HIPAA Privacy Notes

Users can get access to their health info and choose who to disclose it to

WHAT IS A COVERED ENTITY?

Covered entities are those that are responsible for safeguarding patients' information and complying with the rules of HIPAA. According to HIPAA definitions, a covered entity includes health plans, healthcare providers, and healthcare clearinghouses.

Covered Entity examples:

  • Health plan

  • Healthcare billing

  • Healthcare provider

  • Nursing homes

  • Pharmacies

WHAT IS PHI?

Protected Health Information (PHI) is information that can identify you. Some of the common and less common types of identifying information include:

Name, social security number, driver's license, IP address, photos, biometrics, serial numbers of medical devices.

Any use of PHI that gives access to it to anyone outside of your organization/practice requires disclosure to the patient.

You must obtain authorization for disclosure and the authorization NEEDS TO BE SPECIFIC. You do not need to disclose use of PHI for TPO.

TPO: Treatment, Payment and Operations

You don't need to disclose use of PHI if it's for:

Treatment: coordination of/management of patients' health data

Payment: payment for services such as through billing or collections

Operations: administrative duties related to the business/practice

Focus on Data Minimization. Just because data is available doesn't mean that you have the right to access it, unless it is NECESSARY for your job.

NOTICE OF PRIVACY

The Notice of Privacy outlines what the business will do to secure PHI.

New patients must get a copy and acknowledge receipt of it.

You must post a copy publicly at the business and on the website.

BUSINESS ASSOCIATES

A Business Associate is not a member of the organization or practice but makes use of PHI.

Business associates may transmit, store, maintain, receive or require access to PHI.

A business associate must sign a Business Associate Agreement (BAA) and agree to abide by your policy. You should keep track of your business associates and the agreements you have with them. Also make sure to update your BAAs if you update your policy.

You will be held accountable for the actions of your business associates. VET them before allowing them to have access.
