Key Concepts of HIPAA Privacy Rule

Disclosure

The release of information to anyone outside of the covered entity, including the release of health information to other health care providers or to the patient themselves.

Authorization

The express permission of the subject individual, or the legally recognized representative of the individual, to disclose the individual's protected health information.

Treatment

The provision of health care by one or more health care providers.

Payment

Any activity related to securing, documenting, billing, and receiving payment for health care services provided.

Minimum Necessary

The principle under the Privacy Rule that a provider may only use and/or disclose the minimum amount of protected health information that is necessary for whatever purpose for which it is being used and disclosed.

TPO

Stands for Treatment, Payment, and Operations.

HIPAA Privacy Rule

The right to privacy and security of your health care information is clearly stated as a right.

Right to Obtain Copies

While the HIPAA Privacy Rule gives individuals the right to obtain copies of their health care information, Washington State law does not permit this and will take precedence over HIPAA.

Right to Add Corrections

If you believe that a health care provider made a mistake in documenting your health conditions and treatment in your medical record, you have the right to add your corrections to your medical record.

Informing Rights

Your doctor does have to inform you of your rights under the HIPAA Privacy Rule and state laws.

Right to Object

An individual does not have the right to object to certain uses of their health care information.

Tracking Disclosures

Health care providers must track all disclosures of your PHI and provide a list of those disclosures to you when requested.

Disclosures for TPO

Disclosures for TPO do not need to be tracked.

Authorization for Disclosures

Most disclosures of health care information require the authorization of the individual who is the subject of the information.

Workforce Members

Doctors, Registration Staff, Contractors working in the hospital, Traveling nurses, Administrators, Housekeepers are considered workforce members under HIPAA.

Written Authorization

A covered entity must obtain the individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment, or health care operations or otherwise permitted or required by the Privacy Rule.

Refusal to Sign Authorization

If a patient refuses to sign an authorization for the release of health care information, a facility may refuse to treat the patient.

Disclosure to Law Enforcement

HIPAA requires providers to disclose PHI to law enforcement officials.

Patient Authorization for Attorney

Patient (or patient representative) authorization is required to disclose PHI to the patient's attorney.

PHI Examples

Birth date, Driver's License number, Weight, Telephone number, Address, Medical record information are considered PHI under HIPAA.

HIPAA Criminal Penalties

Only employers are subject to HIPAA criminal penalties.

General Penalties for HIPAA Violation

Be fined not more than $50,000, imprisoned not more than 1 year, or both.

Penalties for Violations under False Pretenses

Be fined not more than $100,000, imprisoned not more than 5 years, or both.

Penalties for Intent to Sell PHI

Be fined not more than $250,000, imprisoned not more than 10 years, or both.

PHI Definition

"Individually identifiable health information transmitted or maintained in any form or medium" is part of the definition of PHI (Protected Health Information).