I. GENERAL QUESTIONS
When do I have to be in compliance?
For the changes related to HITECH, September 23, 2013 (covered entities, business associates, and subcontractors).
What legal documents should be developed under HIPAA?
Covered entities should develop the following legal documents through their legal counsel, and review additional requirements that may impact them, their business associates and subcontractors:
Authorization Forms – to obtain written permissions from patients to authorize covered entities to use or disclose health information;
Notice of Privacy Practices – to provide patients notice regarding disclosure and use of information; and
Business Associate Agreements – covered entities must have business associate agreements to assure that business associates also comply with the rule. Additionally, “subcontractors” of business associates may also be required to comply, and this must be reviewed in all contracts. The rule grants an additional one-year time frame for contract compliance.
To view a sample agreement, go to this link:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
What type of information is protected?
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.
Examples (not an exhaustive list):
Name
Specific dates – birth, admission, discharge, death
Telephone number
Social Security number, medical record number
Photographs
City, zip code, and other geographic identifiers…
What are “covered entities”?
Health plans – HMOs, insurers;
Health care clearinghouses – billing services, community health management information systems and “value added” networks and switches; and
Health care providers – medical or health service provider and any other person or organization that furnishes, bills, or is paid for health care in electronic form (e.g., insurers, physicians, hospitals, labs and pharmacies).
What is meant by “business associates” covered by the Rule?
Business associates perform functions or services for the covered entity that involve the use of protected health information. They may include: direct marketers, pharmaceutical manufacturers, medical equipment suppliers, software and database vendors and suppliers. A covered entity can also be a business associate to other covered entities. Business associates can be held liable at the federal and state level.
Under the Omnibus Rule, business associates include:
A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services to a covered entity and requires access on a routine basis.
A person that offers a personal health record to one or more individuals on behalf of a covered entity.
A subcontractor that creates, receives, maintains or transmits protected health information on behalf of the business associate.