HIPAA Forms in Nevada
HIPAA forms in Nevada are required under certain circumstances. HIPAA regulations outline the uses and disclosures of PHI that require authorization from a patient/plan member before that person’s PHI can be shared or used.
HIPAA authorization forms in Nevada are required before:
- The covered entity can use or disclose PHI whose use or disclosure is otherwise not permitted by the HIPAA Privacy Rule
- The covered entity can use or disclose PHI for marketing purposes. If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.
The law requires that a HIPAA release form in Nevada contain specific “core elements” to be valid.
These elements include:
- A description of the specific information to be used or disclosed.
- The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
- The name or other specific identification of any third parties (persons or classes of persons) to whom the covered entity may make the requested use or disclosure.
- A description of each purpose of the requested use or disclosure.
- An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
- The signature of the individual, and the date.
Nevada Data Breach Notification Law
Nevada data breach notification law requires organizations that suffer a breach compromising personal information to report the incident. Entities that are subject to HIPAA and report incidents following HIPAA standards also meet the requirements of the Nevada data breach notification law.
The HIPAA Breach Notification Rule requires healthcare organizations to report breaches that compromise the confidentiality, integrity, or availability of protected health information.
Incidents that are considered reportable breaches include:
- Hacking or IT incidents
- Unauthorized access or disclosure of PHI
- Theft or loss of an unencrypted device with access to PHI
- Improper disposal of medical records
When a patient’s PHI is potentially affected by one of these incidents, the affected patient must be informed within 60 days of discovery. Breach notification letters must be mailed to affected patients. If ten or more patients cannot be reached by mail, a substitute notice must be available on the organization’s website. If the incident affected 500 or more patients, the breached organization must notify media outlets to ensure that all affected patients are aware of the incident.
Breach notification requirements to the Department of Health and Human Services (HHS) differ depending on how many patients are affected by the incident.
- Breaches affecting 1 – 499 patients: organizations must keep a log of every breach involving fewer than 500 patients over the calendar year. Organizations have 60 days from the end of the calendar year in which the breach occurred to report these incidents to HHS, i.e., by March 1st.
- Breaches affecting 500+ patients: any incident that affected 500 or more patients must be reported to HHS within 60 days of discovering the incident. These incidents are posted on the OCR’s online breach portal.
Nevada HIPAA Violation
What is a Nevada HIPAA violation? While many HIPAA violations come to light through breaches, it is not the breach itself that establishes that a healthcare organization violated HIPAA. Most HIPAA violations occur when healthcare organizations fail to conduct accurate and thorough risk assessments, fail to provide patients with timely access to their medical records, lack signed business associate agreements, or fail to report breaches promptly.
Nevada SB 220 Compared to the HIPAA Privacy Rule
The HIPAA Privacy Rule also regulates the sale of certain personal information. The information the HIPAA Privacy Rule regulates is known as PHI, or protected health information.
Protected health information is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations, and payment for healthcare services.
Just as Nevada SB 220 provides consumers more control over how their personal information is used, by allowing them to opt out of sales of their covered information, so too does the HIPAA Privacy Rule.
Under the HIPAA Privacy Rule, patients control how their PHI is used for marketing purposes: covered entities and business associates must obtain written patient authorization for certain types of marketing.
Under the Privacy Rule, covered entities and business associates must obtain the individual’s written authorization for (among certain other types of marketing) marketing in which a covered entity or business associate:
- Uses or discloses PHI to a third party; and
- Receives financial remuneration for doing so.
Financial remuneration is defined as a direct or indirect payment that flows from or on behalf of a third party whose product or service is being described in a marketing communication.