USE AND DISCLOSURE OF PHI UNDER THE HIPAA PRIVACY RULE
1. INFORMATION REQUIRED TO BE PROTECTED. Under the HIPAA Privacy Rule, the privacy of all medical records, billing records, and other individually identifiable health information (“protected health information” or “PHI”) must be protected.
2. RESTRICTIONS ON USE AND DISCLOSURE OF PHI. Under HIPAA an individual’s PHI may be used or disclosed, without patient authorization, for treatment, payment, and health care operational purposes.
a. Treatment includes the provision, management, and coordination of health care, including coordination required between Cyberonics and the physicians who implant the VNS Therapy, as well as the hospitals at which the VNS Therapy is implanted. In other words, Physicians may still freely discuss and disclose PHI to Cyberonics regarding patients whom they are considering for VNS because such disclosures are related to the treatment of the patient.
b. Payment includes determining eligibility or coverage for reimbursement, including insurance verification and prior authorization.
c. Health care operations is defined by the HIPAA Privacy Rule to include such activities as quality assurance, business planning and development, and the business management and general administrative activities of Cyberonics.
d. Patient information generally cannot be used for purposes not related to treatment, payment, or health care operations without valid authorization from the individual. Cyberonics has developed a patient authorization form that, when signed by a patient, will allow Cyberonics to use or disclose PHI for purposes other than treatment, payment, or health care operations (e.g., research).
e. Except in certain situations, Cyberonics, other covered entities, and their business associates must make reasonable efforts to limit use and disclosure of PHI to the minimum amount necessary to accomplish the intended purpose for which the PHI is being used or disclosed. The minimum necessary rule does not apply to uses and disclosures: for treatment purposes; to the individual who is the subject of the PHI; pursuant to an individual’s authorization; required for compliance with HIPAA; to the Department of Health and Human Services for enforcement purposes; or uses and disclosures that are required by other law.
3. BUSINESS ASSOCIATES
a. PHI can only be disclosed by Cyberonics to vendors if the vendors first sign a Business Associate Agreement with Cyberonics. This would primarily apply to IT consultants that are given access to our software systems, thereby also having access to PHI that is accessible through the application.
b. In certain circumstances, Cyberonics will be acting as a Business Associate of other healthcare providers, such as when we provide Quality Assurance services related to VNS to Physicians or Hospitals. In such situations, Cyberonics will be required to enter into a Business Associate Agreement with the Physician or Hospital.
4. DE-IDENTIFICATION OF PHI. If health care information is de-identified, it is no longer subject to the HIPAA Privacy Standards, and can be freely shared with others. However, there are 18 specific identifiers that must be removed from the data for it to be considered de-identified for purposes of HIPAA.
5. USE OF PHI TO CREATE A LIMITED DATA SET. As an alternative to de-identification, a covered entity, such as Cyberonics, can create a “limited data set” through the removal of 16 specific identifiers. However, a limited data set may be used only for purposes of research, public health, or health care operations, and prior to disclosure of a limited data set, Cyberonics would be required to enter into a Data Use Agreement with the recipient of the data set.