HIPAA PRIVACY RULES
A Summary of 45 C.F.R. Parts 160 and 164,
Focusing on Obligations of Health Plans
and Ramifications for Employers
by Linda O. Goldberg, Esq.
©Miller, Canfield, Paddock and Stone, P.L.C.
www.millercanfield.com
I. INTRODUCTION
II. OVERVIEW OF REGULATIONS: PURPOSE AND SCOPE
A. Three Main Purposes
B. Preemption
C. Protected Health Information
D. Covered Entities Directly Responsible For Compliance
III. ESSENTIAL DEFINITIONS AND CONCEPTS
A. Only “Permitted” or “Required” Uses and Disclosures are Allowed
B. Permitted Uses and Disclosures (§164.502(a)(1))
C. Required Disclosures (§§164.502(a)(2), 164.524, 164.528)
1. Individual right of access §164.524
2. Individual right to an accounting §164.528
3. Disclosures to HHS for compliance review §164.502(a)(2)(ii)
IV. GENERAL PRIVACY RULES
V. EFFECT ON EMPLOYERS AS EMPLOYERS
A. Disability and Leave Determinations: Information to be Used for Purposes other than “Treatment, Payment or Health Care Operations”
B. Authorizations
1. When individual entitled to copy
2. When an authorization can be required
3. “Authorization” generally required for use and disclosure for purposes other than treatment, payment or health care operations
4. Core elements of a valid authorization (§164.508(c))
5. Additional requirements of an authorization
6. “Minimum necessary” provisions do not apply in this situation
C. Litigation
1. Consent or authorization not required, but other requirements may apply §164.512(e)
2. Added Complication—Limited preemption of State law
3. Strategies for obtaining records
D. “Public Health” Activities—OSHA and MIOSHA Compliance
1. Employer’s statutory obligations
2. Employers’ ability to obtain PHI—health care providers need not obtain authorizations in this setting
E. Workers’ Compensation
1. Workers’ Compensation carriers are not covered entities
2. Disclosures to Workers’ Compensation carriers
VI. EFFECT ON EMPLOYERS AS SPONSORS OF HEALTH PLANS
A. Regulations Apply Directly Only to “Covered Entities” and Employers, As Such, Are Not Covered Entities
B. Health Plans’ Use and Disclosure for Treatment, Payment and Health Care Operations
1. Health plans’ use of PHI
2. Health plans’ disclosure of PHI
3. Requests to the health plan for PHI
4. Requests by the health plan for PHI
C. General Rule for Group Health Plans—No Disclosure of PHI to Employer/Sponsor without Plan Amendments
D. Permitted Disclosures of PHI to Employer/Sponsor
E. Amendment of Plan Documents
F. Retention of Plan Amendments
G. Adequate Separation: Firewalls
H. Crossroads
VII. DISTINCTION BETWEEN CERTAIN INSURED AND SELF-INSURED GROUP HEALTH PLANS—DUTIES UNDER THE RULES’ “ADMINISTRATIVE REQUIREMENTS”
A. Exemption for Insured Group Health Plans
B. Self-insured Group Health Plans and Plans that Create or Receive Protected Health Information
C. Administrative Requirements
VIII. ADDITIONAL REQUIREMENTS: DISCLOSURES OF PROTECTED HEALTH INFORMATION TO PARTIES OTHER THAN THE PLAN SPONSOR
A. The Business Associate Rules
B. When Non-Compliance of the Business Associate May Be Attributed to the Covered Entity
C. Deadline Extension for Business Associate Contracts
D. Model Business Associate Contract
IX. INDIVIDUAL RIGHTS
APPENDIX A EMPLOYEE AUTHORIZATION FOR DISCLOSURE OF PROTECTED HEALTH INFORMATION TO EMPLOYER
APPENDIX B EMPLOYEE AUTHORIZATION FOR DISCLOSURE OF PSYCHOTHERAPY NOTES TO EMPLOYER
APPENDIX C MODEL BUSINESS ASSOCIATE CONTRACT PROVISIONS
Last Revised 16-Aug-04 05:41 PM.