- Enables them to find out how their health information is used and disclosed
- Limits release of information to the "minimum reasonably needed" for disclosure
- Gives them the right to examine and obtain a copy of their own health records and request corrections
So, What Does This Mean for Camps?
What Should My Camp Be Doing?
- Who receives completed health forms and who has access to those forms?
- Who of the kitchen staff are typically informed of health issues? Why are they told? Could that pool of people be more limited without jeopardizing safety?
- What health challenges are shared with cabin staff?
- Who in the specialized areas of camp — waterfront, ropes course, horseback riding, tripping, etc. — are told about health challenges? Why are they told?
- Under what circumstances does PHI leave camp? How is the privacy of that information monitored?
- What individuals have access to all and any PHI? Who has limited access and how is that access limited?
- When a person leaves camp — whether on a day trip or at the end of their camp session — how is their health history secured? Who makes decisions regarding the disposition of that information?
1. How should we set up our policies to ensure quick treatment in a medical situation, yet preserve the intent of the privacy rule?
- A: Your health form should include disclosure authorization for securing health care operations. In doing so, individuals — camp staff, campers, and their parent/guardian — may request restrictions to a camp’s disclosure policy and retain the right to revoke consent. For instance, language in your permission form could be modified to read: “I agree to the release of any records necessary for treatment, referral, billing, or insurance purposes . . . .”
2. The rule talks about providing only the “minimum necessary information.” How do we deal with that at camp?
- A: The privacy rule acknowledges that healthcare providers (such as your camp nurse or doctor) need free access to individual health information and in no way seeks to limit that access. In this situation, the rule directs entities to limit access to the minimum necessary or to that which is reasonable. What is meant by “minimal,” “necessary,” and “reasonable” is left to the discretion of the entity — camp, in your case. Because of this, the scope of what a given camp discloses may vary from other camps, but in all cases, only the minimum should be relayed. Thus, for your camp, the camp nurse or doctor has free access to health forms; camp staff generally would not. It should be noted that this rule does not apply only to written documents — it also refers to oral communication about health information. In camps, we often use oral communication to convey health information about people at camp. This rule directs us to provide “reasonable safeguards” so oral information is limited only to those who need to hear the information. For example, the camp nurse may talk with a cabin counselor about a camper’s care but would do so in a setting that limits — if not eliminates — who else listens to that conversation. Camps should also review screening practices of opening day to evaluate who is hearing what about whom during the process (Erceg, 2001).
- A: The camp retains the responsibility to satisfactorily determine that the provider is using PHI only for the purpose for which their services are engaged.
- A: The privacy rule recognizes custodial parents/guardians as the representative of a minor. Consequently, the custodial parent/guardian can sign statements of consent and/or authorization in the child's name. In addition, the rule also recognizes another person acting in loco parentis. This is a position that many camps assume with regard to campers.
- A: Yes. The rule recognizes that various agencies or public officials will need protected health information to deal effectively with a bioterrorism threat. You can disclose protected health information, without the individual's authorization, to a public health authority acting as authorized by law in response to a bioterrorism threat or public health emergency (see 45 CFR 164.512[b], public health activities). The privacy rule also permits a covered entity to disclose protected health information to public officials who are reasonably able to prevent or lessen a serious and imminent threat to public health or safety related to bioterrorism (see 45 CFR 164.512[j], to avert a serious threat to health or safety). In addition, disclosure of protected health information, without the individual's authorization, is permitted where the circumstances of the emergency implicates law enforcement activities (see 45 CFR 164.512[f]); national security and intelligence activities (see 45 CFR 164.512[k]); or judicial and administrative proceedings (see 45 CFR 164.512[e]).
- A: No. The privacy rule does not protect your employment records, even if the information in those records is health related. Generally, the privacy rule also does not apply to the actions of an employer, including the actions of a manager in your workplace. For additional information, see: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/employers.html .
- HIPAA Online: www.cms.gov/HIPAAGenInfo/01_Overview.asp#TopOfPage 
- HHS Office for Civil Rights Privacy Web site: www.hhs.gov/ocr/hipaa/ 
- For a copy of the regulations: www.hhs.gov/ocr/hipaa/finalreg.html 
- HIPAA Privacy and Security Resource Kit — everything a health care provider needs to conduct a HIPAA privacy and security risk assessment and generate an implementation plan are available through this Web site:
- www.hipaarx.net