What kind of information is protected under hipaa

This method states that the covered entity may only determine health information to be individually unidentifiable if: This method states that the covered entity may consider the information de-identified if the 18 identifiers associated with PHI are fully removed from the desired information.

This includes the information of relatives, household members, or employers of the individual. In order to prevent data loss in the process of de-identification, the covered entity can implement re-identification methods to re-identify PHI for future use. The re-identification process entails assigning a code or other means of identification to the information being de-identified, provided that:
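The two steps described above, stripping the direct identifiers (including those of relatives and employers) and tagging the result with a re-identification code that is not derived from the PHI and is held separately, as an added Python example that is not code from the page or from RSI Security. The record layout and field names are constructed for illustration; the identifier set shown is a representative subset of the Safe Harbor identifiers, and the "ages over 89 collapse into a single 90+ band" rule is the Safe Harbor date/age rule applied to the year of birth.

```python
import secrets

# Constructed sample record (not data from the page); the field names are an
# assumption of this example.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "dob": "1931-04-17",
    "phone": "555-0100",
    "email": "jane@example.com",
    "zip": "02139",
    "state": "MA",
    "mrn": "MRN-0042",
    "employer": "Example Corp",
    "spouse_name": "John Doe",
    "diagnosis_code": "E11.9",
}

# Fields holding direct identifiers of the individual, their relatives,
# household members or employer. These are removed outright (representative
# subset of the Safe Harbor identifier list; the field names are assumed).
IDENTIFIER_FIELDS = frozenset({
    "name", "dob", "phone", "email", "zip", "mrn", "employer", "spouse_name",
})

# Fields that survive only in a generalized form and must not be treated as
# original data when re-identifying.
DERIVED_FIELDS = ("birth_year", "age_band")


def generalize_dob(dob, as_of_year):
    """Keep only the year of birth; ages over 89 collapse into one '90+' band."""
    year = int(dob[:4])
    if as_of_year - year > 89:
        return {"age_band": "90+"}
    return {"birth_year": str(year)}


class ReidentificationVault:
    """Stores the stripped identifiers under a random code, kept apart from the
    de-identified data set. The code carries no information about the
    individual, so a holder of the data set alone cannot reverse it."""

    def __init__(self):
        self._identifiers = {}

    def register(self, record):
        # Random code: not derived from any element of the record.
        code = secrets.token_hex(8)
        self._identifiers[code] = {
            k: record[k] for k in IDENTIFIER_FIELDS if k in record
        }
        return code

    def reidentify(self, code, clean_record):
        """Rebuild the original record; only possible with access to the vault."""
        restored = {
            k: v for k, v in clean_record.items()
            if k not in DERIVED_FIELDS and k != "reid_code"
        }
        restored.update(self._identifiers[code])
        return restored


def deidentify(record, vault, as_of_year):
    """Return a de-identified copy of `record` tagged with its re-identification code."""
    clean = {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}
    if "dob" in record:
        clean.update(generalize_dob(record["dob"], as_of_year))
    clean["reid_code"] = vault.register(record)
    return clean


if __name__ == "__main__":
    vault = ReidentificationVault()
    clean = deidentify(SAMPLE_RECORD, vault, as_of_year=2024)
    print(clean)
    print(vault.reidentify(clean["reid_code"], clean) == SAMPLE_RECORD)
```

The vault is the piece a covered entity must guard: the de-identified data set can be shared more freely precisely because nothing in it, including the code, leads back to the person without it.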

Covered entities are therefore required to implement safeguards to ensure the integrity, confidentiality, and availability of PHI.

The technological, physical, and administrative methods to implement such safeguards are not specified by HIPAA and are therefore designed at the discretion of the covered entity.

RSI Security offers a wide variety of compliance validation guidance services that can help your organization meet the highest standards of cybersecurity compliance so you can focus on achieving your business goals and doing what you do best. If you are reading this blog, it is probably because your business is in the healthcare industry.

Since that is the case, you know that personal health information is of the highest priority to running a company that ensures client satisfaction and stays far away from serious financial and legal repercussions. RSI Security offers a few services that will help carry your company to the next level of company reputation and customer satisfaction through HIPAA compliance:

The first step of HIPAA compliance is having a clear understanding of what protected health care information is and how to manage it in a secure, private way — such that you are not in violation of the HIPAA Privacy and Security Rules.

Continue reading our expert blogs at RSI Security and be sure to check out our compliance advisory services.

Each covered entity, with certain exceptions, must provide a notice of its privacy practices.

The notice must describe the ways in which the covered entity may use and disclose protected health information. The notice must include a point of contact for further information and for making complaints to the covered entity. Covered entities must act in accordance with their notices. The Rule also contains specific distribution requirements for direct treatment providers, all other health care providers, and health plans.

See additional guidance on Notice. Covered entities, whether direct treatment providers or indirect treatment providers such as laboratories or health plans must supply notice to anyone on request. The covered entities in an organized health care arrangement may use a joint privacy practices notice, as long as each agrees to abide by the notice content with respect to the protected health information created or received in connection with participation in the arrangement.

A health plan must distribute its privacy practices notice to each of its enrollees by its Privacy Rule compliance date. Thereafter, the health plan must give its notice to each new enrollee at enrollment, and send a reminder to every enrollee at least once every three years that the notice is available upon request. For information included within the right of access, covered entities may deny an individual access in certain specified situations, such as when a health care professional believes access could cause harm to the individual or another.

In such situations, the individual must be given the right to have such denials reviewed by a licensed health care professional for a second opinion. The Rule gives individuals the right to have covered entities amend their protected health information in a designated record set when that information is inaccurate or incomplete. The Rule specifies processes for requesting and responding to a request for amendment.

A covered entity must amend protected health information in its designated record set upon receipt of notice to amend from another covered entity. Disclosure Accounting.

Accounting for disclosures to health oversight agencies and law enforcement officials must be temporarily suspended on their written representation that an accounting would likely impede their activities. Restriction Request. A covered entity that does agree must comply with the agreed restrictions, except for purposes of treating the individual in a medical emergency. Confidential Communications Requirements. Health plans and covered health care providers must permit individuals to request an alternative means or location for receiving communications of protected health information by means other than those that the covered entity typically employs.

Similarly, an individual may request that the provider send communications in a closed envelope rather than a post card. Health plans must accommodate reasonable requests if the individual indicates that the disclosure of all or part of the protected health information could endanger the individual.

Any covered entity may condition compliance with a confidential communication request on the individual specifying an alternative address or method of contact and explaining how any payment will be handled.

HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the flexibility and scalability of the Rule are intended to allow covered entities to analyze their own needs and implement solutions appropriate for their own environment.

Privacy Policies and Procedures. A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule.

Privacy Personnel. Workforce Training and Management. Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity whether or not they are paid by the entity.

A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.

Data Safeguards. A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.

See additional guidance on Incidental Uses and Disclosures. A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. Among other things, the covered entity must identify to whom individuals can submit complaints at the covered entity and advise that complaints can also be submitted to the Secretary of HHS.

Retaliation and Waiver. A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule.

Documentation and Record Retention. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented. The only administrative obligations with which a fully-insured group health plan that has no more than enrollment data and summary health information is required to comply are (1) the ban on retaliatory acts and waiver of individual rights, and (2) the documentation requirements with respect to plan documents if such documents are amended to provide for the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO that services the group health plan.

The Rule contains provisions that address a variety of organizational issues that may affect the operation of the privacy protections. Hybrid Entity. A covered entity that does not make this designation is subject in its entirety to the Privacy Rule. Affiliated Covered Entity. Legally separate covered entities that are affiliated by common ownership or control may designate themselves including their health care components as a single covered entity for Privacy Rule compliance.

An affiliated covered entity that performs multiple covered functions must operate its different covered functions in compliance with the Privacy Rule provisions applicable to those covered functions.

Organized Health Care Arrangement. A covered entity that performs multiple covered functions must operate its different covered functions in compliance with the Privacy Rule provisions applicable to those covered functions. Group Health Plan disclosures to Plan Sponsors. Personal Representatives. The Privacy Rule permits an exception when a covered entity has a reasonable belief that the personal representative may be abusing or neglecting the individual, or that treating the person as the personal representative could otherwise endanger the individual.

Special Case: Minors.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.

According to the U. Covered entities use PHI as part of their patient care. Healthcare Providers are exactly who you think of: hospitals, doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.

In addition, employers and schools that handle PHI in order to enroll their employees and students in health plans fall under the definition of a Health Plan and need to be HIPAA compliant. A Healthcare Clearinghouse takes in PHI from a healthcare entity, puts the data into a standard format, and then outputs the information to another entity. A Business Associate is any person who, on behalf of a Covered Entity, performs or assists in the performance of a function or activity involving the use or disclosure of PHI.

Vendors can be data storage or document storage services (it doesn't matter whether they can view the PHI that they maintain), providers of data transmission services, portals or other interfaces created on behalf of Covered Entities that allow patients to share their data with the Covered Entity, and electronic health information exchanges.
