Health Insurance Portability and Accountability Act of 1996 (HIPAA)

What activities are regulated by the HIPAA Privacy Regulations?

The HIPAA Privacy Regulations are concerned with controlling the use and disclosure of a consumer's health information where the information could potentially reveal the identity of the consumer. This type of individually identifiable health information is referred to as “Protected Health Information” or “PHI.”

The HIPAA Privacy Regulations regulate the use and disclosure of PHI by health care providers, health plans, and health care clearinghouses (companies that take non-compliant data configurations and process them into compliant data configurations).

The HIPAA Privacy Regulations generally prohibit health care providers, like ARISE, from using or disclosing PHI except as authorized by the consumer who is the subject of the information, or as specifically permitted or required by the HIPAA Privacy Regulations. The HIPAA Privacy Regulations, however, do not regulate or restrict ARISE’s use or disclosure of health information that has been “de-identified” so that it no longer has the potential to reveal the identity of the consumer.

When can ARISE disclose PHI without first obtaining specific authorization from the consumer? 

With the exception of certain types of information, ARISE may use and disclose PHI for treatment, payment and routine business operations if it has obtained from the consumer a signed general written consent form that will permit these activities on an ongoing basis. A specific authorization form is not required every time these activities are performed.

As a result, once ARISE has obtained the consumer's general written consent, information may be shared among ARISE’s staff members when necessary for those individuals to provide treatment or care to the consumer, obtain payment for the treatment or care, and carry out routine business operations of ARISE.

In addition, ARISE may disclose PHI without a consumer's consent or authorization when it is necessary to further certain public policy objectives, including:

  1. Where disclosure is required by law
  2. For a judicial or administrative proceeding
  3. For public health activities
  4. For health oversight activities
  5. To report incidents of abuse, neglect or domestic violence
  6. For law enforcement purposes
  7. To avert a serious threat to health or safety
  8. For national security and intelligence activities and protective services
  9. For the health, safety or security of prison inmates or other detainees
  10. To facilitate organ, eye or tissue donation
  11. To coroners, medical examiners, and funeral directors

Certain types of information receive special protection:

  • Psychotherapy notes – which are notes by a mental health professional that document or analyze the contents of a counseling session and are kept separate from the medical record – are subject to heightened protection. The use and disclosure of these notes generally require specific authorization from the consumer.
  • The HIPAA Privacy Regulations also generally recognize the special protection provided to certain types of health information under state law. New York law provides special protection to mental health information, HIV/AIDS-related information, alcohol and substance abuse treatment information, and genetic information.

Are there any limitations on the amount of PHI that can be used or disclosed?

As a general rule, ARISE must take reasonable steps to limit the PHI that we use and disclose, or that we request from others, to the minimum amount that is necessary to accomplish the purpose of the use, disclosure, or request. This rule, however, does not apply when ARISE is disclosing or requesting PHI for treatment purposes, or when ARISE is using or disclosing PHI in a manner that is required by law.

To what extent can ARISE share PHI with health care professionals and facilities with whom it is clinically or operationally integrated?

Legally separate health care providers that are clinically or operationally integrated may operate as an organized health care arrangement. For example, ARISE is part of an organized health care arrangement with outside health care professionals which you know as XYZ Health Services. This group provides treatment or care to our consumers within our setting. As members of an organized health care arrangement, our staff and the XYZ staff are permitted to share PHI for the health care operations of our joint enterprise, and may develop and use a joint notice of privacy practices and a common consent form covering all PHI created or received in connection with their joint enterprise.

What administrative requirements do the HIPAA Privacy Regulations impose? 

ARISE must implement certain administrative requirements designed to protect the privacy of PHI, including:

  • Development, adoption and implementation of written policies and procedures designed to ensure ARISE’s compliance with the HIPAA Privacy Regulations
  • Designation of a privacy officer, who will in turn oversee the development, implementation and enforcement of ARISE’s privacy policies and procedures
  • Provision of employee training about ARISE’s privacy policies and procedures
  • Establishment and enforcement of sanctions for employees who fail to follow ARISE’s privacy policies and procedures

The HIPAA Privacy Regulations also require ARISE to limit our employees’ access to PHI. Specifically, ARISE may permit access to PHI only by those employees with a “need to know” the information. Moreover, ARISE should, to the extent feasible, permit such employees to access only the information that is relevant to their job responsibilities.

What privacy rights do clients/patients have under the HIPAA Privacy Regulations?

The HIPAA Privacy Regulations grant our consumers the following rights regarding their PHI:

  • The right to notice of ARISE’s privacy practices for PHI.
    • This notice will (i) explain the purposes for which ARISE may use and disclose the client’s/patient’s PHI, (ii) inform the consumer of his or her rights with respect to his or her PHI, and (iii) explain ARISE’s legal duties under the HIPAA Privacy Regulations.
  • The right to inspect and obtain a copy of their PHI.
  • The right to request amendments to their PHI.
  • The right to receive an "accounting list" that provides information about disclosures of their PHI that were made to third parties for purposes other than treatment, payment and normal business operations.
  • The right to request that ARISE further restrict the way it uses or discloses their PHI.
  • The right to request that ARISE communicate with them or with their personal representatives by alternative means or at alternative locations. ARISE must accommodate all reasonable requests.

To what extent can ARISE share PHI with third party vendors and other “business associates”?

If a person or organization will create or receive PHI in order to perform an activity, function or service for ARISE, that entity will be considered a “business associate” of the agency. Examples of our business associates include our billing services company and our copying service.

Under the HIPAA Privacy Regulations, ARISE is required to enter into a contract with each business associate. The contract must include certain specific provisions to ensure that the business associate limits its uses and disclosures, and adequately safeguards the privacy, of the PHI that it receives from, or creates for, ARISE.

To what extent can ARISE share PHI with other health care providers?

ARISE can generally share PHI with other health care providers so long as we have obtained a general written consent from the consumer and the PHI is being shared so that ARISE or another health care provider can provide treatment to the consumer.

What penalties may be imposed if ARISE fails to comply with the HIPAA Privacy Regulations?

HIPAA establishes civil penalties of up to $100 for each violation that may be imposed for a failure to comply with the HIPAA Privacy Regulations. (These fines are capped at $25,000 per person/entity per year for each standard violated). In addition, HIPAA provides for the imposition of criminal penalties of up to a $250,000 fine and 10 years in prison for intentionally obtaining or disclosing PHI in violation of the HIPAA Privacy Regulations.