[ Wednesday, March 19, 2003 ]


A little imaginary internal dialogue with an imaginary privacy officer, courtesy of Phoenix:

Are the state laws more or less stringent than the federal HIPAA Privacy Rule?

If my state laws are more "stringent," my Privacy policies and procedures must be developed following state provisions. I have to remember that the HIPAA concept of "more stringent" applies to state laws that provide any of the following:

Greater rights of access and amendment of PHI

Greater privacy protection for the patient or individual

Longer retention duration and/or more information for record keeping of accounting of disclosures

Greater restrictions on uses and disclosures of PHI

Increased privacy protections or a more narrow scope of duration for authorization forms

Is the Privacy policy or procedure related to reporting of disease or injury, child abuse, birth or death, public health surveillance, management of financial audits, program monitoring and evaluation, or licensure or certification, etc.? If the answer to any of these is yes, then I must follow state law.

Does the Privacy policy or procedure relate to unemancipated minors? If the answer is yes, then state law must prevail.

Do the state provisions actually impede my organization's ability to achieve the "full purposes and objectives" of HIPAA? If the answer is yes, then the Privacy policy or procedure must follow federal HIPAA Privacy guidelines.

Jeff [5:34 PM]
