXCEPT:
Answer: Putting firewalls on all internet connections.
Which of the following is not considered a HIPAA covered entity quizlet?
Who would NOT be considered a covered entity under HIPAA?
E (Rationale: Covered entities in relation to HIPAA include Health Care Providers, Health Plans, and Health Care Clearinghouses. The patient is not considered a covered entity although it is the patient's data that is protected.)