Chapter 10: The Privacy Rule: Rule, Rights, and Responsibilities (3)
This is a continuation of my series of 20 posts celebrating the 20th anniversary of the HIPAA Privacy Rule and the 20th anniversary of the beginning of this blog.
The Transactions and Code Sets rule really came first, but that’s a pretty much self-actuating rule: once everyone uses the same forms, it’s easier for everyone else to follow along. As for the parts of HIPAA that require work, the Privacy Rule came first. The first set of regulations addressed privacy, and it was 2 years later that the Security Rule came out. Of course, we’ll get to security soon enough.
In keeping with our theme of “threes” (3 types of covered entities, 3 digits in the transaction codes), the Privacy Rule has three major components: the overall “rule” for using and disclosing PHI; the “rights” individuals have with respect to their PHI; and the “responsibilities” of covered entities to provide protection.
The Rule: The basic purpose of the Privacy Rule can be described as a “thou shalt not” rule: a covered entity may not use or disclose PHI unless specifically permitted by HIPAA. It’s not “unless the patient gives permission or consent;” there are plenty of ways a covered entity can use or disclose PHI without getting consent, but “patient’s authorization” is one of the permitted ways. The primary permitted way is if the use or disclosure is for treatment, payment, or healthcare operations. If the use or disclosure is for one of the “TPO” purposes, the consent of the individual is not required. The vast majority of uses and disclosures of PHI in the healthcare industry are for TPO. Of course, if the patient gives a specific type of consent (HIPAA uses the terminology “authorization”), the use or disclosure is permitted as well.
The Privacy Rule includes several specific types of disclosures that are permitted without authorization, in addition to TPO. In certain circumstances and subject to some specific requirements, uses and disclosures of PHI are permitted: for research purposes; in connection with judicial proceedings; for law enforcement; where required by other laws; with respect to inmates and prisoners or military affairs; for coroners, medical examiners, and organ donation organizations; and a few other instances.
But if the use or disclosure of PHI is not for TPO, pursuant to an authorization, or for a specifically permitted purpose, it can’t be done by a HIPAA covered entity.
The Rights: There are 6 rights of individuals enshrined in HIPAA: the right to receive a Notice of Privacy Practices (see more below), the right to access your PHI, the right to request amendments, the right to an accounting of disclosures, the right to request communications in a different format or at a chosen location, and the right to request specific privacy protections. Not all of these are absolute: for example, a covered entity can refuse a request for an amendment of PHI if the existing PHI is correct, and a covered entity doesn’t have to agree to alternative means of communication or additional privacy protections if the requests aren’t reasonable. Additionally, the rights to access and amendment only apply to PHI the covered entity maintains in a “designated record set;” if the covered entity has patient names and addresses in a client management database or holiday card mailing list, that doesn’t have to be provided to the patient when they ask for access or amended when they ask.
One other thing to note about the access right: the patient obviously has the right to ask for access themselves, but they can also ask for access and ask that the copies be sent to a third party. Some providers see the third party recipient and think the disclosure should be treated as a disclosure pursuant to the authorization of the patient. This can be confusing, but the best way to look at it is: who is asking for the information to be sent to the third party, the patient (that would be access) or the recipient or covered entity (you need a signed authorization)? Additionally, since getting an authorization usually takes an extra step (but is safer for the covered entity since it makes it clear that the patient authorized it), it could at times be seen as imposing an unnecessary burden on the patient. This becomes important if the refusal to disclose the PHI until the patient signs an authorization reaches the level of “data blocking” (we’ll discuss data blocking later). Just remember, the patient generally has the right to access their PHI, with very few and limited exceptions.
The Responsibilities: The third major component of the Privacy Rule imposes certain responsibilities on covered entities. These generally relate to the way the covered entities provide privacy and data security (and prove that they do so). Most covered entities are required to give individuals a “Notice of Privacy Practices” explaining how their PHI will be used. They are required to enter into “business associate agreements” (or “BAAs”) with any vendor or subcontractor that might deal with PHI. They must adopt certain policies and procedures to protect PHI. They must respond to complaints and ensure that individuals may exercise their rights. And they have to document all the ways they do these things.
The basic result of the Responsibilities should be to impose on covered entities the obligation to operate in a manner that fosters a culture of privacy and confidentiality with respect to PHI. Many of these obligations do not have checklist-style methods of proving compliance; that’s more visible in the Security Rule. Here, it’s more cultural. But the underlying emphasis of the Responsibilities is ultimately to enforce the Rule and ensure the Rights are protected.