|
| |
| |
Federal - HIPAA Privacy and Calif. law provides in a one sentence summation that:
Any records which contain individually identifiable health information be secured, so that they are not readily available to those who do not need them. Source HSS Q & A See below for details and links to more details & FAQ's.
Privacy Practices Notice. Each covered entity, with certain exceptions, must provide a notice of its privacy practices.51 The Privacy Rule requires that the notice contain certain elements.
 | The notice must describe the ways in which the covered entity may use and disclose protected health information. |
| The notice must state the covered entity’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice. |
| The notice must describe individuals’ rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated. |
| The notice must include a point of contact for further information and for making complaints to the covered entity. |
| Covered entities must act in accordance with their notices. hhs.gov summary page 11 |
Our Quote Engines - Privacy Policy
HIPAA Rates, for when your COBRA ends
Jewish Thought on Gossip, Tale Bearing JewFAQ.org Online Education Torah.org
|
|
|
|
| |
|
|
|
|
|
|
Summaries and Links
Calif. Civil Code California Privacy
Privacy Rights.org
1st HIPAA Privacy Conviction
Defendant Richard Gibson obtained the demographic information of a cancer patient from his employer, Seattle Cancer Care Alliance. Gibson then used this data to obtain credit cards in the patient’s name, eventually incurring over $9,000 in debt for items such as video games, apparel, and jewelry. Attorney's Corwel & Moring. The FULL details from Advanced Benefits Consulting
Summary - Employee Benefit Attorneys Web Site
FAQs on Disclosing PHI in Litigation - 1/14/05
Health Privacy Project Web Site
NAHU HIPAA Powerpoint Presentation
FAQ's from Heath & Human Services Steve's Picks
Summary from Med Law Plus
Summary from Health & Human Services - OCR (Office of Civil Rights) 20 Pages
Health Privacy . Org HIPPA Myths and Facts Lot's of Information in Simple to Understand Format
Office for Civil Rights - Subdivision of HHS - Health & Human Services
Kaiser 27 Pages
Anti-Phishing Act of 2005 Phony Websites & Email to gather identity theft information
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Actual Text of the Law
GENERAL ADMINISTRATIVE REQUIREMENTS 45 -CFR 160GPO.Gov
SECURITY AND PRIVACY 45 CFR - 164GPO.gov
Final Regulations Federal Register 45 CFR Parts 160 & 164 93 Pages
45 CFR Parts 160, 162, and 164 SUMMARY: This final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers. (HIPAA).
Sec. 164.506 Consent for uses or disclosures to carry out treatment, payment, or health care operations.
Health Insurance Reform: Security 45 CFR Parts 160, 162, and 164 Standards; Final Rule Federal Register
§ 164.312 Technical safeguards. (iv) (c) (2)(d) (page 46) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. Sample implementation 1 2 Voice Recognition
How to comply - Solutions
HR Next - Human Resource Answers Now
Purchase Employer's Privacy Guide $80 Download Version
Email Encryption Software
Sample Business Associates Agreement - from HHS/OCR Site
For members of NAHU - National Association of Health Underwriters - Compliance Guide |
|
|
|
|
|
|
|
|
|
| |
|
|
|
|
|
|
|
|
Insurance Company Forms
Blue Cross Form to allow release of PHI (Protected Health Information) BC Individual Privacy HIPAA Forms
Claims - Billing Form 7/04
Blue Cross's Privacy Statement Blue Cross Procedures
Health Net's Privacy Statements Health Net HIPAA New Application Release
Blue SHIELD Privacy Statement - Release Form |
|
FAQ's
Who owns your medical records? Other questions on Privacy?
| These are Steve's Pick's from HIPAA's FAQ Site (Health & Human Services) |
| |
| |
| What does the HIPAA Privacy Rule do? |
| Answer |
Most health plans and health care providers that are covered by the new Rule must comply with the new requirements by April 14, 2003.
The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.
- It gives patients more control over their health information.
- It sets boundaries on the use and release of health records.
- It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
- It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
- And it strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.
For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.
- It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
- It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
- It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
- It empowers individuals to control certain uses and disclosures of their health information. |
| |
| Question |
| |
When is an authorization required from the patient before a provider or health plan engages in marketing to that individual? |
 |
| |
Answer |
| |
The HIPAA Privacy Rule expressly requires an authorization for uses or disclosures of protected health information for ALL marketing communications, except in two circumstances: (1) when the communication occurs in a face-to-face encounter between the covered entity and the individual; or (2) the communication involves a promotional gift of nominal value.
If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved. |
|
| |
| Question |
| |
Can contractors (business associates) use protected health information for its own marketing purposes? |
|
| |
Answer |
| |
No. While covered entities may share protected health information with their contractors who meet the definition of “business associates” under the HIPAA Privacy Rule, that definition is limited to contractors that obtain protected health information to perform or assist in the performance of certain health care operations on behalf of covered entities. Thus, business associates, with limited exceptions, cannot use protected health information for their own purposes. Although, under the HIPAA statute, the Privacy Rule cannot govern contractors directly, the Rule does set clear parameters for how covered entities may contract with business associates. See 45 CFR 164.502(e) and 164.504(e), and the definition of “business associate” at 45 CFR 160.103.
Further, the Privacy Rule expressly prohibits health plans and covered health care providers from selling protected health information to third parties for the third party’s own marketing activities, without authorization. So, for example, a pharmacist cannot, without patient authorization, sell a list of patients to a pharmaceutical company, for the pharmaceutical company to market its own products to the individuals on the list. |
|
| Steve's personal thoughts I think if people just followed the 10 Commandments, the 7 Noahide Laws, and the Golden Rule, and be careful about Gossip, we wouldn't have to have ALL these pages and tons of paperwork.
|
| |
| |
Sec. 164.502 Uses and disclosures of Protected health information:
general rules.
(a) Standard. A covered entity may not use or disclose protected
health information, except as permitted or required by this subpart or
by subpart C of part 160 of this subchapter.
(1) Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows:
(i) To the individual;
(ii) Pursuant to and in compliance with a consent that complies with
Sec. 164.506, to carry out treatment, payment, or health care operations;
Sec. 160.103 Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
|
| |
| |
| |
TITLE 45--PUBLIC WELFARE
AND HUMAN SERVICES
PART 164--SECURITY AND PRIVACY--Table of Contents
Subpart E--Privacy of Individually Identifiable Health Information
Sec. 164.506 Consent for uses or disclosures to carry out treatment, payment, or health care operations.
(a) Standard: Consent requirement. (1) Except as provided in
paragraph (a)(2) or (a)(3) of this section, a covered health care
provider must obtain the individual's consent, in accordance with this
section, prior to using or disclosing protected health information to
carry out treatment, payment, or health care operations.
(2) A covered health care provider may, without consent, use or
disclose protected health information to carry out treatment, payment,
or health care operations, if:
(i) The covered health care provider has an indirect treatment
relationship with the individual; or
(ii) The covered health care provider created or received the
protected health information in the course of providing health care to
an individual who is an inmate.
(3)(i) A covered health care provider may, without prior consent,
use or disclose protected health information created or received under
paragraph (a)(3)(i)(A)-(C) of this section to carry out treatment,
payment, or health care operations:
(A) In emergency treatment situations, if the covered health care
provider attempts to obtain such consent as soon as reasonably
practicable after the delivery of such treatment;
(B) If the covered health care provider is required by law to treat
the individual, and the covered health care provider attempts to obtain
such consent but is unable to obtain such consent; or
(C) If a covered health care provider attempts to obtain such
consent from the individual but is unable to obtain such consent due to
substantial barriers to communicating with the individual, and the
covered health care provider determines, in the exercise of professional
judgment, that the individual's consent to receive treatment is clearly
inferred from the circumstances.
(ii) A covered health care provider that fails to obtain such
consent in accordance with paragraph (a)(3)(i) of this section must
document its attempt to obtain consent and the reason why consent was
not obtained.
(4) If a covered entity is not required to obtain consent by
paragraph (a)(1) of this section, it may obtain an individual's consent
for the covered entity's own use or disclosure of protected health
information to carry out treatment, payment, or health care operations,
provided that such consent meets the requirements of this section.
(5) Except as provided in paragraph (f)(1) of this section, a
consent obtained by a covered entity under this section is not effective
to permit another covered entity to use or disclose protected health
information.
(b) Implementation specifications: General requirements. (1) A
covered health care provider may condition treatment on the provision by
the individual of a consent under this section.
(2) A health plan may condition enrollment in the health plan on the
provision by the individual of a consent under this section sought in
conjunction with such enrollment.
(3) A consent under this section may not be combined in a single
document with the notice required by Sec. 164.520.
(4)(i) A consent for use or disclosure may be combined with other
types of written legal permission from the individual (e.g., an informed
consent for treatment or a consent to assignment of benefits), if the
consent under this section:
(A) Is visually and organizationally separate from such other
written legal permission; and
(B) Is separately signed by the individual and dated.
(ii) A consent for use or disclosure may be combined with a research
authorization under Sec. 164.508(f).
[[Page 701]]
(5) An individual may revoke a consent under this section at any
time, except to the extent that the covered entity has taken action in
reliance thereon. Such revocation must be in writing.
(6) A covered entity must document and retain any signed consent
under this section as required by Sec. 164.530(j).
(c) Implementation specifications: Content requirements. A consent
under this section must be in plain language and:
(1) Inform the individual that protected health information may be
used and disclosed to carry out treatment, payment, or health care
operations;
(2) Refer the individual to the notice required by Sec. 164.520 for
a more complete description of such uses and disclosures and state that
the individual has the right to review the notice prior to signing the
consent;
(3) If the covered entity has reserved the right to change its
privacy practices that are described in the notice in accordance with
Sec. 164.520(b)(1)(v)(C), state that the terms of its notice may change
and describe how the individual may obtain a revised notice;
(4) State that:
(i) The individual has the right to request that the covered entity
restrict how protected health information is used or disclosed to carry
out treatment, payment, or health care operations;
(ii) The covered entity is not required to agree to requested
restrictions; and
(iii) If the covered entity agrees to a requested restriction, the
restriction is binding on the covered entity;
(5) State that the individual has the right to revoke the consent in
writing, except to the extent that the covered entity has taken action
in reliance thereon; and
(6) Be signed by the individual and dated.
(d) Implementation specifications: Defective consents. There is no
consent under this section, if the document submitted has any of the
following defects:
(1) The consent lacks an element required by paragraph (c) of this
section, as applicable; or
(2) The consent has been revoked in accordance with paragraph (b)(5)
of this section.
(e) Standard: Resolving conflicting consents and authorizations. (1)
If a covered entity has obtained a consent under this section and
receives any other authorization or written legal permission from the
individual for a disclosure of protected health information to carry out
treatment, payment, or health care operations, the covered entity may
disclose such protected health information only in accordance with the
more restrictive consent, authorization, or other written legal
permission from the individual.
(2) A covered entity may attempt to resolve a conflict between a
consent and an authorization or other written legal permission from the
individual described in paragraph (e)(1) of this section by:
(i) Obtaining a new consent from the individual under this section
for the disclosure to carry out treatment, payment, or health care
operations; or
(ii) Communicating orally or in writing with the individual in order
to determine the individual's preference in resolving the conflict. The
covered entity must document the individual's preference and may only
disclose protected health information in accordance with the
individual's preference.
(f)(1) Standard: Joint consents. Covered entities that participate
in an organized health care arrangement and that have a joint notice
under Sec. 164.520(d) may comply with this section by a joint consent.
(2) Implementation specifications: Requirements for joint consents.
(i) A joint consent must:
(A) Include the name or other specific identification of the covered
entities, or classes of covered entities, to which the joint consent
applies; and
(B) Meet the requirements of this section, except that the
statements required by this section may be altered to reflect the fact
that the consent covers more than one covered entity.
(ii) If an individual revokes a joint consent, the covered entity
that receives the revocation must inform the other entities covered by
the joint consent of the revocation as soon as practicable.
Effective Date Note: At 67 FR 53268, Aug. 14, 2002, Sec. 164.506 was
revised, effective Oct. 15,
[[Page 702]]
2002. For the convenience of the user, the revised text is set forth as
follows:
Sec. 164.506 Uses and disclosures to carry out treatment, payment, or
health care operations.
(a) Standard: Permitted uses and disclosures. Except with respect to
uses or disclosures that require an authorization under
Sec. 164.508(a)(2) and (3), a covered entity may use or disclose
protected health information for treatment, payment, or health care
operations as set forth in paragraph (c) of this section, provided that
such use or disclosure is consistent with other applicable requirements
of this subpart.
(b) Standard: Consent for uses and disclosures permitted. (1) A
covered entity may obtain consent of the individual to use or disclose
protected health information to carry out treatment, payment, or health
care operations.
(2) Consent, under paragraph (b) of this section, shall not be
effective to permit a use or disclosure of protected health information
when an authorization, under Sec. 164.508, is required or when another
condition must be met for such use or disclosure to be permissible under
this subpart.
(c) Implementation specifications: Treatment, payment, or health
care operations.
(1) A covered entity may use or disclose protected health
information for its own treatment, payment, or health care operations.
(2) A covered entity may disclose protected health information for
treatment activities of a health care provider.
(3) A covered entity may disclose protected health information to
another covered entity or a health care provider for the payment
activities of the entity that receives the information.
(4) A covered entity may disclose protected health information to
another covered entity for health care operations activities of the
entity that receives the information, if each entity either has or had a
relationship with the individual who is the subject of the protected
health information being requested, the protected health information
pertains to such relationship, and the disclosure is:
(i) For a purpose listed in paragraph (1) or (2) of the definition
of health care operations; or
(ii) For the purpose of health care fraud and abuse detection or
compliance.
(5) A covered entity that participates in an organized health care
arrangement may disclose protected health information about an
individual to another covered entity that participates in the organized
health care arrangement for any health care operations activities of the
organized health care arrangement.
Privacy Issues in Email
First, the technology used to communicate via e-mail is extraordinarily analogous to a telephone conversation. Indeed, e-mail is transmitted from one computer to another via telephone communication, either hard line or satellite. We have recognized that "[t]elephone conversations are protected by the Fourth Amendment if there is a reasonable expectation of privacy." United States v. Sullivan, 42 MJ 360, 363 (1995).
E-mail transmissions are not unlike other forms of modern communication. We can draw parallels from these other mediums. For example, if a sender of first-class mail seals an envelope and addresses it to another person, the sender can reasonably expect the contents to remain private and free from the eyes of the police absent a search warrant founded upon probable cause. Cf. Gouled v. United States, supra. However, once the letter is received and opened, the destiny of the letter then lies in the control of the recipient of the letter, not the sender, absent some legal privilege. See Mil.R.Evid. 501-06, Manual for Courts-Martial, United States, 1984. Cf. Gouled v. United States, 255 U.S. at 302.
The fact that an unauthorized "hacker" might intercept an e-mail message does not diminish the legitimate expectation of privacy in any way.
Expectations of privacy in e-mail transmissions depend in large part on the type of e-mail involved and the intended recipient U.S. v Maxwell
|
|
|
|
|
     |
| |
|
|
|
| |
|
