
Health Insurance Portability and Accountability Act of 1996

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to ensure the portability of an employee's insurance from one plan to another, to decrease fraud and abuse in health care, and to protect the confidentiality of an individual's health information. In addition to requiring safeguards that protect the security and confidentiality of confidential patient information, this law also includes provisions designed to save money for health care businesses by encouraging electronic transactions, such as electronic claim submissions.

Policies and procedures are in place at MMC to ensure MMC's compliance with HIPAA. These Policies and Procedures include:
- JH40.1 HIPAA Incident / Complaint and Sanction Policy
- JH41.1 Protected Health Information Uses and Disclosures and

All MMC's HIPAA Policies and Procedures can be located by searching for "HIPAA" in MMC Administrative Policies and Procedures Manual on the Intranet.

HIPAA refers to confidential information as "protected health information" or PHI. PHI includes oral, written and electronic communications regarding the health of an individual, the care provided to an individual and payment for health care.

Patients are informed about HIPAA by way of the HIPAA Joint Privacy Notice they are provided upon their first visit to MMC. The Privacy Notice explains that providers are allowed to use a patient's PHI for the purposes of the patient's treatment, payment and operations of the medical center (TPO).

Disclosure of a patient's PHI for any other reason usually requires a written authorization by the patient. Details regarding when written authorization is required are outlined in MMC Policy and Procedure JH41.1 Protected Health Information Uses and Disclosures.

Failure to comply with HIPAA standards can lead to both civil penalties (such as fines) and criminal penalties (such as imprisonment), particularly if an offense is committed with the intent to sell or use PHI for commercial advantage, personal gain or malice. The HIPAA regulations not only cover the use of PHI in the clinical setting, but also in such areas as marketing, fundraising, research, employee health and the sharing of information with business partners (consultants, vendors, etc.). All members of the MMC workforce - associates, physicians, volunteers, etc. - are required to comply with HIPAA. Those who do not comply with HIPAA and MMC's HIPAA policies will be subject to appropriate sanctions, which can include termination of employment.

If patient information is ever disclosed improperly, MMC's Information Privacy Officer must be notified about the improper disclosure, even if the improper disclosure is accidental. Therefore, if you witness or hear about an improper disclosure of patient information, you must notify your supervisor and MMC's Information Privacy Officer. You may also report any improper disclosure of patient information to MMC's Compliance Hotline. 1-800-MMC-8595

Protected Health Information (PHI)

PHI is any individually identifiable health information, including demographic information, that meets the following criteria:
- Is created, received, held or transmitted by a health care provider, health plan or health care clearing house;
- Relates to the past, present or future physical or mental health or condition of the individual or the provision of health care to the individual; and
- Describes the past, present or future payment for the provision of health care to an individual.

Generally speaking, if you are handling patient information as part of your job at MMC, the patient information probably qualifies as PHI and HIPAA applies to it.

Minimum Necessary

HIPAA requires that health care providers, health plans and health care clearinghouses make reasonable efforts to use, disclose and request only the minimum amount of PHI needed to accomplish the intended purpose of the use, disclosure or request.

Two key concepts of HIPAA's minimum necessary requirement are:
- You should only use or disclose the least amount of PHI necessary for the situation. (For example, if a health plan requests the patient's diagnosis in order to process a claim, do not provide the patient's entire medical record.)
  NOTE: Minimum necessary doesn't apply to disclosures to or requests by a health care provider for treatment purposes, or disclosures to the patient (or the patient's authorized representative) of his or her own PHI.
- You should only access PHI if you have a job-related need to know it.
  EXAMPLE: You're a nutritionist. Your friend Dawn from Purchasing tells you she is being evaluated at MMC to see if she has diabetes. She asks you to go into the computer and find out the results of her most recent blood tests.
  Since Dawn is not one of your patients, you tell her that you are not permitted to look up her lab results. You advise her to call the doctor who ordered them.

Incidental Disclosures and Reasonable Safeguards

An incidental disclosure is a disclosure of PHI to a third party that occurs when the PHI is being used or disclosed for an allowable reason, such as treatment, payment or health care operations. Incidental disclosures are often a concern where there are space availability issues, such as reception desks located in busy offices/waiting areas, OR holding areas where there are only curtains for privacy, semi-private patient rooms and the like.

HIPAA allows for incidental disclosures as long as reasonable safeguards are used to limit such disclosures. A safeguard is a course of action that helps to maintain the confidentiality of PHI. Whether a safeguard is "reasonable" depends on the circumstances.

Examples of reasonable safeguards include:
- Not discussing patient information in public locations, such as the elevators, cafeteria, hallways, building entrances, etc.
- Pulling curtains around when speaking with patients in semi-private rooms/areas
- When others are present, such as in waiting areas or preop evaluation areas, speaking in a low voice if this is possible
- Going to the head of the bed to speak with the patient
- Keeping charts in the nursing station
- Isolating or locking file cabinets or record rooms
- When discarding documents that contain PHI, placing them in a locked shredding receptacle or shredding them yourself

Safeguarding Electronic PHI

Computers are being used more and more to store, transmit and receive PHI. The following safeguards must be used to protect the confidentiality of electronic PHI.

DO NOT SHARE YOUR COMPUTER PASSWORDS WITH ANYONE FOR ANY REASON!
- Do not post passwords where others can see them (for example, taped to the computer, under the mouse pad, etc.)
- Log out of computer applications that contain PHI when you are finished using them
- Lock your workstation whenever you step away from your desk (Press Control/Alt/Delete and select 'Lock Workstation')
- Password protect laptops, PDAs or other portable electronic devices that contain PHI
- Use secure e-mail systems (such as http://mymontefiore.org) when communicating with patients via e-mail
- Encrypt emails containing PHI whenever they are sent over the Internet. (Simply open tab for 'Send Options' and choose 'Confidential')
- Include a confidentiality notice on outgoing e-mails that contain PHI
- Program computers to go to a password protected screen saver after a set period (15 minutes or less) of inactivity.
- Position computer monitors so that visitors or others walking by cannot view the information, or if this is not possible, use a privacy screen on the computer.

Communicating with a Patient's Family, Friends or Others Involved in the Patient's Care

Even though HIPAA requires health care providers to protect patient privacy, providers are permitted, in most circumstances, to communicate with the patient's family, friends or others involved in their care or payment for care. The following common questions about HIPAA clarify HIPAA requirements so that providers do not unnecessarily withhold a patient's health information from these persons.

NOTE: Special disclosure laws apply to highly sensitive information such as HIV, mental health, substance abuse, conception, pregnancy, other fertility and genetic information. Before applying the general rules below to disclosures of highly sensitive information, providers should check with legal counsel to confirm that disclosure is necessary and permissible.

COMMON QUESTIONS ABOUT HIPAA

If the patient is present and has the capacity to make health care decisions, when does HIPAA allow a health care provider to discuss the patient's health information with the patient's family, friends, or others involved in the patient's care or payment for care?

If the patient is present and has the capacity to make health care decisions, a health care provider may discuss the patient's health information with a family member, friend or other person if the patient agrees or, when given the opportunity, does not object. A health care provider also may share information with these persons if, using professional judgment, he or she decides that the patient does not object. In either case, the health care provider may share or discuss only the information that the person involved needs to know about the patient's care or payment for care.

Patients are advised that HIPAA permits such discussions and are given their first opportunity to agree or object by way of the HIPAA Joint Privacy Notice they receive on their first visit. HIPAA envisions that when patients are present or otherwise available, they are provided an additional opportunity, whenever feasible, to agree or object to such discussions.

Here are some examples:
- An emergency room doctor may discuss a patient's treatment in front of the patient's friend if the patient asks that her friend come into the treatment room.
- A doctor's office may discuss a patient's bill with the patient's adult daughter who is with the patient at the patient's medical appointment and has questions about the charges.
- A doctor may discuss the drugs a patient needs to take with the patient's health aide who has accompanied the patient to a medical appointment.
- A doctor may give information about a patient's mobility limitations to the patient's sister who is driving the patient home from the hospital.
- A nurse may discuss a patient's health status with the patient's brother if she informs the patient she is going to do so and the patient does not object.

BUT:
- A nurse may not discuss a patient's condition with the patient's brother after the patient has stated she does not want her family to know about her condition.
- A doctor may not discuss a patient's condition in front of a family member or friend unless the patient provides permission for that person to stay in the room.

If the patient is not present or is incapacitated, may a health care provider still share the patient's health information with family, friends, or others involved in the patient's care or payment for care?

Yes. If the patient is not present or is incapacitated, a health care provider may share the patient's information with family, friends or others as long as the health care provider determines, based on professional judgment, that it is in the best interest of the patient. When someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care. The health care provider may discuss only the information that the person involved needs to know about the patient's care or payment.

Here are some examples:
- A surgeon who did emergency surgery on a patient may tell the patient's spouse about the patient's condition while the patient is unconscious.
- A pharmacist may give a prescription to a patient's friend who the patient has sent to pick up the prescription.
- A hospital may discuss a patient's bill with her adult son who calls the hospital
- A health care provider may give information regarding a patient's drug dosage to the patient's health aide who calls the provider with questions about the particular prescription.

BUT:
- A nurse may not tell a patient's friend about a past medical problem that is unrelated to the patient's current condition.

A health care provider is not required by HIPAA to share a patient's information when the patient is not present or is incapacitated, and can choose to wait until the patient has an opportunity to agree to the disclosure.

Does HIPAA require that a health care provider document a patient's decision to allow the provider to share his or her health information with a family member, friend, or other person involved in the patient's care or payment for care?

No. HIPAA does not require that a health care provider document the patient's agreement or lack of objection. However, a health care provider is free to obtain or document the patient's agreement or lack of objection in writing, if he or she prefers. For example, a provider may choose to document a patient's agreement to share information with a family member with a note in the patient's medical file.

May a health care provider discuss a patient's health information over the phone with the patient's family, friends, or others involved in the patient's care or payment for care?

Yes. Where a health care provider is allowed to share a patient's health information with a person, information may be shared face-to-face, over the phone or in writing.

If a patient's family member, friend, or other person involved in the patient's care or payment for care calls a health care provider to ask about the patient's condition, does HIPAA require the health care provider to obtain proof of who the person is before speaking with them?

No. If the caller states that he or she is a family member or friend of the patient, or is involved in the patient's care or payment for care, then HIPAA doesn't require proof of identity in this case. In addition, when someone other than a friend or family member is involved, the provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care.

Reporting HIPAA Privacy and Security Breaches

Generally speaking, the chain of command should be used to report potential or actual HIPAA privacy or security breaches/violations.

The chain of command is typically:
- Your immediate supervisor
- Your department director
- The MMC Information Privacy & Security Officer

You can also call the MMC Compliance Hotline @ 1-800-MMC-8595.

Day-to-day technical issues, such as password resetting, systems access, etc., should be reported to the EHIT Help Desk @ (718) 920-4554.

Investigation and resolution of HIPAA privacy & security complaints/concerns is a multi-departmental effort that is coordinated by the MMC Compliance Department.

Internal & External Resources for HIPAA Privacy & Security Issues

Although everyone who works at MMC is responsible for maintaining the confidentiality of PHI, the Compliance Department is responsible for ensuring HIPAA compliance throughout the Medical Center. Associates or others who have questions about HIPAA or other confidentiality issues are encouraged to contact the Compliance Department to get their questions answered.

MMC Resources
- Compliance Department
  By Phone: (718) 920-8239
  Information Privacy Officer: 718-920-7059
  By E-mail: kgallina@montefiore.org, lstansel@montefiore.org, mgoodman@montefiore.org
  On MMC Intranet: Compliance Department Home Page, Information Privacy & Security tab - MMC HIPAA policies, MMC Notice of Privacy Practices, MMC HIPAA FAQs, etc.
  Hotline: 1-800-MMC-8595
- Emerging Health Information Technologies (EHIT) Help Desk - (718) 920-4554
- MMC Patient Confidentiality & Privacy Checklist - available on the Regulatory Affairs home page on the MMC Intranet (Being the Best / Ethics, Rights & Responsibilities tab)

External Resources
- Office for Civil Rights (OCR) - HIPAA Privacy Rule issues: http://www.hhs.gov/ocr/hipaa/
- Center for Medicare and Medicaid Services (CMS) - HIPAA Security Rule issues: http://www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp#TopOfPage
- CMS HIPAA Security Guidance (Dec. 2006) re: use of portable electronic devices (laptops, PDAs, etc.) and remote access issues: http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal.pdf
