Read to learn the basics of acceptable uses and disclosures of patient data.
This post contains the text from the White Paper: HIPAA Uses and Disclosures.
In the SecurityMetrics HIPAA Security Rule Report, 84% of organizations believed they were 80-100% compliant with the HIPAA Privacy Rule. Yet while most healthcare organizations think they are fully compliant with the Privacy Rule, they don’t always know or follow the permitted use and disclosure practices.
If protected health information (PHI) is used or disclosed improperly, your organization faces severe financial and possible legal consequences. To avoid these consequences, you must understand and establish adequate organizational policies for proper use and disclosure of patient data.
In this white paper, you will learn the basics of acceptable uses and disclosures of patient data, what policies you need to have in place for unique situations, and best practices when using or disclosing PHI.
Before using or disclosing patient data, make sure you understand what information you are allowed to use or disclose as part of normal business practices. You’ll want to first identify what type of healthcare entity you are, then know the difference between various healthcare record sets.
To know how patient information can be used or disclosed, first understand where your organization fits in with HIPAA requirements.
A covered entity (CE) is a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically in connection with a HIPAA standard transaction (e.g., physicians, dentists, pharmacies, health insurance companies, company health plans).
A business associate (BA) is a person or entity that performs certain functions that involve the use or disclosure of PHI (e.g., CPA, IT provider, billing services, coding services, laboratories). Business associates can be from legal, actuarial, consulting, data aggregation, management, administrative, accreditation, and/or financial organizations.
There are two basic types of patient records: designated record sets and legal health records. While these two record sets are fairly similar and often comprise identical data, there are slight differences you need to know.
Designated records are medical and/or billing records that are maintained by or for a covered entity. These records are often used in part or whole to make patient care decisions.
Designated records:
Designated record sets also include information about amendments, restrictions, and authorized access to patient data.
Legal health records act as an organization’s official business and legal record, and they contain information about services provided by a healthcare provider to a patient.
While legal health records often contain PHI similar to designated record sets, legal health records are used for different purposes. Specifically, legal health records are used to document and defend an organization’s care decisions.
Legal health records are often used for the following additional purposes:
Legal health records typically contain less patient information than designated record sets.
Before using or sharing patient data, you need to learn exactly how you are allowed to do so, and then you should establish detailed policies and procedures surrounding acceptable use and disclosure.
For example, you are required to disclose PHI in the following instances: if individuals (or their representatives) request this information or if the Department of Health and Human Services (HHS) undertakes a compliance investigation or review.
You are allowed (though not required) to use and disclose PHI without an individual’s authorization under the following situations:
There are several exceptions and caveats to these permissions. For example, organizations can use or disclose patient data for research without patient authorization only if they follow the approved research procedures (such as an IRB or Privacy Board waiver). And you typically must obtain patient authorization to use or disclose PHI for marketing, unless the communication falls within a HIPAA-allowed exception.
There are also likely other exceptions based upon what type of organization you are, specifically for business associates and subcontractors.
Types of disclosures that require patient authorization are:
Although an individual can authorize release of PHI for any reason, organizations should not establish normal business practices that require an individual’s authorization. Organizations may not require a patient to sign authorizations as a condition of:
Individuals can revoke an authorization in writing at any time. However, the revocation does not apply to uses or disclosures the covered entity has already made in reliance on the original authorization. Also, if the authorization was obtained as a condition of obtaining insurance coverage, the revocation is not effective to the extent other law gives the insurer the right to contest a claim under the policy, or the policy itself.
An authorization to release PHI must contain the following information:
Organizations aren’t allowed to use or disclose patient data outside of what is permitted or required. In addition, there are specific practices that are expressly prohibited.
First, you aren’t allowed to sell patient data unless you have obtained the individual’s authorization as required by §164.508(a)(4). Sale of patient data means a disclosure of PHI by a covered entity or business associate where the entity directly or indirectly receives remuneration from, or on behalf of, the recipient of the PHI in exchange for it.
Selling PHI does not include disclosure when used under the following example circumstances:
Next, a health plan isn’t allowed to use or disclose genetic information for underwriting purposes. Exceptions to this restriction are if this information will help determine:
In this section, we’ll discuss several common situations with specific use and disclosure requirements. However, there are many more exceptions and situations that can affect how your organization uses and discloses patient data. Make sure to receive professional assistance to help you with your specific environment.
Unlike most other purposes, research is a case in which patient data can be used or disclosed without patient authorization, but only under specific conditions.
If you disclose patient data for research without authorization, you must satisfy the conditions of a waiver of authorization approved by an Institutional Review Board (IRB) or Privacy Board. These conditions govern how the board is constituted and how the research may use the data.
With 16 different regulatory codes defining proper IRB establishment, compliance with the IRB standards can be tricky. But if you follow the research basics below, you should be fine.
First, make sure that your IRB has at least five members from a variety of professional backgrounds, which allows for adequate review of the research activities. Specifically, at least one member’s primary concerns should be in scientific areas, at least one member’s in non-scientific areas, and at least one member should be neither affiliated with the organization nor an immediate family member of a person affiliated with it.
Board members should be knowledgeable with:
To meet the waiver requirements for authorization, follow all IRB requirements. For example, you need to document the IRB and the date when the waiver was approved. Include a brief description of the PHI that is necessary. You also need a statement that the waiver meets the following requirements:
Your waiver should also include a statement that the waiver has been approved under normal or expedited procedures, including the signature of the IRB chair (or chair-designated member).
For reviews preparatory to research, the researcher must represent, orally or in writing, that the use or disclosure is sought solely to review PHI as necessary to prepare a research protocol (or for a similar preparatory purpose), that no PHI will be removed from the covered entity during the review, and that the PHI is necessary for the research.
For research on decedents’ information, the researcher must represent, orally or in writing, that the use or disclosure is solely for research on the PHI of deceased individuals and that the PHI is necessary for that research. As a covered entity, you may ask the researcher for documentation of the death of the individuals whose information is sought.
Alternatively, you can disclose only a limited data set for research under a proper data use agreement, or disclose PHI for research with the patient’s authorization.
Patients must be notified of your intent to use PHI in directory information and they must be given an opportunity to object to being part of the directory. Notification happens at first encounter and inside your Notice of Privacy Practices (NPP), and includes what information will be kept and to whom it can be disclosed.
In emergency circumstances, or when the patient is incapacitated, the opportunity to object can be bypassed, but only if the use or disclosure is consistent with any preference the patient previously expressed and, in the healthcare provider’s professional judgment, is in the patient’s best interest.
Example directory information:
Directory information can be disclosed to clergy members or to other individuals who ask for the patient by name.
If you use or disclose patient data for marketing purposes, you need to gain patient authorization. HIPAA defines marketing as “communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”
There are a few exceptions to this rule:
If financial remuneration is received from a third party for making the communication, then patients must give authorization before you contact or market to them. The exception is refill reminders and similar communications about a drug or biologic currently prescribed to the patient, as long as any payment is reasonably related to the cost of making the communication. If a third party provides financial remuneration, the authorization must state so.
Using or disclosing patient data for fundraising purposes requires patient notification and allowing them an opportunity to object. Your notification must be included in your NPP.
All communication must provide individuals with an opportunity to object, and objecting must not impose undue burden or cost on them. Covered entities may not condition treatment or payment on the decision to agree or object to the communications. An individual’s decision to object must be honored, though you are allowed to let individuals opt back in to fundraising.
A covered entity can use or disclose the following information to a business associate (or similar organization) to raise funds for its own benefit:
When using or disclosing PHI for fundraising purposes, individuals must be allowed an opportunity to object.
When covered entities or business associates use, disclose, or request PHI to or from one another, they must follow the minimum necessary requirement. Minimum necessary is the principle of limiting PHI access to only those who need to see that specific PHI to do their jobs.
For example, a receptionist (or someone who doesn’t provide direct patient care) probably doesn’t need to see the X-rays of a patient to do their job.
Start your minimum necessary policy by identifying people or job roles that require PHI access to perform their jobs. Next, identify and document what type(s) of PHI each group needs access to and what are appropriate access conditions. Establish policies to limit employee PHI access to their identified and approved types of PHI.
The easiest way to enforce this technically is with individual user accounts on your network, EHR/EMR, and other systems. In the ideal scenario, each user account is granted specific privileges based on the user’s job title or role, rather than everyone sharing one broad level of access.
For example, a treating physician’s role would have access to the clinical records of the patients under their care because they need it to do their job, while an IT administrator’s role would have restricted access to PHI because they are not involved in patient care.
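The role-based filtering described above, as an added example (this is not code from the white paper). The roles, PHI categories, field names and the sample record are constructed assumptions; unknown roles are denied by default, and provider roles get the full record only for a treatment purpose, since minimum necessary does not apply to disclosures to a provider for treatment (45 CFR 164.502(b)(2)). Each release is written to an audit log so that the fields actually shown can be accounted for later.

```python
"""Role-based 'minimum necessary' filtering of a patient record.

Added example; it is not code from the white paper. The roles, PHI
categories, field names and the sample record are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Record fields grouped into PHI categories (assumption about the record layout).
PHI_CATEGORIES = {
    "demographics": {"name", "dob", "address", "phone"},
    "scheduling": {"name", "phone", "next_appointment"},
    "billing": {"name", "address", "insurance_id", "charges"},
    "clinical": {"name", "diagnoses", "medications", "imaging"},
}

# Each role gets only the categories it needs for its job (assumed policy).
# Roles not listed here are denied entirely: deny by default.
ROLE_POLICY = {
    "receptionist": {"scheduling"},
    "billing_clerk": {"billing"},
    "nurse": {"demographics", "clinical"},
    "physician": {"demographics", "clinical"},
    "it_admin": set(),  # administers systems, not patients: no PHI by default
}

# Minimum necessary does not apply to disclosures to a provider for treatment
# (45 CFR 164.502(b)(2)), so these roles see the full record for that purpose.
PROVIDER_ROLES = {"physician", "nurse"}


@dataclass
class AccessEntry:
    """One audit-trail entry: who saw which fields, when and why."""
    when: str
    role: str
    purpose: str
    fields: tuple


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)


def allowed_fields(role: str, purpose: str) -> set:
    """Return the set of record fields this role may see for this purpose."""
    if role not in ROLE_POLICY:
        raise PermissionError(f"unknown role {role!r}: access denied by default")
    if purpose == "treatment" and role in PROVIDER_ROLES:
        return set().union(*PHI_CATEGORIES.values())
    return set().union(*(PHI_CATEGORIES[c] for c in ROLE_POLICY[role]))


def release(record: dict, role: str, purpose: str, log: AuditLog) -> dict:
    """Return a copy of the record reduced to the allowed fields and log the access."""
    allowed = allowed_fields(role, purpose)
    view = {k: v for k, v in record.items() if k in allowed}
    log.entries.append(AccessEntry(
        when=datetime.now(timezone.utc).isoformat(),
        role=role, purpose=purpose, fields=tuple(sorted(view)),
    ))
    return view


# Constructed sample record (fictitious data).
SAMPLE_RECORD = {
    "name": "Jane Example", "dob": "1984-03-09", "address": "1 Sample St",
    "phone": "555-0100", "next_appointment": "2024-05-02",
    "insurance_id": "INS-000", "charges": 120.0,
    "diagnoses": ["J06.9"], "medications": ["amoxicillin"],
    "imaging": ["chest-xray-001"],
}

if __name__ == "__main__":
    log = AuditLog()
    print(release(SAMPLE_RECORD, "receptionist", "scheduling", log))  # no X-rays
    print(release(SAMPLE_RECORD, "it_admin", "maintenance", log))     # {}
    print(log.entries)
```

The policy tables are the part to review with the people who own each job function; the code only enforces what the tables say, and an empty set for a role is a deliberate statement that the role needs no PHI.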
The minimum necessary also applies to PHI disclosed externally with business associates and subcontractors. Organizations are required to limit how much PHI is disclosed based on job responsibilities and nature of the third party’s business.
Both covered entities and business associates need to be careful about how much data they send, receive, and request.
To avoid these issues, covered entities and business associates should assess their responsibilities concerning minimum necessary data accordingly:
On the other hand, minimum necessary does not apply in the following circumstances:
By limiting PHI access to the smallest number of people possible, the likelihood of a breach or HIPAA violation decreases significantly.
If you want to use patient data for research, public health, or healthcare operations without the restrictions that apply to PHI, one option is to properly de-identify it. Under the Safe Harbor method, de-identifying PHI means removing all information that could identify an individual, namely the 18 PHI identifiers, which are:
Once PHI has been adequately de-identified, it is no longer protected by the HIPAA Privacy Rule. This means that you can disclose this information to anyone without authorization.
However, a code or other means of re-identifying de-identified data is itself PHI if disclosed. Such a code is not considered PHI only if it is not derived from or related to information about the individual, cannot otherwise be translated to identify the individual, and the mechanism for re-identification is not disclosed.
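A Safe Harbor style de-identification pass over a single record, as an added example that is not code from the white paper. The field names, the sample record, the reference date and the low-population ZIP prefix set are constructed assumptions; the complete identifier list is in 45 CFR 164.514(b) and the real ZIP prefix set must come from current census data. The example handles two edge cases the rule calls out: three-digit ZIP prefixes covering 20,000 or fewer people are replaced by 000, and for anyone over 89 the birth year is removed too and the age is aggregated to 90+. The re-identification code is random and the mapping back to the medical record number stays inside the covered entity, which is what keeps the code itself from being PHI.

```python
"""Safe Harbor style de-identification of one patient record.

Added example; not code from the white paper. Field names, the sample
record, the reference date and LOW_POPULATION_ZIP3 are constructed
assumptions. See 45 CFR 164.514(b) for the full identifier list.
"""
import re
import secrets
from datetime import date

# Direct identifiers dropped outright (a subset of the Safe Harbor list; the
# field names are an assumption about this record layout).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "street", "ip_address"}

# Three-digit ZIP prefixes whose combined area has 20,000 or fewer people must
# become "000". Placeholder set for this example; use current census data.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}

# Reference date for computing ages (assumption; use the export date in practice).
REF_DATE = date(2024, 1, 1)

ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits, or 000 for low-population areas."""
    zip3 = zip_code[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def age_on(dob: date, ref: date) -> int:
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def generalize_dob(dob_str: str, ref: date):
    """Return (birth_year, age). Over 89: no year at all, age becomes '90+'."""
    dob = date.fromisoformat(dob_str)
    age = age_on(dob, ref)
    if age > 89:
        return None, "90+"
    return str(dob.year), str(age)


def de_identify(record: dict, ref: date, reid_table: dict) -> dict:
    """Strip direct identifiers, generalize dates/ZIP/age, attach a random code."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key == "dob":
            out["birth_year"], out["age"] = generalize_dob(value, ref)
        elif key == "age":
            out[key] = "90+" if int(value) > 89 else str(value)
        elif isinstance(value, str) and ISO_DATE.match(value):
            out[key] = value[:4]  # other dates tied to the individual: year only
        else:
            out[key] = value
    # Random re-identification code. The mapping code -> MRN is PHI and must
    # stay inside the covered entity; the code alone reveals nothing.
    code = secrets.token_hex(8)
    reid_table[code] = record.get("mrn")
    out["reid_code"] = code
    return out


# Constructed sample record (fictitious data).
SAMPLE_RECORD = {
    "name": "Jane Example", "mrn": "MRN-0001", "ssn": "000-00-0000",
    "dob": "1990-06-15", "zip": "02139", "admit_date": "2023-11-02",
    "diagnosis": "J06.9",
}

if __name__ == "__main__":
    table = {}
    print(de_identify(SAMPLE_RECORD, REF_DATE, table))
    print(de_identify({"dob": "1930-01-01", "zip": "03601"}, REF_DATE, table))
```

Run the output through a second review before release: free-text fields such as clinical notes are copied through unchanged here, and Safe Harbor also requires that they contain none of the listed identifiers.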
You can also use a limited data set without patient authorization for the following purposes: healthcare operations, research, or public health. A limited data set is similar to de-identified data, except the limited data set can include the following information:
But if you disclose limited data sets outside of your organization, your organization needs to have a data use agreement in place with the entity receiving this data. Your data use agreement must include:
If this outside organization is one of your business associates, then your business associate agreement (BAA) can be used as a data use agreement.
Individuals can request an accounting of the disclosures of their PHI you made in the six years before the request. They are entitled to one free accounting in any 12-month period; for additional requests within that period, you may charge a reasonable, cost-based fee, provided you tell the individual about the fee in advance and give them a chance to withdraw or modify the request.
You must provide this accounting within 60 days of the request. You may extend this once, by no more than 30 days, by giving the individual a written statement explaining the reason for the delay and the date by which they can expect the accounting.
Your accounting of disclosures must include:
If PHI disclosures were made for a particular research purpose and involved the records of 50 or more individuals, make sure to include:
However, covered entities don’t have to provide an accounting of disclosures when healthcare practice and/or information:
The 2013 HIPAA Final Omnibus Rule requires covered entities to implement or update a business associate agreement (BAA) for every relationship in which the business associate creates, receives, maintains, or transmits PHI on the covered entity’s behalf, and requires business associates to have equivalent agreements with their own subcontractors.
In these new or revised BAAs, covered entities, business associates, and subcontractors agree to share responsibility for patient data protection and breach notification. Here are a few examples of what should be included in your business associate agreement:
Whether PHI is compromised from within your own systems or a business associate’s, your organization can be liable for civil penalties of up to $50,000 per violation, and each day a violation continues can be counted as a separate violation. That is just HHS penalties; it doesn’t include civil action, the cost of mitigation, and the loss of patient trust that may follow a breach.
With these consequences in mind, remember that you should only share minimal need-to-know data with your business associates, and regularly validate that they are following HIPAA requirements to properly handle PHI.
If a covered entity terminates a business associate contract, the business associate must follow the contract’s termination clause. Basically, the business associate must make sure that any PHI it has received, created, or maintained on the covered entity’s behalf is:
Remember that HIPAA regulations require you to take action if you know or believe a business associate is not HIPAA compliant.
Patient data usage and disclosure can be complex, with numerous exceptions to regulation on acceptable and restricted usage or disclosure of PHI. You’ll want to regularly review, analyze, and alter how your organization uses or discloses patient information.
Remember, your overall goal should be to limit the amount of PHI that your organization uses, discloses, or requests to the absolute minimum necessary to accomplish an intended purpose. Extend this philosophy to how much and what types of PHI your organization creates as well.
We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify best security practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, Certified Forensic Investigator, we have tested over 1 million systems for security.