§ 160.201-160.205

2.1. HIPAA privacy regulations preempt state law except where:

2.1.1. State law is determined by the Secretary of HHS to be necessary to prevent fraud and abuse related to the provision of or payment for health care, to ensure appropriate regulation of insurance and health plans, for state reporting on health care and delivery systems, or to serve a compelling need relating to public health, safety or welfare that outweighs the intrusion into privacy;

2.1.2. State law has as its principal purpose the regulation of controlled substances;

2.1.3. State law relates to privacy of health information and is more stringent than the regulations, i.e., state law meets one or more of the following criteria: prohibits or restricts a use/disclosure that would be permitted under the regulations, except where the disclosure is required by the Secretary of HHS for determining a CE's compliance with the regulations, or where disclosure is to the individual who is the subject of the health information; allows the individual greater rights to access or amend his/her records (however, the regulations may not be construed to preempt any state law to the extent that it authorizes or prohibits disclosure of PHI about a minor to a parent, guardian, or person acting in loco parentis); requires more information be provided to the individual about the use/disclosure of his/her records; narrows the scope or duration of, increases the privacy protections afforded by, or reduces the coercive effect of the circumstances surrounding the consent or authorization; requires more record keeping relating to uses/disclosures; or otherwise provides greater privacy protections;

2.1.4. State law provides for reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation or intervention; or

2.1.5. State law requires a health plan to report or provide access to information for management, financial, programmatic or licensure or certification audit.

§ 164.502

2.2. Except as permitted or required under the privacy regulations, CEs may not use or disclose PHI without consent or authorization. CE generally is required to allow individual access to his/her PHI, and to permit Secretary of HHS access to PHI for compliance/enforcement purposes.

2.2.1. Consent: Allows a provider to use/disclose PHI only for treatment, payment and health care operations (TPO); written in general terms; references the CE's Notice of Privacy Practices/Privacy Notice; no specific termination

2.2.2. Authorization: Allows use/disclosure of PHI for purposes beyond TPO; written in specific terms; must specify termination date/event/condition

2.2.3. Exceptions: Regulations provide exceptions for such uses/disclosures as public health, oversight, law enforcement, legal process, safety, and research activities, etc. [¶ 9.]

§ 164.502(b)

2.3. CE must make reasonable efforts to provide or request only the minimum PHI necessary to accomplish the intended purpose of the use, disclosure or request.

§ 164.502(f)

2.4. Protection for PHI of deceased persons is the same as if still living.

§ 164.520

2.5. CE is required to provide individuals with a Notice of Privacy Practices/Privacy Notice that gives sufficient notice of the uses/disclosures that CE may make of PHI, and of the individual's rights and the CE's duties relating to PHI. Inmates and correctional facilities are exempted from this right/obligation.

§ 164.528

2.6. CE is required to account to individual for most uses/disclosures of PHI made over a period of up to six years.

§ 164.530

2.7. Regulations impose administrative requirements upon CE, including development of policies, training of workforce, and documentation.