An Introduction to HIPAA
Privacy Handbook

The University of Texas Health Science Center at Houston respects the privacy of every patient. Patients expect that the information that they give to their health care providers will remain confidential and protected. If patients do not feel that the information that they give to their health care providers is respected and protected, patients may not be forthcoming with information. Withholding information could have a drastic and adverse effect on the treatment that the patient receives and the outcome of research based on patient data.

Health care providers and researchers have always kept health information confidential. A health care provider has always had an ethical duty to keep what her patients tell her confidential, and a researcher must demonstrate his efforts to protect the privacy of health information to the IRB prior to getting approval for a protocol. So why, now, is there such a concern for the privacy of healthcare information?

We live in an amazing era of technology. Vast amounts of data can be kept in very small spaces. A press of a button can reveal very personal information about a person or about thousands of people. We no longer live in an era where a patient's physician is the only person who sees the patient's health information. Others use information for billing, for scheduling, for consulting or assisting in treatment, for quality control, for research, for the development of best practices, and for a myriad of other legitimate purposes. Millions of pieces of healthcare information exchange hands every day, and until recently, there was no general standard for the protection of that health care information.

In addition, people are increasingly concerned about personal rights. The public wants to know what information is kept, who has access to their information, whether records can be amended and errors corrected, and what rights patients have with regard to their health information. We all have an expectation that our banking information is private and personal, and the law will extend that expectation to our health information.

In recognition of patients' rights and the increasingly complex flow of health information in the country, Congress passed a federal law in 1996 that, among other things, required the Department of Health and Human Services to issue Privacy Standards. This law is called the Health Insurance Portability and Accountability Act of 1996, and it is commonly referred to as HIPAA.

DHHS, in turn, wrote the Standards for the Privacy of Individually Identifiable Health Information, and entities covered by the Standards (health care providers, health care clearinghouses and health plans) are required to comply with these standards by April 14, 2003. The University of Texas Health Science Center at Houston is a provider and, therefore, is covered by HIPAA.

What is protected?

The Privacy Standards cover Protected Health Information, or PHI. PHI is individually identifiable health information that is related to the "past, present or future physical or mental health condition" of a person. The definition of PHI excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (20 USC 1232g). It also excludes employment records held by a covered entity in its role as employer.

PHI under HIPAA means individually identifiable health information. This definition is narrowed to information created or received by a health care provider, health plan, employer or health care clearinghouse. The information that is protected includes information in oral, written or electronic form. Information relating to the provision and the payment for the provision of healthcare is also included in this definition.

Identifiable refers not only to data that is explicitly linked to a particular individual (that's identified information). It also includes health information with data items that reasonably could be expected to allow individual identification. There are eighteen elements in the Privacy Standards that can identify an individual.

PHI can be clinical information (test results, diagnoses, clinical notes, images, etc.), financial information (health insurance coverage, itemized bills and charges), demographic and scheduling information (names, address, SSN, dates of service, appointments), educational and training documentation (procedure logs, case studies, training notes), or research records (source documentation, case report forms, databases, etc.). Any information that identifies a patient is PHI.

If the information is de-identified, then the Privacy Standards do not apply. The elements that identify Protected Health Information are:

  • Names;
  • All geocodes smaller than state;
  • Birth/death dates and other dates, except for year;
  • Social security numbers;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints;
  • Full face photographic images and any comparable images; and
  • Any other unique identifying number, characteristic, or code.

It is important to note that any identifiers of employers or family members should also be removed in order to de-identify information. Also note that the final identifier is any other unique identifying number, characteristic or code. This means that even if every other identifier is stripped, the record may still contain identifying information.
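The identifier list above, together with the warning about residual identifiers, can be applied as a de-identification pass over a structured record. The following Python is an added example and not part of the handbook; the field names, the regular expressions and the fictional record are assumptions, and a name that appears inside free text is only reported by the audit step, not masked.

```python
import re
from datetime import date

# Structured fields dropped outright (names, geocodes smaller than state,
# contact details, identifying numbers); field names are assumptions.
REMOVE_FIELDS = {
    "name", "street", "city", "zip", "ssn", "phone", "fax", "email",
    "mrn", "plan_id", "account", "license", "vehicle", "device_id",
    "url", "ip", "fingerprint", "photo",
}
DATE_FIELDS = {"dob", "death_date", "admit_date"}  # kept as year only

# Identifiers hiding in free text (clinical notes) are masked by pattern;
# the SSN pattern runs first so the phone pattern cannot claim it.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\bMRN[\s#:]*\d+\b", re.IGNORECASE), "[MRN]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]

def scrub_text(text: str) -> str:
    """Replace each embedded identifier with a bracketed placeholder."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text

def deidentify(record: dict) -> dict:
    """Return a copy of the record with the listed identifiers removed."""
    cleaned = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue
        if key in DATE_FIELDS and isinstance(value, date):
            cleaned[key + "_year"] = value.year
        elif isinstance(value, str):
            cleaned[key] = scrub_text(value)
        else:
            cleaned[key] = value
    return cleaned

def residual_identifiers(original: dict, cleaned: dict) -> list:
    """Audit for the list's last element: report any removed value (or name
    token) that still appears in a remaining text field."""
    leaks = set()
    for key in set(original) & REMOVE_FIELDS:
        raw = str(original[key])
        tokens = raw.split() if key == "name" else [raw]
        for field, value in cleaned.items():
            if isinstance(value, str) and any(
                t.lower() in value.lower() for t in tokens if len(t) > 2
            ):
                leaks.add((key, field))
    return sorted(leaks)

# Constructed sample record (fictional patient, not real data).
SAMPLE = {
    "name": "Jane Doe", "street": "123 Main St", "city": "Houston",
    "state": "TX", "zip": "77030", "dob": date(1960, 5, 4),
    "ssn": "123-45-6789", "phone": "713-555-0100", "mrn": "000123",
    "diagnosis": "Hypertension",
    "note": "Pt Jane (MRN 000123) seen 03/12/2003; callback 713-555-0100",
}
```

On the sample, deidentify keeps only the state, the birth year, the diagnosis and the masked note, and residual_identifiers reports that the first name still appears in the note, which is exactly the residual-identifier case the handbook warns about.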

How is the information protected?

The core concept of the Privacy Standards is that patient information cannot be used by the provider or disclosed to a third party without the authorization of the patient, with a few exceptions.

Treatment

The first major exception is the treatment of the patient. The Privacy Standards permit a health care provider to disclose protected health information about a patient, without the patient's authorization, to another health care provider for that provider's treatment of the patient. Treatment, according to the Privacy Standards, generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.

The Privacy Standards recognize that different health care providers must exchange information about their patients with each other in order to provide the best care possible for the patient. Accordingly, providers may call each other to discuss their common patients, to ask for opinions on the best approach to treat a patient. Providers may continue to call pharmacies to verify that a patient is on a particular medication. So-called curbside consults may continue without restrictions on the information that may be passed between providers. Providers may refer patients to one another without an authorization, and certainly providers may pass on patient information to each other when checking in or out of a service.

Payment

Payment encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. Payment is a fairly expansive definition under HIPAA and can include

  • Determinations of eligibility or coverage
  • Adjudication or subrogation of claims
  • Billing, claims management, collection activities, obtaining payment under reinsurance and related health care data processing.
  • Review of health care services with respect to clinical necessity, coverage under a health plan, appropriateness of care or justification of charges;
  • Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and
  • Disclosure to consumer reporting agencies.

We may disclose PHI for our own payment activities or for the payment activities of another provider.

It is important to note that for payment activities, unlike for treatment activities, we must follow the Minimum Necessary Rule. The Minimum Necessary Rule states that we must use only the minimum PHI necessary to accomplish the purpose for which the information is needed. For example, if a health plan requires documentation of a particular procedure, we may disclose that information without an authorization to the health plan, but we may only disclose the minimum necessary information to accomplish the documentation of the procedure.

Health Care Operations

Health Care Operations is the final category of activities in which we may use or disclose protected health information without an authorization from the patient, so long as the minimum necessary rule is followed. The definition used by DHHS is rather expansive. Health Care Operations is defined by HHS as certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.

These activities include:

  • Conducting quality assessment and improvement activities, population based activities relating to improving health or reducing health care costs, and case management and care coordination;
  • Reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities;
  • Conducting or arranging for clinical review, legal, and auditing services, including fraud and abuse detection and compliance programs;
  • Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and
  • Business management and general administrative activities, including those related to implementing and complying with the Privacy Rule and other Administrative Simplification Rules, customer service, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.

We may only share protected health information for the health care operations of another covered entity when we share the same patient.

It is important to note that research is not considered a health care operation, but training is certainly considered a health care operation. The teaching activities that occur at UTHSC-H fall within health care operations, and PHI may be exchanged with students so long as the minimum necessary rule is used.

Research

Research that uses protected health information does not fall within the three categories of treatment, payment or health care operations. In order to use or disclose protected health information in a research study, researchers must obtain an authorization from the patient, must enter into a limited data use agreement with the custodian of the PHI, must obtain a waiver of authorization from the IRB, or must show that the review of PHI is preparatory to research. The CPHS Researchers Guide to HIPAA has more detailed information on HIPAA and research: http://www.uth.tmc.edu/ut_general/research_acad_aff/orsc/cphs/guidelines/hrg.doc

Authorization

There are very limited public policy circumstances where disclosure outside of treatment, payment, and health care operations without an authorization is permissible. Most other disclosures, however, must be accompanied by an authorization. The forms section of the Privacy Office website contains an authorization form that should be filled out and signed by the patient when PHI is desired for an activity outside of treatment, payment or health care operations. The patient should keep a copy of the form, and the original must be kept in the medical record.

Reasonable Safeguards

Under all circumstances including treatment, reasonable safeguards should be used to protect the privacy of a patient's protected health information. There are some basic safeguards that should be used by each member of the UTHSC-H workforce at a bare minimum, but each department and clinic may tailor the safeguards to their own circumstances.

  • Patients' health information is to be used or disclosed only for work-related purposes;
  • The uses and disclosures made by UTHSC-H workforce members, including students and residents, must be no more than necessary to get the job done;
  • It is everyone at UTHSC-H's responsibility to keep patients' information confidential and secure.
  • UTHSC-H departments should be kept secure from intruders with locks, alarm systems and other security devices and systems when the department is not open for business;
  • When the department is open for business, unattended areas are still kept secure with locks and other devices if possible, but at least closed doors;
  • Physical access to filing cabinets, computers and printers, photocopiers, fax machines and any other areas or equipment where patient information may be present should be controlled and monitored;
  • All workers should wear UTHSC-H identification badges at all times;
  • Patients and visitors should be appropriately escorted to ensure that they do not access restricted areas, and unidentified persons in restricted areas are (politely) challenged for identification;
  • When a person no longer works at UTHSC-H, keys and identification badges should be returned, alarm codes changed, and computer access removed within one day.

Confidentiality in oral exchanges

  • Confidential conversations about patient information should not take place where they can easily be overheard by third parties;
  • "Quiet areas" (away from public areas) should be used for sensitive information exchange whenever possible;
  • When possible, do not use names or other information that could identify patients;
  • When it cannot be avoided, discussions about a patient's condition in public areas should be conducted quietly;
  • Call only the patient's name in waiting rooms or on intercom/paging systems;
  • In general, oral communications of patient information are limited to the minimum necessary to get the job done.

Confidentiality for telephone use

  • Telephone conversations involving patient information should be conducted where they cannot be overheard, if at all possible;
  • ALWAYS confirm the other person's identity when discussing confidential information with a patient, or about a patient to a third party;
  • If the patient cannot be reached on the telephone, leave only a name and callback number on answering machines, voicemail systems, or with the person who answers;
    • Voicemail should be password protected, and the passwords should be changed periodically, just like computer system passwords;
  • Telephone communications of patient information should be limited to the minimum necessary to get the job done.

Paper information in general

  • Paper that contains patient information should be discarded in a secure container (for future shredding) or shredded immediately;
  • Patient information is not left on unattended photocopiers, computer printers, or fax machines (those devices should be kept in a secure area or monitored on a regular basis);
  • Patient files are never left in plain view (e.g., if on a door rack, the identifying information must be obscured);
  • If patient files must be left in an area where visitors are present, they are face down or otherwise concealed;
  • Sign-in sheets contain only limited information (usually, only the patient's name and time of appointment);
  • Patient schedules should not be left in public areas or where they can be easily viewed by non-staff and when they are no longer needed, they should be filed or destroyed;
  • Patient information should not be left in public areas, ever;
  • In general, paper-based patient information should be limited to the minimum necessary to get the job done.
  • Patient information that is received by mail or by fax should be immediately responded to and then securely filed or properly discarded.
  • Filing cabinets or rooms that contain patient information should be locked when unattended.

Fax machines

  • Patient information should be sent only to fax machines at known locations, where the physical security and monitoring practices of the receiving fax machine are known; call ahead to ensure that the recipient knows the information is coming and can securely receive it;
  • Patient information should be sent from fax machines that are physically secure and appropriately monitored; if the machine is unsecured, wait for the fax to go through and collect the original;
  • If possible, use a preprogrammed (and tested) set of fax numbers to reduce dialing errors;
  • All faxes that contain patient information should include a "confidentiality request" -- that information sent to an incorrect destination be destroyed, and requesting notification to the sender of such errors;
  • Information should not be left sitting in or around the fax machine;
  • Faxes of patient information should be limited to the minimum necessary to get the job done.
  • In general, anything out of the ordinary should be referred to the Privacy Officer.

Basic rules of computer security

  • Computer passwords should be kept secure, and changed regularly;
  • Computer access tokens (such as key cards or USB keys), if used, should also be kept secure;
  • Computer screens should not be in plain view, where anyone other than staff can easily see them;
  • Users should log in to computer systems or terminals only with their own userid, password or token; these may be shared only in extraordinary situations;
  • If there is no password protected screensaver on the computer, log off when a computer system or terminal is unattended, even if it is only for a short time;
  • Computer systems should be used only for work-related functions ("playing" can provide a way in for viruses and other computer bugs);
  • Portable computing devices (laptops, PDAs) should be kept secure by remaining in the department or by password protection;
  • When a person no longer works at UTHSC-H, his/her computer userids and passwords should be immediately deleted, and any access tokens should be returned;
  • Use of computer-based patient information should be limited to the minimum necessary to get the job done.
  • PHI should be stored on the secure servers in Zone 100.

Patient's Rights

With the Privacy Standards, patients have new rights.

First, patients have the right to view and copy their own clinical records. The Privacy Regulations grant every individual a "right of access" -- to inspect and obtain a copy of all protected health information within the designated record set maintained by the covered entity. UTHSC-H, under very limited circumstances, may deny records to patients, and the denial may be appealed by the patient.

Second, patients have the right to request an amendment or addendum to their clinical records. Patients now have a right to take exception to information in their records with which they disagree, and to request corrections. UTHSC-H may choose to make the requested changes, or the information can be left unchanged if it is believed to be correct, but with documentation in the record of the patient's disagreement.

Third, patients have the right to an accounting of disclosures. There are very limited circumstances where UTHSC-H may disclose information without an authorization by the patient outside of treatment, payment and health care operations. The patient has a right to know about those disclosures, and the patient may request a list of disclosures for up to six years. For example, if a patient's information is used in a retrospective chart review, where the researcher obtained a waiver of authorization, the patient's record should reflect that it was accessed, the date it was accessed, the name of the person or entity accessing the information, a brief description of the PHI disclosed, and a brief statement describing the purpose of the disclosure.

Fourth, patients have the right to request restrictions on the uses and disclosures of their protected health information. For example, if a patient had a particular surgery, and that patient does not want his or her insurance company to know about the surgery, the patient may request a restriction on the use and disclosure of that information. UTHSC-H does not have to grant the restriction, but if we do, we must follow the restriction until it is terminated.

Fifth, patients have the right to confidential communications. Patients may want communications from their provider sent to an alternate P.O. Box or to their work address rather than home. UTHSC-H must accommodate reasonable requests of this kind.

Sixth, patients have the right to complain to the Privacy Officer or the Department of Health and Human Services regarding the Privacy Rule.

Finally, patients have the right to receive a Notice of Privacy Practices that describes the uses and disclosures of their PHI that may occur and also describes their rights under the Privacy Rule.


7000 Fannin, Houston TX 77030, Ste. 2385
Phone: 713.500.3391   Fax 713.500.0326
Created through the UT-H Office of Academic Computing Multimedia Scriptorium