Lawyer Monthly - August 2023

[…] like myself have had to keep up with a never-ending onslaught of new privacy laws, rules and amendments. Most recently, Congress enacted the 21st Century Cures Act, which resulted in a new ‘Information Blocking Rule’ that prohibits certain actors from interfering with the access, use and exchange of electronic health information when it is otherwise legally permissible. This new rule was created in part because certain electronic medical record (EMR) vendors were allegedly configuring their products to make it either impossible or too cost-prohibitive for other vendors and third parties to connect to and access electronic health information from their EMR product. In many ways, the Information Blocking Rule has turned federal healthcare privacy law on its head. In the past, healthcare organisations focused on how to keep medical information private. Now, they are left scrambling to realign their longtime data privacy practices with the Information Blocking Rule, which requires electronic health information to be openly accessible. And, if that is not enough, more changes to federal laws affecting healthcare privacy and technology are in the pipeline as we speak. I look forward to hopefully many more years of doing the same things that I have been doing for the last 23.

What rights are guaranteed under HIPAA and other laws concerning healthcare information privacy?

There are several ‘rights’ that HIPAA affords to individuals. I will touch on the big ones.

First, individually identifiable health information that is protected under HIPAA (referred to as ‘protected health information’ or ‘PHI’) may not be used or disclosed in an unauthorised manner. Generally, a ‘covered entity’ (CE) custodian of PHI must first obtain a signed authorisation from the individual who is the subject of the PHI to permit the desired use or disclosure. If a signed authorisation is not obtained, then the CE custodian is only permitted to use and disclose PHI in ways expressly allowed under an exception in the HIPAA Privacy Rule. Examples of when HIPAA does not require a signed authorisation to use and disclose PHI include: treatment, payment, health care operations, public health, and other limited reasons. However, even if a use or disclosure might fall within an exception under the HIPAA Privacy Rule, certain state laws could still require a signed consent before such information can be disclosed. In such cases, the CE custodian of the health information protected by a state’s privacy law would have to obtain a signed consent before disclosing the information, even if it is not required by HIPAA.

Another important right guaranteed by HIPAA is the individual’s right of access. This ensures that an individual generally has a right to access and control his/her PHI, including being permitted to request and receive electronic copies of his/her PHI in the form and format requested, and directing such information to be transmitted to a third party. This provision, together with the Information Blocking Rule, has had a profound impact on increasing patients’ use of mobile applications to directly connect to their provider’s EMR, extract their health information and facilitate its transmission to other third parties.

Finally, the HIPAA Breach Notification Rule guarantees that individuals will be notified if their PHI has been compromised by a data breach or security incident. This way, individuals can take steps to potentially protect themselves against identity theft and fraud.
