Q. WHAT IS HIPAA?
A. HIPAA stands for "Health Insurance Portability and Accountability Act of 1996". It is a set of federal rules designed in part to protect the privacy of a person’s health care information.
Q. WHEN DID HIPAA TAKE EFFECT?
A. Privacy, the first HIPAA Rule, went into effect April 14, 2003. More Rules were phased in over time. The Security Rule is the latest one. It took effect April 20, 2005.
Q. WHAT DOES HIPAA’S PRIVACY RULE DO?
A. The Privacy Rule sets standards to protect health care information. Specifically, it regulates health care information that can be linked with a person.
Health care information is any data relating to a person’s past, present or future health, or the payment for health care. Health care information linked with personal identifying information is called Protected Health Information (PHI).
Q. WHAT IS PERSONAL IDENTIFING INFORMATION?
A. Name, address, birth date, social security number and medical record number are personal identifiers. So are phone number, fax number, e-mail address, and health plan beneficiary number.
Q. DO HIPAA RULES APPLY TO HEALTH INFORMATION CONTAINING NO PERSONAL IDENTIFIERS?
A. No. Removing all personal identifiers from PHI makes it "de-identified". De-identified health data is not governed by HIPAA.
Q. DOES IT MATTER WHAT FORM PHI IS IN?
A. No. The Privacy Rule applies to PHI in any form. This includes computer and paper files, x-rays, physician appointment schedules, medical bills, dictated notes, conversations and more.
Q. DO MARYLAND’S CONFIDENTIALITY AND PRIVACY LAWS STILL APPLY?
A. Yes. Maryland’s laws protect the confidentiality and privacy of patient health information. Most of these laws are set out in Title 4 of the Health Occupations Article of the Maryland Code (http://mlis.state.md.us). To the extent Maryland law is more stringent than HIPAA Rules, Maryland law applies.
Q. WHAT DOES THE PRIVACY RULE DEMAND?
A. The Privacy Rule limits use and disclosure of PHI to the "minimum necessary." It also demands that "reasonable" safeguards be taken to prevent improper use or disclosure of PHI. The Rule imposes civil and criminal sanctions for non-compliance.
Q. WHAT IS "USE"?
A. "Use" is sharing PHI with others to perform treatment, payment or health care operations (TPO). Use should be kept to the "minimum necessary." However, broad use is granted for treatment purposes. PHI may also be used for certain "public purposes" (e.g. law enforcement, public health, or courts).
Patients can authorize the use of their PHI for research. Alternatively, an Institutional Review Board (IRB) may waive patient authorization for access PHI for certain research activities. Patients can authorize use of their PHI for marketing, fundraising or other specific purposes.
Q. WHAT IS "DISCLOSURE"?
A. "Disclosure" means giving PHI to others for reasons other than TPO. Disclosures also must be kept to the minimum necessary. HIPAA gives patients the right to know who received a copy of their PHI. Unlike "uses", HIPAA mandates an accounting for all disclosures.
Q. WHAT IS MY RESPONSIBILITY UNDER THE PRIVACY RULE?
A. Your job is to make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary to accomplish the task. HIPAA imposes civil and criminal sanctions for non-compliance.
Q. WHAT DOES HIPAA PROHIBIT?
A. Use or disclosure of PHI is prohibited unless it is authorized by the patient, permitted by law or granted through an IRB waiver. HIPAA prohibits leaving PHI in public view. Discarding unneeded medical records in the trash (as opposed to shredding them) is a HIPAA violation. So is giving out patient information without first confirming that the person receiving it is the patient.
Some uses and disclosures cannot reasonably be prevented. Conversations that might be overheard or PHI accidentally seen are examples. The key is to make reasonable efforts to limit incidental uses and disclosures.
Q. HOW IS HIPAA IMPLEMENTED AMONG OUR LEGAL ENTITIES – THE SCHOOL OF MEDICINE, UPI, AND THE PAs?
A. Under HIPAA, the School of Medicine, UPI, and the PAs formed a Single Affiliated Covered Entity (SACE). A SACE allows efficient flow of PHI between the entities. Nevertheless, each entity remains responsible for complying with HIPAA. Designated HIPAA Officers in each entity oversee compliance and training.
Q. WHAT ABOUT THE HOSPITAL?
A. The University of Maryland Medical Center (UMMC) is not part of our SACE. UMMC joined with our SACE to form an Organized Health Care Arrangement (OHCA). Again, this helps improve the exchange of PHI among these entities.
Q. WHAT ABOUT THE CAMPUS?
A. The University of Maryland Baltimore is a hybrid entity. A hybrid entity consists of entities regulated by HIPAA along with entities that are not. Giving PHI to UMB entities not regulated by HIPAA without prior authorization is a disclosure.
Q. WHO DOES HIPAA AFFECT?
A. HIPAA affects everyone in our SACE. HIPAA clearly applies to clinical operations. However, the HIPAA Privacy and Security Rules touch research, marketing, fundraising, and other activities.
Medical researchers often rely on PHI. HIPAA insists that researchers get patient authorization and IRB approval before using or disclosing PHI. Our OHCA contains a number of non-profit institutions. Our patients are a primary audience for marketing and fundraising initiatives that benefit the School of Medicine and its departments. PHI is also used and disclosed when teaching medical and other health professions students.
Anyone who works with or accesses PHI is affected by HIPAA even if they are not in our SACE or OHCA. Business associates are outside individuals or firms to whom we give access to our patient data. In return, they give us services. Business associates are subject to many of HIPAA’s requirements.
Q. WHAT ARE SOME RIGHTS HIPAA GIVES TO PATIENTS?
A. Patients have the right to:
- Receive our Notice of Privacy Practices (NPP).
- Access and copy medical billing records.
- Request an amendment of PHI or other record.
- An accounting for some disclosures.
- Ask for restrictions on uses and disclosures of their PHI.
- Request the use of alternate channels of communication of PHI (e.g. use a different telephone number, different address, etc.).
- Complain to us or to the federal Department of Health and Human Services about a HIPAA violation.
Q. WHAT DOES THE SECURITY RULE DEMAND?
A. The HIPAA Security Rule sets safeguards for data systems and networks that store, process or transmit PHI. The Rule follows the best security practices used in industry and government.
Administrative safeguards include auditing computers for signs of misuse, reminding employees to follow security rules, and having a disaster recovery plan. Physical precautions include posting security guards at building entrances, logging off, and placing servers in locked rooms. Technical safeguards are measures such as using strong passwords and encrypting transmitted data.
Each entity’s information technology group manages many of these safeguards.
Q. WHAT SECURITY MEASURES AM I RESPONSIBLE FOR?
A. There are several:
- Pick complex log-in passwords
- Use passwords on PDAs and other portable devices
- Do NOT share computer log-in accounts
- Do NOT share your log-in passwords, not even with your supervisor
- If you must write down your passwords, keep them in a secure place
- Use a screen saver that automatically locks or logs off after a period of inactivity
Q. DO HIPAA RULES APPLY WHEN I WORK OFF-CAMPUS?
A. Yes. Regardless of location, you must protect the security and privacy of PHI. When working from home, for example, use the same security precautions (anti-virus, software updates, password-protected screen saver, etc.) on your home computer as on your office computer. Do not let household members access PHI.
Q. DO I HAVE A RESPONSIBILITY TO REPORT SUSPECTED SECURITY BREACHES?
A. Yes. Report suspected security breaches to your supervisor or department Security Liaison. Examples of security breaches include:
- Sharing passwords or log-in accounts
- Trying to guess another’s log-in or password
- Improper email activity (e.g., sending sensitive data insecurely)
- Unusual computer behavior (e.g., very slow responses)
- Unauthorized access to sensitive information
Q. HOW AND WHEN DO I RECEIVE HIPAA TRAINING?
A. You must take HIPAA training online at the School of Medicine’s website. All employees, students, residents, fellows, volunteers and business associates of the School of Medicine, UPI, and the PAs must take this training as soon as possible. Many also must take specialized HIPAA training that focuses on their job duties.
Q. IF I HAVE MORE QUESTIONS ABOUT PRIVACY OR SECURITY RULES, WHOM SHOULD I CONTACT?
A. We hope that our HIPAA training will answer most questions. More detailed descriptions of our HIPAA policies. (Can only be viewed on campus.)
The Office of Civil Rights of the Department of Health and Human Services offers excellent guidance on the HIPAA Rules.
For University of Maryland Faculty Physicians Inc. (FPI) and the clinical practices, please contact the FPI HIPAA Privacy Hotline 667-214-1200 or FPIHIPAAPRIVACY@fpi.umaryland.edu.
For questions related to IRB protocol submissions and/or consent forms, please contact the Human Research Protection Office, ext 6-5037.