FAQs


HIPAA

Is the electronic exchange of medical records allowed under the Health Insurance Portability and Accountability Act (HIPAA)?
Yes. Protected health information may be disclosed to another covered entity for treatment, payment, or health care operations without the individual’s authorization, regardless of whether the records are paper or electronic.

For more details related to security, visit:
http://www.cms.hhs.gov/SecurityStandard/

http://www.cms.hhs.gov/securitystandard/downloads/securityfinalrule.pdf
http://www.securityfocus.com/infocus/1764

For more details related to privacy, visit:
http://www.hhs.gov/ocr/hipaa/
http://www.hhs.gov/ocr/privacy/index.html

What rights do my patients have under HIPAA Privacy Rule?
The HIPAA Privacy Rule gives patients certain rights, including the right to access their health information, to request restrictions on the use and disclosure of their health information, to request an amendment to their health information, and to request an accounting of disclosures of their health information. The Privacy Rule contains certain exceptions to these rights, and it also gives patients additional rights regarding the use and disclosure of their health information and the ability to learn how their health information has been accessed.

For more details, visit:
http://www.iqh.org/
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/

Can I comply with HIPAA and participate in health information exchange?
Yes. HIPAA’s security and privacy requirements for protecting your patients’ health information apply to both paper and electronic health records, and they continue to apply when those records are exchanged electronically.

For more details, visit:
http://healthit.ahrq.gov/portal/server.pt?open=512&objID=1117&&PageID=14753&mode=2&in_hi_userid=3882&cached=true#Answer

How does HIPAA affect my office staff’s access to electronic patient information?
The HIPAA Privacy Rule requires an organization to develop and implement policies that identify the persons, or classes of persons, in the workforce who need access to protected health information to carry out their duties, the categories of protected health information to which they need access, and any conditions under which they need the information to do their jobs.

For more details, visit:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/

www.iqh.org

How will electronic health records help my practice be HIPAA compliant?
The Privacy Rule covers all forms of patients’ protected health information: electronic, written or oral. Privacy standards include limiting access to the “minimum necessary” to those whose job demonstrates a “need to know.” They also require the adoption of administrative, technical and physical safeguards to protect the privacy and security of health information. One component of this program involves updating systems to ensure they provide adequate protection of patient data.

The Security Rule covers only electronic protected health information (ePHI), and it addresses the administrative, physical, technical and organizational aspects of data transmission, storage and maintenance. Security safeguards include appropriate policies and procedures, protecting physical access to ePHI, and ensuring that technical security is in place to protect networks, computers, and other electronic devices, including PDAs and iPods.

Password requirements for access to ePHI, together with access logs that record who viewed it and when, support the requirement to limit access to protected health information to the “minimum necessary” as determined by each employee’s job responsibilities.
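The mechanism described above, as an added example that is not part of this FAQ or of any particular EHR product: access to individual fields of a patient record is granted by job role, every attempt (granted or denied) is written to an append-only access log, and the log entries are hash-chained so that later edits or deletions can be detected when an accounting of access is produced. The roles, field names, user names and the patient record are all constructed for illustration.

```python
# Added example (not from the original page): minimum-necessary access to ePHI
# enforced by job role, with a hash-chained access log that supports an
# accounting of who read a record. Roles, users and record data are constructed.
import hashlib
import json
from datetime import datetime, timezone

# Constructed policy: the ePHI fields each role needs for its job.
ROLE_PERMISSIONS = {
    "physician":  {"name", "dob", "diagnoses", "medications", "notes"},
    "nurse":      {"name", "dob", "medications", "notes"},
    "billing":    {"name", "dob", "insurance_id", "diagnoses"},
    "front_desk": {"name", "dob", "phone"},
}

# Constructed sample record (fictional patient).
RECORDS = {
    "P-1001": {
        "name": "Jane Example", "dob": "1980-01-02", "phone": "555-0100",
        "insurance_id": "INS-77", "diagnoses": ["J06.9"],
        "medications": ["amoxicillin"], "notes": "Follow up in 2 weeks.",
    }
}


class AccessDenied(PermissionError):
    pass


class AccessLog:
    """Append-only list of entries; each entry stores the SHA-256 of the
    previous entry, so editing or removing an earlier entry breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **fields):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = dict(fields, prev=prev)
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """True if every entry links to its predecessor and its hash matches."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def read_record(user, role, record_id, fields, log, when=None):
    """Return only the requested fields the role is allowed to see; log the attempt."""
    when = when or datetime.now(timezone.utc).isoformat()
    allowed = ROLE_PERMISSIONS.get(role, set())
    requested = set(fields)
    denied = sorted(requested - allowed)
    # Log denied attempts too: they are the signal for probing or misconfiguration.
    log.append(time=when, user=user, role=role, record=record_id,
               fields=sorted(requested), granted=not denied)
    if denied:
        raise AccessDenied(f"{user} ({role}) may not read {denied} of {record_id}")
    record = RECORDS[record_id]
    return {f: record[f] for f in fields}


def accounting_of_access(log, record_id):
    """Who accessed a record, when, which fields, and whether it was granted."""
    return [(e["time"], e["user"], e["role"], e["fields"], e["granted"])
            for e in log.entries if e["record"] == record_id]


def demo():
    """Scenario: a physician reads clinical fields; front desk is refused them."""
    log = AccessLog()
    granted = read_record("dr_smith", "physician", "P-1001",
                          ["name", "diagnoses"], log, when="2024-01-01T00:00:00+00:00")
    try:
        read_record("fd_jones", "front_desk", "P-1001",
                    ["name", "diagnoses"], log, when="2024-01-01T00:01:00+00:00")
        denied = False
    except AccessDenied:
        denied = True
    return granted, denied, log


if __name__ == "__main__":
    result, was_denied, access_log = demo()
    print(result, was_denied, access_log.verify())
    print(accounting_of_access(access_log, "P-1001"))
```

The chain detects edits to, and removal of, any entry that has a successor, but not truncation of the most recent entries; in practice the latest hash should be copied periodically to a location the EHR’s own administrators cannot alter (a write-once store or a separate log server), and failed reads should be reviewed, since a denied request is usually either a probing user or a role mapped to the wrong job.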

For more details, visit:
www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp#TopOfPage
See “Downloads” and “Related Links”

www.cms.hhs.gov/EducationMaterials/Downloads/SecurityStandardsTechnicalSafeguards.pdf
See pages 3-11

www.cms.hhs.gov/EducationMaterials/Downloads/SecurityStandardsAdministrativeSafeguards.pdf
See pages 6-19

Am I required to completely restructure my existing workflow system in order to comply with HIPAA?
No. The minimum necessary standard requires only that covered entities make reasonable efforts to limit access to protected health information to those workforce members who need it based on their roles in the covered entity.

For more details, visit:
http://www.hhs.gov/ocr/privacy/index.html

Does HIPAA allow for sending electronic protected health information (ePHI) in an email or over the internet?
Yes, the HIPAA Privacy Rule allows covered health care providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so. For example, certain precautions may need to be taken when using email to avoid unintentional disclosures, such as checking the email address for accuracy before sending, or sending an email alert to the patient for address confirmation prior to sending the message. Also, while the HIPAA Privacy Rule does not prohibit the use of unencrypted email for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through unencrypted email.

For more details, visit:
www.cms.hhs.gov/EducationMaterials/Downloads/SecurityStandardsTechnicalSafeguards.pdf
See pages 3-13
