Technology-related Healthcare Privacy
The Health Insurance Portability and Accountability Act (HIPAA) mandates privacy protection for individually identifiable health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act was later enacted to create new privacy provisions and expand certain existing ones under HIPAA where information technology is used for any health service. The statutes give the Department of Health and Human Services (HHS) regulatory rule-making authority to provide supplemental guidance. We cover the areas where privacy law and technology intersect.
Below is a very basic outline of healthcare privacy. Please contact us by email or phone to set up an appointment to discuss your needs in this area further.
HIPAA Privacy Rule
The Privacy Rule sets the minimum requirement under federal law; states can always require more privacy protection for Protected Health Information (PHI) under state law. Three types of Covered Entities (CE) come under the HIPAA Privacy Rule. They are:
“(1) A health plan: [Individual or group plan that provides, or pays the cost of, medical care.]
(2) A health care clearinghouse: [A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and value-added networks and switches, that does either of the following functions:
(1) Processes or facilitates the processing of health information…
(2) Receives a standard transaction…]
(3) A health care provider who transmits any health information in electronic form in connection with a transaction….” 45 C.F.R. § 160.103.
Business Associate (BA): “[It] means, with respect to a covered entity, a person who:
(i) On behalf of such covered entity …creates, receives, maintains, or transmits protected health information for a function…, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing.
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation…, management, administrative, accreditation, or financial services to or for such covered entity….” 45 C.F.R. § 160.103.
Therefore, HIPAA privacy requirements also apply to Business Associates, which provide certain services to Covered Entities (CE). Third-party contractors of a Business Associate (BA) that provide services to the BA and handle Protected Health Information (PHI) also come under this rule.
Business Associate Agreement (BAA): A Covered Entity (CE) enters into an agreement with its Business Associate that defines the nature and boundaries of the BA's use of PHI. The Covered Entity is not responsible for a Business Associate's hiring of third-party contractors to complete its services; the Business Associate must have a contract with those third-party contractors that reflects the terms of its agreement with the CE.
Consent for use or disclosure: “A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations.” 45 CFR § 164.506(b)(1). “A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.” 45 CFR § 164.506(c)(1).