Health Insurance Portability and Accountability Act (HIPAA)

In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA). One of its purposes is to protect health information by establishing transaction standards for the electronic exchange of health information, security standards, and privacy standards for the use and disclosure of individually identifiable health information. HIPAA applies to "covered entities": health plans (including employer group health plans), health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions.

At the University, the covered components are the School of Medicine (excluding the School of Public Health, the Animal Resources Center, and the basic science departments: Cell Biology, Cellular and Molecular Physiology, Comparative Medicine, History of Medicine, Immunobiology, Microbial Pathogenesis, Molecular Biophysics & Biochemistry, Neurobiology, and Pharmacology), the School of Nursing, Yale University Health Services, the Department of Psychology clinics, and the Group Health Plan. HIPAA is a complex statute that affects the University's covered components in several ways, including operations, policies, IT systems, contractual relationships, and relationships with long-standing partners in health care delivery and training, such as Yale-New Haven Hospital.

The administrative simplification provisions of HIPAA have three major requirements:

  • Protection for the privacy of Protected Health Information
  • Protection for the security of Protected Health Information
  • Standardization of electronic data interchange in health care transactions

The HIPAA Privacy rule went into effect in April 2003 and the Security rule went into effect in April 2005.

In 2009, the HITECH Act added a further requirement: patients must be notified when their unsecured health information is breached.

Privacy Requirements

Rules Concerning the Use and Disclosure of Protected Health Information

HIPAA contains detailed requirements for the use or disclosure of protected health information (PHI). Covered entities may use and disclose PHI only as permitted by HIPAA or, where state law is more protective of the patient, by that state law.

In general, the covered units at Yale may use PHI for the purposes of treatment, payment and health care operations (TPO) without any special permission from the patient. Health care "operations" include activities such as quality assurance, peer review, training and business planning. No later than the date of the first service provided to a patient, we must give the patient a Notice of Privacy Practices that explains how we may use the patient's health information for TPO purposes and what rights the patient has with respect to his or her PHI.

Special permission, called an authorization, must be obtained for uses and disclosures other than for TPO. For example, an authorization may be required for the use of protected health information for research purposes (discussed below) or for marketing activities.

For some uses and disclosures, a covered entity need not obtain an authorization but must give the patient the opportunity to agree or object. An important example is the disclosure of health information to family or friends involved in the patient’s care. Finally, in some situations, such as reporting to public health authorities, emergencies, or in research studies in which a waiver has been obtained from an Institutional Review Board (“IRB”), a covered entity does not need to obtain an authorization or provide an opportunity to agree or object.

We must keep a record, or an "accounting," of disclosures made and, if requested, provide that accounting to the patient. We do not need to account for disclosures made pursuant to an authorization. Once we have implemented an Electronic Health Record (EHR), the HITECH Act will require us to account for disclosures made for TPO as well.

Minimum Necessary

Yale must make reasonable efforts to use, disclose, or request only the minimum PHI necessary to accomplish the intended purpose. Under the HITECH Act, the default standard for minimum necessary is a limited data set. For routine, recurring disclosures this may be achieved by policies and procedures that limit the PHI disclosed; other disclosures require an individualized review. The minimum necessary requirement does not apply when treating providers share PHI for treatment purposes. To keep use and disclosure to the minimum necessary, the University has defined role-based access protocols for common employee roles, so that each role can see only the level of PHI its duties require.

Research
HIPAA also addresses use of protected health information for research purposes. HIPAA requires either a patient authorization or an IRB approved waiver of the authorization requirement for the use, disclosure or creation of identifiable health information for research.

An authorization is not required for research that uses only "de-identified" data. Under HIPAA's Safe Harbor method, health information is de-identified once the 18 HIPAA-defined identifiers have been removed and the covered entity has no actual knowledge that the remaining information could identify the individual; HIPAA also recognizes de-identification by expert determination. Data de-identified by either method is no longer PHI, so a researcher using it needs no authorization.
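The following is an added example, not code from the University or from this page, showing what removing the Safe Harbor identifiers looks like in practice for a flat patient record. The identifier categories come from the Privacy Rule (45 CFR 164.514(b)(2)), which the text above does not enumerate; the record field names, the sample record, and the small-population ZIP list are constructed assumptions for this example.

```python
import re
from datetime import date

# Field names of a hypothetical flat patient record (assumed for this example),
# mapped onto the Safe Harbor identifier categories of 45 CFR 164.514(b)(2):
# names; geographic units smaller than a state (street, city, county, ZIP beyond
# 3 digits); all date elements except year, and all ages over 89; phone; fax;
# email; SSN; medical record number; health plan beneficiary number; account
# number; certificate/license number; vehicle IDs; device serials; URLs; IP
# addresses; biometrics; full-face photos; any other unique identifying code.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "fingerprint",
    "photo", "other_unique_id",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
FREE_TEXT_FIELDS = {"notes"}

# Constructed stand-in for the Census-derived list of 3-digit ZIP areas with
# 20,000 or fewer residents, which Safe Harbor requires to be reported as "000".
SMALL_ZIP3 = {"036", "059", "102"}

# Identifier shapes that commonly leak through free-text fields.
TEXT_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def scrub_text(text):
    """Replace identifier-shaped substrings in free text with a category tag."""
    for label, pattern in TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label}]", text)
    return text


def _age_on(dob, as_of):
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def safe_harbor(record, as_of=date(2024, 1, 15)):
    """Return (deidentified_record, removed_fields) for one flat record.

    as_of is the reference date for the over-89 age rule; it is fixed here so
    the example is reproducible.
    """
    out, removed = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            removed.append(field)            # category removed outright
        elif field in DATE_FIELDS:
            out[field + "_year"] = date.fromisoformat(value).year  # year only
        elif field == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in SMALL_ZIP3 else zip3
        elif field in FREE_TEXT_FIELDS:
            out[field] = scrub_text(value)
        else:
            out[field] = value               # e.g. diagnosis codes survive
    # Ages over 89, and any date element that would reveal one, collapse
    # into a single bucket; the birth year is dropped with them.
    if "dob" in record:
        age = _age_on(date.fromisoformat(record["dob"]), as_of)
        if age > 89:
            out["age"] = "90 or older"
            out.pop("dob_year", None)
        else:
            out["age"] = age
    return out, removed


# Constructed sample record; not a real patient.
SAMPLE = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0012345",
    "ssn": "123-45-6789",
    "dob": "1931-05-02",
    "admit_date": "2023-11-30",
    "zip": "06510",
    "city": "New Haven",
    "diagnosis_code": "I10",
    "notes": "Pt called from 203-555-0100, e-mail jane@example.org; seen 11/30/2023.",
}

if __name__ == "__main__":
    deidentified, dropped = safe_harbor(SAMPLE)
    print("removed:", dropped)
    print("kept:", deidentified)
```

Two caveats a reviewer would raise before relying on this: regex scrubbing of free text is best effort (a patient's name inside a narrative note is not caught by any of the patterns above), and Safe Harbor still requires that the covered entity have no actual knowledge that what remains could identify the individual. Where the research needs dates or small-area geography, the expert determination method is the alternative.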

Marketing and Fundraising

HIPAA addresses the need for covered entities to respect patient confidentiality when performing marketing or development activities. Consistent with current University practice, these activities should be conducted in a responsible manner and should be in accordance with HIPAA policies.

These policies apply to all individuals in any office, department or section which seeks to use PHI for marketing and fundraising purposes.

Business Associates

Contractors that handle protected health information while performing a function or activity for a covered component at Yale must comply with HIPAA. All contracts must require that such contractors, called business associates in the regulations, use appropriate safeguards to prevent use or disclosure of the information other than as permitted by the contract. The University may be held responsible for the actions of a business associate if (1) it knew of a pattern of activity by the business associate that violated the contract and (2) it failed to take reasonable steps to correct the problem. Since the HITECH Act, business associates are also directly liable under HIPAA for their own violations.

Individual Rights

The privacy rule creates five individual rights:

  1. Right to a notice of a covered entity’s privacy practices.
  2. Right to request restrictions and confidential communications concerning protected health information.
  3. Right to obtain access to protected health information for inspection and copying.
  4. Right to obtain an accounting of certain disclosures.
  5. Right to request amendment of protected health information.

Administrative Requirements

We are required to comply with a number of administrative requirements, including the following:

  1. Designation of a privacy official responsible for development of policies and procedures for the use and disclosure of protected health information.
  2. Implementation of an internal complaint process to handle complaints relating to privacy rules and to explain privacy procedures.
  3. Workforce training.
  4. Implementation of administrative, technical and physical safeguards to protect the confidentiality and integrity of PHI.
  5. Development and enforcement of sanctions for failure to comply with policies and procedures.
  6. Development of procedures to mitigate adverse effects of a prohibited use or disclosure.
  7. Development and enforcement of policy prohibiting retaliation against a person for exercising individual rights or filing a complaint.

Security Requirements

The Privacy requirements affect PHI in all formats, including electronic PHI (ePHI). Physical security of PHI in all formats is a component of HIPAA Privacy, but HIPAA Security focuses specifically on protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any Protected Health Information (PHI) that is created, stored, accessed, transmitted or received electronically. Hence the "e" at the beginning of ePHI.

Confidentiality is the assurance that ePHI data is shared only among authorized persons or organizations.

Integrity is the assurance that ePHI data is not changed unless an alteration is known, required, documented, validated and authoritatively approved. Most important to HIPAA, data integrity ensures that we can rely on data in making medical decisions. It is an assurance that the information is authentic and complete, and that the information can be relied upon to be sufficiently accurate for its purpose.

Availability is the assurance that systems responsible for delivering, storing and processing critical ePHI data are accessible when needed, by those who need them under both routine and emergency circumstances.

  • 'Basic' ePHI system safeguards: individuals who use a personal computing device to create, access, transmit or receive electronic protected health information (ePHI) must understand and observe specific safeguards for that device.
  • 'Above threshold' ePHI system security safeguards: an above-threshold ePHI system is a system that creates, accesses, transmits or receives 1) primary source ePHI (original, not copied), 2) ePHI critical for treatment, payment or health care operations, or 3) any form of ePHI where the host system is configured to allow access by multiple people. All above-threshold ePHI systems must be registered and entered into the University System Inventory Database.

Security and privacy are distinct, but related.

Breach Notification

Yale is required to notify affected individuals without unreasonable delay, and no later than 60 days after discovery, whenever their unsecured PHI is inappropriately accessed, used, disclosed or acquired. We must also notify the Department of Health and Human Services and, if the breach involves more than 500 individuals in a state or jurisdiction, the media. "Unsecured" PHI is PHI that has not been rendered unusable, unreadable or indecipherable (for example, by encryption or destruction) in accordance with HHS guidance; the loss of properly encrypted PHI does not trigger notification, which is why encryption of ePHI on portable devices matters.

All potential breaches should be reported immediately to 203.627.4665 or

Penalties

HIPAA establishes civil monetary penalties for violations and criminal penalties for knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA. Alleged violations of University HIPAA policies will be pursued in accordance with the appropriate disciplinary procedures for faculty, staff and students, as outlined in the Faculty Handbook, the Staff Personnel Policies and Practice Manual, various student regulations, and other applicable materials. Staff members who belong to University-recognized bargaining units will be disciplined for violations of policy in accordance with the relevant disciplinary provisions set forth in the agreements covering their bargaining units.