USE AND DISCLOSURE OF PHI UNDER THE HIPAA PRIVACY RULE
1. INFORMATION REQUIRED TO BE PROTECTED. Under the HIPAA Privacy Rule, the privacy of all medical records, billing records, and other individually identifiable health information (“protected health information” or “PHI”) must be protected.
2. RESTRICTIONS ON USE AND DISCLOSURE OF PHI. Under HIPAA, an individual’s PHI may be used or disclosed, without patient authorization, for treatment, payment, and healthcare operations purposes.
3. BUSINESS ASSOCIATES
4. DE-IDENTIFICATION OF PHI. If healthcare information is de-identified, it is no longer subject to the HIPAA Privacy Standards, and can be freely shared with others. However, there are 18 specific identifiers that must be removed from the data for it to be considered de-identified for purposes of HIPAA.
5. USE OF PHI TO CREATE A LIMITED DATA SET. As an alternative to de-identification, a covered entity, such as Cyberonics, can create a “limited data set” through the removal of 16 specific identifiers. However, a limited data set may be used only for purposes of research, public health, or healthcare operations, and prior to disclosure of a limited data set, Cyberonics would be required to enter into a Data Use Agreement with the recipient of the data set.