Action Resources: Privacy

The Final Privacy Rule was published in the Federal Register on December 28, 2000. A "paperwork glitch" delayed the rule's effective date to April 14, 2001. Compliance is required by April 14, 2003. HHS' Office for Civil Rights first issued a guidance document on the Privacy Rule July 6, 2001. On March 27, 2002, HHS issued proposed changes to certain standards in the Privacy Rule; the Final Modified Privacy Rule was published August 14, 2002. OCR issued a revised guidance document April 3, 2003.
Analyses
HIPAA Privacy Rule and Security Standards - friends or foes? by Cheryl S. Camin, Esq., ABA Health eSource, August 2006
This article is intended to be a brief analysis of how the differences between the Privacy Rule and the Security Standards may result in problems with compliance with both of these requirements.
The HIPAA Security and Privacy Rules: Intersections and Dependencies by Steve Weil, CISSP, CISA, Seitel Leeds & Associates
HIPAA/LAW Legal Q/A: "Understanding the New Privacy Rule Modifications" by Steve Fox, Esq., & Rachel Wilson, Esq., August 2002
Analysis of the Marketing Provisions of the HIPAA Privacy Rules by Robert Gellman, Privacy and Information Policy Consultant
In debates over health privacy proposals, it was often said that video rental records had better privacy protection than medical records. Unfortunately, now that the final rule has been issued, it is still true that video rental records have better protections from marketing uses and disclosures than medical records.
HIPAA and Newsgathering by Andrew M. Mar and Alison Page Howard, Davis Wright Tremaine LLP
Fortunately, HIPAA does not regulate what the media can report about. Nonetheless, journalists should be prepared to deal with and, if necessary, challenge, the manner in which agencies they cover interpret these regulations.
An Analysis of Web Site Privacy Policy Evolution in the Presence of HIPAA (PDF)
This 2004 study provides a unique perspective on the state of privacy practices before and after HIPAA's enactment, by comparing our current results to our pre-HIPAA study of these same institutions' privacy practices. HIPAA's introduction has resulted in more descriptive and detailed privacy policies but has not necessarily improved online privacy practices. The results of this analysis may be helpful for forecasting how future legislation will affect the state of online privacy in other domains.
CMS' Disclosure Desk Reference for Call Centers on the HIPAA Privacy Rule applied to the original Medicare plan, issued June 25, 2004 (PDF).
Office for Civil Rights (OCR) guidance for writing plain language notices is designed to help the writer of a Notice of Privacy Practices create a notice that does not require a high literacy level. The document describes principles for writing plain English, clear layout, and presentation. It also suggests some easily understandable words and phrases that can be used.
OCR letter on research use of data (PDF)
Living Day-to-Day With HIPAA Privacy: The Top 10 Most Inappropriate Responses Overheard in the Healthcare Workplace by Randa Upham & Amanda Dorsey, Phoenix Health Systems
"Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule" (PDF) from HHS' National Institutes of Health
Health Information Privacy Complaint Fact Sheet & Complaint Form (Spanish version)
WEDI SNIP Compliance White Papers & Presentations:
- Electronic Communications: with advances in technology, email and voice mail have become important means of communication among physicians and between provider and patient.
- FAX Facts on sending and receiving faxes that contain PHI.
State Privacy Laws and Preemption Analyses, includes how to request state preemption of HIPAA.
The Maryland Health Care Commission's "Guide to Privacy Readiness" (PDF) provides an overview of the HIPAA Privacy Regulation, definitions of terms used in the regulation, plus:
- Assessment Guide and Work Plan
- Business Associate Contract (development tips & model form)
- Notice of Privacy Practices (development tips & model form)
- Computer and Information Usage Agreement (development tips & model form)
Additional resources:
Medical Privacy Horror Stories (compiled by Health Privacy Project)
Model HIPAA Notice of Privacy Practices
AMA's Group Practice HIPAA Notice of Privacy Practices
Cosmetics, mechanics and confidence in Web privacy
Electronic Privacy Information Center (EPIC) Online Guide to Practical Privacy Tools
Electronic Privacy Information Center (EPIC) Bill Track: a summarized resource for understanding what privacy-related initiatives are evolving in Congress.
The Direct Marketing Association's (DMA) Privacy Policy Generator, though not specific to HIPAA, enables you to simply complete a questionnaire and create a general privacy policy statement to be posted on your own web page.
Computerworld's Privacy special coverage page with news, feature and opinion articles about privacy issues.
HealthKey "A Framework and Structured Process for Developing Responsible Privacy Practices" (Second Edition, HIPAA Update, September 2001), companion document to "PKI in Healthcare." Includes an operational framework for developing privacy practices accompanied by a toolkit including the HealthKey Privacy Principles: A Working Set, endorsed by the HealthKey Privacy Advisory Group; policy checklists and model policies and practices for three common electronic transactions (e-mail, file transfer, secure access). All are intended for use as templates in real-world implementations. Download as a 592.5KB Microsoft Word document.
Template for a Comprehensive Health Care Information Protection Agreement, pre-publication draft (download as Word document). The Agreement allows for compliance in regards to business associates, chain of trust, trading partners, HCFA Internet Security Policy, GLB Act, generally accepted privacy principles, electronic signatures & electronic records, and health information transaction contracting; also includes a Crosswalk of Provisions.
Health Privacy Project
About the 1996 Health Insurance Portability & Accountability Act
Summary of the Final Regulations
Frequently Asked Questions
Health Privacy Polling Data
American Health Information Management Association (AHIMA) Practice Briefs:
- A HIPAA Privacy Checklist (incorporates Aug. 2002 amendments)
- Consent for Uses and Disclosures of Information (Updated)
- Defining the Designated Record Set
- Destruction of Patient Health Information (Updated)
- Disaster Planning for a Mass-Casualty Event
- Facsimile Transmission of Health Information (Updated)
- HIPAA Privacy and Security Training (Updated)
- Implementing the Minimum Necessary Standard
- Laws and Regulations Governing the Disclosure of Health Information (Updated)
- Notice of Privacy Practices
- Patient Access and Amendment to Health Records (Updated)
- Patient Anonymity (Updated)
- Patient Photography, Videotaping, and Other Imaging (Updated)
- Preemption of the HIPAA Privacy Rule (incorporates Aug. 2002 amendments)
- Release of Information for Marketing or Fund-raising Purposes (Updated)
- Required Content for Authorizations to Disclose (Updated)
Business Associates
Possibilities and Pitfalls of Outsourcing, Newsfactor Magazine, November 23, 2005
Many healthcare organizations are finding that diverse functions can be outsourced without affecting the core competency of health care. Confidentiality and security of the information being transferred to the outsourcing firm is of great significance.
Healthcare and IT: Taming HIPAA by John A. Gliedman, Computerworld, May 2, 2005
With guidance, HIPAA requirements shouldn't intimidate IT vendors or healthcare providers. As with any other professional discipline, the legal implications can be managed with the proper tools and practices, such as a good business associate agreement.
OCR letter on medical device companies' roles as BAs (PDF)
Sample BA Contract Provisions from the final modified Privacy Rule.
Model Business Associate Contract from the Privacy NPRM.
AHA's Model Business Associate Agreement
Shaping Up Your Business Associates -- A Case Study on Compliance and Better Relationship Management by DeDee Birdsall
Privacy Officers
Small Provider Organizations: A Day in the Life of a Privacy Officer by Helen Hadley, VantagePoint HealthCare Advisors
Massachusetts State Agency Privacy Officer email discussion group for use by privacy officers of state Medicaid agencies and other state health agencies of all 50 states. The purpose of the list is to give state agency privacy officers a forum to discuss some of the unique privacy issues that arise in the public sector. Only state agency employees or their contractors are eligible to join. To enroll, send a blank email message to: join-medipoexchange@listserv.state.ma.us
AHIMA's Sample (Chief) Privacy Officer Job Description
Articles
Special Report: Officials Focus on Weak Links in Privacy,
Government Computer News, September 25, 2006
Privacy has been an embedded component of electronic health records for the Health and Human Services Department and the collaborative groups that are conducting technical, standards, business process and policy tasks. But now HHS officials and their partners are elevating privacy as a separate component.
HIPAA: Best if Used by... by Heather B. Hayes, Government Health IT, June 12, 2006
There is now a mobilization under way to put privacy back in the spotlight and come up with a remedy for HIPAA's flaws. Several bills in Congress attempt to create health information networks while also addressing privacy concerns, and challenges to HIPAA's privacy rules have been filed in both state and federal courts.
Gaps in the HIPAA Chinese Wall by Anne M. Lavelle, Trustee Magazine, January 2006
When it comes to HIPAA, hospitals are, for the most part, very good at keeping patient information private, except when the patient also happens to be an employee of the hospital. Sometimes, the "Great Wall of China" which should exist between the "branch" of the hospital that treats the patient and its human resources "branch" often seems to be missing a few bricks.
Hurricane Katrina Sparks Data Privacy Concerns by Margie Semilof and Jo Maitland, SearchStorage.com, October 13, 2005
In the chaotic days that followed the hurricane, well-intentioned efforts by Microsoft Corp. to reunite scattered family members may usher in another kind of storm, this one involving the privacy of personal data belonging to the many residents forced into shelters.
HIPAA: Past, Present, and Future Implications for Nurses by Joe A. Flores, RN, MSN, CCRN, FNP, JD & Andrea Dodier, Paralegal; Online Journal of Issues in Nursing; May 31, 2005
Nurses stand at the forefront in the resolution of the dilemma of patient privacy versus healthcare expediency. HIPAA is a work in progress and not a specific act. All covered entities and their personnel need to look broadly at HIPAA as initiating a new way of work in healthcare.
Medical ID Bracelets Can be Crucial ER Tool by Kevin Helliker, Wall Street Journal, April 17, 2005
In the flurry of calls for electronic medical records, a low-tech alternative is being overlooked: the medical warning tag. But patients have their own qualms about wearing medical bracelets, including privacy.
Health IT: Fears and Opportunities by ML Baker, eWeek, February 1, 2005
Deborah Peel, chairman of the Appeal for Patient Privacy Foundation, thinks a national health information network could very well marginalize patients who fear that their personal information could be shared without their consent or that their consent could be coerced. Peel said that HIPAA provided little protection: "The Bush administration flipped the HIPAA privacy rule into a disclosure rule, where patients cannot control any 'routine' uses of their medical records."
Fundraisers Seek Patient Privacy Waivers by Sarah A. Klein, Crain's Chicago Business, November 13, 2004
The biggest physician group at Chicago's Northwestern Memorial Hospital is asking patients to waive their HIPAA privacy rights so their names and medical diagnoses can be passed on to fundraisers. The aim is to identify patients interested in specific diseases who would likely support research initiatives.
HIPAA, Heal Thyself by Maria Blackburn, Johns Hopkins Magazine, November 2004
A sweeping set of patient privacy regulations went into effect last year, complicating life considerably for Medicine's researchers, fundraisers, and archivists. Now many are wondering: Are the intended benefits outweighed by the unintended costs?
The Privacy Lawyer: HIPAA: Who Can You Trust? by Parry Aftab, Information Week, October 4, 2004
Exceptions under HIPAA regulations leave a door open for marketing using individuals' personal information.
New Medical Privacy Rules Test Military by John Fritze, Indianapolis Star, April 21, 2003
Keeping medical records entirely private has proved difficult enough in the civilian world -- imagine trying to do it on a battlefield. New federal medical privacy regulations, which went into effect last week, have become a serious challenge for the armed forces -- including those deploying to Iraq -- military medics here said.
Officials Struggle with HIPAA when SARS is Concerned by Elaine Murphy, KATU, April 17, 2003
If a deadly disease like SARS or the West Nile Virus broke out in your community, would health officials tell you about it? Currently there is some confusion even among health professionals over what information can and cannot be made public under a new federal law. KATU, Portland, OR's ABC affiliate, wondered if that privacy law would compromise the public's safety.
Privacy Notices: No Good If No One Reads by David Hallerman, eMarketer, January 7, 2003
What's striking about consumers' attitudes regarding privacy notices is how their opinions are supported by evidence. Research from Readability Consulting, a Golden Valley, MN-based firm that helps companies put documents into plain English, indicates how difficult it can be to understand privacy notices.
Getting the HIPAA Consent and Notice Mix Right - for Patient and Provider by D'Arcy Guerin Gue, Health Management Technology, July 2002
Six years, 100-plus hearings and nearly 100,000 comments later, the infancy of the patient privacy concept under HIPAA may be over. Patients and providers are fortunate, indeed, that politics and the extraordinary difficulty of the medical privacy birthing process have not resulted in the baby disappearing with the proverbial bath water.
Clamping Down by Brad Cain, HealthLeaders, April 2002
Chief Privacy Officer. Director of Privacy. Information Privacy Director. The position's title varies from one organization to the next, but those who have created a dedicated privacy position say the move can pay dividends beyond complying with the HIPAA mandate.
Defining the Roles of HIPAA Officers by Greg Gillespie, Health Data Management
CIOs must decide how to satisfy HIPAA's requirement that two new positions be responsible for privacy and data security.