HIPAA Style Data Privacy Rules

The Health Insurance Portability and Accountability Act (HIPAA) dictates that a person has the right to control any information that is associated with a health care decision that he makes. HIPAA legislation specifies a wide range of policies related to keeping patient information private. These rules specify how corporations must handle medical data and how patients can ensure that their data remains private.
Notice of Privacy Practices

• HIPAA requires that all health providers give patients a Notice of Privacy Practices before using their data. The provider must obtain a signature from the patient indicating that the patient has read and understands all information in the notice.

  The Notice of Privacy Practices tells the patient how their information will be protected. It also explains how patients can manage their health information, including how to gain access to their health information, how to receive notices of how the provider has used that information, and how to request that access to health records be limited. The notice must also explain how to correct errors in the information, how to request that communications regarding health information be made confidentially, and how to file a complaint if the patient believes that her privacy has been violated.

  Health insurers are also required to periodically provide their customers with a Notice of Privacy Practices describing their data privacy policies. They are not required to collect patient signatures when they do so.

Minimum Necessary Standard

• All uses and disclosures of medical information must follow the principle of the minimum necessary standard. This rule dictates that only the minimum amount of information required for successful treatment or business practices may be disclosed or made available to any given health employee or associate. Rules for maintaining minimum necessary practices must be made clear in a company's policies and must be enforced using computer-access controls.

Authorization for Additional Use

• If a health provider, insurer or other entity wishes to use a patient's medical information for a purpose such as research, marketing or fundraising, it must seek supplemental authorization for that use. It must provide the patient with a statement of what data will be used and how his privacy will be protected. The entity may only use patient data for these additional purposes if the patient returns a signed authorization form.

Psychotherapy Privacy

• Notes taken during a psychotherapy session are protected by stronger privacy rules than ordinary medical information. Any health entity that wishes to obtain or use psychotherapy notes must obtain a signed supplemental authorization form from the participant, unless the use is exempt from HIPAA privacy regulations.

Privacy Exceptions

• There are certain cases in which private medical data may be disclosed or used without consent. Privacy restrictions do not apply for purposes of public health, health oversight, public safety or national security. Any information required for an investigation into abuse, neglect or domestic violence, or for other judicial proceedings, is also not protected by HIPAA. Health information about dead persons is also not protected.

Assurances

• Businesses that work with health information collected by a medical provider are not required to obtain a patient signature when performing business functions with the data. However, they must sign a contractual assurance stating that all employees of the company will follow HIPAA rules and regulations.

Privacy Officer

• Each health care entity must designate a privacy officer who is responsible for setting and enforcing HIPAA-compliant privacy standards. The Notice of Privacy Practices provided to patients must include information on how to contact the privacy officer in case of questions or complaints.

HIPAA and State Laws

• HIPAA sets a minimum level for national medical data privacy standards. Any state laws that create more stringent privacy standards may supersede the federal requirements dictated by HIPAA.

HIPAA Violation Penalties

• HIPAA legislation includes provisions covering the penalties that may be imposed on an individual who violates HIPAA privacy policies. Violations that result from accidental negligence are typically punishable by a $100 fine, while willful violations that result in personal gain or harm to patients can be punishable by up to a $250,000 fine and ten years of imprisonment.
