Health Care Privacy Compliance Handbook

  1. Copyright for Health Care Privacy Compliance Handbook, 3rd Edition

    Health Care Privacy Compliance Handbook, 3rd Edition  | October 2020 

    Copyright for Health Care Privacy Compliance Handbook, Third Edition is published and updated by the Health Care Compliance Association, Minneapolis, MN...

  2. Contributors, 3rd Edition

    Health Care Privacy Compliance Handbook, 3rd Edition  | October 2020 

    HCCA would like to thank all who helped produce this book...

  3. 1. HIPAA Privacy and Security

    Health Care Privacy Compliance Handbook, 3rd Edition  | Authors: David B. Nelson, Janis E. Anfossi  | October 2020 

    This chapter outlines what is probably the single most important set of regulations to affect the healthcare privacy professional. Nearly every discipline (whether accounting, journalism, insurance, or banking) has one or more statutes, and their implementing regulations, that form the basis for legal standards in that industry. The Health Insurance Portability and Accountability Act (HIPAA), with its standards for the access, disclosure, transmission, and retention of protected health information (PHI), created a national baseline for healthcare information privacy and security. Individual states can also develop health information statutes, but they can only add higher standards than HIPAA to their healthcare...

  4. 1—Appendix A: Security Standards Matrix

    Health Care Privacy Compliance Handbook, 3rd Edition  | Authors: David B. Nelson, Janis E. Anfossi  | October 2020 

    Excerpted from 45 C.F.R. § 164, Subpart C, Appendix A...

  5. 2. Breach Notification

    Health Care Privacy Compliance Handbook, 3rd Edition  | Authors: John C. Falcetano, Shawn DeGroot  | October 2020 

    The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted on February 17, 2009, as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009.[2] On January 25, 2013, modifications to the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Enforcement, and Breach Notification rules under the HITECH Act and the Genetic Information Nondiscrimination Act were issued—commonly known as the Omnibus Rule.[3]...

  6. 3. HIPAA Vendor Relations

    Health Care Privacy Compliance Handbook, 3rd Edition  | Author: David Nelson  | October 2020 

    Vendors play a critical function in helping healthcare entities deliver services. The array of services available is extensive, and they may be direct or indirect. Services available could be physicians, temporary nurses, billing, legal, research, data retention—right down to educational pamphlets, paper clips, and watercooler jugs. The range runs from relatively simple to extremely complex, and they all must be reflected in the description of the business relationship between the covered entity (CE) and the vendor...

  7. 4. Human Research Privacy

    Health Care Privacy Compliance Handbook, 3rd Edition  | Authors: Rick King, Joan M. Podleski  | October 2020 

    This chapter provides an overview of the ethical guidelines and United States regulations governing the privacy and confidentiality of individually identifiable information in human subject research. The chapter is organized into three parts:...

  8. 4—Appendix A: Sample Confidentiality Statements Covered Entity Informed Consent Form

    Health Care Privacy Compliance Handbook, 3rd Edition  | Authors: Rick King, Joan M. Podleski  | October 2020 

    As required by the federal Health Insurance Portability and Accountability Act (HIPAA), [Covered Entity] will take reasonable measures to safeguard the confidentiality of information that identifies you and relates to your past, present, and future physical and mental health, and conditions (protected health information) collected, used, and shared as part of this research. As part of this study, we may collect, use, and share protected health information about you as specified in the accompanying Research HIPAA Authorization Form...

  9. 4—Appendix B: Sample Authorization Language for Research Uses and Disclosures of Individually Identifiable Health Information by a Covered Health Care Provider

    Health Care Privacy Compliance Handbook, 3rd Edition  | Authors: Rick King, Joan M. Podleski  | October 2020 

    If you sign this document, you give permission to [name or other identification of specific health care provider(s) or description of classes of persons, e.g., all doctors, all health care providers] at [name of covered entity or entities] to use or disclose (release) your health information that identifies you for the research study described here:...

  10. 4—Appendix C: Sample Research HIPAA Authorization Form

    Health Care Privacy Compliance Handbook, 3rd Edition  | Authors: Rick King, Joan M. Podleski  | October 2020 

    PROTOCOL TITLE: _______________________________________________...

  11. 4—Appendix D: Authorization to Disclose Protected Health Information for Research Databases and Repositories Outside of [Covered Entity]

    Health Care Privacy Compliance Handbook, 3rd Edition  | Authors: Rick King, Joan M. Podleski  | October 2020 

    PROTOCOL TITLE: _______________________________________________...

  12. 4—Appendix E: Authorization to Use Protected Health Information for Research Databases and Repositories Maintained by [Covered Entity]

    Health Care Privacy Compliance Handbook, 3rd Edition  | Authors: Rick King, Joan M. Podleski  | October 2020 

    PROTOCOL TITLE: _______________________________________________...

  13. 4—Appendix F: Sample Tracking Form for Accountings of Research Disclosures (Fewer than 50 Individuals)

    Health Care Privacy Compliance Handbook, 3rd Edition  | Authors: Rick King, Joan M. Podleski  | October 2020 

    Instructions: Use this form to track disclosures to an individual or entity outside of [Covered Entity] of protected health information (PHI) for purposes of research where individual participant HIPAA authorization is not obtained. For example, this form must be used when PHI is disclosed:...

  14. 4—Appendix G: Sample Tracking Form for Accountings of Research Disclosures (50 or More Individuals)

    Health Care Privacy Compliance Handbook, 3rd Edition  | Authors: Rick King, Joan M. Podleski  | October 2020 

    Instructions: Use this form to track disclosures to an individual or entity outside of [Covered Entity] of protected health information (PHI) for purposes of research where individual participant HIPAA authorization is not obtained. For example, this form must be used when PHI is disclosed:...

  15. 5. Payer Privacy Issues

    Health Care Privacy Compliance Handbook, 3rd Edition  | Author: Debbie R. Mabari  | October 2020 

    What is privacy? Or perhaps more importantly, does privacy still exist in today’s interconnected world? Many people view the Fourth Amendment to the Constitution of the United States as implicitly granting a right to privacy:...

  16. 6. Family Education Rights and Protection Act

    Health Care Privacy Compliance Handbook, 3rd Edition  | Authors: David B. Nelson, Janis E. Anfossi  | October 2020 

    The Family Educational Rights and Privacy Act[2] (FERPA) is obscure for most healthcare professionals, yet more and more healthcare services link to educational institutions. Often schools and districts contract for services related to health and mental health. This contractual link may require that the privacy professional clearly define what information is covered by each regulation so both institutions may be compliant...

  17. 7. The Privacy Act of 1974

    Health Care Privacy Compliance Handbook, 3rd Edition  | Author: John C. Falcetano  | October 2020 

    The Privacy Act of 1974[2] was created in response to the government creating and using computer databases. There was concern that the use of databases might infringe on an individual’s privacy rights. The act requires the government to show any records kept on individuals to those individuals. In addition, the act also places restrictions on how the government can share the information with other individuals and agencies...

  18. 8. 42 C.F.R. Part 2: Substance Use Disorder Programs

    Health Care Privacy Compliance Handbook, 3rd Edition  | Author: David B. Nelson  | October 2020 

    42 C.F.R. Part 2 (Part 2) covers 14 legal sections in the regulation text and many subsets of the topics within. Significant revisions to Part 2 have occurred in recent years. In 2017, the Department of Health & Human Services (HHS) published 75 pages of revisions in the Federal Register,[2] and in 2018, it published another 13 pages of revisions.[3] More revisions were published on July 15, 2020. Reviewing the revisions as published in the Federal Register is helpful because it does not just provide the text of the revision, it also gives you the intent of the changes...

  19. 9. Effective Privacy Risk Assessments

    Health Care Privacy Compliance Handbook, 3rd Edition  | Author: Dwight Claustre  | October 2020 

    As privacy professionals, we want to make sure we have all the tools we need to perform our duties. One of the most important tools is the risk assessment process. The U.S. Department of Health & Human Services (HHS) Office of Inspector General (OIG), the U.S. Federal Sentencing Guidelines, and the HHS Office for Civil Rights (OCR) all stress the importance of conducting risk assessments. In addition, because we all have limited resources, we need a process that will allow us to prioritize the risks. We need a method that offers a way to create our privacy work plan and...

  20. 10. Auditing and Monitoring for Privacy in Healthcare

    Health Care Privacy Compliance Handbook, 3rd Edition  | Author: Sheryl Vacca  | October 2020 

    In designing the privacy risk-based auditing and monitoring activities, it is important to work closely with the organization’s senior leadership and the board, or a committee of the board, to gain a clear understanding of auditing and monitoring expectations and how these activities can be leveraged together to help minimize and mitigate privacy risks for the organization. The organization’s compliance officer should be included as well to ensure that applicable resources are leveraged and that auditing and monitoring activities for privacy are not duplicated in the organization’s overall compliance plan. There may be other functions that might not be represented on the...