HIPAA Need-to-Know Basis: Understanding and Why It's Important

  • Published: 8 Sep 2024
  • If you’ve ever watched a spy movie before, the plotline I’m about to describe ALWAYS happens.
    The main character hasn’t been on “active duty” as a super-secret agent for some time now, or maybe they’ve retired altogether. Yet the scene before it set up the conflict: the biggest, worst bad guy ever to grace the silver screen has the most diabolical plot the world has ever seen.
    LINKS:
    etactics.com/b...
    It’s such a dangerous mission that the world’s only hope is the main character, who receives a dossier that others received on a “need-to-know basis”. Then their closest companion from the agency they used to work for pleads with them to come back, and the main character replies something like, “I’m not that person anymore.”
    If you’re a scriptwriter, please don’t take that masterpiece of a story I just described.
    But, what if I told you that a portion of my plot describes a requirement within the healthcare industry? Can you pick it out?
    I’m talking about the portion of that spy movie scene where the main character receives confidential information. It's on a “need-to-know basis.”
    Believe it or not, a need-to-know basis is sort of a requirement for healthcare organizations according to the Health Insurance Portability and Accountability Act (HIPAA).
    I said “sort of” earlier because that verbiage isn’t explicitly included within the law itself. Yet, it’s a best practice, and that phrasing makes what’s written out within the law much more understandable.
    The Minimum Necessary Standard is a situational section within the HIPAA Privacy Rule that covers how covered entities should use or disclose protected health information (PHI).
    In essence, it states that healthcare professionals shouldn’t use or disclose PHI when it isn’t necessary for a specific purpose or function. In a case where professionals decide that they need to disclose or use PHI for a purpose, the rule requires that they only share information that’s relevant and necessary.
    Of course, the Minimum Necessary Standard doesn’t apply when holding a discussion with a patient. There are 5 additional scenarios where it doesn’t apply:
      • Requests made by another provider for treatment purposes.
      • When the applicable patient gives permission.
      • When required for compliance with the HIPAA Administrative Simplification Rules.
      • When the Department of Health and Human Services (HHS) requires disclosures for enforcement purposes.
      • When the requirement to share comes from another law.
    Yet this portion of the law is viewed as flexible rather than rigid. In other words, it’s built to cater to the scenarios covered entities may find themselves in.
    So where does Need-to-know come in?
    Nowhere within HIPAA does it explicitly say that PHI requires a “need-to-know” basis. Instead, it’s a term that encompasses the Minimum Necessary Standard.
    Instead of having to worry about all of the different specifications, requirements, and legal vernacular stated within the law and on the HHS website, that one term summarizes everything.
    According to the Cambridge Dictionary, a need-to-know basis means, “...you only tell [people] the facts they need to know at the time they need to know them, and nothing more.” In other words, that definition aligns perfectly with what the Minimum Necessary Standard requires healthcare organizations to implement.
    Using the phrase “need-to-know basis” makes the Minimum Necessary Standard more comprehensible. Thus, incorporating that phrasing into your policies and/or annual HIPAA training sessions makes it easy for your employees to understand the law.
    Incorporating a need-to-know basis at your organization also affects how you work with vendors outside of your organization.
    If you’re a healthcare professional, you know that there are certain vendors you have to use in order to make your job easier. HIPAA allows practices and facilities to work with vendors, otherwise the burnout situation would be even worse.
    Naturally, some vendors that medical organizations work with need to have access to or store PHI in order for their services to work. That’s allowed as long as there’s a business associate agreement (BAA) signed.
    At that point, though, both parties are responsible for securing the data that they handle.
    ► Reach out to Etactics @ www.etactics.com
    ► Subscribe: rb.gy/pso1fq to learn more tips and tricks in healthcare, health IT, and cybersecurity.
    ► Find us on LinkedIn: / etactics-inc
    #HIPAA #PatientPrivacy #HIPAAPrivacyRule

Comments • 2

  • @allisonburnett6510 · 1 year ago · +1

    Just wanted to compliment you on this video! Explained a complex concept in a clear and concrete manner. Amazing job!!!!

  • @karie_brown · 2 years ago

    What if you pay for surgery with Care Credit/Synchrony Bank, something goes terribly wrong with the surgery, so you have a valid reason to dispute the charge. Is the surgeon allowed to send my medical records to the bank?
    Synchrony told me that they weren’t business associates with the professionals