Privacy Under HIPAA
This section provides a general outline of the HIPAA Privacy provisions. Readers seeking detailed and definitive descriptions should consult the CMS documents referenced below. Readers are advised to seek legal counsel for answers to legal questions.
The HIPAA Privacy rules define the rights of individuals (including clients of the CO Medicaid Program) and the obligations of providers and others regarding the individual's Protected Health Information (PHI). The Privacy rules became effective on April 14, 2002, with nationwide implementation required two years later. The CO Medicaid Program is fully compliant with the letter and the spirit of these rules.
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associates, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information" (PHI). Health plans (including the CO Medicaid Program), health care providers and health care clearinghouses are all covered entities under the rule.
While HIPAA sets a national minimum standard for protecting such patient information, it allows more stringent state laws to supersede the minimum standard.
Health Plans, Health Care Providers and Health Care Clearinghouses
For entities covered by HIPAA, including the CO Medicaid Program, the privacy rules define and limit the circumstances in which an individual's PHI may be used or disclosed. A covered entity may disclose some or all of a subject individual's PHI, even without specific authorization from the individual:
A covered entity must disclose PHI:
In addition, covered entities (including the CO Medicaid Program) are required by these rules to:
Providers may not condition treatment, nor may health plans condition payment, upon a patient's signing an authorization.
Rights of Patients/Clients
The HIPAA Privacy Rule specifies that clients/patients have the right:
Penalties for Non-compliance
Like other HIPAA rules, the Privacy Rules carry penalties for noncompliance unless the violation was due to reasonable cause, did not involve willful neglect, and was corrected within 30 days.