When is information covered by the privacy act
An individual has rights under the Privacy Act to seek access to, and where applicable request correction of, any such records maintained about him or her, and to obtain an accounting of disclosures of those records. The Act prohibits disclosure of such records without the prior, written consent of the individual(s) to whom the records pertain, unless one of the twelve disclosure exceptions enumerated in subsection (b) of the Act applies.
The Privacy Act binds only federal agencies and covers only records under the control of federal agencies; by contract, it also applies to contractor personnel and systems used by a federal agency to maintain the records. The Health Insurance Portability and Accountability Act (HIPAA) Rules contain privacy, security, and breach notification requirements that apply to individually identifiable health information created, received, maintained, or transmitted by health care providers who engage in certain electronic health transactions, health plans, health care clearinghouses, and their business associates.
A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual.
The Privacy Act requires that agencies give the public notice of their systems of records by publication in the Federal Register. The Privacy Act prohibits the disclosure of a record about an individual from a system of records absent the written consent of the individual, unless the disclosure is pursuant to one of twelve statutory exceptions.
The Act also provides individuals with a means by which to seek access to and amendment of their records, and sets forth various agency record-keeping requirements. Law Enforcement Purposes.
Covered entities may disclose protected health information to funeral directors as needed, and to coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other functions authorized by law.
Cadaveric Organ, Eye, or Tissue Donation. Covered entities may use or disclose protected health information to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue. Serious Threat to Health or Safety. Covered entities may disclose protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat including the target of the threat.
Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal. Essential Government Functions. An authorization is not required to use or disclose protected health information for certain essential government functions.
Such functions include: assuring proper execution of a military mission, conducting intelligence and national security activities that are authorized by law, providing protective services to the President, making medical suitability determinations for U.S. State Department employees, protecting the health and safety of inmates or employees in a correctional institution, and determining eligibility for or conducting enrollment in certain government benefit programs. A limited data set is protected health information from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed.
An authorization must be written in specific terms. It may allow use and disclosure of protected health information by the covered entity seeking the authorization, or by a third party. All authorizations must be in plain language, and must contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, the right to revoke in writing, and other data. The Privacy Rule contains transition provisions applicable to authorizations and other express legal permissions obtained prior to April 14. Psychotherapy Notes. Marketing. Marketing is any communication about a product or service that encourages recipients to purchase or use the product or service.
Marketing also is an arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information, in exchange for direct or indirect remuneration, for the other entity to communicate about its own products or services encouraging the use or purchase of those products or services. No authorization is needed, however, to make a communication that falls within one of the exceptions to the marketing definition.
See additional guidance on Marketing. Minimum Necessary. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.
When the minimum necessary standard applies to a use or disclosure, a covered entity may not use, disclose, or request the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose. See additional guidance on Minimum Necessary.
Access and Uses. For internal uses, a covered entity must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce.
These policies and procedures must identify the persons, or classes of persons, in the workforce who need access to protected health information to carry out their duties, the categories of protected health information to which access is needed, and any conditions under which they need the information to do their jobs. Disclosures and Requests for Disclosures.
Covered entities must establish and implement policies and procedures (which may be standard protocols) for routine, recurring disclosures, or requests for disclosures, that limit the protected health information disclosed to the minimum amount reasonably necessary to achieve the purpose of the disclosure. Individual review of each disclosure is not required. For non-routine, non-recurring disclosures, or requests for disclosures that it makes, a covered entity must develop criteria designed to limit disclosures to the information reasonably necessary to accomplish the purpose of the disclosure, and must review each of these requests individually in accordance with the established criteria.
Reasonable Reliance. If another covered entity makes a request for protected health information, a covered entity may rely, if reasonable under the circumstances, on the request as complying with this minimum necessary standard. Privacy Practices Notice.
Each covered entity, with certain exceptions, must provide a notice of its privacy practices. The notice must describe the ways in which the covered entity may use and disclose protected health information. The notice must include a point of contact for further information and for making complaints to the covered entity. Covered entities must act in accordance with their notices.
The Rule also contains specific distribution requirements for direct treatment providers, all other health care providers, and health plans. See additional guidance on Notice. Covered entities, whether direct treatment providers or indirect treatment providers (such as laboratories) or health plans, must supply the notice to anyone on request. The covered entities in an organized health care arrangement may use a joint privacy practices notice, as long as each agrees to abide by the notice content with respect to the protected health information created or received in connection with participation in the arrangement.
A health plan must distribute its privacy practices notice to each of its enrollees by its Privacy Rule compliance date. Thereafter, the health plan must give its notice to each new enrollee at enrollment, and send a reminder to every enrollee at least once every three years that the notice is available upon request.
For information included within the right of access, covered entities may deny an individual access in certain specified situations, such as when a health care professional believes access could cause harm to the individual or another. In such situations, the individual must be given the right to have such denials reviewed by a licensed health care professional for a second opinion.
The Rule gives individuals the right to have covered entities amend their protected health information in a designated record set when that information is inaccurate or incomplete. The Rule specifies processes for requesting and responding to a request for amendment. A covered entity must amend protected health information in its designated record set upon receipt of notice to amend from another covered entity.
Disclosure Accounting. Accounting for disclosures to health oversight agencies and law enforcement officials must be temporarily suspended on their written representation that an accounting would likely impede their activities. Restriction Request. A covered entity that does agree must comply with the agreed restrictions, except for purposes of treating the individual in a medical emergency. Confidential Communications Requirements. Health plans and covered health care providers must permit individuals to request an alternative means or location for receiving communications of protected health information by means other than those that the covered entity typically employs.
Similarly, an individual may request that the provider send communications in a closed envelope rather than a post card. Health plans must accommodate reasonable requests if the individual indicates that the disclosure of all or part of the protected health information could endanger the individual. Any covered entity may condition compliance with a confidential communication request on the individual specifying an alternative address or method of contact and explaining how any payment will be handled.
HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the flexibility and scalability of the Rule are intended to allow covered entities to analyze their own needs and implement solutions appropriate for their own environment.
Privacy Policies and Procedures. A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule. Privacy Personnel. Workforce Training and Management. Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity whether or not they are paid by the entity.
A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule. Data Safeguards. A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.
See additional guidance on Incidental Uses and Disclosures. A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. Among other things, the covered entity must identify to whom individuals can submit complaints at the covered entity, and must advise that complaints can also be submitted to the Secretary of HHS.