bmad-plus 0.9.0 → 0.9.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +15 -0
- package/LICENSE +21 -21
- package/README.md +105 -85
- package/osint-agent-package/README.md +88 -88
- package/osint-agent-package/SETUP_KEYS.md +108 -108
- package/osint-agent-package/agents/osint-investigator.md +80 -80
- package/osint-agent-package/install.ps1 +87 -87
- package/osint-agent-package/install.sh +76 -76
- package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
- package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
- package/package.json +30 -3
- package/readme-international/README.de.md +8 -3
- package/readme-international/README.es.md +8 -3
- package/readme-international/README.fr.md +8 -3
- package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
- package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
- package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
- package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
- package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
- package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
- package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/data/role-triggers.yaml +209 -209
- package/src/bmad-plus/module-help.csv +10 -10
- package/src/bmad-plus/packs/pack-memory/README.md +106 -106
- package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
- package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
- package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
- package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
- package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
- package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
- package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
- package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
- package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/packs/pack-shield/README.md +110 -110
- package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -82
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
- package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
- package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
- package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
- package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
- package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
- package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
- package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
- package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
- package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
- package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
- package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
- package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
- package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
- package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
- package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
- package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
- package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
- package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
- package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
- package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
- package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
- package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
- package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
- package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
- package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
- package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
- package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
- package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
- package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
- package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
- package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
- package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
- package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
- package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
- package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
- package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
- package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
- package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
- package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
- package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
- package/tools/cli/bmad-plus-cli.js +5 -3
- package/tools/cli/commands/autoconfig.js +5 -58
- package/tools/cli/commands/doctor.js +2 -0
- package/tools/cli/commands/install.js +9 -128
- package/tools/cli/commands/memory.js +1 -0
- package/tools/cli/commands/scan.js +26 -41
- package/tools/cli/commands/uninstall.js +7 -4
- package/tools/cli/commands/update.js +2 -1
- package/tools/cli/lib/ide-config.js +259 -0
- package/tools/cli/lib/memory-init.js +0 -1
- package/tools/cli/lib/pack-copy.js +84 -84
- package/tools/cli/lib/packs.js +114 -114
- package/tools/cli/lib/stack-detect.js +102 -0
- package/tools/cli/lib/validate.js +45 -0
|
@@ -1,276 +1,276 @@
|
|
|
1
|
-
# HIPAA Privacy Rule Reference
|
|
2
|
-
## 45 CFR Part 164, Subparts A and E
|
|
3
|
-
|
|
4
|
-
---
|
|
5
|
-
|
|
6
|
-
## Table of Contents
|
|
7
|
-
1. [Applicability & Scope](#1-applicability--scope)
|
|
8
|
-
2. [Uses and Disclosures — General Rules](#2-uses-and-disclosures--general-rules)
|
|
9
|
-
3. [Permitted Uses Without Authorization](#3-permitted-uses-without-authorization)
|
|
10
|
-
4. [Patient Rights](#4-patient-rights)
|
|
11
|
-
5. [Notice of Privacy Practices (NPP)](#5-notice-of-privacy-practices-npp)
|
|
12
|
-
6. [Minimum Necessary Standard](#6-minimum-necessary-standard)
|
|
13
|
-
7. [Authorization Requirements](#7-authorization-requirements)
|
|
14
|
-
8. [Special Categories of PHI](#8-special-categories-of-phi)
|
|
15
|
-
9. [Administrative Requirements](#9-administrative-requirements)
|
|
16
|
-
10. [Marketing & Fundraising](#10-marketing--fundraising)
|
|
17
|
-
|
|
18
|
-
---
|
|
19
|
-
|
|
20
|
-
## 1. Applicability & Scope
|
|
21
|
-
|
|
22
|
-
**Covered Entities (CEs)** subject to Privacy Rule:
|
|
23
|
-
- Health plans (insurance companies, HMOs, employer-sponsored plans with 50+ participants)
|
|
24
|
-
- Healthcare clearinghouses
|
|
25
|
-
- Healthcare providers who transmit health information electronically
|
|
26
|
-
|
|
27
|
-
**Business Associates (BAs):**
|
|
28
|
-
- Entities that create, receive, maintain, or transmit PHI on behalf of a CE
|
|
29
|
-
- Must sign a **Business Associate Agreement (BAA)** before PHI is shared
|
|
30
|
-
- Subject to Security Rule; portions of Privacy Rule apply via BAA
|
|
31
|
-
|
|
32
|
-
**PHI Definition** (§164.501):
|
|
33
|
-
Protected Health Information = health information that:
|
|
34
|
-
- Is created or received by a CE/BA
|
|
35
|
-
- Relates to past/present/future physical or mental health condition, healthcare provision, or payment
|
|
36
|
-
- Identifies or could reasonably identify the individual
|
|
37
|
-
|
|
38
|
-
**Does NOT apply to:**
|
|
39
|
-
- Employers acting in their employer capacity
|
|
40
|
-
- Life insurers (unless also a health plan)
|
|
41
|
-
- Workers' comp carriers (in most states, not subject to HIPAA directly)
|
|
42
|
-
- Education records (FERPA applies instead)
|
|
43
|
-
|
|
44
|
-
---
|
|
45
|
-
|
|
46
|
-
## 2. Uses and Disclosures — General Rules
|
|
47
|
-
|
|
48
|
-
### General Prohibition (§164.502(a))
|
|
49
|
-
A CE/BA may not use or disclose PHI except as permitted or required by the Privacy Rule.
|
|
50
|
-
|
|
51
|
-
### Required Disclosures (§164.502(a)(2))
|
|
52
|
-
- To the **individual** (upon request for access or accounting)
|
|
53
|
-
- To **HHS** for compliance investigations/enforcement
|
|
54
|
-
|
|
55
|
-
### Consent vs. Authorization vs. Agreement
|
|
56
|
-
| Mechanism | When Required | Notes |
|
|
57
|
-
|-----------|--------------|-------|
|
|
58
|
-
| Written Authorization | Uses/disclosures beyond TPO, marketing, sale of PHI | Must meet §164.508 requirements |
|
|
59
|
-
| Opportunity to agree/object | Facility directories, to family/friends involved in care | Informal; oral ok |
|
|
60
|
-
| No permission needed | TPO, public health, law enforcement (limited), etc. | See §164.512 |
|
|
61
|
-
|
|
62
|
-
---
|
|
63
|
-
|
|
64
|
-
## 3. Permitted Uses Without Authorization
|
|
65
|
-
|
|
66
|
-
### Treatment, Payment, Operations (TPO) (§164.506)
|
|
67
|
-
- **Treatment**: Providing, coordinating, managing healthcare
|
|
68
|
-
- **Payment**: Billing, claims processing, utilization review
|
|
69
|
-
- **Operations**: Quality assessment, training, auditing, legal, business planning
|
|
70
|
-
|
|
71
|
-
### Other Permitted Disclosures (§164.512)
|
|
72
|
-
| Purpose | Requirements |
|
|
73
|
-
|---------|-------------|
|
|
74
|
-
| Public health (§164.512(b)) | To authorized public health authorities |
|
|
75
|
-
| Abuse/neglect reporting (§164.512(c)) | To government authorities authorized to receive |
|
|
76
|
-
| Health oversight (§164.512(d)) | Audits, inspections, licensure by oversight agencies |
|
|
77
|
-
| Judicial/administrative (§164.512(e)) | Court order or subpoena with satisfactory assurance |
|
|
78
|
-
| Law enforcement (§164.512(f)) | Limited; specific conditions apply (e.g., court order, crime on premises) |
|
|
79
|
-
| Research (§164.512(i)) | With IRB/Privacy Board waiver or individual authorization |
|
|
80
|
-
| Serious threat (§164.512(j)) | To prevent imminent serious harm to individual or others |
|
|
81
|
-
| Workers' comp (§164.512(l)) | As authorized by workers' comp laws |
|
|
82
|
-
| Decedents (§164.512(g)) | To coroners, medical examiners, funeral directors |
|
|
83
|
-
| Limited data set (§164.514(e)) | Remove direct identifiers; require Data Use Agreement (DUA) |
|
|
84
|
-
|
|
85
|
-
### Incidental Disclosures (§164.502(a)(1)(iii))
|
|
86
|
-
Permitted if:
|
|
87
|
-
- Reasonable safeguards are in place
|
|
88
|
-
- Minimum necessary standard is met
|
|
89
|
-
- Example: A patient overhearing another patient's conversation in a waiting room
|
|
90
|
-
|
|
91
|
-
---
|
|
92
|
-
|
|
93
|
-
## 4. Patient Rights
|
|
94
|
-
|
|
95
|
-
### Right of Access (§164.524)
|
|
96
|
-
- Individuals have the right to inspect and obtain a copy of their PHI in a **designated record set**
|
|
97
|
-
- **Timeline**: Provide access within **30 days** (one 30-day extension permitted with written notice)
|
|
98
|
-
- **Format**: Must provide in format requested if readily producible; electronic if requested
|
|
99
|
-
- **Fees**: May charge a reasonable, cost-based fee (labor + supplies + postage only); no retrieval fees
|
|
100
|
-
- **Denials**: Permitted for psychotherapy notes, information compiled for legal proceedings, PHI that could endanger life/safety; some denials are reviewable
|
|
101
|
-
|
|
102
|
-
> **2021 Rule Update**: HHS reinforced that fees must be limited; EHR patient portal access must be free.
|
|
103
|
-
|
|
104
|
-
### Right to Amend (§164.526)
|
|
105
|
-
- Individual may request amendment to their PHI in a designated record set
|
|
106
|
-
- **Timeline**: 60 days to act (one 60-day extension)
|
|
107
|
-
- May deny if: CE did not create the record; record is accurate and complete; not part of designated record set
|
|
108
|
-
|
|
109
|
-
### Right to Accounting of Disclosures (§164.528)
|
|
110
|
-
- Right to list of disclosures made in prior 6 years
|
|
111
|
-
- **Excludes**: TPO disclosures, to the individual, authorized disclosures, incidental, national security
|
|
112
|
-
- **Timeline**: 60 days (one 60-day extension)
|
|
113
|
-
|
|
114
|
-
### Right to Request Restrictions (§164.522(a))
|
|
115
|
-
- Individual may request restrictions on uses/disclosures for TPO or to family/friends
|
|
116
|
-
- CE is **not required** to agree — **except**: must honor restriction on disclosure to health plan for service paid out-of-pocket in full
|
|
117
|
-
|
|
118
|
-
### Right to Confidential Communications (§164.522(b))
|
|
119
|
-
- Individual may request alternative means or locations for communications
|
|
120
|
-
- CE must accommodate **reasonable requests**; no explanation required from individual
|
|
121
|
-
- Health plans must accommodate if individual states disclosure could endanger them
|
|
122
|
-
|
|
123
|
-
### Right to Notice (§164.520)
|
|
124
|
-
- Right to receive a Notice of Privacy Practices (see Section 5)
|
|
125
|
-
|
|
126
|
-
### Right to Opt Out of Fundraising (§164.514(f))
|
|
127
|
-
- Must include opt-out mechanism in every fundraising communication
|
|
128
|
-
|
|
129
|
-
---
|
|
130
|
-
|
|
131
|
-
## 5. Notice of Privacy Practices (NPP)
|
|
132
|
-
|
|
133
|
-
### Required for: All Covered Entities (not BAs)
|
|
134
|
-
|
|
135
|
-
### Must Be Provided (§164.520(c)):
|
|
136
|
-
- At first service delivery (in-person)
|
|
137
|
-
- On request
|
|
138
|
-
- On CE's website (if one exists)
|
|
139
|
-
- Health plans: at enrollment and every 3 years if material changes
|
|
140
|
-
|
|
141
|
-
### Required NPP Contents (§164.520(b)):
|
|
142
|
-
1. **Header**: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
|
|
143
|
-
2. Description of how CE may use/disclose PHI (with examples of TPO + other)
|
|
144
|
-
3. Description of other uses requiring authorization
|
|
145
|
-
4. Individual rights (access, amendment, accounting, restrictions, confidential comms, opt-out of fundraising)
|
|
146
|
-
5. CE's duties (maintain privacy, notify of breaches, abide by NPP)
|
|
147
|
-
6. How to complain (to CE and to HHS; no retaliation)
|
|
148
|
-
7. Contact person/office for more information
|
|
149
|
-
8. Effective date
|
|
150
|
-
|
|
151
|
-
### Electronic NPP:
|
|
152
|
-
- Can be provided electronically if individual agrees
|
|
153
|
-
- Must be in plain language
|
|
154
|
-
|
|
155
|
-
---
|
|
156
|
-
|
|
157
|
-
## 6. Minimum Necessary Standard
|
|
158
|
-
|
|
159
|
-
### Rule (§164.502(b), §164.514(d)):
|
|
160
|
-
When using or disclosing PHI, or requesting from another CE, make reasonable efforts to limit PHI to the **minimum necessary** to accomplish the intended purpose.
|
|
161
|
-
|
|
162
|
-
### Applies To:
|
|
163
|
-
- Routine disclosures → Establish policies identifying persons who need access + type of PHI
|
|
164
|
-
- Non-routine disclosures → Review on case-by-case basis
|
|
165
|
-
- Requests from others → Limit requests to minimum necessary
|
|
166
|
-
|
|
167
|
-
### Does NOT Apply To:
|
|
168
|
-
- Disclosures to or requests by a treating provider
|
|
169
|
-
- Disclosures to the individual
|
|
170
|
-
- Pursuant to individual's authorization
|
|
171
|
-
- Required by law
|
|
172
|
-
- For HHS compliance activities
|
|
173
|
-
|
|
174
|
-
### Practical Implementation:
|
|
175
|
-
- Role-based access controls in EHR systems
|
|
176
|
-
- Need-to-know training for workforce
|
|
177
|
-
- De-identify data where full PHI isn't required
|
|
178
|
-
|
|
179
|
-
---
|
|
180
|
-
|
|
181
|
-
## 7. Authorization Requirements
|
|
182
|
-
|
|
183
|
-
### When Required (§164.508):
|
|
184
|
-
- Most uses/disclosures not covered by TPO or §164.512 permitted disclosures
|
|
185
|
-
- **Always required for**: psychotherapy notes (with limited exceptions), marketing involving financial remuneration, sale of PHI
|
|
186
|
-
|
|
187
|
-
### Valid Authorization Must Contain (§164.508(c)):
|
|
188
|
-
1. Description of PHI to be used/disclosed (specific, meaningful)
|
|
189
|
-
2. Name/class of person(s) authorized to make the disclosure
|
|
190
|
-
3. Name/class of person(s) to whom disclosure may be made
|
|
191
|
-
4. Description of each purpose of the use/disclosure
|
|
192
|
-
5. Expiration date or event
|
|
193
|
-
6. Individual's signature and date
|
|
194
|
-
7. If signed by personal representative: description of authority
|
|
195
|
-
8. Statement that individual may revoke
|
|
196
|
-
9. Statement about re-disclosure risk (if applicable)
|
|
197
|
-
10. Conditioning statement (if authorization is conditioned on treatment/payment)
|
|
198
|
-
|
|
199
|
-
### Defective Authorization (§164.508(b)(2)):
|
|
200
|
-
Authorization is defective if:
|
|
201
|
-
- Expiration date has passed
|
|
202
|
-
- Not filled out completely
|
|
203
|
-
- CE knows it has been revoked
|
|
204
|
-
- Compound authorization (combining with another document) when not permitted
|
|
205
|
-
|
|
206
|
-
---
|
|
207
|
-
|
|
208
|
-
## 8. Special Categories of PHI
|
|
209
|
-
|
|
210
|
-
These categories receive **heightened protection** (often under state law as well):
|
|
211
|
-
|
|
212
|
-
| Category | Notes |
|
|
213
|
-
|----------|-------|
|
|
214
|
-
| **Psychotherapy notes** | Stored separately; require specific authorization for almost all uses/disclosures |
|
|
215
|
-
| **HIV/AIDS information** | Most states have additional restrictions beyond HIPAA |
|
|
216
|
-
| **Substance use disorder** (42 CFR Part 2) | Separate federal law with stricter rules than HIPAA |
|
|
217
|
-
| **Mental health records** | State law often adds restrictions |
|
|
218
|
-
| **Reproductive health** | Post-Dobbs guidance; HHS issued rules limiting disclosure for lawful reproductive care |
|
|
219
|
-
| **Genetic information** (GINA) | Cannot be used for underwriting by health plans |
|
|
220
|
-
| **Minors** | Generally parents are personal representatives; exceptions for emancipated minors, sensitive services |
|
|
221
|
-
|
|
222
|
-
> **Important**: State laws can be MORE protective than HIPAA. HIPAA sets a floor. Always check state law.
|
|
223
|
-
|
|
224
|
-
---
|
|
225
|
-
|
|
226
|
-
## 9. Administrative Requirements
|
|
227
|
-
|
|
228
|
-
### Policies & Procedures (§164.530(i)):
|
|
229
|
-
- Must implement written policies and procedures complying with Privacy Rule
|
|
230
|
-
- Must document policies; retain for 6 years from creation or last effective date
|
|
231
|
-
|
|
232
|
-
### Workforce Training (§164.530(b)):
|
|
233
|
-
- Train all workforce members on privacy policies as necessary for them to carry out their functions
|
|
234
|
-
- Train new members within reasonable time after joining
|
|
235
|
-
- Document training
|
|
236
|
-
|
|
237
|
-
### Sanctions (§164.530(e)):
|
|
238
|
-
- Apply appropriate sanctions against workforce members who violate privacy policies
|
|
239
|
-
- Document sanctions
|
|
240
|
-
|
|
241
|
-
### Complaint Process (§164.530(d)):
|
|
242
|
-
- Provide process for individuals to make complaints
|
|
243
|
-
- Document all complaints and their disposition
|
|
244
|
-
|
|
245
|
-
### Privacy Official (§164.530(a)):
|
|
246
|
-
- Designate a Privacy Official responsible for developing and implementing policies
|
|
247
|
-
- Designate a contact person for receiving complaints
|
|
248
|
-
|
|
249
|
-
### Retaliation Prohibition (§164.530(g)):
|
|
250
|
-
- May not retaliate against individuals for exercising HIPAA rights
|
|
251
|
-
- May not retaliate against workforce members for filing complaints or participating in investigations
|
|
252
|
-
|
|
253
|
-
### Waiver Prohibition (§164.530(h)):
|
|
254
|
-
- May not require individuals to waive HIPAA rights as condition of treatment/payment/enrollment
|
|
255
|
-
|
|
256
|
-
---
|
|
257
|
-
|
|
258
|
-
## 10. Marketing & Fundraising
|
|
259
|
-
|
|
260
|
-
### Marketing Definition (§164.501):
|
|
261
|
-
Communication about a product/service that encourages recipients to purchase or use the product/service.
|
|
262
|
-
|
|
263
|
-
### Marketing Requires Authorization EXCEPT:
|
|
264
|
-
- Face-to-face communication with individual
|
|
265
|
-
- Promotional gifts of nominal value
|
|
266
|
-
- Refill reminders (if financial remuneration is reasonably related to CE's cost)
|
|
267
|
-
- Communications about health-related products/services offered by CE (own services, treatment alternatives, case management) — if no financial remuneration from third party
|
|
268
|
-
|
|
269
|
-
### Sale of PHI (§164.502(a)(5)(ii)):
|
|
270
|
-
- Generally prohibited without authorization
|
|
271
|
-
- Exceptions: public health, research, treatment, sale/merger of business, BAA, providing individual access
|
|
272
|
-
|
|
273
|
-
### Fundraising (§164.514(f)):
|
|
274
|
-
- May use demographic info + dates of service without authorization
|
|
275
|
-
- Must include opt-out mechanism in each communication
|
|
276
|
-
- Cannot condition treatment on making a donation
|
|
1
|
+
# HIPAA Privacy Rule Reference
|
|
2
|
+
## 45 CFR Part 164, Subparts A and E
|
|
3
|
+
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
## Table of Contents
|
|
7
|
+
1. [Applicability & Scope](#1-applicability--scope)
|
|
8
|
+
2. [Uses and Disclosures — General Rules](#2-uses-and-disclosures--general-rules)
|
|
9
|
+
3. [Permitted Uses Without Authorization](#3-permitted-uses-without-authorization)
|
|
10
|
+
4. [Patient Rights](#4-patient-rights)
|
|
11
|
+
5. [Notice of Privacy Practices (NPP)](#5-notice-of-privacy-practices-npp)
|
|
12
|
+
6. [Minimum Necessary Standard](#6-minimum-necessary-standard)
|
|
13
|
+
7. [Authorization Requirements](#7-authorization-requirements)
|
|
14
|
+
8. [Special Categories of PHI](#8-special-categories-of-phi)
|
|
15
|
+
9. [Administrative Requirements](#9-administrative-requirements)
|
|
16
|
+
10. [Marketing & Fundraising](#10-marketing--fundraising)
|
|
17
|
+
|
|
18
|
+
---
|
|
19
|
+
|
|
20
|
+
## 1. Applicability & Scope
|
|
21
|
+
|
|
22
|
+
**Covered Entities (CEs)** subject to Privacy Rule:
|
|
23
|
+
- Health plans (insurance companies, HMOs, employer-sponsored plans with 50+ participants)
|
|
24
|
+
- Healthcare clearinghouses
|
|
25
|
+
- Healthcare providers who transmit health information electronically
|
|
26
|
+
|
|
27
|
+
**Business Associates (BAs):**
|
|
28
|
+
- Entities that create, receive, maintain, or transmit PHI on behalf of a CE
|
|
29
|
+
- Must sign a **Business Associate Agreement (BAA)** before PHI is shared
|
|
30
|
+
- Subject to Security Rule; portions of Privacy Rule apply via BAA
|
|
31
|
+
|
|
32
|
+
**PHI Definition** (§164.501):
|
|
33
|
+
Protected Health Information = health information that:
|
|
34
|
+
- Is created or received by a CE/BA
|
|
35
|
+
- Relates to past/present/future physical or mental health condition, healthcare provision, or payment
|
|
36
|
+
- Identifies or could reasonably identify the individual
|
|
37
|
+
|
|
38
|
+
**Does NOT apply to:**
|
|
39
|
+
- Employers acting in their employer capacity
|
|
40
|
+
- Life insurers (unless also a health plan)
|
|
41
|
+
- Workers' comp carriers (in most states, not subject to HIPAA directly)
|
|
42
|
+
- Education records (FERPA applies instead)
|
|
43
|
+
|
|
44
|
+
---
|
|
45
|
+
|
|
46
|
+
## 2. Uses and Disclosures — General Rules
|
|
47
|
+
|
|
48
|
+
### General Prohibition (§164.502(a))
|
|
49
|
+
A CE/BA may not use or disclose PHI except as permitted or required by the Privacy Rule.
|
|
50
|
+
|
|
51
|
+
### Required Disclosures (§164.502(a)(2))
|
|
52
|
+
- To the **individual** (upon request for access or accounting)
|
|
53
|
+
- To **HHS** for compliance investigations/enforcement
|
|
54
|
+
|
|
55
|
+
### Consent vs. Authorization vs. Agreement
|
|
56
|
+
| Mechanism | When Required | Notes |
|
|
57
|
+
|-----------|--------------|-------|
|
|
58
|
+
| Written Authorization | Uses/disclosures beyond TPO, marketing, sale of PHI | Must meet §164.508 requirements |
|
|
59
|
+
| Opportunity to agree/object | Facility directories, to family/friends involved in care | Informal; oral ok |
|
|
60
|
+
| No permission needed | TPO, public health, law enforcement (limited), etc. | See §164.512 |
|
|
61
|
+
|
|
62
|
+
---
|
|
63
|
+
|
|
64
|
+
## 3. Permitted Uses Without Authorization
|
|
65
|
+
|
|
66
|
+
### Treatment, Payment, Operations (TPO) (§164.506)
|
|
67
|
+
- **Treatment**: Providing, coordinating, managing healthcare
|
|
68
|
+
- **Payment**: Billing, claims processing, utilization review
|
|
69
|
+
- **Operations**: Quality assessment, training, auditing, legal, business planning
|
|
70
|
+
|
|
71
|
+
### Other Permitted Disclosures (§164.512)
|
|
72
|
+
| Purpose | Requirements |
|
|
73
|
+
|---------|-------------|
|
|
74
|
+
| Public health (§164.512(b)) | To authorized public health authorities |
|
|
75
|
+
| Abuse/neglect reporting (§164.512(c)) | To government authorities authorized to receive |
|
|
76
|
+
| Health oversight (§164.512(d)) | Audits, inspections, licensure by oversight agencies |
|
|
77
|
+
| Judicial/administrative (§164.512(e)) | Court order or subpoena with satisfactory assurance |
|
|
78
|
+
| Law enforcement (§164.512(f)) | Limited; specific conditions apply (e.g., court order, crime on premises) |
|
|
79
|
+
| Research (§164.512(i)) | With IRB/Privacy Board waiver or individual authorization |
|
|
80
|
+
| Serious threat (§164.512(j)) | To prevent imminent serious harm to individual or others |
|
|
81
|
+
| Workers' comp (§164.512(l)) | As authorized by workers' comp laws |
|
|
82
|
+
| Decedents (§164.512(g)) | To coroners, medical examiners, funeral directors |
|
|
83
|
+
| Limited data set (§164.514(e)) | Remove direct identifiers; require Data Use Agreement (DUA) |
|
|
84
|
+
|
|
85
|
+
### Incidental Disclosures (§164.502(a)(1)(iii))
|
|
86
|
+
Permitted if:
|
|
87
|
+
- Reasonable safeguards are in place
|
|
88
|
+
- Minimum necessary standard is met
|
|
89
|
+
- Example: A patient overhearing another patient's conversation in a waiting room
|
|
90
|
+
|
|
91
|
+
---
|
|
92
|
+
|
|
93
|
+
## 4. Patient Rights
|
|
94
|
+
|
|
95
|
+
### Right of Access (§164.524)
|
|
96
|
+
- Individuals have the right to inspect and obtain a copy of their PHI in a **designated record set**
|
|
97
|
+
- **Timeline**: Provide access within **30 days** (one 30-day extension permitted with written notice)
|
|
98
|
+
- **Format**: Must provide in format requested if readily producible; electronic if requested
|
|
99
|
+
- **Fees**: May charge a reasonable, cost-based fee (labor + supplies + postage only); no retrieval fees
|
|
100
|
+
- **Denials**: Permitted for psychotherapy notes, information compiled for legal proceedings, PHI that could endanger life/safety; some denials are reviewable
|
|
101
|
+
|
|
102
|
+
> **2021 Rule Update**: HHS reinforced that fees must be limited; EHR patient portal access must be free.
|
|
103
|
+
|
|
104
|
+
### Right to Amend (§164.526)
|
|
105
|
+
- Individual may request amendment to their PHI in a designated record set
|
|
106
|
+
- **Timeline**: 60 days to act (one 60-day extension)
|
|
107
|
+
- May deny if: CE did not create the record; record is accurate and complete; not part of designated record set
|
|
108
|
+
|
|
109
|
+
### Right to Accounting of Disclosures (§164.528)
|
|
110
|
+
- Right to list of disclosures made in prior 6 years
|
|
111
|
+
- **Excludes**: TPO disclosures, to the individual, authorized disclosures, incidental, national security
|
|
112
|
+
- **Timeline**: 60 days (one 60-day extension)
|
|
113
|
+
|
|
114
|
+
### Right to Request Restrictions (§164.522(a))
|
|
115
|
+
- Individual may request restrictions on uses/disclosures for TPO or to family/friends
|
|
116
|
+
- CE is **not required** to agree — **except**: must honor restriction on disclosure to health plan for service paid out-of-pocket in full
|
|
117
|
+
|
|
118
|
+
### Right to Confidential Communications (§164.522(b))
|
|
119
|
+
- Individual may request alternative means or locations for communications
|
|
120
|
+
- CE must accommodate **reasonable requests**; no explanation required from individual
|
|
121
|
+
- Health plans must accommodate if individual states disclosure could endanger them
|
|
122
|
+
|
|
123
|
+
### Right to Notice (§164.520)
|
|
124
|
+
- Right to receive a Notice of Privacy Practices (see Section 5)
|
|
125
|
+
|
|
126
|
+
### Right to Opt Out of Fundraising (§164.514(f))
|
|
127
|
+
- Must include opt-out mechanism in every fundraising communication
|
|
128
|
+
|
|
129
|
+
---
|
|
130
|
+
|
|
131
|
+
## 5. Notice of Privacy Practices (NPP)
|
|
132
|
+
|
|
133
|
+
### Required for: All Covered Entities (not BAs)
|
|
134
|
+
|
|
135
|
+
### Must Be Provided (§164.520(c)):
|
|
136
|
+
- At first service delivery (in-person)
|
|
137
|
+
- On request
|
|
138
|
+
- On CE's website (if one exists)
|
|
139
|
+
- Health plans: at enrollment and every 3 years if material changes
|
|
140
|
+
|
|
141
|
+
### Required NPP Contents (§164.520(b)):
|
|
142
|
+
1. **Header**: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
|
|
143
|
+
2. Description of how CE may use/disclose PHI (with examples of TPO + other)
|
|
144
|
+
3. Description of other uses requiring authorization
|
|
145
|
+
4. Individual rights (access, amendment, accounting, restrictions, confidential comms, opt-out of fundraising)
|
|
146
|
+
5. CE's duties (maintain privacy, notify of breaches, abide by NPP)
|
|
147
|
+
6. How to complain (to CE and to HHS; no retaliation)
|
|
148
|
+
7. Contact person/office for more information
|
|
149
|
+
8. Effective date
|
|
150
|
+
|
|
151
|
+
### Electronic NPP:
|
|
152
|
+
- Can be provided electronically if individual agrees
|
|
153
|
+
- Must be in plain language
|
|
154
|
+
|
|
155
|
+
---
|
|
156
|
+
|
|
157
|
+
## 6. Minimum Necessary Standard
|
|
158
|
+
|
|
159
|
+
### Rule (§164.502(b), §164.514(d)):
|
|
160
|
+
When using or disclosing PHI, or requesting from another CE, make reasonable efforts to limit PHI to the **minimum necessary** to accomplish the intended purpose.
|
|
161
|
+
|
|
162
|
+
### Applies To:
|
|
163
|
+
- Routine disclosures → Establish policies identifying persons who need access + type of PHI
|
|
164
|
+
- Non-routine disclosures → Review on case-by-case basis
|
|
165
|
+
- Requests from others → Limit requests to minimum necessary
|
|
166
|
+
|
|
167
|
+
### Does NOT Apply To:
|
|
168
|
+
- Disclosures to or requests by a treating provider
|
|
169
|
+
- Disclosures to the individual
|
|
170
|
+
- Pursuant to individual's authorization
|
|
171
|
+
- Required by law
|
|
172
|
+
- For HHS compliance activities
|
|
173
|
+
|
|
174
|
+
### Practical Implementation:
|
|
175
|
+
- Role-based access controls in EHR systems
|
|
176
|
+
- Need-to-know training for workforce
|
|
177
|
+
- De-identify data where full PHI isn't required
|
|
178
|
+
|
|
179
|
+
---
|
|
180
|
+
|
|
181
|
+
## 7. Authorization Requirements
|
|
182
|
+
|
|
183
|
+
### When Required (§164.508):
|
|
184
|
+
- Most uses/disclosures not covered by TPO or §164.512 permitted disclosures
|
|
185
|
+
- **Always required for**: psychotherapy notes (with limited exceptions), marketing involving financial remuneration, sale of PHI
|
|
186
|
+
|
|
187
|
+
### Valid Authorization Must Contain (§164.508(c)):
|
|
188
|
+
1. Description of PHI to be used/disclosed (specific, meaningful)
|
|
189
|
+
2. Name/class of person(s) authorized to make the disclosure
|
|
190
|
+
3. Name/class of person(s) to whom disclosure may be made
|
|
191
|
+
4. Description of each purpose of the use/disclosure
|
|
192
|
+
5. Expiration date or event
|
|
193
|
+
6. Individual's signature and date
|
|
194
|
+
7. If signed by personal representative: description of authority
|
|
195
|
+
8. Statement that individual may revoke
|
|
196
|
+
9. Statement about re-disclosure risk (if applicable)
|
|
197
|
+
10. Conditioning statement (if authorization is conditioned on treatment/payment)
|
|
198
|
+
|
|
199
|
+
### Defective Authorization (§164.508(b)(2)):
|
|
200
|
+
Authorization is defective if:
|
|
201
|
+
- Expiration date has passed
|
|
202
|
+
- Not filled out completely
|
|
203
|
+
- CE knows it has been revoked
|
|
204
|
+
- Compound authorization (combining with another document) when not permitted
|
|
205
|
+
|
|
206
|
+
---
|
|
207
|
+
|
|
208
|
+
## 8. Special Categories of PHI
|
|
209
|
+
|
|
210
|
+
These categories receive **heightened protection** (often under state law as well):
|
|
211
|
+
|
|
212
|
+
| Category | Notes |
|
|
213
|
+
|----------|-------|
|
|
214
|
+
| **Psychotherapy notes** | Stored separately; require specific authorization for almost all uses/disclosures |
|
|
215
|
+
| **HIV/AIDS information** | Most states have additional restrictions beyond HIPAA |
|
|
216
|
+
| **Substance use disorder** (42 CFR Part 2) | Separate federal law with stricter rules than HIPAA |
|
|
217
|
+
| **Mental health records** | State law often adds restrictions |
|
|
218
|
+
| **Reproductive health** | Post-Dobbs guidance; HHS issued rules limiting disclosure for lawful reproductive care |
|
|
219
|
+
| **Genetic information** (GINA) | Cannot be used for underwriting by health plans |
|
|
220
|
+
| **Minors** | Generally parents are personal representatives; exceptions for emancipated minors, sensitive services |
|
|
221
|
+
|
|
222
|
+
> **Important**: State laws can be MORE protective than HIPAA. HIPAA sets a floor. Always check state law.
|
|
223
|
+
|
|
224
|
+
---
|
|
225
|
+
|
|
226
|
+
## 9. Administrative Requirements
|
|
227
|
+
|
|
228
|
+
### Policies & Procedures (§164.530(i)):
|
|
229
|
+
- Must implement written policies and procedures complying with Privacy Rule
|
|
230
|
+
- Must document policies; retain for 6 years from creation or last effective date
|
|
231
|
+
|
|
232
|
+
### Workforce Training (§164.530(b)):
|
|
233
|
+
- Train all workforce members on privacy policies as necessary for them to carry out their functions
|
|
234
|
+
- Train new members within reasonable time after joining
|
|
235
|
+
- Document training
|
|
236
|
+
|
|
237
|
+
### Sanctions (§164.530(e)):
|
|
238
|
+
- Apply appropriate sanctions against workforce members who violate privacy policies
|
|
239
|
+
- Document sanctions
|
|
240
|
+
|
|
241
|
+
### Complaint Process (§164.530(d)):
|
|
242
|
+
- Provide process for individuals to make complaints
|
|
243
|
+
- Document all complaints and their disposition
|
|
244
|
+
|
|
245
|
+
### Privacy Official (§164.530(a)):
|
|
246
|
+
- Designate a Privacy Official responsible for developing and implementing policies
|
|
247
|
+
- Designate a contact person for receiving complaints
|
|
248
|
+
|
|
249
|
+
### Retaliation Prohibition (§164.530(g)):
|
|
250
|
+
- May not retaliate against individuals for exercising HIPAA rights
|
|
251
|
+
- May not retaliate against workforce members for filing complaints or participating in investigations
|
|
252
|
+
|
|
253
|
+
### Waiver Prohibition (§164.530(h)):
|
|
254
|
+
- May not require individuals to waive HIPAA rights as condition of treatment/payment/enrollment
|
|
255
|
+
|
|
256
|
+
---
|
|
257
|
+
|
|
258
|
+
## 10. Marketing & Fundraising
|
|
259
|
+
|
|
260
|
+
### Marketing Definition (§164.501):
|
|
261
|
+
Communication about a product/service that encourages recipients to purchase or use the product/service.
|
|
262
|
+
|
|
263
|
+
### Marketing Requires Authorization EXCEPT:
|
|
264
|
+
- Face-to-face communication with individual
|
|
265
|
+
- Promotional gifts of nominal value
|
|
266
|
+
- Refill reminders (if financial remuneration is reasonably related to CE's cost)
|
|
267
|
+
- Communications about health-related products/services offered by CE (own services, treatment alternatives, case management) — if no financial remuneration from third party
|
|
268
|
+
|
|
269
|
+
### Sale of PHI (§164.502(a)(5)(ii)):
|
|
270
|
+
- Generally prohibited without authorization
|
|
271
|
+
- Exceptions: public health, research, treatment, sale/merger of business, BAA, providing individual access
|
|
272
|
+
|
|
273
|
+
### Fundraising (§164.514(f)):
|
|
274
|
+
- May use demographic info + dates of service without authorization
|
|
275
|
+
- Must include opt-out mechanism in each communication
|
|
276
|
+
- Cannot condition treatment on making a donation
|