What does HIPAA's privacy regulation require?
Covered entities (see 42,460) with access to protected health information (PHI) are subject to numerous requirements under HIPAA's privacy regulation.
• Notice. Covered entities must provide patients with a notice of their privacy rights and the privacy practices of the covered entity. (This requirement is optional for health plans.) In addition, direct treatment providers must make a good faith effort to obtain patients' written acknowledgement of the notice of privacy rights and practices.
• "Minimum necessary" disclosure. Covered entities must take reasonable steps to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose. They must also implement policies and procedures for minimum necessary uses and disclosures, as well as develop a complaint process and a system of sanctions to deal with violations. Non-routine disclosures must be reviewed on an individual basis. When making non-routine requests for PHI, the covered entity must review each request so as to ask for only that information reasonably necessary for the purpose of the request. (The minimum necessary standard does not apply to uses and disclosures made pursuant to a written authorization obtained from an individual.)
• PHI safeguards. Covered entities must maintain physical, administrative and technical safeguards to protect PHI. Physical safeguards include locked file cabinets, separation of health information from personnel information, and password protection; administrative safeguards include employee access controls based on job functions; and technical safeguards include firewalls and system security measures.
• Employee training. Covered entities must implement employee training programs on the privacy requirements. Employees with access to PHI need to be aware of the privacy rules and how their jobs are affected. Training should be ongoing.
• Plan documents. Plan sponsors may need to amend plan documents so they can access certain data for cost analysis and plan design.
• Specific authorization. Covered entities must obtain specific authorization from patients (or employees) before using or disclosing protected information in non-routine circumstances. (Routine circumstances involve treatment, payment or health care operations purposes.)
• Prior written authorization for marketing use. Covered entities must get prior written authorization to use an individual's PHI for marketing purposes, except for a face-to-face encounter or a communication involving a promotional gift of nominal value.
• Contractual assurances. Covered entities must obtain satisfactory assurances, through written agreements, from their business associates who have access to PHI that the business associate will appropriately safeguard the information. Covered entities generally have until April 14, 2004 to change existing written contracts to come into compliance with the business associate requirements.
• Privacy officer. Covered entities must designate a privacy officer, who will be responsible for the development and implementation of the entity's privacy policies and procedures. There must also be a person designated to receive complaints and provide information regarding privacy. This person may or may not be the privacy officer.
CCH-EXP, HRAnswersNow 42,465