HIPAA. Privacy and Security Frequently Asked Questions for Employers. Gallagher Benefit Services, Inc.

2013 HIPAA Privacy and Security Frequently Asked Questions for Employers. Gallagher Benefit Services, Inc.

Disclaimer

We share this information with our clients and friends for general informational purposes only. It does not necessarily address all of your specific issues. It should not be construed as, nor is it intended to provide, legal advice. Questions regarding specific issues and the application of these rules to your plans should be addressed by your legal counsel. This set of FAQs is intended to be used in conjunction with the HIPAA: Privacy and Security Executive Summary. It is intended to cover, and is focused on, HIPAA as it applies to our clients, not as it applies to GBS as a Business Associate. Please refer to BOSS standards if you have questions regarding GBS responsibilities as a Business Associate.

Contents

General
- Does HIPAA protect all personal information or only personal health information?
- Who must comply with HIPAA?
- Who is a covered entity?
- Who are business associates?

Covered Entity
- Since business associates are governed by HIPAA, is it necessary for a covered entity to have a contract with its business associates?
- Is a covered entity liable for, or required to monitor, the actions of its business associates?
- If a covered entity has a compliant business associate agreement with a business associate that is a business associate agent, is the covered entity permitted to rely solely on the business associate agreement for the business associate's compliance?
- Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule?
- Are all health plans considered covered entities and therefore subject to HIPAA?
- Is a health care flexible spending account a covered entity for purposes of the Privacy Rule?
- Are group health plans required to create and maintain specific documents in order to access, use and disclose PHI?
- Is a group health plan sponsor a covered entity under HIPAA?
- If an employer offers a fully insured group health plan, is the fully insured group health plan subject to all of the Privacy Rule provisions?

Business Associates
- Is an entity that is acting as a third party administrator to a group health plan a covered entity?
- May a covered entity share PHI directly with another covered entity's business associate?
- Is a health insurance company, service organization such as Blue Cross, or HMO that provides health insurance to a group health plan a business associate of the group health plan?
- Is a physician or other health care provider a business associate of a health plan or other payer?
- Is a reinsurer or stop loss carrier a business associate of a health plan?
- Is a software vendor a business associate of a covered entity?
- Is a business associate agreement required with organizations or persons where inadvertent contact with PHI may result, such as in the case of janitorial services?
- Would business associate agreements in electronic form, with an electronic signature, satisfy the HIPAA Privacy Rule's business associate agreement requirements?
- Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?
- If the only PHI a business associate receives is a limited data set, does the HIPAA Privacy Rule require the covered entity to enter into both a business associate agreement and a data use agreement with the business associate?

Permitted and Required Disclosures of PHI
- When does the Privacy Rule require a covered entity such as a group health plan to disclose PHI?
- When is a covered entity such as a group health plan permitted to disclose PHI?
- What actions must a plan sponsor take regarding permitted uses and disclosures?
- Assuming a use or disclosure is authorized, required or permitted, are there any limitations on the use or disclosure of PHI under these circumstances?

Minimum Necessary Standard
- Does the minimum necessary standard apply to all uses and disclosures?
- Are business associates required to restrict their uses and disclosures to the minimum necessary?
- May a covered entity reasonably rely on a request from a covered entity's business associate as the minimum necessary?
- How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?
- Is a covered entity required to apply the HIPAA Privacy Rule's minimum necessary standard to a disclosure of PHI it makes to another covered entity?
- Must the HIPAA Privacy Rule's minimum necessary standard be applied to uses or disclosures that are authorized by an individual?

Individual Rights with Respect to Their Own PHI
- Does the HIPAA Privacy Rule require a covered entity or business associate to provide individuals with access to their PHI or an accounting of disclosures, or an opportunity to amend PHI?
- Does the right to access PHI provide an individual with unlimited ability to access his or her PHI?
- Does the individual have the right to request that his or her PHI be amended?
- Must a group health plan agree to an individual's request to restrict uses and disclosure of the individual's PHI?
- Does the right to an accounting mean that group health plans must provide an individual with a complete accounting of all disclosures of that individual's PHI from the very first disclosure through the date of the request?
- Must a group health plan accommodate all requests to communicate with an individual in a confidential manner?

Authorization to Use and Access PHI
- May a covered entity disclose PHI specified in an authorization, even if that information was created after the authorization was signed?
- Must an authorization include an expiration date?

Personal Representatives and Minors
- Must the authorization to use, access or disclose PHI, when required, come from the individual whose PHI is sought to be used, accessed or disclosed, or can the authorization come from the employee or the individual's personal representative?
- Can the personal representative of an adult or emancipated minor obtain access to the individual's PHI?
- Does the HIPAA Privacy Rule allow parents the right to see their children's PHI?
- When an individual reaches the age of majority or becomes emancipated, who controls the PHI concerning health care services rendered while the individual was an unemancipated minor?

Incidental Disclosures
- Are covered entities required to document incidental disclosures permitted by the HIPAA Privacy Rule in an accounting of disclosures provided to an individual?
- Is a covered entity required to prevent all incidental uses or disclosures of PHI?

Workers' Compensation
- If a State law says that a covered entity may disclose records relating to the treatment provided to an injured worker to a workers' compensation insurer for purposes of determining the amount of or entitlement to payment under the workers' compensation system, is the covered entity permitted to disclose this information under the HIPAA Privacy Rule?

Notice of Privacy Practices
- Is it sufficient to provide a new enrollee with a notice of privacy practices only upon enrollment?
- Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?
- Are covered entities permitted to give individuals a layered notice?
- Are group health plans required to make a good faith effort to obtain from their enrollees a written acknowledgement of receipt of the notice?
- Does a group health plan have to provide a copy of its notice to each dependent receiving coverage under a policy?
- Is a group health plan required to periodically notify enrollees about the availability, and how to obtain a copy, of its Notice of Privacy Practices?

Security Rule
- What is the purpose of the HIPAA Security Rule?
- Who is required to comply with the Security Rule?
- Does the Security Rule apply to written and oral communications?
- Do the standards of the Security Rule require use of specific technologies?
- What is a security standard?
- What is an implementation specification?
- What is the difference between addressable and required implementation specifications in the Security Rule?
- What does the Security Rule mean by administrative safeguards?
- What does the Security Rule mean by physical safeguards?
- What does the Security Rule mean by technical safeguards?
- Is the use of encryption mandatory in the Security Rule?
- What is encryption?
- Do the Security Rule requirements for access control, such as automatic logoff, apply to employees who telecommute or have home-based offices if the employees have access to electronic PHI (ePHI)?
- Does the Security Rule allow for sending electronic PHI (ePHI) in an email or over the Internet? If so, what protections must be applied?
- Under the Security Rule, must plan sponsors report security incidents to the group health plan? If so, what types of incidents must be reported and what level of detail is required?
- Are we required to certify our organization's compliance with the standards of the Security Rule?
- How does a covered entity know if it is compliant with the Security Rule's requirements?
- Does the Security Rule allow a covered entity to network computers, i.e., connect two computer systems, either within the covered entity, between two covered entities, or between a covered entity and its business associate(s), so that they can exchange information directly?

Disposal of PHI and Media Containing PHI
- What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of PHI?
- May a covered entity dispose of PHI in dumpsters accessible by unauthorized individuals or by the public?
- May a covered entity hire a business associate to dispose of PHI?
- May a covered entity reuse or dispose of computers or other electronic media that store electronic PHI?

Breaches
- Do all impermissible uses and disclosures of PHI constitute a breach?
- In the event of an impermissible use or disclosure of PHI, what should I, as a covered entity, do to make the appropriate determination of whether a breach did in fact occur?
- How can PHI be secured?
- If a covered entity experiences a breach of unsecured PHI, who must be notified?
- If a covered entity does experience a breach, when will it be required to notify affected individuals and what information must be contained in the notification?
- Other than notifying affected individuals that their PHI may have been involved in a breach, does a covered entity need to notify governmental authorities or local media outlets?

Preemption of State Law
- When is a State law "contrary" to the HIPAA Privacy or Security Rule?
- When is a State law "more stringent" than the HIPAA Privacy or Security Rule?
- A State law provides greater privacy protections on patients' HIV information than the HIPAA Privacy Rule. Is this more protective State law preempted by the Privacy Rule?

Penalties for HIPAA Violations
- Compliance with all these requirements appears daunting; what could happen if a covered entity does not make a good faith effort to comply?

General

1. Does HIPAA protect all personal information or only personal health information?

Actually, neither. HIPAA only covers protected health information (PHI). PHI is all "individually identifiable health information" in any form or media, electronic or non-electronic, that is held or transmitted by a covered entity such as a group health plan, including oral communication. PHI includes electronic PHI (ePHI), which is PHI that is transmitted or maintained in electronic media. The Security Rule specifically relates to ePHI. The Privacy Rule and Breach Notification requirements apply to all PHI.

"Individually identifiable health information" is information, including demographic data, created or received by a health care provider, health plan, or health care clearinghouse, that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for health care to an individual, and that identifies an individual (or could reasonably be used to identify an individual).

If information is "de-identified," then it is not PHI and is not covered by the HIPAA Privacy and Security Rules. De-identified information is information that does not identify any individual and for which there is no reasonable basis to believe that the information can be used to identify an individual. In order to be de-identified, the following specific data elements must be removed:

- Names
- All geographic information relating to subdivisions smaller than a state, except for the initial three digits of zip codes, as long as any area formed by the zip codes sharing the same initial three digits that has fewer than 20,000 people is grouped into a single 000 zip code
- All elements of dates except year for dates directly related to an individual (e.g., birth date or admission date), and information indicative of age
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code

2. Who must comply with HIPAA?

The HIPAA Rules apply to covered entities and business associates.
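To make the de-identification list above concrete, here is an added Python example (not code from the original FAQ or from Gallagher Benefit Services). It removes the listed identifier fields from a structured record, reduces individual-related dates to the year, applies the three-digit zip code rule with the 20,000 threshold stated above, and then scans any remaining free-text field for patterns that look like leftover identifiers. The record layout, the sample record, and the three-digit zip code population table are constructed assumptions.

```python
"""Safe Harbor style de-identification of a structured health record.

Added example: not code from the original FAQ or from Gallagher Benefit
Services. Field names, the sample record and the population table are
constructed assumptions for illustration.
"""
import re
from datetime import date

# Record fields that must be removed outright (assumed record layout,
# mapped onto the identifier list given in the FAQ).
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "medical_record_number", "beneficiary_number", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "photo",
}
# Fields holding dates tied to the individual: only the year may survive.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}

# Constructed population counts for three-digit zip code areas (assumption).
ZIP3_POPULATION = {"021": 700_000, "036": 15_000}


def generalize_zip(zip_code, population=ZIP3_POPULATION):
    """Keep the first three digits unless the area they cover has fewer
    than 20,000 people, in which case use 000. Areas missing from the
    table are treated conservatively as small."""
    digits = re.sub(r"\D", "", str(zip_code))
    prefix = digits[:3]
    if len(prefix) < 3 or population.get(prefix, 0) < 20_000:
        return "000"
    return prefix


def generalize_date(value):
    """Reduce a date (ISO string or datetime.date) to its year."""
    if isinstance(value, date):
        return value.year
    return date.fromisoformat(str(value)).year


def deidentify(record, population=ZIP3_POPULATION):
    """Return a copy of `record` with the listed identifiers removed or
    generalized. Other fields pass through unchanged."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if key in DATE_FIELDS:
            out[key.removesuffix("_date") + "_year"] = generalize_date(value)
        elif key == "zip":
            out["zip3"] = generalize_zip(value, population)
        else:
            out[key] = value
    return out


# Patterns for identifiers that tend to hide in free text.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def find_residual_identifiers(text):
    """Names of the patterns that match somewhere in `text`, sorted."""
    return sorted(name for name, pat in RESIDUAL_PATTERNS.items() if pat.search(text))


def residual_identifier_report(record):
    """List what still looks like an identifier in `record`; an empty
    list means nothing was flagged (a heuristic, not a proof)."""
    problems = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in DATE_FIELDS or key == "zip":
            problems.append(f"{key}: identifier field still present")
        elif isinstance(value, str):
            problems.extend(f"{key}: looks like {hit}" for hit in find_residual_identifiers(value))
    return problems


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "zip": "03601",
    "birth_date": "1975-03-14",
    "admission_date": date(2013, 6, 2),
    "diagnosis_code": "E11.9",
    "notes": "Follow-up call placed to 603-555-0100 on 2013-06-05.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    for problem in residual_identifier_report(cleaned):
        print("review:", problem)
```

The second pass is the point of the example: dropping named columns is not enough, because a notes field can still carry a phone number or a full date, which is exactly what the "any other unique identifying number, characteristic, or code" catch-all is about. The scan flags candidates for human review; it does not prove that a record is de-identified.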

3. Who is a covered entity?

Covered entities are:
- Health plans;
- Health care clearinghouses;
- Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Department of Health and Human Services (HHS) under HIPAA, such as electronic billing and fund transfers.

"Health plans" includes group health plans regardless of the type of employer sponsoring the plan (private, governmental or church). It also includes insurance companies, service organizations such as Blue Cross, and HMOs when they are providing health insurance. Covered entities are bound by the privacy standards even if they contract with others (called "business associates") to perform some of their essential functions.

4. Who are business associates?

Business associates are persons that perform, or assist a covered entity in performing, an activity that involves the use or disclosure of PHI, or who provide certain services to or for a covered entity. Key to this definition, though, is that the service in question must involve the use of PHI. Business associates of a group health plan may include TPAs; independent medical reviewers and UR entities; PBMs; vendors performing payroll services or data processing; vendors who administer COBRA, flexible benefit plans, dental or vision plans or certain disease management programs; and health insurance brokers and agents.

Employees of a covered entity are not business associates. Employers and other plan sponsors (such as a board of trustees) are not business associates either, nor is the union that represents workers covered under the group health plan. An insurance company is a covered entity under an insured health plan. Under a self-funded health plan where the insurance company functions as the TPA by providing claims and other services, the insurance company is a business associate, not a covered entity.

Covered Entity

5. Since business associates are governed by HIPAA, is it necessary for a covered entity to have a contract with its business associates?

Yes. Even though both entities are directly covered by the Privacy Rule, the covered entity still needs to create an agreement to govern the activities that involve the use of the PHI. This agreement is called a business associate agreement. All business associate agreements must include:
- Provisions requiring the business associate not to use or disclose PHI except as required or permitted by the Privacy Rule.
- Provisions requiring business associates to comply with the HIPAA Security Rule.
- Provisions requiring business associates to report to covered entities any impermissible use or disclosure of PHI, including any incident involving unsecured PHI that may constitute a breach.

- Provisions requiring business associates to obtain satisfactory assurances that subcontractors agree to comply with the underlying business associate agreement conditions and restrictions as applied to PHI.
- Provisions requiring the business associate to make available PHI in a designated record set to the covered entity so that the covered entity can comply with its Privacy Rule obligations.
- Provisions requiring the business associate to make any amendments to PHI in a designated record set as directed or agreed to by the covered entity.
- Provisions requiring the business associate to make its internal practices, books and records available to HHS for the purpose of determining compliance with the HIPAA Rules.

HIPAA's business associate provisions also apply to a business associate's subcontractors (persons or entities that provide services involving PHI to a business associate so that it can fulfill its contractual duties) if the subcontractors create, receive, maintain, or transmit PHI on behalf of business associates. Subcontractors need only have the ability to access PHI to become business associates; they do not need to actually access the information. The regulations include an example of a document shredding company hired by a TPA: the document shredding company is a business associate because it has the ability to access the PHI, even if it never does. Sample business associate agreement provisions are available on the Department of Health and Human Services website.

6. Is a covered entity liable for, or required to monitor, the actions of its business associates?

Maybe. The HIPAA Privacy Rule requires covered entities to enter into written contracts or other arrangements with business associates which protect the privacy of PHI, but covered entities are not required to monitor or oversee the means by which their business associates carry out privacy safeguards or the extent to which the business associate abides by the privacy requirements of the contract. Nor is the covered entity responsible or liable for the actions of its business associates. Business associates will be directly liable for civil money penalties for their violations of the HIPAA Rules. However, if a covered entity is aware of an activity or practice that constitutes a material breach or violation, the covered entity is required to take steps to cure the breach or end the violation and, if those steps are not successful, terminate the contract. Covered entities must also be cognizant of the actions of business associates that are also their agents.

7. If a covered entity has a compliant business associate agreement with a business associate that is a business associate agent, is the covered entity permitted to rely solely on the business associate agreement for the business associate's compliance?

No. Covered entities and business associates will be liable for the acts of their business associate agents (in this context, "agent" is not the same as an insurance agency; see the next paragraph for the definition of "agent"), regardless of whether the covered entity has a compliant business associate agreement in place. This is to ensure that where a covered entity or a business associate has delegated out an obligation under the HIPAA Rules, the covered entity or business associate remains liable for penalties associated with the failures of its business associate agent to perform the obligations on the covered entity's or business associate's behalf.

The determination of whether an agency relationship exists between a covered entity and its business associate (or between a business associate and its subcontractor) will be made under Federal common law principles. The essential factor in this determination is the right or authority of the covered entity to control the business associate's conduct in the course of performing a service on behalf of the covered entity.

8. Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule?

No. A covered entity is required to enter into a contract or other written arrangement with a business associate that meets the requirements of the Privacy Rule.

9. Are all health plans considered covered entities and therefore subject to HIPAA?

No. Health plans covered by the HIPAA Rules include group health plans, health insurers, service organizations such as Blue Cross, HMOs, insurers of long-term care policies (other than nursing home fixed indemnity policies), multiemployer health plans, multiple employer health plans, and any other individual and/or group plans providing or paying for the cost of medical care. The HIPAA requirements also apply to most government plans such as Medicare, Medicaid, Tricare and State Children's Health Insurance Plans. Unlike the HIPAA Portability rules and PPACA, this definition includes medical, dental, vision, hearing, prescription drug, medical flexible spending account plans, health reimbursement accounts, many wellness programs and employee assistance plans (except those that provide referral services only). It also includes on-site clinics. Health savings accounts are generally not health plans and are not subject to HIPAA.

A group health plan that has fewer than 50 participants and is administered solely by the employer that established and maintains the plan is not subject to the HIPAA Privacy and Security Rules. For this definition, "participant" includes all employees or former employees of the employer who are or may become eligible to receive a benefit or whose beneficiaries may be eligible to receive benefits. As a result, if an employer maintains a health care flexible spending account (FSA) or health reimbursement arrangement (HRA) that is administered by a third party or has 50 or more participants, then that FSA or HRA plan must comply with the HIPAA Privacy and Security Rules even if only 25 employees are actually participating in the plan.

10. Is a health care flexible spending account a covered entity for purposes of the Privacy Rule?

Yes, unless it has fewer than 50 participants and is self-administered. Employee welfare benefit plans with fewer than 50 participants that are self-administered are not subject to the HIPAA Privacy and Security Rules. Dependent day care flexible spending accounts are not health plans.

11. Are group health plans required to create and maintain specific documents in order to access, use and disclose PHI?

Yes. In order for a group health plan to use and disclose PHI as permitted by the Privacy Rule, the group health plan must have a privacy policy that includes the following provisions:
a) An explanation of how the plan may use or disclose PHI, including which uses and disclosures are required, which are permitted and which will require an authorization.
b) A statement of the individual's rights, such as the opportunity to inspect and copy their own PHI, the opportunity to request an amendment to their PHI (although the plan is generally not required to agree), the opportunity to request a restriction on the disclosure of their PHI (although the plan is not required to agree), and the right to an accounting of disclosures not made as part of treatment, payment or health care operations or in response to an authorization.
c) The identity of the privacy official (title), contact information and procedures for complaints, and a statement concerning sanctions for violations of the privacy policy.
d) A statement that the group health plan will not intimidate, threaten, coerce, discriminate against or take other retaliatory action against individuals for exercising their HIPAA rights.
e) A statement that the plan will mitigate, to the extent possible, any harmful effects that become known to the plan from a use or disclosure that violates the privacy rules, and a statement that affected individuals will be notified in the event of a breach of unsecured PHI.
f) A statement that the group health plan will make the plan's internal practices, books and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services for compliance purposes.
g) A statement that the group health plan will ensure that adequate separation exists between employees who are authorized to use PHI and those who are not; describe those employees or classes of employees to be given access to the PHI; restrict the access to and use of PHI to these employees; and provide an effective mechanism for resolving any issues of noncompliance by persons who have access to PHI.
In addition, in order for the group health plan to disclose PHI to the plan sponsor, the group health plan must obtain a written certification from the plan sponsor that the plan sponsor agrees to:
a) Not use or further disclose PHI other than as permitted or required by the plan documents or as required by law;
b) Ensure that any agents to whom it provides PHI agree to the same restrictions and conditions that apply to the plan sponsor;
c) Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit plan of the plan sponsor;
d) Report to the group health plan any use or disclosure of PHI that is inconsistent with the permitted or required uses or disclosures.

12. Is a group health plan sponsor a covered entity under HIPAA?

No. Employers are not covered entities. Covered entities under HIPAA are health care clearinghouses, most health care providers, and health plans. A group health plan is one type of health plan and is a covered entity (except for self-administered plans with fewer than 50 eligible participants). The group health plan is considered to be a separate legal entity from the employer or other parties that sponsor the group health plan. However, the Privacy Rule does control the conditions under which the group health plan may share PHI with the employer (or plan sponsor, if not the employer) when the information is necessary for the plan sponsor to perform certain administrative functions on behalf of the group health plan. Among these conditions is receipt of a certification from the employer or plan sponsor that the health information will be protected as required by the Privacy Rule, will not be used for other benefit plans without authorization from the individual who is the subject of the PHI, and will not be used for employment-related actions.

13. If an employer offers a fully insured group health plan, is the fully insured group health plan subject to all of the Privacy Rule provisions?

The Privacy Rule recognizes that certain fully insured group health plans may not need to satisfy all of the requirements of the Privacy Rule, since these responsibilities will be carried out by the health insurer, service organization or HMO with which the group health plan has contracted for coverage. For example, a fully insured group health plan that does not create or receive PHI, but only receives summary health information and enrollment or disenrollment information, is not required to provide a notice of privacy practices. Fully insured group health plans are exempt from most of the administrative responsibilities under the Privacy Rule. These health plans are still required to refrain from intimidating or retaliatory acts and from requiring an individual to waive their privacy rights. However, if these plans want to assist employees with claims questions, the plan administrator will need to obtain a written authorization from the individual who is the subject of the PHI, since resolving claims questions will virtually always involve disclosure of PHI.
Business Associates 14. Is an entity that is acting as a third party administrator to a group health plan a covered entity? No, providing services to or acting on behalf of a health plan does not transform a third party administrator (TPA) into a covered entity. Generally, a TPA of a group health plan would be acting as a business associate of the group health plan. An insurance company that is acting as a TPA to a self-funded group health plan is a business associate with respect to that particular health plan. The same insurance company will be a covered entity to a group health plan where it provides health insurance. 15. May a covered entity share PHI directly with another covered entity's business associate? Yes. If the HIPAA Privacy Rule permits a covered entity to share PHI with another covered entity, the covered entity is permitted to make the disclosure directly to a business associate acting on behalf of that other covered entity. 16. Is a health insurance company, service organization such as Blue Cross or HMO that provides health insurance to a group health plan a business associate of the group health plan? A health insurance service organization such as Blue Cross that is providing health insurance to a group health plan is a covered entity with respect to that group health plan. The relationship between the group health plan and the health insurer, service organization or HMO is defined by the Privacy Rule as an organized health care arrangement (OHCA), with respect to the individuals they jointly serve or have 6

14 served. Thus, these covered entities are permitted to share PHI that relates to the joint health care activities (operations) of the OHCA. However, where a group health plan contracts with a health insurance insurer or HMO to perform functions or activities or to provide services that are in addition to or not directly related to the joint activity of providing insurance, the health insurance insurer or HMO may be a business associate with respect to those additional functions, activities, or services. 17. Is a physician or other health care provider a business associate of a health plan or other payer? Generally, providers are covered entities not business associates. However, a business associate relationship could arise if the health care provider is performing another function on behalf of the group health plan such as providing claims review or case management services. 18. Is a reinsurer or stop loss carrier a business associate of a health plan? Generally, no. A reinsurer or stop loss carrier does not become a business associate of a health plan simply by selling a reinsurance policy to a health plan and paying claims under the reinsurance policy. If the reinsurance or stop loss contract is not a health insurance contract, then the reinsurer or stop loss carrier is not a covered entity. However, a business associate relationship could arise if the reinsurer is performing a function on behalf of, or providing services to, the health plan that do not directly relate to the provision of the reinsurance benefits. 19. Is a software vendor a business associate of a covered entity? The mere selling or providing of software to a covered entity does not give rise to a business associate relationship if the vendor does not have access to the PHI of the covered entity. If the vendor needs access to the PHI of the covered entity in order to provide its service, the vendor would be a business associate of the covered entity. 
For example, a software company that hosts the software containing PHI on its own server, or that accesses PHI when troubleshooting the software, is a business associate of a covered entity. In these situations, a covered entity would be required to enter into a business associate agreement before allowing the software company access to PHI.

20. Is a business associate agreement required with organizations or persons where inadvertent contact with PHI may result, such as in the case of janitorial services?

A business associate agreement is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of PHI, and where any access to PHI by such persons would be incidental, if at all. Generally, janitorial services that clean the offices or facilities of a covered entity are not business associates because the work they perform for covered entities does not involve the use or disclosure of PHI, and any disclosure of PHI to janitorial personnel that occurs in the performance of their duties (such as may occur while emptying trash cans) is limited in nature, occurs as a by-product of their janitorial duties, and could not be reasonably prevented. If a service is hired to do work for a covered entity where disclosure of PHI is not limited in nature (such as routine handling of records or shredding of documents containing PHI), it likely would be a business associate. However, when such work is performed under the direct control of the covered entity (e.g., on the covered entity's premises), the Privacy Rule permits the covered entity to treat the service as part of its workforce, and the covered entity need not enter into a business associate agreement with the service.

21. Would business associate agreements in electronic form, with an electronic signature, satisfy the HIPAA Privacy Rule's business associate agreement requirements?

Yes, assuming that the electronic contract satisfies the applicable requirements of State contract law. The Privacy Rule generally allows electronic documents, including business associate agreements, to qualify as written documents for purposes of meeting the Privacy Rule's requirements.

22. Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?

No. However, a covered entity must ensure through its contract with the business associate that the business associate's uses and disclosures of PHI and other actions are consistent with the covered entity's privacy policies, as stated in the covered entity's notice. Also, a covered entity may use a business associate to distribute its notice to individuals.

23. If the only PHI a business associate receives is a limited data set, does the HIPAA Privacy Rule require the covered entity to enter into both a business associate agreement and a data use agreement with the business associate?

No. Where a covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function, the covered entity satisfies the Privacy Rule's requirement that it obtain satisfactory assurances from its business associate with the data use agreement.
The covered entity must obtain a data use agreement from the business associate which must: (1) describe how the business associate is permitted to use and/or disclose the information, which must be consistent with the Privacy Rule; (2) establish who is permitted to use or receive the data set; (3) provide that the business associate will not further use or disclose the data set except as permitted by the agreement or required by law; (4) provide that it will notify the covered entity of any impermissible use or disclosure of which it becomes aware; and (5) provide that it will not contact the individuals involved. A limited data set is de-identified information which may also contain certain zip code and/or date information.

Permitted and Required Disclosures of PHI

24. When does the Privacy Rule require a covered entity such as a group health plan to disclose PHI?

The Privacy Rule requires group health plans to disclose PHI in only two instances:
1. to the individual who is the subject of the PHI when the individual requests it, and
2. to the Secretary of the Department of Health and Human Services when the Secretary is undertaking a compliance investigation or review, or an enforcement action.

25. When is a covered entity such as a group health plan permitted to disclose PHI?

A group health plan is prohibited from "using" or "disclosing" PHI except:
(a) With written authorization from the individual who is the subject of the PHI (this may not be the employee); or
(b) As explicitly permitted by the Privacy Rule; or
(c) As required by the Privacy Rule.

Health information is "used" when shared within the entity that holds the information (internal), while health information is "disclosed" when it is shared outside the entity (external). However, with the exception of psychotherapy notes and HIV antibody and antigen testing and treatment information, a group health plan with proper plan language in its documents does not need to obtain an individual's consent for the use and disclosure of PHI for payment or health care operations (or treatment for on-site clinics). A group health plan may not use or disclose genetic information for underwriting purposes even if the individual signs an authorization for such purposes. This prohibition applies regardless of when or where the genetic information originated.

26. What actions must a plan sponsor take regarding permitted uses and disclosures?

The plan sponsor will need to limit the employees who may access or use PHI to only those employees performing group health plan administrative functions (i.e., payment and health care operations). The plan sponsor may designate a class of employees (e.g., all employees assigned to a particular department) or individual employees. The plan sponsor may identify these employees in whatever way best reflects the plan sponsor's business needs, as long as participants can reasonably identify who will have access. For example, persons may be identified by naming individuals' job titles (e.g., Director of Human Resources), functions (e.g., employees with oversight responsibility for the TPA), divisions of the company (e.g., Employee Benefits Department) or other entities related to the plan sponsor.

27. Assuming a use or disclosure is authorized, required or permitted, are there any limitations on the use or disclosure of PHI under these circumstances?
Even when the group health plan may use or disclose PHI in accordance with the Privacy Rule, the group health plan must make reasonable efforts to limit PHI to the "minimum necessary" to accomplish the intended purpose of the use, disclosure, or request for PHI. The minimum necessary standard is intended to make covered entities evaluate their practices and enhance protections as needed to prevent unnecessary or inappropriate access to PHI. The group health plan must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary. For routine uses of information, the Privacy Rule permits a group health plan to adopt general procedures for determining what the minimum necessary information is, and then to apply those general procedures. For example, a group health plan may take two steps: (1) identify persons or classes of persons in its workforce who need access to PHI to carry out their duties and job responsibilities; and (2) for each person or class of persons, identify the category or categories of PHI to which access is needed and any conditions appropriate to that access. For example, a group health plan could develop procedures that allow certain employees or classes of employees unrestricted access to aggregate claims information for rating/accounting/budgeting purposes. However, the procedures could require approval from the departmental manager to obtain an individual's specific identifiable claims records to determine the cause of the claims that influence the rating/accounting/budgeting decisions.

HIPAA also requires a covered entity to limit the use, disclosure, or request of PHI, to the extent practicable, to the limited data set or, if the covered entity needs additional information, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request. A limited data set excludes 16 types of identifiers, such as name, social security number, address, e-mail address, and telephone number, but may include certain zip code and/or date information.

Minimum Necessary Standard

28. Does the minimum necessary standard apply to all uses and disclosures?

The minimum necessary standards of the Privacy Rule do not apply to the following:
a) Disclosures to or requests by a health care provider for treatment purposes.
b) Disclosures to the individual who is the subject of the information.
c) Uses or disclosures made pursuant to an authorization.
d) Disclosures to HHS when disclosure is required under the Rule for investigation, compliance review or enforcement purposes.
e) Uses or disclosures that are required to comply with the Privacy Rule or by other federal law.

29. Are business associates required to restrict their uses and disclosures to the minimum necessary? May a covered entity reasonably rely on a request from a covered entity's business associate as the minimum necessary?

A business associate agreement must limit the business associate's uses and disclosures of, as well as requests for, PHI to be consistent with the covered entity's minimum necessary policies and procedures. A covered entity is permitted to reasonably rely on such requests from a business associate as the minimum necessary.

30. How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?
The HIPAA Privacy Rule requires a covered entity to make reasonable efforts to limit uses and disclosures of, and requests for, PHI to the minimum necessary to accomplish the intended purpose. To allow covered entities the flexibility to address their unique circumstances, the Privacy Rule requires covered entities to make their own assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly. This is not an absolute standard, and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with reasonable practices to limit the unnecessary sharing of health information.

31. Is a covered entity required to apply the HIPAA Privacy Rule's minimum necessary standard to a disclosure of PHI it makes to another covered entity?

Covered entities are required to apply the minimum necessary standard to their own requests for PHI. One covered entity may reasonably rely on another covered entity's request as the minimum necessary; it does not need to engage in a separate minimum necessary determination. However, if a covered entity does not agree that the amount of information requested by another covered entity is reasonably necessary for the purpose, it is up to both covered entities to negotiate a resolution of the dispute as to the amount of information needed.

32. Must the HIPAA Privacy Rule's minimum necessary standard be applied to uses or disclosures that are authorized by an individual?

No. Uses and disclosures that are authorized by the individual are exempt from the minimum necessary requirements. For example, if a covered health care provider receives an individual's authorization to disclose medical information to a life insurer for underwriting purposes, the provider is permitted to disclose the information requested on the authorization without making any minimum necessary determination. However, the authorization must meet all statutory requirements.

Individual rights with respect to their own PHI

33. Does the HIPAA Privacy Rule require a covered entity or business associate to provide individuals with access to their PHI or an accounting of disclosures, or an opportunity to amend PHI?

The Privacy Rule generally requires covered entities, not business associates, to provide individuals with access to their PHI, an opportunity to request an amendment to or a restriction of disclosures of PHI, and an accounting of PHI that is disclosed other than for treatment, payment or health care operations or in response to a written authorization.
This may include information in a designated record set held by a business associate, unless the information held by the business associate merely duplicates the information maintained by the covered entity. Therefore, the Privacy Rule requires covered entities to specify in the business associate agreement that the business associate must make such PHI available if and when needed by the covered entity to provide an individual with access to the information. However, the Privacy Rule does not prevent the parties from agreeing through the business associate agreement that the business associate will provide access to individuals, as may be appropriate where the business associate is the only holder of the designated record set, or part thereof.

If a covered entity amends PHI about an individual in a designated record set, it must amend the PHI in all designated record sets it maintains that contain that PHI and in any designated record sets (or copies thereof) held by a business associate. Therefore, the Rule requires covered entities to specify in the business associate agreement that the business associate must amend PHI in such records (or copies) when requested by the covered entity. The covered entity itself is responsible for addressing requests from individuals for amendment and coordinating such requests with its business associate. However, the Privacy Rule also does not prevent the parties from agreeing through the contract that the business associate will receive and address requests for amendment on behalf of the covered entity.

The Privacy Rule requires a covered entity to provide an accounting of certain disclosures, including certain disclosures by its business associate, to the individual upon request. This accounting does not need to include disclosures for treatment, payment or health care operations. The business associate agreement must provide that the business associate will make such information available to the covered entity in order for the covered entity to fulfill its obligation to the individual. As with access and amendment, the parties can agree through the business associate agreement that the business associate will provide the accounting to individuals, as may be appropriate given the PHI held by, and the functions of, the business associate.

34. Does the right to access PHI provide an individual with unlimited ability to access his or her PHI?

In general, no. Covered entities such as group health plans must give individuals the opportunity to inspect and/or obtain copies of their PHI. Only information held in the group health plan's "designated record set" must be made available. A designated record set includes information such as medical records, billing records, enrollment, payment, claims adjudication, and case or medical management record systems, or records used to make decisions about individuals. There are exceptions to this requirement, however, including information maintained in psychotherapy notes and information compiled for use in a civil, criminal, or administrative action. In the case of the exceptions, group health plans may deny individuals access to their PHI without providing the individual with an opportunity for review.

If the individual directs the covered entity, in writing, to transmit a copy of his or her PHI (or ePHI) directly to a specific entity or person named by the individual, the covered entity must transmit the information to that designated entity or person. The request to send PHI to another person must be clear and must specify to whom the PHI is to be transmitted. A covered entity that uses or maintains PHI in an electronic format must allow the covered individual to obtain a copy of his or her PHI in an electronic format. The information must be provided in the electronic format requested by the individual if it is readily producible in the requested format.
If it is not readily producible in the requested format, it may be provided in another mutually agreeable electronic format. Electronic formats could include Word, Excel, PDF or similar. The information must be provided within 30 days; however, the covered entity may under certain circumstances have an additional 30 days. The covered entity may impose a fee for providing the individual with a copy of his or her information (or a summary or explanation of the information) if the copy (or summary or explanation) is in an electronic form. The fee may not exceed the covered entity's labor costs to respond to the request for the copy (or summary or explanation). It may, however, include the cost of certain electronic media, such as flash drives or CDs, if the information is provided on those media.

35. Does the individual have the right to request that his or her PHI be amended?

Yes. A group health plan must permit individuals to request an amendment to their PHI held in the group health plan's designated record set for as long as the group health plan maintains the PHI. A group health plan may, however, deny an individual's request for amendment or correction if the information is accurate and complete, or if the group health plan determines that the PHI (a) was not created by the group health plan, (b) is not part of the designated record set, or (c) is not available for the individual's inspection. Since PHI such as medical records is not created by group health plans but, rather, is created by health care providers, the amendment process should not have a significant effect on group health plans (the same would generally apply to records such as claims files maintained by a health insurance issuer or TPA).

36. Must a group health plan agree to an individual's request to restrict uses and disclosures of the individual's PHI?

No.
Group health plans must permit individuals to request restrictions on: (a) the uses and disclosures of their PHI for treatment, payment or health care operations, and (b) certain disclosures to family members, other relatives, close personal friends or others identified by the individual. For instance, an individual may request a restriction regarding disclosures to family members. Group health plans are not required to agree to the requested restrictions, however, and may deny the request for any reason. If the group health plan agrees to a requested restriction, the group health plan may not use or disclose PHI in violation of the restriction, except in the case of emergency treatment where the restricted PHI is needed to provide the emergency treatment. If the restricted PHI is disclosed to a health care provider for emergency treatment, the group health plan must request that such health care provider not further use or disclose the information.

Health care providers (but not other covered entities) must comply with a requested restriction if: (a) the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment), unless otherwise required by law; and (b) the PHI relates solely to a health care item or service for which the health care provider involved has been paid out-of-pocket and in full. For example, if a covered individual pays a health care provider for a service out-of-pocket and in full, the health care provider may not release the information to the group health plan if the covered individual has asked that the information be restricted.

37. Does the right to an accounting mean that group health plans must provide an individual with a complete accounting of all disclosures of that individual's PHI from the very first disclosure through the date of the request?

No. Upon request, individuals have a right to receive an accounting of instances where their PHI is disclosed by the group health plan or by one of the plan's business associates (such as the TPA).
The Privacy Rule does not require an accounting for certain disclosures, the more common of which are disclosures: (a) for carrying out treatment, payment or health care operations; (b) to the individual or the individual's personal representative; (c) pursuant to an authorization; and (d) for notification of, or to, persons involved in an individual's care. This right applies to disclosures made in the six years prior to the date on which the accounting of the disclosures is requested (three years under proposed regulations). Group health plans must have procedures to give individuals an accurate accounting of the disclosures. Such accounting must include the following: (a) the date of each disclosure; (b) the name and address of the organization or person who received the PHI; (c) a brief description of the information disclosed; and (d) for disclosures other than those made at the request of the individual, the purpose for which the information was disclosed. The accounting must be provided as soon as possible, but no later than 60 days after receipt of the request. If the information is maintained offsite, the group health plan may have a one-time extension of 30 days, provided the individual is notified, within the initial 60-day period, of the delay and the date by which the information will be provided. (Proposed regulations would decrease the 60-day period to 30 days.)

38. Must a group health plan accommodate all requests to communicate with an individual in a confidential manner?

No. Individuals have the right to request that a group health plan communicate with them regarding their PHI either by an alternative means or at an alternative location, if such requests are reasonable. "Reasonableness" is based upon the administrative difficulty in accommodating the request, not on the perceived merits of the request. A group health plan must accommodate such reasonable requests only if the individual clearly states that disclosing all or part of the information could put him or her in danger. Health plans may require that the confidentiality request be in writing and may condition its accommodation on the individual specifying the alternative address or method of contact the individual wants to use. A group health plan can also require an explanation of how disclosure of all or part of the PHI could endanger the individual, but the group health plan cannot question the individual's explanation of the potential danger.

Authorization to use and access PHI

39. May a covered entity disclose PHI specified in an authorization, even if that information was created after the authorization was signed?

Yes, provided that the authorization encompasses the category of information that was later created, and that the authorization has not expired or been revoked by the individual. Unless otherwise expressly limited by the authorization, a covered entity may use or disclose the PHI identified in the authorization regardless of when the information was created.

40. Must an authorization include an expiration date?

The Privacy Rule requires that an authorization contain either an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. For example, an authorization may expire "one year from the date the authorization is signed," "upon the minor's age of majority," or "upon termination of enrollment in the health plan." An authorization remains valid until its expiration date or event, unless effectively revoked in writing by the individual before that date or event.

Personal representative and minors

41. Must the authorization to use, access or disclose PHI, when required, come from the individual whose PHI is sought to be used, accessed or disclosed, or can the authorization come from the employee or the individual's personal representative?
The authorization must come from the individual who is the subject of the PHI, not the employee, unless the individual has designated the employee as his or her personal representative in writing. There is an exception for minor children. The Privacy Rule requires a covered entity such as a group health plan to treat a properly designated personal representative as if the personal representative were the individual for purposes of HIPAA's Privacy Rule.

42. Can the personal representative of an adult or emancipated minor obtain access to the individual's PHI?

The HIPAA Privacy Rule treats an adult or emancipated minor's personal representative as the individual for purposes of the Rule regarding the health care matters that relate to the representation, including the right of access. The scope of access will depend on the authority granted to the personal representative by other law.

43. Does the HIPAA Privacy Rule allow parents the right to see their children's PHI?

Yes, the Privacy Rule generally allows a parent to have access to the PHI about his or her minor child, as the minor child's personal representative, when such access is not inconsistent with State or other law.

44. When an individual reaches the age of majority or becomes emancipated, who controls the PHI concerning health care services rendered while the individual was an unemancipated minor?

The individual who is the subject of the PHI can exercise all rights granted by the HIPAA Privacy Rule with respect to all PHI about him or her, including information obtained while the individual was an unemancipated minor, consistent with State or other law. Generally, the parent would no longer be the personal representative of his or her child once the child reaches the age of majority or becomes emancipated, and therefore would no longer control the health information about his or her child. Of course, any individual can have a personal representative, which may include a parent, who can exercise rights on his or her behalf.

Incidental Disclosures

45. Are covered entities required to document incidental disclosures permitted by the HIPAA Privacy Rule in an accounting of disclosures provided to an individual?

No. The Privacy Rule includes a specific exception from the accounting standard for incidental disclosures permitted by the Rule.

46. Is a covered entity required to prevent all incidental uses or disclosures of PHI?

No. The HIPAA Privacy Rule does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Rule requires only that covered entities implement reasonable safeguards to limit incidental uses or disclosures.

Workers' Compensation

47. If a State law says that a covered entity may disclose records relating to the treatment provided to an injured worker to a workers' compensation insurer for purposes of determining the amount of, or entitlement to, payment under the workers' compensation system, is the covered entity permitted to disclose this information under the HIPAA Privacy Rule?

Yes.
A covered entity is permitted to disclose an individual's PHI as necessary to comply with, and to the full extent authorized by, workers' compensation law.

Notice of Privacy Practices

48. Is it sufficient to provide a new enrollee with a notice of privacy practices only upon enrollment?

No. The notice of privacy practices must be provided to new enrollees at the time of enrollment, and to the individuals currently covered under the group health plan within 60 days of a material revision to the notice. In addition, at least once every three years, the plan must notify employees covered by the plan of the availability of the notice of privacy practices and how to obtain a copy. If the plan sponsor maintains a website that provides information about the group health plan, then the plan sponsor may post, in a prominent location, a copy of the notice of privacy practices with the group health plan information.

49. Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?

No. However, a covered entity must ensure through its contract with the business associate that the business associate's uses and disclosures of PHI and other actions are consistent with the covered entity's privacy policies, as stated in the covered entity's notice.

50. Are covered entities permitted to give individuals a layered notice?

Yes. Covered entities may use a layered notice to implement the HIPAA Privacy Rule's requirements. For example, a covered entity may satisfy the notice requirements by providing the individual with both a short notice that briefly summarizes the individual's rights, as well as other information, and a longer notice, layered beneath the short notice, that contains all of the elements required by the Privacy Rule.

51. Are group health plans required to make a good faith effort to obtain from their enrollees a written acknowledgement of receipt of the notice?

No. Under the HIPAA Privacy Rule, only covered health care providers that have a direct treatment relationship with individuals are required to make a good faith effort to obtain the individual's acknowledgment of receipt of the notice.

52. Does a group health plan have to provide a copy of its notice to each dependent receiving coverage under a policy?

No. A health plan satisfies the HIPAA Privacy Rule's requirements for providing the notice by distributing its notice to employees covered under the plan. However, the group health plan must also provide a copy of the notice to COBRA qualified beneficiaries covered under the plan and to anyone who requests a copy.

53. Is a group health plan required to periodically notify enrollees about the availability, and how to obtain a copy, of its Notice of Privacy Practices?

Yes.
The Privacy Rule requires a group health plan to remind enrollees of the availability of its Notice of Privacy Practices, as well as how to obtain a copy, at least once every 3 years. Health plans may satisfy this requirement in a number of ways, including by:
(a) Sending a copy of their Notice of Privacy Practices.
(b) Mailing only a reminder concerning the availability of the Notice of Privacy Practices and information on how to obtain a copy.
(c) Including information about the availability of the Notice of Privacy Practices and how to obtain a copy in a plan-produced newsletter, as part of annual open enrollment communications, or in another publication.

Security Rule

54. What is the purpose of the HIPAA Security Rule?

The purpose of the Security Rule is to ensure that every covered entity has implemented safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI). Standards for security were added in response to the increase in the exchange of PHI between covered entities as well as non-covered entities. The Security Rule establishes a Federal floor of standards to ensure the availability, confidentiality and integrity of ePHI. State laws which provide more stringent standards will continue to apply.

55. Who is required to comply with the Security Rule?

Both covered entities and business associates are required to comply with the Security Rule with respect to electronic PHI (ePHI).

56. Does the Security Rule apply to written and oral communications?

No. The standards and specifications of the Security Rule are specific to electronic PHI (ePHI). It should be noted, however, that ePHI also includes telephone voice response and fax-back systems, because they can be used as input and output devices for electronic information systems. ePHI does not include paper-to-paper faxes, video teleconferencing, or messages left on voice mail, because the information being exchanged did not exist in electronic form before the transmission. In contrast, the requirements of the Privacy Rule and the breach notification requirements apply to all forms of PHI, including written and oral.

57. Do the standards of the Security Rule require use of specific technologies?

No. The Security standards were designed to be "technology neutral" in order to facilitate use of varied technologies that meet the needs of different organizations and to accommodate changes in technology over time.

58. What is a security standard?

Standards are generally how a covered entity (or business associate) will protect the integrity, confidentiality, and availability of ePHI. There are three types of security standards: (1) administrative safeguards, such as risk management and workforce security; (2) physical safeguards, such as facility access limitations and device and media controls; and (3) technical safeguards, such as encryption and virus protection.

59. What is an implementation specification?

Implementation specifications are generally the methods a covered entity (or business associate) will use to satisfy the security standards. Implementation specifications are either required or addressable.

60. What is the difference between addressable and required implementation specifications in the Security Rule?
If an implementation specification is described as required, the specification must be implemented. The purpose of "addressable" implementation specifications is to provide covered entities some flexibility with respect to compliance with the security standards. In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification: (a) implement the addressable implementation specification; (b) implement one or more alternative security measures to accomplish the same purpose; or (c) where neither is reasonable and appropriate, implement neither the addressable implementation specification nor an alternative. The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. This decision will depend on a variety of factors, such as the entity's risk analysis, risk mitigation strategy, and what security measures are already in place. The covered entity's decisions regarding addressable specifications must be documented in writing and should include the factors considered as well as the results of the risk assessment on which the decision was based.

61. What does the Security Rule mean by administrative safeguards?

Administrative safeguards are the administrative actions, policies and procedures to protect a covered entity's ePHI. Administrative safeguards also manage the conduct of the entity's workforce with respect to protecting ePHI. Administrative safeguards include the security management process (such as risk analysis and risk management), workforce security, information access management, security awareness and training, security incident procedures and contingency planning. There are nine administrative standards and 21 implementation specifications.

62. What does the Security Rule mean by physical safeguards?

Physical safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized access. The standards under physical safeguards include facility access controls, workstation use, workstation security, and device and media controls. The Security Rule requires covered entities to implement physical safeguard standards for their electronic information systems whether such systems are housed on the covered entity's premises or at another location. There are four physical standards and eight implementation specifications.

63. What does the Security Rule mean by technical safeguards?

Technical safeguards are the policies and procedures for the use of technology, and the technology used, to protect the confidentiality, integrity and availability of ePHI. The Security Rule does not mandate the use of specific technology. Covered entities are required to determine what security measures would be reasonable and appropriate to protect ePHI as required by the Security Rule. The Security Rule has five technical standards and seven implementation specifications.

64. Is the use of encryption mandatory in the Security Rule?

No. The final Security Rule made the use of encryption an addressable implementation specification.
The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose not to implement the implementation specification or any equivalent alternative measure, and document the rationale for this decision. However, under the breach notification regulations only information that is either encrypted or destroyed is deemed to be secured. If there is a breach of unsecured PHI (all PHI, not just ePHI), the covered entity is required to provide notice of the breach to the affected individuals, the Department of Health and Human Services ("HHS") and, in some cases, the media.

65. What is encryption?
Encryption is a method of converting an original message of regular text into encoded text. The text is encrypted by means of an algorithm (a type of formula). If information is encrypted, there is a low probability that anyone other than the receiving party, who has the key to the code or access to another confidential process, would be able to decrypt (translate) the text and convert it into plain, comprehensible text. E-PHI must be encrypted using National Institute of Standards and Technology ("NIST") standards in order to be considered secured.

66. Do the Security Rule requirements for access control, such as automatic logoff, apply to employees who telecommute or have home-based offices if the employees have access to electronic PHI (e-PHI)?
Covered entities that allow employees to telecommute or work out of home-based offices, and have access to e-PHI, must implement appropriate safeguards to protect the ePHI. The automatic logoff implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its environment. If the entity decides that the automatic logoff implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose not to implement the implementation specification or any equivalent alternative measure, and document the rationale for this decision. The information access management and access control standards, however, require the covered entity to implement policies and procedures for authorizing access to e-PHI, and technical policies and procedures to allow access only to those persons or software programs that have been appropriately granted access rights.

67. Does the Security Rule allow for sending electronic PHI (e-PHI) in an e-mail or over the Internet? If so, what protections must be applied?
The Security Rule does not expressly prohibit the use of e-mail for sending e-PHI. However, the standards for access control, integrity, and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. The standard for transmission security also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows e-PHI to be sent over an open electronic network as long as it is adequately protected.

68. Under the Security Rule, must plan sponsors report security incidents to the group health plan? If so, what types of incidents must be reported and what level of detail is required?
Although a plan sponsor may not be a HIPAA covered entity subject to the Security Rule, it would nevertheless be obligated, through its plan documents, to report security incidents to the group health plan. Specifically, a required implementation specification requires the plan documents of the group health plan to require the plan sponsor to report to the group health plan any security incident of which it becomes aware. The group health plan and its plan sponsor must document the specifics of the reporting, including the frequency, level of detail, format and other relevant considerations (e.g., in aggregate or per incident, weekly or monthly). In addressing this required implementation specification, a group health plan may consider some of the following questions: what specific actions would be considered security incidents; how will incidents be documented and reported; what information should be contained in the documentation; how often, and to whom within the covered entity, should incidents be reported; what are the appropriate responses to certain incidents; and whether identifying patterns of attempted security incidents is reasonable and appropriate.

69. Are we required to certify our organization's compliance with the standards of the Security Rule?
No, there is no standard or implementation specification that requires a covered entity to certify compliance.
The evaluation standard requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity's security policies and procedures satisfy the security standards and implementation specifications. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluation services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations' certifications regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a certification by an external organization does not preclude HHS from subsequently finding a security violation.

70. How does a covered entity know if it is compliant with the Security Rule's requirements?
The purpose of the Security Rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of electronic PHI (e-PHI) that is collected, maintained, used or transmitted by a covered entity. Compliance is different for each organization, and no single strategy will serve all covered entities. Compliance is not a one-time goal but an ongoing process. Meeting the requirements set out in the standards and implementation specifications will assist covered entities in maintaining substantive compliance. By performing periodic technical and non-technical evaluations of the information security environment, a covered entity will be better able to ensure the security of e-PHI.

71. Does the Security Rule allow a covered entity to network computers, i.e., connect two computer systems, either within the covered entity, between two covered entities, or between a covered entity and its business associate(s), so that they can exchange information directly?
There is nothing in the Security Rule that prohibits the networking of computers, whether inside the same covered entity or between two unrelated covered entities that conduct business together.
However, the covered entity must demonstrate that it has evaluated the risks associated with a network connection, and document that it has established all of the safeguards (technical, physical and administrative) that would serve to reasonably protect the information that is exchanged over the network. That will include an assessment of everything from the firewall to the designation and training of the individuals who have access to the data.

Disposal of PHI and Media Containing PHI

72. What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of PHI?
Covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use. Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI. The rules also apply to ePHI that may be stored on other devices such as fax machines and photocopiers. To the extent that these machines retain information in memory, the covered entity must have procedures for removal of the ePHI before the equipment is returned (if leased), sold, recycled or otherwise disposed of. Further, covered entities must ensure that their workforce members receive training on, and follow, the disposal policies and procedures of the covered entity, as necessary and appropriate for each workforce member. Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers.

However, HIPAA does not require a particular disposal method. Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks, as well as consider such issues as the form, type, and amount of PHI to be disposed of. For instance, the disposal of certain types of PHI, such as name, social security number, driver's license number, debit or credit card number, diagnosis, treatment information, or other sensitive information, may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual's reputation. In general, examples of proper disposal methods may include, but are not limited to:
For PHI in paper records: shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
For PHI on electronic media: clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).

73. May a covered entity dispose of PHI in dumpsters accessible by unauthorized individuals or by the public?
No, unless the PHI has been rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to its being placed in a dumpster. In general, a covered entity may not dispose of PHI in paper records, PHI on electronic media, or other forms of PHI in dumpsters, recycling bins, garbage cans, or other trash receptacles generally accessible by the public or other unauthorized persons. HIPAA requires that covered entities apply appropriate safeguards to protect the privacy of PHI, in any form, including in connection with the disposal of such information.

74. May a covered entity hire a business associate to dispose of PHI?
Yes, a covered entity may, but is not required to, hire a business associate to appropriately dispose of PHI on its behalf. In doing so, the covered entity must enter into a contract or other agreement with the business associate that requires the business associate, among other things, to appropriately safeguard the PHI through the disposal process. Thus, for example, a covered entity may hire an outside vendor to pick up PHI in paper records or on electronic media from its premises; shred, burn, pulp, or pulverize the PHI, or purge or destroy the electronic media; and deposit the deconstructed material in a landfill or other appropriate area.

75. May a covered entity reuse or dispose of computers or other electronic media that store electronic PHI?
Yes, but only if certain steps have been taken to remove the ePHI stored on the computers or other media before their disposal or reuse, or if the media themselves are destroyed before disposal. The HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored, as well as implement procedures for removal of ePHI from electronic media before the media are made available for reuse. Depending on the circumstances, appropriate methods for removing ePHI from electronic media prior to reuse or disposal may be clearing (using software or hardware products to overwrite media with non-sensitive data) or purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains) the information from the electronic media. If circumstances warrant the destruction of the electronic media prior to disposal, destruction methods may include disintegrating, pulverizing, melting, incinerating, or shredding the media. Covered entities may contract with business associates to perform these services for them.

Breaches

76. Do all impermissible uses and disclosures of PHI constitute a breach?
No. HIPAA defines breach to generally mean the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the PHI with a significant risk of financial, reputational, or other harm. To determine whether an impermissible use or disclosure of PHI constitutes a breach under this standard, covered entities and business associates were required to perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. The final HIPAA Rule issued in January 2013 modified the definition of breach to clarify that an impermissible use or disclosure of unsecured PHI is presumed to be a breach, unless the covered entity demonstrates that there is a low probability that the PHI has been compromised. The final rule removed the harm standard and also modified the risk assessment to focus more objectively on the risk that the PHI has been compromised. Under the final rule, a breach notification is not required if the PHI is secured in accordance with HHS-specified standards or a covered entity demonstrates through a risk assessment that there is a low probability that the PHI has been compromised.
The new standard goes into effect on September 23, 2013.

77. In the event of an impermissible use or disclosure of PHI, what should I, as a covered entity, do to make the appropriate determination of whether a breach did in fact occur?
In conducting a risk assessment to assess whether the PHI has been compromised, the covered entity must look at the following factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person(s) who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. In addition, given the circumstances of the impermissible use or disclosure, additional factors may need to be considered to appropriately assess the risk that the unsecured PHI has been compromised. In explaining the new rules, HHS emphasized: "Covered entities and business associates must then evaluate the overall probability that the PHI has been compromised by considering all the factors in combination, and we expect these risk assessments to be thorough, completed in good faith, and for the conclusions reached to be reasonable." If an evaluation of the factors fails to demonstrate that there is a low probability that the PHI has been compromised, breach notification is required. However, a covered entity or business associate still has the discretion to provide the required breach notifications following an impermissible use or disclosure of PHI without performing a risk assessment.

78. How can PHI be secured?
With respect to PHI in paper form, you can secure it by shredding or otherwise destroying the PHI so that it is no longer usable or readable and cannot be reconstructed. HHS has stated that redacting does not result in the PHI being secured; it is not enough. With respect to electronic PHI, it can be secured by encrypting the PHI in accordance with the National Institute of Standards and Technology ("NIST") standards. In the alternative, the covered entity can destroy ePHI (PHI that is stored on hard drives, CD-ROMs, DVDs, tapes, flash drives or other electronic media devices), but this must be done in accordance with the NIST standards. A NIST Special Publication discusses these standards in greater detail, and the covered entity should work with its IT department regarding how to properly secure electronic PHI.

79. If a covered entity experiences a breach of unsecured PHI, who must be notified?
In the event of a breach of unsecured PHI, the covered entity must provide notice to the affected individuals and to the Department of Health and Human Services. In some cases the covered entity must also notify the media. The breach notification requirement is not restricted to ePHI; notification is required following the discovery of a breach of PHI in any form.

80. If a covered entity does experience a breach, when will it be required to notify affected individuals and what information must be contained in the notification?
Following the discovery of a breach of unsecured PHI, the covered entity is required to notify individuals whose PHI may have been breached without unreasonable delay, but in no case later than 60 calendar days from the discovery of the breach, except in circumstances where law enforcement has requested a delay.
A breach is treated as discovered by a covered entity on the first day the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity. The breach notification to affected individuals should include the following information: (1) a brief description of what happened, including the date of the breach (if known) and the date of the discovery of the breach; (2) a description of the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); (3) any steps individuals should take to protect themselves from potential harm resulting from the breach; (4) a brief description of what the covered entity is doing to investigate the breach, mitigate harm to individuals, and protect against any further breaches; and (5) contact procedures for individuals to ask questions or receive additional information, which must include a toll-free telephone number, an e-mail address, Web site, or postal address.

81. Other than notifying affected individuals that their PHI may have been involved in a breach, does a covered entity need to notify governmental authorities or local media outlets?
It depends on the number of people affected. In the event of a breach, the covered entity will need to notify the Department of Health and Human Services. For breaches affecting fewer than 500 individuals, covered entities must send the notification to the affected individuals, and must maintain a log of all such breaches and annually submit the log to the Department. The final breach notification rule clarifies that covered entities are required to notify the Department of all breaches of unsecured PHI affecting fewer than 500 individuals not later than 60 days after the end of the calendar year in which the breaches were discovered, not the calendar year in which the breaches occurred. Notification must be made via the Office of Civil Rights ("OCR") web page; OCR is the agency within the Department of Health and Human Services that is responsible for enforcement of the HIPAA Privacy and Security Rules. Covered entities are required to report breaches affecting 500 or more individuals to the Secretary using the same time frame as required for providing notification to affected individuals. In addition, if the breach affected more than 500 individuals in a particular State, then the covered entity must also provide the notification to the local media. Breaches involving more than 500 individuals who are residents of multiple States do not require notice to the media (assuming 500 or more affected individuals do not reside in a single State).

Preemption of State Law

82. When is a State law "contrary" to the HIPAA Privacy or Security Rule?
A State law is "contrary" to the HIPAA Privacy or Security Rules if it would be impossible for a covered entity to comply with both the State law and the Federal Privacy Rule requirements, or if the State law is an obstacle to accomplishing the full purposes and objectives of the HIPAA Privacy and Security Rules. For example, a State law that prohibits the disclosure of PHI to an individual who is the subject of the information may be contrary to the Privacy Rule, which requires the disclosure of PHI to an individual in certain circumstances. With certain exceptions, the Privacy Rule preempts "contrary" State laws.

83. When is a State law "more stringent" than the HIPAA Privacy or Security Rule?
In general, a State law is "more stringent" than the HIPAA Privacy or Security Rules if it relates to the privacy or security of PHI and provides greater protections for individuals' PHI, or greater rights to individuals with respect to that information, than the Privacy and Security Rules. For example, a State law that provides individuals with a right to inspect and obtain a copy of their PHI using a shorter time frame than permitted by the HIPAA Privacy Rule is "more stringent" than the Privacy Rule. If a more stringent provision of State law is contrary to a provision of the Privacy Rule (or Security Rule), the Privacy and Security Rules provide that the more stringent State law applies. Where the more stringent State law and the Privacy Rule are not contrary, covered entities must comply with both laws.

84. A State law provides greater privacy protections on patients' HIV information than the HIPAA Privacy Rule. Is this more protective State law preempted by the Privacy Rule?
No. The Privacy Rule establishes a floor of Federal privacy protections and rights for individuals. If a provision of State law provides greater privacy protection than a provision of the Privacy Rule, and it is possible to comply with both the State law and the Privacy Rule (e.g., where a State law prohibits the disclosure of HIV status while the Privacy Rule permits such disclosure), there is no conflict between the State law and the Privacy Rule, and no preemption. If a more stringent provision of State law protects HIV patient information and is contrary to the Privacy Rule, the "more stringent" State law would prevail.

Penalties for HIPAA violations

85. Compliance with all these requirements appears daunting; what could happen if a covered entity does not make a good faith effort to comply?
Potential penalties for HIPAA violations are substantial and tiered.

Tier A penalties apply to violations where the covered entity did not realize it violated HIPAA and would have handled the matter differently if it had. Fines range from $100 to $50,000 for each violation, with a maximum penalty for all violations of identical provisions of $25,000 (if $100 penalty) up to $1,500,000 (if $50,000 penalty) for the calendar year. If the covered entity establishes that the violation was not due to willful neglect and was corrected within 30 days, then HHS may not impose a penalty. The 30-day period runs from the first date that the covered entity or business associate knew, or, by exercising reasonable due diligence, would have known, that the violation occurred.

Tier B penalties apply to violations due to reasonable cause, but not willful neglect. Fines range from $1,000 to $50,000 for each violation, with a maximum penalty for all violations of identical provisions of $100,000 (if $1,000 penalty) up to $1,500,000 (if $50,000 penalty) for the calendar year. If the covered entity establishes that the violation was not due to willful neglect and was corrected within 30 days, then HHS may not impose a penalty. The 30-day period runs from the first date that the covered entity or business associate knew, or, by exercising reasonable due diligence, would have known, that the violation occurred.

Tier C penalties apply to violations due to willful neglect that the organization corrected within 30 days. Fines range from $10,000 to $50,000 for each violation, with a maximum penalty for all violations of identical provisions of $250,000 (if $10,000 penalty) up to $1,500,000 (if $50,000 penalty) for the calendar year. The 30-day period runs from the first date that the covered entity or business associate knew, or, by exercising reasonable due diligence, would have known, that the violation occurred.

Tier D penalties apply to violations due to willful neglect that the organization did not correct within 30 days. Fines are at least $50,000 for each violation, with a maximum penalty of up to $1,500,000 for the calendar year. The 30-day period runs from the first date that the covered entity or business associate knew, or, by exercising reasonable due diligence, would have known, that the violation occurred.

In addition to the penalties that HHS can impose, State attorneys general may also levy fines and seek attorneys' fees from covered entities on behalf of victims, and courts now have the ability to award costs, which they were previously unable to do.
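The breach determination and notification timeline of Questions 76 through 81 (presumption of breach for unsecured PHI, the four-factor risk assessment, the discovery date, the 60-day individual notice, the annual HHS log versus same-timeline HHS notice at 500 or more individuals, and local media notice above 500 in one State) can be captured as a small decision helper. The following is an added example written for this FAQ, not HHS or GBS code; the data classes, the "all four factors must be favorable" policy for claiming a low probability of compromise, and the sample incidents are assumptions made for the illustration.

```python
"""Breach-notification decision helper illustrating Questions 76-81 of the FAQ.

Added example, not part of the FAQ and not an HHS tool. Thresholds and
deadlines come from the FAQ text; field names, the risk-assessment policy and
the sample incidents below are assumptions made for this illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

INDIVIDUAL_NOTICE_DAYS = 60   # "in no case later than 60 calendar days" from discovery
HHS_ANNUAL_LOG_DAYS = 60      # small breaches: 60 days after the end of the calendar year
LARGE_BREACH = 500            # 500 or more individuals: HHS notified on the individual timeline
MEDIA_PER_STATE = 500         # more than 500 individuals in one State: local media notice


@dataclass
class RiskFactors:
    """The four Q77 factors. Each flag is True when the finding supports a LOW
    probability that the PHI was compromised (assumed encoding)."""
    limited_identifiers: bool       # nature/extent of PHI, likelihood of re-identification
    recipient_obligated: bool       # e.g. misdirected to another HIPAA-bound entity
    not_acquired_or_viewed: bool    # e.g. device recovered with forensic proof of no access
    risk_mitigated: bool            # e.g. recipient attested that the PHI was destroyed


@dataclass
class Incident:
    caused_by: str
    known_to: Dict[str, date]          # workforce member/agent -> date they learned of it
    affected_by_state: Dict[str, int]  # State -> number of affected individuals
    secured: bool                      # encrypted per NIST standards or destroyed (Q78)
    factors: Optional[RiskFactors] = None
    law_enforcement_delay: bool = False


def discovery_date(inc: Incident) -> date:
    """First day anyone other than the person committing the breach, who is a
    workforce member or agent of the entity, knew of it (Q80)."""
    dates = [d for who, d in inc.known_to.items() if who != inc.caused_by]
    if not dates:
        raise ValueError("breach not yet known to anyone but the person who caused it")
    return min(dates)


def low_probability_of_compromise(factors: Optional[RiskFactors]) -> bool:
    """Assumed policy: claim a low probability only when all four factors,
    considered in combination, support it. No assessment means the
    presumption of breach stands (Q76/Q77)."""
    if factors is None:
        return False
    return all(vars(factors).values())


def is_reportable_breach(inc: Incident) -> bool:
    """Impermissible use or disclosure of UNSECURED PHI is presumed a breach
    unless the entity demonstrates a low probability of compromise."""
    if inc.secured:
        return False   # secured PHI: no notification duty (Q64, Q76)
    return not low_probability_of_compromise(inc.factors)


def notification_plan(inc: Incident) -> dict:
    """Who must be notified and by when, following Q79-Q81."""
    if not is_reportable_breach(inc):
        return {"breach": False}
    discovered = discovery_date(inc)
    total = sum(inc.affected_by_state.values())
    # Individuals: without unreasonable delay, at most 60 calendar days after
    # discovery; a law-enforcement requested delay leaves the deadline open.
    individuals_by: Optional[date] = None
    if not inc.law_enforcement_delay:
        individuals_by = discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    if total >= LARGE_BREACH:
        hhs_by = individuals_by   # same time frame as the individual notices
    else:
        # Logged, then submitted within 60 days after the end of the calendar
        # year in which the breach was DISCOVERED (not in which it occurred).
        hhs_by = date(discovered.year, 12, 31) + timedelta(days=HHS_ANNUAL_LOG_DAYS)
    media: List[str] = sorted(s for s, n in inc.affected_by_state.items() if n > MEDIA_PER_STATE)
    return {"breach": True, "discovered": discovered, "affected": total,
            "individuals_by": individuals_by, "hhs_by": hhs_by, "media_states": media}


# Constructed sample incidents (not real events).
SMALL = Incident(caused_by="analyst",
                 known_to={"analyst": date(2013, 10, 1), "teammate": date(2013, 10, 3),
                           "privacy officer": date(2013, 10, 10)},
                 affected_by_state={"NY": 120}, secured=False)
LARGE = Incident(caused_by="contractor",
                 known_to={"contractor": date(2013, 11, 1), "helpdesk": date(2013, 11, 5)},
                 affected_by_state={"CA": 700, "NV": 300}, secured=False,
                 factors=RiskFactors(False, False, False, True))
ENCRYPTED_LAPTOP = Incident(caused_by="traveler",
                            known_to={"traveler": date(2013, 12, 2), "it": date(2013, 12, 2)},
                            affected_by_state={"TX": 5000},
                            secured=True)   # full-disk encryption meeting NIST guidance

if __name__ == "__main__":
    for name, inc in [("small", SMALL), ("large", LARGE), ("encrypted", ENCRYPTED_LAPTOP)]:
        print(name, notification_plan(inc))
```

The helper deliberately errs toward notification: a missing or partial risk assessment keeps the presumption of breach, and the entity always retains the discretion described in Q77 to notify without assessing.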


More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

HIPAA. HIPAA and Group Health Plans

HIPAA. HIPAA and Group Health Plans HIPAA HIPAA and Group Health Plans CareFirst BlueCross BlueShield is the business name of CareFirst of Maryland, Inc. and is an independent licensee of the Blue Cross and Blue Shield Association. Registered

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

HIPAA OVERVIEW ETSU 1

HIPAA OVERVIEW ETSU 1 HIPAA OVERVIEW ETSU 1 What is HIPAA? Health Insurance Portability and Accountability Act. 2 PURPOSE - TITLE II ADMINISTRATIVE SIMPLIFICATION To increase the efficiency and effectiveness of the entire health

More information

NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS

NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is by and between ( Covered Entity )and CONEX Med Pro Systems ( Business Associate ). This Agreement has been attached to,

More information

HIPAA Privacy Rule Primer for the College or University Administrator

HIPAA Privacy Rule Primer for the College or University Administrator HIPAA Privacy Rule Primer for the College or University Administrator On August 14, 2002, the Department of Health and Human Services ( HHS ) issued final medical privacy regulations (the Privacy Rule

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

HIPAA Privacy FAQ s. 3. Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?

HIPAA Privacy FAQ s. 3. Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do? HIPAA Privacy FAQ s 1. What is the HIPAA privacy regulation? Until Congress passed HIPAA in 1996, personal health information (PHI) was protected by a patchwork of federal and state laws. Patients health

More information

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets FULL POLICY CONTENTS Scope Policy Statement Reason for Policy Definitions ADDITIONAL DETAILS Web Address Forms Related Information

More information

PATIENT RECORDS PRIVACY POLICIES AND PROCEDURES FOR HIPAA COMPLIANCE (4/03)

PATIENT RECORDS PRIVACY POLICIES AND PROCEDURES FOR HIPAA COMPLIANCE (4/03) PATIENT RECORDS PRIVACY POLICIES AND PROCEDURES FOR HIPAA COMPLIANCE (4/03) Use and Disclosure of PHI: Protected Health Information ( PHI ) may not be used or disclosed in violation of the Health Insurance

More information

Statement of Policy. Reason for Policy

Statement of Policy. Reason for Policy Table of Contents Statement of Policy 2 Reason for Policy 2 HIPAA Liaison 2 Individuals and Entities Affected by Policy 2 Who Should Know Policy 3 Exclusions 3 Website Address for Policy 3 Definitions

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ), is made effective as of the sign up date on the login information page of the CarePICS.com website, by and between CarePICS,

More information

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013 HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group [email protected]

More information

Notice of Privacy Practices

Notice of Privacy Practices Notice of Privacy Practices This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. This Notice of

More information

HIPAA COMPLIANCE. What is HIPAA?

HIPAA COMPLIANCE. What is HIPAA? HIPAA COMPLIANCE What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) also known as the Privacy Rule specifies the conditions under which protected health information may be used

More information

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3 INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS I. Introduction 2 II. Definitions 3 III. Program Oversight and Responsibilities 4 A. Structure B. Compliance Committee C.

More information

BUSINESS ASSOCIATE AGREEMENT. Recitals

BUSINESS ASSOCIATE AGREEMENT. Recitals BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and

More information

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA TRAINING MANUAL HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA Table of Contents INTRODUCTION 3 What is HIPAA? Privacy Security Transactions and Code Sets What is covered ADMINISTRATIVE

More information

Professional Employer Organizations Obligations Under HIPAA A Summary

Professional Employer Organizations Obligations Under HIPAA A Summary NAPEO Legal InsightsTM Volume 2, Number 6 November 2009 Professional Employer Organizations Obligations Under HIPAA A Summary Dale R. Vlasek, Esq. Attorney McDonald Hopkins LLC Cleveland, Ohio A PEO is

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information I. PREAMBLE ( Covered Entity ) and ( Business Associate ) (jointly the Parties ) wish to enter into an Agreement to comply with the requirements

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule AA Privacy RuleP DEPARTMENT OF HE ALTH & HUMAN SERVICES USA Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule NIH Publication Number 03-5388 The HI Protecting Personal

More information

Connecticut Pipe Trades Health Fund Privacy Notice. 2013 Restatement

Connecticut Pipe Trades Health Fund Privacy Notice. 2013 Restatement Connecticut Pipe Trades Health Fund Privacy Notice 2013 Restatement Section 1: Purpose of This Notice and Effective Date THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED

More information

State of Connecticut Department of Social Services HIPAA Policies and Procedures Manual

State of Connecticut Department of Social Services HIPAA Policies and Procedures Manual State of Connecticut Department of Social Services HIPAA Policies and Procedures Manual Updated 9/17/13 1 Overview As of April 14, 2003, the State of Connecticut Department of Social Services (DSS) is

More information

MILWAUKEE ROOFERS HEALTH FUND

MILWAUKEE ROOFERS HEALTH FUND MILWAUKEE ROOFERS HEALTH FUND PRIVACY PRACTICES NOTICE October 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE

More information

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative

More information

Health Information Privacy Refresher Training. March 2013

Health Information Privacy Refresher Training. March 2013 Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ), effective as of May 1, 2014 (the Effective Date ), by and between ( Covered Entity ) and Orchard Software Corporation,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and

More information

Data Breach, Electronic Health Records and Healthcare Reform

Data Breach, Electronic Health Records and Healthcare Reform Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA

More information

Winthrop-University Hospital

Winthrop-University Hospital Winthrop-University Hospital Use of Patient Information in the Conduct of Research Activities In accordance with 45 CFR 164.512(i), 164.512(a-c) and in connection with the implementation of the HIPAA Compliance

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

Alert. Client PROSKAUER ROSE LLP. HIPAA Compliance Update: Employers, As Group Health Plan Sponsors, Will Be Affected By HIPAA Privacy Requirements

Alert. Client PROSKAUER ROSE LLP. HIPAA Compliance Update: Employers, As Group Health Plan Sponsors, Will Be Affected By HIPAA Privacy Requirements PROSKAUER ROSE LLP Client Alert HIPAA Compliance Update: Employers, As Group Health Plan Sponsors, Will Be Affected By HIPAA Privacy Requirements The U.S. Department of Health and Human Services published

More information

HIPAA NOTICE OF PRIVACY PRACTICES

HIPAA NOTICE OF PRIVACY PRACTICES HIPAA NOTICE OF PRIVACY PRACTICES Human Resources Department 16000 N. Civic Center Plaza Surprise, AZ 85374 Ph: 623-222-3532 // Fax: 623-222-3501 TTY: 623-222-1002 Purpose of This Notice This Notice describes

More information

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT EXHIBIT C BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT is made and entered into by and between ( Covered Entity ) and KHIN ( Business Associate ). This Agreement is effective as of, 20 ( Effective Date

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

HIPAA COMPLIANCE INFORMATION. HIPAA Policy

HIPAA COMPLIANCE INFORMATION. HIPAA Policy HIPAA COMPLIANCE INFORMATION HIPAA Policy Use of Protected Health Information for Research Policy University of North Texas Health Science Center at Fort Worth Applicability: All University of North Texas

More information

Salt Lake Community College Employee Health Care Benefits Plan Notice of Privacy Practices

Salt Lake Community College Employee Health Care Benefits Plan Notice of Privacy Practices THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Date: June 1, 2014 Salt Lake Community College

More information

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

SDC-League Health Fund

SDC-League Health Fund SDC-League Health Fund 1501 Broadway, 17 th Floor New York, NY 10036 Tel: 212-869-8129 Fax: 212-302-6195 E-mail: [email protected] NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap

More information

VALPARAISO UNIVERSITY NOTICE OF PRIVACY PRACTICES. Health, Dental and Vision Benefits Health Care Reimbursement Account

VALPARAISO UNIVERSITY NOTICE OF PRIVACY PRACTICES. Health, Dental and Vision Benefits Health Care Reimbursement Account VALPARAISO UNIVERSITY NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

More information

VENDOR / CONTRACTOR. Privacy Basics

VENDOR / CONTRACTOR. Privacy Basics VENDOR / CONTRACTOR Privacy Basics Introduction Premera s mission is to provide our customers with peace of mind about their healthcare. This requires that everyone who works with or for Premera (the Company

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS: BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:, City State Zip This Business Associate and Data Use Agreement ( Agreement ) is effective

More information

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY. REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION (PHI) ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS

More information

Population Health Management Program Notice of Privacy Practices

Population Health Management Program Notice of Privacy Practices Population Health Management Program Notice of Privacy Practices Premier Health provides population health management services to its health plan members. Services include wellness program tools and technology,

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Contract (Agreement) is entered into by and between, as a Covered Entity as defined in relevant federal and state law, and HMS Agency, Inc., as their

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information