Institute: ONC | Component: 2 | Unit: 9 | Lecture: c | Slide: 21
Institute: Office of National Coordinator (ONC) Workforce Training Curriculum
Component: The Culture of Health Care
Unit: Privacy, Confidentiality, and Security
Lecture: HIPAA Privacy Rule
Slide content: Other Modifications in HITECH
- Breach notification: When 500 or more patients affected, breach must be reported to local media and OCR (www.hhs.gov/hipaa/for-professionals/breach-notification/index.html)
- Restrictions on disclosures
- Information about services paid for out of pocket must be withheld from payers upon request
- TPO disclosures must be tracked and records maintained for three years
- Covered entities with EHRs must provide or transmit PHI in electronic format as directed by patient
- Patients can opt out of fundraising appeals
Slide notes: There are other modifications to the HIPAA Privacy Rule under the HITECH legislation. One area concerns breach notification. Obviously, patients must be informed, but when the breach exceeds five hundred patients, the OCR, as well as the local media or local press, must be notified. In fact, the OCR maintains a web page that lists all breaches of more than five hundred patients, which can be accessed through the URL on this slide. There are also some modifications that allow patients to put more restrictions on disclosures. For example, when patients pay for medical care out of pocket instead of through their insurance, they can stipulate that information not be sent to payers. There are also stricter rules for appropriate disclosures of TPO. These disclosures must be tracked and records maintained for three years. In addition, covered entities that have electronic health records have to either provide or, if the patient requests, transmit PHI in electronic format as the patient directs. Finally, one other clause allows patients to opt out of fundraising appeals.