Privacy Act Information
At Aero Health, we prioritize your privacy and are committed to protecting your health information. As part of the FAA’s mandate, all Aviation Medical Examiners (AMEs) are trained in HIPAA and privacy regulations to ensure your data is handled with the utmost care. For comprehensive details, you can visit the U.S. Health and Human Services website at http://www.hhs.gov.
The summary that follows is drawn from the HHS website at http://www.hhs.gov.
The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals’ privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.
A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.
The Privacy Rule, as well as all the Administrative Simplification rules, applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).
Health Care Providers
Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule. Using electronic technology, such as email, does not by itself make a health care provider a covered entity; the transmission must be in connection with a standard transaction. The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf. Health care providers include all “providers of services” (e.g., institutional providers such as hospitals) and “providers of medical or health services” (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.
Protected Health Information
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”
“Individually identifiable health information” is information, including demographic data, that relates to:
• The individual’s past, present or future physical or mental health or condition
• The provision of health care to the individual, or
• The past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
Basic Principle
A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either:
1. As the Privacy Rule permits or requires; or
2. As the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
Required Disclosures
A covered entity must disclose protected health information in only two situations:
(a) To individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and
(b) To HHS when it is undertaking a compliance investigation or review or enforcement action.
Permitted Uses and Disclosures
A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:
(1) To the individual (unless required for access or accounting of disclosures)
(2) Treatment, payment, and health care operations
(3) Opportunity to agree or object
(4) Incident to an otherwise permitted use and disclosure
(5) Public interest and benefit activities
(6) Limited data set for the purposes of research, public health or health care operations
Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.
(1) To the Individual. A covered entity may disclose protected health information to the individual who is the subject of the information.
(2) Treatment, Payment, Health Care Operations. A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities. A covered entity also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship.
Treatment is the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.
Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain payment or be reimbursed for the provision of health care to an individual. Health care operations are any of the following activities:
(a) Quality assessment and improvement activities, including case management and care coordination
(b) Competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation
(c) Conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs
(d) Specified insurance functions, such as underwriting, risk rating, and reinsuring risk
(e) Business planning, development, management, and administration
(f) Business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.
Most uses and disclosures of psychotherapy notes for treatment, payment, and health care operations purposes require an authorization as described below. Obtaining “consent” (written permission from individuals to use and disclose their protected health information for treatment, payment, and health care operations) is optional under the Privacy Rule for all covered entities. The content of a consent form, and the process for obtaining consent, are at the discretion of the covered entity electing to seek consent.
(3) Uses and Disclosures with Opportunity to Agree or Object. Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object. Where the individual is incapacitated, in an emergency situation, or not available, covered entities generally may make such uses and disclosures, if in the exercise of their professional judgment, the use or disclosure is determined to be in the best interests of the individual.
(4) Incidental Use and Disclosure. The Privacy Rule does not require that every risk of an incidental use or disclosure of protected health information be eliminated. A use or disclosure of this information that occurs as a result of, or as “incident to,” an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards as required by the Privacy Rule, and the information being shared was limited to the “minimum necessary,” as required by the Privacy Rule.
(5) Public Interest and Benefit Activities. The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes. These disclosures are permitted, although not required, by the Rule in recognition of the important uses made of health information outside of the health care context. Specific conditions or limitations apply to each public interest purpose, striking the balance between the individual privacy interest and the public interest need for this information.
Required by Law. Covered entities may use and disclose protected health information without individual authorization as required by law. (The disclosure to the FAA by the AME in the course of an AME exam is a disclosure required by law.)
Other reasons include:
- Public health activities
- Victims of abuse, neglect or domestic violence
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes
- Decedents
- Cadaveric organ, eye, or tissue donation
- Research
- Serious threat to health or safety
- Essential government functions
- Workers’ Compensation
Authorization. A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances.
Minimum necessary. A central aspect of the Privacy Rule is the principle of “minimum necessary” use and disclosure. A covered entity must make reasonable efforts to use, disclose and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request. A covered entity must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary. When the minimum necessary standard applies to a use or disclosure, a covered entity may not use, disclose, or request an individual’s entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.
Disclosure Accounting. Individuals have a right to an accounting of the disclosures of their protected health information by a covered entity or the covered entity’s business associates. The maximum disclosure accounting period is the six years immediately preceding the accounting request, except that a covered entity is not obligated to account for any disclosure made before its Privacy Rule compliance date.