What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law passed to protect the privacy and security of certain health information.
A key goal of the HIPAA regulations is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. The law allows the Department of Health and Human Services (DHHS) to develop regulations that set universal standards for electronic transactions between health care providers and insurance companies. The DHHS is responsible for administering and enforcing these standards.
What is PHI?
Protected Health Information (PHI) is health information, including demographic data, created or received by UNC Health Care System (UNC HCS) entities that relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care by an individual and that identifies or can be used to identify the individual.
How does HIPAA protect patient privacy?
Unless an exception is met under the HIPAA regulations, a health care provider may not use or disclose PHI without the authorization of the patient or the patient’s legally authorized representative. No authorization is required for health care providers to use or disclose PHI for treatment, payment or health care operations (e.g., quality review, reviewing the qualifications of health care providers, training students, conducting legal review, and managing and operating the health care entity). Except for treatment, health care providers must use the minimum necessary PHI.
What is the “minimum necessary” standard?
When using or disclosing PHI, or requesting PHI from another covered entity, a health care provider must make reasonable efforts to limit the PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure. The minimum necessary rule does not apply to uses and disclosures for treatment, to the patient, subject to an authorization, as required by law, or to comply with the provisions of HIPAA.
What are the limitations on how PHI can be used internally or disclosed externally?
When PHI is shared within the UNC HCS, it is being “used.” When PHI is shared outside of the UNC HCS, it is being “disclosed.” The Privacy Rule allows the use or disclosure of PHI:
- For treatment (including treatment in the course of research)
- For payment
- For health care operations (including education programs)
- With authorization by the individual
- When compelled by law
What is the difference between a “use” and a “disclosure”?
“Use” means, with respect to individually identifiable health information, the sharing, application, utilization, examination or analysis of such information within the UNC HCS entity that maintains such information. “Disclosure” means the release of, transfer of, or provision of access to information, or the divulging of information in any other manner outside of the UNC HCS entity holding the information. The UNC HCS entity must maintain accountings of disclosure of PHI made by UNC HCS and provide a listing of those disclosures to patients upon request. Uses of PHI within the UNC HCS do not require such accounting.
What does it mean to “account for disclosure” and what must be accounted for?
Individuals have certain rights with respect to their PHI, including the right to receive an accounting of all disclosures made to people or groups outside of UNC HCS for purposes other than treatment, payment, health care operations, or those made with the individual's authorization. The accounting of disclosures covers the six (6) years prior to the date on which the accounting is requested. UNC HCS must maintain accountings of disclosures made by UNC HCS entities and provide a listing of those disclosures to patients when requested.
What information can be disclosed for fundraising?
For the purpose of fundraising, UNC HCS entities may use, or disclose to the UNC HCS entity’s Foundation, the following PHI without an authorization:
- Demographic information (including name, address and other contact information, age, gender, insurance status)
- Date of birth
- Dates of services provided to the patient
- Department of service
- Name of treating physician
- Outcome information (e.g., death, sub-optimum outcome)
Demographic information does not include any information about illness, diagnosis, or treatment, nor will such information be used in fundraising activities. Any fundraising material sent to an individual must include a clear and conspicuous description of how the individual may opt out of future fundraising communications. UNC HCS entities must honor any opt-outs received.
Can PHI be released to law enforcement?
UNC HCS may disclose PHI to law enforcement only under one of the following circumstances:
- Required by law: This includes wound reporting, certain motor vehicle crashes, child and disabled adult abuse or neglect. These disclosures should be documented in the patient’s medical record.
- Court orders, subpoenas, warrants: This includes a court-ordered warrant, judge-issued subpoena, or summons issued by a judicial officer. Contact the UNC HCS Legal Department for assistance.
- Identification and location of a person: When the purpose is identifying or locating a suspect, fugitive, material witness or missing person, and only the following information is disclosed: name, address, date and place of birth, blood type, type of injury, date and time of treatment, date and time of death (if applicable), and a description of the patient’s distinguishing physical characteristics, such as height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, piercings and tattoos.
Can PHI be disclosed on decedents?
The Privacy Rule permits the disclosure of decedent information in certain circumstances and with certain limitations. The Privacy Rule regulates the PHI of decedents until 50 years after the date of death. PHI is releasable during that period to a personal representative(s) of the decedent and/or to individuals who were involved with the patient’s care to the same extent PHI could be released before death.
When will I be notified about a breach of my information?
UNC Health Care has sixty (60) days to notify any affected individuals of a breach of their information, but it is always our goal to notify as soon as possible.
Under what circumstances will I be notified of a breach of my information?
The UNC Health Care Privacy Office uses guidance from the Office for Civil Rights (OCR) to consider the type of information that was exposed, the individual to whom it was exposed, and the disposition of the information after the investigation. With those and other factors in mind, if it is determined that more than a low probability of compromise exists, then the patient and the OCR will be notified in writing of the incident.