Privacy - HIPAA

  


Federal HIPAA Privacy (HHS.gov) and the Calif. Civil Code provide, in a one-sentence summation, that:

Any records which contain individually identifiable Protected Health Information (PHI) must be secured, so that they are not readily available to those who do not need them.
(HHS Q & A)


Summary of HIPAA Privacy Rule
HHS Summary of HIPAA Privacy Rule (25 Pages)

Privacy Practices Notice

Each covered entity, with certain exceptions, must provide a notice of its privacy practices.
Private Entity Chart

The Privacy Rule requires that the notice contain certain elements.

- The notice must describe the ways in which the covered entity may use and disclose protected health information.
- The notice must state the covered entity’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice.
- The notice must describe individuals’ rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated.
- The notice must include a point of contact for further information and for making complaints to the covered entity.
- Covered entities must act in accordance with their notices.
(hhs.gov)

Hints on writing the notice in Plain English

- Plain Language.Gov
- Plain Language Principles and Thesaurus for Making HIPAA Privacy Notices More Readable (HRSA, US Department of Health & Human Services)
- Our Quote Engines - Privacy Policy


Video explaining what is in your Medical Records
(No relation)


 

Steve's personal thoughts

I think if people just followed the 10 Commandments, the 7 Noahide Laws, and the Golden Rule, and were careful about gossip, we wouldn't have to have ALL these pages and tons of paperwork.

 

1st HIPAA Privacy Conviction

Defendant Richard Gibson obtained the demographic information of a cancer patient from his employer, Seattle Cancer Care Alliance. Gibson then used this data to obtain credit cards in the patient’s name, eventually incurring over $9,000 in debt for items such as video games, apparel, and jewelry. 
(Attorneys Crowell & Moring)

 

Consumer Links
Summaries and Links


Office for Civil Rights - HIPAA HHS Website - has a ton of information and links

Calif. Civil Code California Privacy

Privacy wikipedia.org/

wikipedia.org   HIPAA

harvard.edu  privacy  Torts

Privacy Rights.org

ACLU

How and why to get your medical records

Summary from Med Law Plus

HealthPrivacy.org - HIPAA Myths and Facts - Lots of information in a simple-to-understand format

Anti-Phishing Act of 2005 - Phony websites & email used to gather identity theft information

Jewish Thought on Gossip, Tale Bearing JewFAQ.org   

Online Education  Torah.org

How to comply - Solutions

Email Encryption Software

Sample Business Associates Agreement - from HHS/OCR Site

For members of NAHU -
National Association of Health Underwriters - Compliance Guide

Insurance Company Forms

Blue Cross's Privacy Statement

 Blue SHIELD Privacy Statement - Release Form

FAQ's

CIGNA FAQ's

hhs.gov faq

 

Who owns your medical records? 
Other questions on Privacy?

What does the HIPAA Privacy Rule do?

 

Most health plans and health care providers that are covered by the new Rule must comply with the new requirements by April 14, 2003.

The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.

- It gives patients more control over their health information.

- It sets boundaries on the use and release of health records.

- It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.

- It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.

- And it strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.

For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.

- It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.

- It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.

- It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.

- It empowers individuals to control certain uses and disclosures of their health information.

 

When is an authorization required from the patient before a provider or health plan engages in marketing to that individual?

The HIPAA Privacy Rule expressly requires an authorization for uses or disclosures of protected health information for ALL marketing communications, except in two circumstances: (1) when the communication occurs in a face-to-face encounter between the covered entity and the individual; or (2) the communication involves a promotional gift of nominal value.

If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.

Can contractors (business associates) use protected health information for their own marketing purposes?

No. While covered entities may share protected health information with their contractors who meet the definition of “business associates” under the HIPAA Privacy Rule, that definition is limited to contractors that obtain protected health information to perform or assist in the performance of certain health care operations on behalf of covered entities. Thus, business associates, with limited exceptions, cannot use protected health information for their own purposes. Although, under the HIPAA statute, the Privacy Rule cannot govern contractors directly, the Rule does set clear parameters for how covered entities may contract with business associates. See 45 CFR 164.502(e) and 164.504(e), and the definition of “business associate” at 45 CFR 160.103.

Further, the Privacy Rule expressly prohibits health plans and covered health care providers from selling protected health information to third parties for the third party’s own marketing activities, without authorization. So, for example, a pharmacist cannot, without patient authorization, sell a list of patients to a pharmaceutical company, for the pharmaceutical company to market its own products to the individuals on the list.

Actual Text of the Law

GENERAL ADMINISTRATIVE REQUIREMENTS - 45 CFR 160 (GPO.gov)

SECURITY AND PRIVACY - 45 CFR 164 (GPO.gov)

gpo.gov - US Government Printing Office

45 CFR Parts 160, 162, and 164 SUMMARY:
This final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers.  (HIPAA).

Health Insurance Reform: Security 45 CFR Parts 160, 162, and 164 Standards; Final Rule Federal Register

§ 164.312 Technical safeguards, paragraph (d) (page 46). Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Sample implementations: 1, 2, Voice Recognition

Code of Federal Regulations
Subpart C—Security Standards for the Protection of Electronic Protected Health Information

§ 164.302   Applicability.
§ 164.304   Definitions.
§ 164.306   Security standards: General rules.
§ 164.308   Administrative safeguards.
§ 164.310   Physical safeguards.
§ 164.312   Technical safeguards.
§ 164.314   Organizational requirements.

Sec. 164.506  Consent for uses or disclosures to carry out treatment, payment, or health care operations.

 

Sec. 164.502 Uses and disclosures of Protected health information:
          general rules.

    (a) Standard. A covered entity may not use or disclose protected
health information, except as permitted or required by this subpart or
by subpart C of part 160 of this subchapter.
    (1) Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows:
    (i) To the individual;
    (ii) Pursuant to and in compliance with a consent that complies with
Sec. 164.506, to carry out treatment, payment, or health care operations;

Sec. 160.103  Individually identifiable health information (PHI) is information that is a subset of health information, including demographic information collected from an individual, and:
    (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
    (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
    (i) That identifies the individual; or
    (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

TITLE 45--PUBLIC WELFARE
 
                           AND HUMAN SERVICES
 
PART 164--SECURITY AND PRIVACY--Table of Contents
 
   Subpart E--Privacy of Individually Identifiable Health Information
 
Sec. 164.506  Consent for uses or disclosures to carry out treatment, payment, or health care operations.

    (a) Standard: Consent requirement. (1) Except as provided in
paragraph (a)(2) or (a)(3) of this section, a covered health care
provider must obtain the individual's consent, in accordance with this
section, prior to using or disclosing protected health information to
carry out treatment, payment, or health care operations.
    (2) A covered health care provider may, without consent, use or
disclose protected health information to carry out treatment, payment,
or health care operations, if:
    (i) The covered health care provider has an indirect treatment
relationship with the individual; or
    (ii) The covered health care provider created or received the
protected health information in the course of providing health care to
an individual who is an inmate.
    (3)(i) A covered health care provider may, without prior consent, use or disclose protected health information created or received under paragraph (a)(3)(i)(A)-(C) of this section to carry out treatment, payment, or health care operations:
    (A) In emergency treatment situations, if the covered health care provider attempts to obtain such consent as soon as reasonably practicable after the delivery of such treatment;
    (B) If the covered health care provider is required by law to treat
the individual, and the covered health care provider attempts to obtain
such consent but is unable to obtain such consent; or
    (C) If a covered health care provider attempts to obtain such consent from the individual but is unable to obtain such consent due to substantial barriers to communicating with the individual, and the covered health care provider determines, in the exercise of professional
judgment, that the individual's consent to receive treatment is clearly inferred from the circumstances.
    (ii) A covered health care provider that fails to obtain such consent in accordance with paragraph (a)(3)(i) of this section must document its attempt to obtain consent and the reason why consent was not obtained.
    (4) If a covered entity is not required to obtain consent by
paragraph (a)(1) of this section, it may obtain an individual's consent
for the covered entity's own use or disclosure of protected health
information to carry out treatment, payment, or health care operations,
provided that such consent meets the requirements of this section.
    (5) Except as provided in paragraph (f)(1) of this section, a
consent obtained by a covered entity under this section is not effective
to permit another covered entity to use or disclose protected health
information.
    (b) Implementation specifications: General requirements. (1) A
covered health care provider may condition treatment on the provision by
the individual of a consent under this section.
    (2) A health plan may condition enrollment in the health plan on the
provision by the individual of a consent under this section sought in
conjunction with such enrollment.
    (3) A consent under this section may not be combined in a single
document with the notice required by Sec. 164.520.
    (4)(i) A consent for use or disclosure may be combined with other
types of written legal permission from the individual (e.g., an informed
consent for treatment or a consent to assignment of benefits), if the
consent under this section:
    (A) Is visually and organizationally separate from such other
written legal permission; and
    (B) Is separately signed by the individual and dated.
    (ii) A consent for use or disclosure may be combined with a research
authorization under Sec. 164.508(f).


    (5) An individual may revoke a consent under this section at any
time, except to the extent that the covered entity has taken action in
reliance thereon. Such revocation must be in writing.
    (6) A covered entity must document and retain any signed consent
under this section as required by Sec. 164.530(j).
    (c) Implementation specifications: Content requirements. A consent
under this section must be in plain language and:
    (1) Inform the individual that protected health information may be
used and disclosed to carry out treatment, payment, or health care
operations;
    (2) Refer the individual to the notice required by Sec. 164.520 for
a more complete description of such uses and disclosures and state that
the individual has the right to review the notice prior to signing the
consent;
    (3) If the covered entity has reserved the right to change its
privacy practices that are described in the notice in accordance with
Sec. 164.520(b)(1)(v)(C), state that the terms of its notice may change
and describe how the individual may obtain a revised notice;
    (4) State that:
    (i) The individual has the right to request that the covered entity
restrict how protected health information is used or disclosed to carry
out treatment, payment, or health care operations;
    (ii) The covered entity is not required to agree to requested
restrictions; and
    (iii) If the covered entity agrees to a requested restriction, the
restriction is binding on the covered entity;
    (5) State that the individual has the right to revoke the consent in
writing, except to the extent that the covered entity has taken action
in reliance thereon; and
    (6) Be signed by the individual and dated.
    (d) Implementation specifications: Defective consents. There is no
consent under this section, if the document submitted has any of the
following defects:
    (1) The consent lacks an element required by paragraph (c) of this
section, as applicable; or
    (2) The consent has been revoked in accordance with paragraph (b)(5)
of this section.
    (e) Standard: Resolving conflicting consents and authorizations. (1)
If a covered entity has obtained a consent under this section and
receives any other authorization or written legal permission from the
individual for a disclosure of protected health information to carry out
treatment, payment, or health care operations, the covered entity may
disclose such protected health information only in accordance with the
more restrictive consent, authorization, or other written legal
permission from the individual.
    (2) A covered entity may attempt to resolve a conflict between a
consent and an authorization or other written legal permission from the
individual described in paragraph (e)(1) of this section by:
    (i) Obtaining a new consent from the individual under this section
for the disclosure to carry out treatment, payment, or health care
operations; or
    (ii) Communicating orally or in writing with the individual in order
to determine the individual's preference in resolving the conflict. The
covered entity must document the individual's preference and may only
disclose protected health information in accordance with the
individual's preference.
    (f)(1) Standard: Joint consents. Covered entities that participate
in an organized health care arrangement and that have a joint notice
under Sec. 164.520(d) may comply with this section by a joint consent.
    (2) Implementation specifications: Requirements for joint consents.
(i) A joint consent must:
    (A) Include the name or other specific identification of the covered
entities, or classes of covered entities, to which the joint consent
applies; and
    (B) Meet the requirements of this section, except that the
statements required by this section may be altered to reflect the fact
that the consent covers more than one covered entity.
    (ii) If an individual revokes a joint consent, the covered entity
that receives the revocation must inform the other entities covered by
the joint consent of the revocation as soon as practicable.

    Effective Date Note: At 67 FR 53268, Aug. 14, 2002, Sec. 164.506 was
revised, effective Oct. 15, 2002. For the convenience of the user, the
revised text is set forth as follows:

Sec. 164.506  Uses and disclosures to carry out treatment, payment, or
          health care operations.

    (a) Standard: Permitted uses and disclosures. Except with respect to
uses or disclosures that require an authorization under
Sec. 164.508(a)(2) and (3), a covered entity may use or disclose
protected health information for treatment, payment, or health care
operations as set forth in paragraph (c) of this section, provided that
such use or disclosure is consistent with other applicable requirements
of this subpart.
    (b) Standard: Consent for uses and disclosures permitted. (1) A
covered entity may obtain consent of the individual to use or disclose
protected health information to carry out treatment, payment, or health
care operations.
    (2) Consent, under paragraph (b) of this section, shall not be
effective to permit a use or disclosure of protected health information
when an authorization, under Sec. 164.508, is required or when another
condition must be met for such use or disclosure to be permissible under
this subpart.
    (c) Implementation specifications: Treatment, payment, or health
care operations.
    (1) A covered entity may use or disclose protected health
information for its own treatment, payment, or health care operations.
    (2) A covered entity may disclose protected health information for
treatment activities of a health care provider.
    (3) A covered entity may disclose protected health information to
another covered entity or a health care provider for the payment
activities of the entity that receives the information.
    (4) A covered entity may disclose protected health information to
another covered entity for health care operations activities of the
entity that receives the information, if each entity either has or had a
relationship with the individual who is the subject of the protected
health information being requested, the protected health information
pertains to such relationship, and the disclosure is:
    (i) For a purpose listed in paragraph (1) or (2) of the definition
of health care operations; or
    (ii) For the purpose of health care fraud and abuse detection or compliance.
    (5) A covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to another covered entity that participates in the organized health care arrangement for any health care operations activities of the organized health care arrangement.

 

Title 45: Public Welfare
 

 

PART 5b—PRIVACY ACT REGULATIONS


Section Contents
§ 5b.1   Definitions.
§ 5b.2   Purpose and scope.
§ 5b.3   Policy.
§ 5b.4   Maintenance of records.
§ 5b.5   Notification of or access to records.
§ 5b.6   Special procedures for notification of or access to medical records.
§ 5b.7   Procedures for correction or amendment of records.
§ 5b.8   Appeals of refusals to correct or amend records.
§ 5b.9   Disclosure of records.
§ 5b.10   Parents and guardians.
§ 5b.11   Exempt systems.
§ 5b.12   Contractors.
§ 5b.13   Fees.
Appendix A to Part 5b—Employee Standards of Conduct
Appendix B to Part 5b—Routine Uses Applicable to More Than One System of Records Maintained by HHS
Appendix C to Part 5b—Delegations of Authority [Reserved]

 

Privacy Issues in Email

First, the technology used to communicate via e-mail is extraordinarily analogous to a telephone conversation. Indeed, e-mail is transmitted from one computer to another via telephone communication, either hard line or satellite. We have recognized that "[t]elephone conversations are protected by the Fourth Amendment if there is a reasonable expectation of privacy."
United States v. Sullivan, 42 MJ 360, 363 (1995).

E-mail transmissions are not unlike other forms of modern communication. We can draw parallels from these other mediums. For example, if a sender of first-class mail seals an envelope and addresses it to another person, the sender can reasonably expect the contents to remain private and free from the eyes of the police absent a search warrant founded upon probable cause. Cf. Gouled v. United States, supra. However, once the letter is received and opened, the destiny of the letter then lies in the control of the recipient of the letter, not the sender, absent some legal privilege. See Mil.R.Evid. 501-06, Manual for Courts-Martial, United States, 1984. Cf. Gouled v. United States, 255 U.S. at 302.

The fact that an unauthorized "hacker" might intercept an e-mail message does not diminish the legitimate expectation of privacy in any way.

Expectations of privacy in e-mail transmissions depend in large part on the type of e-mail involved and the intended recipient.
U.S. v Maxwell


Sample business associate agreement

 



 

See the "Caveats" below. I hope you find what you're looking for and that you can come to an amicable resolution of your problem.

We will NOT respond to any questions about law - other than if it applies to our "Day Job": Medical, Life, Disability & Retirement Plans. That is why we have Google Ads on the site, so that you can find an appropriate professional to help you. If you need to consult an Attorney - click here for links.

This Web site is designed to provide accurate and authoritative information regarding the subject matter covered. BUT it will no longer be regularly maintained. The webmaster's "Day Job" is now keeping him too busy to regularly update this site or answer any questions on anything other than Insurance Matters. It is provided with the understanding that the website is not engaged in rendering legal, tax, Medical or Insurance advice. Be sure to verify that any forms linked to are the MOST recent version. The links are from our review of various search engines, advertising and so forth. We do NOT necessarily recommend those we link to. We link to many Government sites and as the saying goes - one of the world's 3 biggest lies is - I'm from the Government and we're here to help you. We are not responsible for content on external web sites, nor do we have any control over them. If legal, tax, Insurance or Medical advice is required, the services of a competent professional in your state (if you are outside of California click here for a Health Insurance Professional) should be sought. Click here for more formal wording and the visitor agreement.

Linking - You are encouraged and permission is granted to link to ANY page shown on our site map.  You may not link to any other pages, without express permission.  Click here for more details.