What information is protected by the Privacy Rule?
The Privacy Rule does not protect all forms of health information
- only health information that is "individually identifiable."
In other words, it protects health information from which an individual
can be identified, but only if that information is in the hands
of a covered entity. Generally, health information held in a group
health plan's records will be protected.
Health information is protected if:
- It is created or received by a provider, health plan, employer, or health care clearinghouse;
- It relates to the physical or mental health or condition of an individual, at any time, past, present or future (and includes information related to payment of health benefits);
- It identifies an individual or can be used to identify the individual; and
- It is in the possession or control of a covered entity (including a group health plan). [45 CFR §§ 160.103 (definition of "health information"); 164.501 (definitions of "individually identifiable information" and "protected health information").]
Compliance Tip: This definition encompasses health information
in all forms - electronic, written, oral, or any other medium. [45
CFR § 164.501 (definition of "protected health information");
65 Fed. Reg. 82496.]
What is "protected health information"?
"Protected health information" (often referred to as "PHI")
is the health information described above, i.e., it is the health
information that is subject to the Privacy Rule's protections.
Do I need to comply with state privacy laws?
Possibly. The Privacy Rule does not preempt all state privacy laws.
State privacy laws that are "more stringent" are preserved.
That is, a state privacy law that provides more privacy protections
or greater individual rights than provided by the federal Privacy
Rule will apply, unless that law is otherwise preempted by a different
federal law, such as ERISA. Generally, state laws preempted by ERISA
will remain preempted. [45 CFR § 160.203; 65 Fed. Reg. 82483.]
Accordingly, employers must determine whether and to what extent
they must follow state law (including decisional law as well as
statutes and regulations). This task may be particularly complicated
for employers with employees in more than one state. A detailed
discussion of the preemption issues raised by the Privacy Rule is
beyond the scope of this Workbook. Employers might wish to consult
with legal counsel to determine applicable state privacy laws.
Do I need to comply with other federal laws that require me
to use or release protected health information?
Generally, nothing in HIPAA or the Administrative Simplification
Rules exempts an employer from complying with other federal laws
(e.g., ERISA, ADA, FMLA) under the general rules of precedence applicable
to federal law.
Generally, when may protected health information be used or
disclosed?
Group health plans may use or disclose protected health information
only if the use or disclosure is permitted or required by the Privacy
Rule. [45 CFR § 164.502(a).] In very general terms, a group
health plan may use protected health information internally or disclose
it externally only under the limited circumstances and for the specific
purposes permitted by the Privacy Rule. Otherwise, group health
plans may use or disclose protected health information only with
the permission of the individual who is the subject of the protected
health information.