Be Part of the Ultimate Safety & Compliance Community
Trending news, knowledge-building content, and more – all personalized to you!
:
|
Employers are covered by the HIPAA privacy rule when they self-insure or when they have entered an insurance agreement, but receive, manage, or disclose protected health information (PHI) as a group health plan. An employer that is not self-insured but that performs certain record-keeping functions, such as transmitting individuals’ health records to a group plan, is also subject to the rule.
In general, privacy is about who has the right to access information that identifies an individual, the individual’s physical or mental health condition, the health care that the individual has received, or payments for such care. PHI does not include summary health information which excludes the individual’s name or other identifying information. The privacy rule covers all PHI in the hands of covered entities or their business associates, regardless of whether it is or has been in electronic form.
HIPPA privacy standards
Generally, the privacy standards:
Employer requirements
As representatives of the plan, employers should evaluate and take the following steps (this list is not exhaustive):
Authorized disclosure of PHI
Individuals may authorize the disclosure of their PHI. Authorizations are an individual’s signed permission to allow a covered entity to use or disclose the individual’s PHI that is described in the authorization for the purpose(s) and the recipient(s) stated use in the authorization. Authorizations allow additional, specific uses of health information beyond treatment, payment, and health care operations to be released.
Notice of privacy rights
Covered entities must provide notice of patient’s privacy rights and the privacy practices to affected individuals. The notice must explain how PHI may be used and disclosed. The notice also needs to contain the individuals’ rights with respect to the PHI, how the individuals may exercise their rights, the covered entity’s legal duties with respect to PHI, and who individuals can contact for further information. The notice must also have an effective date.
Employers are covered by the HIPAA privacy rule when they self-insure or when they have entered an insurance agreement, but receive, manage, or disclose protected health information (PHI) as a group health plan. An employer that is not self-insured but that performs certain record-keeping functions, such as transmitting individuals’ health records to a group plan, is also subject to the rule.
In general, privacy is about who has the right to access information that identifies an individual, the individual’s physical or mental health condition, the health care that the individual has received, or payments for such care. PHI does not include summary health information which excludes the individual’s name or other identifying information. The privacy rule covers all PHI in the hands of covered entities or their business associates, regardless of whether it is or has been in electronic form.
HIPPA privacy standards
Generally, the privacy standards:
Employer requirements
As representatives of the plan, employers should evaluate and take the following steps (this list is not exhaustive):
Authorized disclosure of PHI
Individuals may authorize the disclosure of their PHI. Authorizations are an individual’s signed permission to allow a covered entity to use or disclose the individual’s PHI that is described in the authorization for the purpose(s) and the recipient(s) stated use in the authorization. Authorizations allow additional, specific uses of health information beyond treatment, payment, and health care operations to be released.
Notice of privacy rights
Covered entities must provide notice of patient’s privacy rights and the privacy practices to affected individuals. The notice must explain how PHI may be used and disclosed. The notice also needs to contain the individuals’ rights with respect to the PHI, how the individuals may exercise their rights, the covered entity’s legal duties with respect to PHI, and who individuals can contact for further information. The notice must also have an effective date.