|What does HIPAA stand for?
||HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996.
|What does HIPAA regulate?
||The Health Insurance Reform provisions (Title I of the Health Insurance Portability and Accountability Act of 1996) protects health insurance coverage for workers and their families when they change or lose their jobs. The Administrative Simplification provisions (Title II of the Health Insurance Portability and Accountability Act of 1996) requires the Department of Health and Human Services to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health data.
|Who must comply with the Privacy Rule?
1. Health Plans
2. Health care providers of services and supplies.
3. Health care clearinghouses - a clearinghouse is an entity that processes or facilitates processing of health information received from a covered entity. When a clearinghouse creates or receives protected health information as a business associate of another entity, it must comply with the Privacy Rule.
|What Information is Protected by HIPAA?
||Information protected under HIPAA includes health care information, which is all information related to preventive, diagnostic, therapeutic, rehabilitative, maintenance, palliative, counseling, service assessment, physical, mental, or functional services. Protected health information includes information created or received by a covered entity, public health authority, employer, life insurer, or school that relates to the past, present, or future physical or mental health of an identified individual. The Privacy Rule is not limited to medical records. The HIPAA Privacy Rule protects all health information. Therefore, any information related to treatment, diagnosis, or payment recorded in any form in any location is protected under the HIPAA provisions.
|Can I Request Any and All Records for All Time?
||No. Under HIPAA, a provider is expected to make all reasonable efforts to limit the protected health information released to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. The entire medical record will not be released, but only the specific portions as requested in the authorization. Therefore, all requests made to LSLLC for retrieval of health information should include within the authorization the dates of service requested as well as specific documents requested, if applicable.
|What does the Privacy Rule Do?
The Privacy Rule does the following:
1. Gives patients more control over their health information;
2. Sets boundaries on the use and release of health records;
3. Establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information;
4. Holds violators accountable with civil and criminal penalties that can be imposed if they violate patients' privacy rights; and
5. Strikes a balance when public responsibility supports disclosure of some forms of data,for example, to protect public health.
|How does HIPAA interact with existing state law?
||HIPAA regulations pre-empt State laws with regard to protected health information. If State laws are stricter than HIPAA guidelines, then State laws supercede HIPAA guidelines. HIPAA guidelines serve to create a national standard regarding protected health information.
|What Information Does A Proper HIPAA Authorization Have to Include?
HIPAA compliant authorizations must include the following elements:
1. Patient's full identity
2. Address and date of birth
3. Releasing provider
4. Authorized recipient
5. Purpose for release
6. Extent of information for release
7. Time period of information
8. Expiration of authorization
9. Revocation statement
10. Date signed
11. Signature of patient or designee
12. Photocopy authorization yes/no
|Mental Health and Psychotherapy Notes
||Mental Health and psychotherapy notes are treated differently from other protected health information. There are stricter requirements for the disclosure of mental health records or psychotherapy notes. In order for information to be considered psychotherapy notes, the notes must be separated from the rest of the individual's medical record. Generally, this type of protected health information can be disclosed only with a specific authorization. Each covered entity usually has an authorization specific to their facility for the release of mental health records.
|Are Subpoenas Accepted for the Release of Information?
||Yes. Subpoenas are accepted for the release of information. A provider may request that a signed authorization be provided instead of a subpoena; however, it has been confirmed with the Office of Civil Rights that as long as the provider can be given reasonable and satisfactory assurance that the patient had the opportunity to object to the service of the subpoena then records may be produced. LSI has made adjustments to its subpoena correspondence to include language noting that the Certificate Prerequisite and Notice of Intent are attached to provide the required satisfactory assurance for each subpoena served upon a covered entity.