
HIPAA Privacy Rule Fact Sheet


LITA of Marin HIPAA Privacy Rule Fact Sheet
And Policy Regarding Protected Health Information


The first-ever federal privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers took effect on April 14, 2003. Developed by the Department of Health and Human Services (HHS), these new standards (hereinafter referred to as the “Privacy Rule”) generally provide patients with access to their medical records and more control over how their personal health information is used and disclosed.

The Privacy Rule applies only to “covered entities,” including health plans, health care clearinghouses and certain health care providers. LITA of Marin (“LITA”) is not a covered entity for purposes of the Privacy Rule. Nonetheless, LITA may be considered a “business associate” of certain skilled nursing or continuing care communities that are covered entities under HIPAA. As a business associate, LITA must ensure that it and its volunteers use any patient confidential information only for the purpose for which it was engaged by the covered entity, safeguard the information from misuse, report any use or disclosure of patient confidential information for any purpose other than the performance of the services for which LITA was engaged, and generally help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.


The new Privacy Rule ensures a national floor of privacy protections for patients by limiting the ways that covered entities can use patients' personal medical information. The regulations protect medical records and other individually identifiable health information, whether it is on paper, in computers or communicated orally. Key provisions of these new standards include:

  • Access to Medical Records. Patients generally should be able to see and obtain copies of their medical records and request corrections if they identify errors and mistakes.

  • Notice of Privacy Practices. Covered health plans, doctors and other health care providers must provide a notice to their patients explaining how they may use personal medical information and describing the patients' rights under the new privacy regulation. Patients generally will be asked to sign, initial or otherwise acknowledge that they received this notice. Patients also may ask covered entities to restrict the use or disclosure of their information beyond the practices included in the notice, but the covered entities would not have to agree to the changes.

  • Limits on Use of Personal Medical Information. The privacy rule sets limits on how health plans and covered providers may use individually identifiable health information. To promote the best quality care for patients, the rule does not restrict the ability of doctors, nurses and other providers to share information needed to treat their patients. In other situations, though, personal health information generally may not be used for purposes not related to health care, and covered entities may use or share only the minimum amount of protected information needed for a particular purpose. In addition, patients would have to sign a specific authorization before a covered entity could release their medical information to a life insurer, a bank, a marketing firm or another outside business for purposes not related to their health care.

  • Prohibition on Marketing. The final privacy rule sets new restrictions and limits on the use of patient information for marketing purposes. Pharmacies, health plans and other covered entities must first obtain an individual's specific authorization before disclosing their patient information for marketing. At the same time, the rule permits doctors and other covered entities to communicate freely with patients about treatment options and other health-related information, including disease-management programs.

  • Stronger State Laws. The new federal privacy standards do not affect state laws that provide additional privacy protections for patients. The confidentiality protections are cumulative; the privacy rule will set a national "floor" of privacy standards that protect all Americans, and any state law providing additional protections would continue to apply. When a state law requires a certain disclosure -- such as reporting an infectious disease outbreak to the public health authorities -- the federal privacy regulations would not preempt the state law.

  • Confidential communications. Under the privacy rule, patients can request that their doctors, health plans and other covered entities take reasonable steps to ensure that their communications with the patient are confidential. For example, a patient could ask a doctor to call his or her office rather than home, and the doctor's office should comply with that request if it can be reasonably accommodated.

  • Complaints. Consumers may file a formal complaint regarding the privacy practices of a covered health plan or provider. Such complaints can be made directly to the covered provider or health plan or to HHS' Office for Civil Rights (OCR), which is charged with investigating complaints and enforcing the privacy regulation. Information about filing complaints should be included in each covered entity's notice of privacy practices. Consumers can find out more information about filing a complaint at or by calling (866) 627-7748.

Covered entities must establish policies and procedures to protect the confidentiality of protected health information about their patients. These requirements are flexible and scalable to allow different covered entities to implement them as appropriate for their businesses or practices. Covered entities must provide all the protections for patients cited above, such as providing a notice of their privacy practices and limiting the use and disclosure of information as required under the rule. In addition, covered entities must take some additional steps to protect patient privacy:

  • Written Privacy Procedures. The rule requires covered entities to have written privacy procedures, including a description of staff that has access to protected information, how it will be used and when it may be disclosed. Covered entities generally must take steps to ensure that any business associates who have access to protected information agree to the same limitations on the use and disclosure of that information.

  • Employee Training and Privacy Officer. Covered entities must train their employees in their privacy procedures and must designate an individual to be responsible for ensuring the procedures are followed. If covered entities learn an employee failed to follow these procedures, they must take appropriate disciplinary action.

  • Public Responsibilities. In limited circumstances, the final rule permits -- but does not require -- covered entities to continue certain existing disclosures of health information for specific public responsibilities. These permitted disclosures include: emergency circumstances; identification of the body of a deceased person, or the cause of death; public health needs; research that involves limited data or has been independently approved by an Institutional Review Board or privacy board; oversight of the health care system; judicial and administrative proceedings; limited law enforcement activities; and activities related to national defense and security. The privacy rule generally establishes new safeguards and limits on these disclosures. Where no other law requires disclosures in these situations, covered entities may continue to use their professional judgment to decide whether to make such disclosures based on their own policies and ethical principles.

  • Equivalent Requirements For Government. The provisions of the final rule generally apply equally to private sector and public sector covered entities. For example, private hospitals and government-run hospitals covered by the rule have to comply with the full range of requirements.


As noted above, the Privacy Rule regulates only covered entities and LITA is not a covered entity. However, the Privacy Rule requires covered entities to obtain assurances from their business associates that the business associates will safeguard protected health information. Because LITA may be considered a business associate of the facilities through which it provides volunteer services, LITA may be required to provide such assurances.

It is the policy of LITA that its agents and volunteers must, at a minimum, meet the following requirements with respect to the protected health information:

  1. All agents and volunteers of LITA must review and become familiar with LITA’s Policy Regarding Protected Health Information and must sign LITA’s “Volunteer Agreement Regarding Privacy and Confidentiality”;

  2. LITA and its agents and volunteers must use and disclose protected health information only in order to perform the volunteer services that they have agreed to provide to any covered entity or any resident of a covered entity;

  3. LITA and its agents and volunteers must use appropriate safeguards to prevent use or disclosure of protected health information for purposes other than the performance of the volunteer services they have agreed to provide;

  4. LITA and its agents and volunteers must not access or request any protected health information unless it is needed to perform authorized activities as a LITA volunteer;

  5. If protected health information is accessed or requested by LITA, its agents or its volunteers, only the minimum amount of such information will be used as is necessary to perform the volunteer services they have agreed to provide;

  6. LITA and its agents and volunteers will not disclose any protected health information unless such disclosure is authorized by law;

  7. LITA and its agents and volunteers will not remove any originals or copies of protected health information from the premises of LITA or from any facility in which LITA, through its volunteers, provides services;

  8. LITA and its agents and volunteers agree to report to the covered entity any use or disclosure of protected health information for purposes other than the performance of the volunteer services;

  9. While serving as a volunteer at any facility, LITA’s agents and volunteers agree to follow those facilities’ policies and procedures with respect to privacy of patient information.

If you have any questions about the HIPAA Privacy Rule, the above policies or your obligations as a LITA volunteer, please contact LITA’s main office.
