This section provides a general outline of the HIPAA Privacy provisions. Please seek legal counsel for answers to legal questions.
The HIPAA Privacy rules define the rights of individuals, including members of Health First Colorado (Colorado's Medicaid Program) and all Medical assistance program beneficiaries and the obligations of providers and others regarding the individual's Protected Health Information (PHI).The Privacy rules became effective on April 14, 2002, with nationwide implementation required two years later. The Department of Health Care Policy & Financing (Department) is fully compliant with the letter and the spirit of these rules.
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associates, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information" (PHI). Health plans (including Health First Colorado), health care providers, and health clearinghouses are all covered entities under the rule.
While HIPAA sets a national minimum standard for protecting such patient information, it allows more stringent state laws to supersede the minimum standard.
Health Plans, Health Care Providers and Health Care Clearinghouses
For entities covered by HIPAA, including Health First Colorado, the privacy rules define and limit the circumstances in which an individual's PHI may be used or disclosed. A covered entity may disclose some or all of a subject individual's PHI, even without specific authorization from the individual:
- to the subject individual when requested by the subject individual
- for treatment, payment and health care operations for the individual
- if incidental to an otherwise permitted use
- to others, if authorized in writing by the subject individual
- to others, if the subject individual has been given the opportunity to approve or deny this
A covered entity must disclose PHI:
- to the subject individual
- to the Secretary of Health and Human Services when it is to be used as part of an investigation or to determine compliance
In addition, covered entities are required by these rules to:
- provide notice of their privacy practices and a point of contact for further information and for submitting complaints
- limit disclosure of PHI to the minimum necessary (other than for health care treatment and certain other purposes)
- disclose to the individual to whom, when, and why PHI might be shared where it is authorized by these rules to do so
- amend health care records at an individual's request. Covered entities can deny the individual's request if it is accurate and complete or was not created by the covered entity receiving the request.
- track disclosures of PHI for other than 1) health care treatment, payment and operations, 2) to the subject individual or 3) for certain public benefit purposes.
Providers may not condition treatment, nor may health plans condition payment, upon a patient's signing an authorization.
Rights of Patients/Clients
The HIPAA Privacy Rule specifies that clients/patients have the right:
- to see and have a copy of their health care information record
- to request changes to their health care record and if denied, to submit a statement of disagreement which will be included in the client/patient record
- to request that disclosure of their health care information be further restricted to that necessary for treatment, payment and limited other immediate needs
- to request a list of the instances when their health care information has been disclosed for other than a) treatment, b) payment, c) health care operations or when the disclosure was specifically approved in writing
- to request that communications of PHI be sent to alternative locations or by alternative means to further protect the privacy of the subject individual
- to file complaints with the Department of Health & Human Services' Office of Civil Rights.
Penalties for Non-Compliance
Like other HIPAA rules, the Privacy Rules carries penalties for noncompliance unless the violation is due to reasonable cause, did not involve willful neglect and was corrected within 30 days.