2. “Health Insurance Portability and Accountability Act”
• Passed in 1996
• Resulted in the “Privacy Rule”
• Outlines specific requirements for protecting and safeguarding personally identifiable information
3. Covered Entities
• Health Care Providers
• Health Plans
• Health Care Clearing Houses
• Business Associates
4. Protected Health Information
• AKA “PHI”
• Information that can reasonably be used to identify the individual
• Oral, electronic, written
• Relates to past, present or future medical or mental health treatment or payment
6. Permitted Disclosures
• Treatment
– Providers involved in patient care
– Who has a “right to know”?
– Who does NOT have a “right to know”?
7. • Payment
– Disclosures may be made to agency billing departments, insurers, Medicare/Medicaid, and financially responsible individuals for billing and payment purposes
• Operations
– QA/QI
– Materials used for training should have PHI removed
– Internal investigations
8. Incidental Disclosures
• Results from an otherwise permitted disclosure
• Restrict disclosures to “minimum amount necessary”
• Use most secure medium
• Do not leave PCR unattended in the open
– Locked cabinet, locked station
– Includes notes (and your glove), dispatch information, etc.
• Password protect workstations, networks
9. Other Permitted Disclosures
• Required by law
• Public health activities
• Victims of abuse, neglect, or family violence
• Health oversight activities
• Judicial and administrative proceedings
• Law enforcement purposes
• Decedents
• Cadaveric Organ, Eye, or Tissue Donation
• Research
• Serious threat to health or safety
• Essential government functions
• Workers’ Compensation
10. A note on the “minimum”…
• “minimum necessary” does not apply when:
– Disclosure is related to treatment
– Full disclosure has been authorized by the individual
– Investigation of Privacy Rule Complaint
11. Notice of Privacy Practices
• AKA “NPP”
How are you affected?
- Should be posted in a prominent place
- Obligated to furnish a copy to patient
- Patient must sign acknowledgment (non-emergency)
- Includes refusals, also
12. Privacy Officer
• Every agency must appoint a Privacy Officer
• PO handles all requests for information containing PHI and ensures compliance
When in doubt, refer the requestor to the Privacy Officer
13. In Texas
• Texas Health and Safety Code, Chapter 181: Medical Records Privacy
• Investigated by Attorney General
• Fines up to $250,000
• Possible revocation of provider license
14. Federal
• HHS civil fine
– $100 per violation up to $25,000/year
• Department of Justice
– Up to $250,000 and ten years federal prison
– Investigated by the FBI