HIPAA
Privacy Policy & Procedures
Updated: March 19, 2002
General Overview
In enacting the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Congress mandated the establishment of standards for the privacy of individually identifiable health information. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of protected health information (PHI). The Privacy Rule became effective on
By law, the Privacy Rule applies only to health plans, health care clearinghouses, and certain health care providers. In today's health care system, however, most health care providers and health plans do not carry out all of their health care activities and functions by themselves; they require assistance from a variety of contractors and other businesses. In allowing providers and plans to give protected health information (PHI) to these "business associates," the Privacy Rule conditions such disclosures on the provider or plan obtaining, typically by contract, satisfactory assurances that the business associate will use the information only for the purposes for which they were engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with the covered entity's duties to provide individuals with access to health information about them and a history of certain disclosures (e.g., if the business associate maintains the only copy of information, it must promise to cooperate with the covered entity to provide individuals access to information upon request). PHI may be disclosed to a business associate only to help the providers and plans carry out their health care functions - not for independent use by the business associate.
In its relationship with PPC users, PPC falls within the Privacy Rule's definition of a "business associate":
· A business associate is a person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of PHI.
· A business associate is not a member of the health care provider, health plan, or other covered entity's workforce.
· A health care provider, health plan, or other covered entity can also be a business associate to another covered entity.
· The rule includes exceptions. The business associate requirements do not apply to covered entities who disclose PHI to providers for treatment purposes - for example, information exchanges between a hospital and physicians with admitting privileges at the hospital.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) gives the Department of Health and Human Services (HHS) authority to directly regulate health care providers, health plans, and health care clearinghouses. It also grants the Department explicit authority to regulate the uses and disclosures of PHI maintained and transmitted by covered entities. Therefore, HHS has the authority to condition the disclosure of PHI by a covered entity to a business associate on the covered entity's having a contract with that business associate.
However, the Privacy Rule does not "pass through" its requirements to business associates or otherwise cause business associates to comply with the terms of the rule. The assurances that covered entities must obtain prior to disclosing PHI to business associates create a set of contractual obligations that is far narrower than the provisions of the rule: to protect information generally and to help the covered entity comply with its obligations under the rule. For example, covered entities do not need to ask their business associates to agree to appoint a privacy officer, or to develop policies and procedures for use and disclosure of PHI.
A health care provider, health plan, or other covered entity is not liable for privacy violations of a business associate. Covered entities are not required to actively monitor or oversee the means by which the business associate carries out safeguards or the extent to which the business associate abides by the requirements of the contract.
Moreover, a business associate's violation of the terms of the contract does not, in and of itself, constitute a violation of the rule by the covered entity. The contract must obligate the business associate to advise the covered entity when violations have occurred.
If the covered entity becomes aware of a pattern or practice of the business associate that constitutes a material breach or violation of the business associate's obligations under its contract, the covered entity must take "reasonable steps" to cure the breach or to end the violation. Reasonable steps will vary with the circumstances and nature of the business relationship.
If such steps are not successful, the covered entity must terminate the contract if feasible. The rule also provides for circumstances in which termination is not feasible, for example, where there are no other viable business alternatives for the covered entity. In such circumstances, the covered entity must report the problem to the Department. Only if the covered entity fails to take the kinds of steps described above would it be considered to be out of compliance with the requirements of the rule.
PPC Privacy Policy and Procedures
Even though PPC is not required to comply with the terms of the rule, in order to protect PHI generally and to help PPC users (the covered entities) comply with their obligations under the rule, PPC has adopted the following Privacy Procedures and appropriate safeguards to prevent and report unauthorized use or disclosure of PHI:
1. PPC has designated a Privacy Officer: Thom Wilcox, Director of Programming/Product Development.
2. PPC will train its employees in these privacy procedures, provide each member of the workforce with a copy of this privacy policy, and document that each member has reviewed it.
3. PPC's use of PHI is limited to support, testing, and maintenance work performed for the covered entity (user). Access to PHI will be limited to those assigned to complete the work. PHI will be used within PPC only to expedite that work, and will be deleted or destroyed after the work is completed. Any wrongful disclosure of PHI will be reported to the user, and the responsible employee will be subject to discipline up to and including dismissal.
4. PPC will prohibit the use or disclosure of PHI except as permitted by the user or required by law. PHI may never be disclosed to anyone other than the PPC user (covered entity) from which the PHI was obtained.
5. PPC will ensure that the same restrictions and conditions apply to any agents and subcontractors it uses.
PROTECTED HEALTH INFORMATION (PHI) - The term "protected health information" or "individually identifiable health information" means any information, including demographic information collected from an individual, that--
(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and--
(i) identifies the individual; or
(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
WRONGFUL DISCLOSURE OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION (42 U.S.C. § 1320d-6) -
(a) OFFENSE.--A person who knowingly and in violation of this part--
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b).
(b) PENALTIES.--A person described in subsection (a) shall--
(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.