What is HIPAA?
Health Insurance Portability and Accountability Act (passed into law in 1996)
Four Parts of HIPAA
1. Standardized Electronic Data Interchange transactions and codes for all covered entities
2. Standards for security of data systems
3. Privacy protections for individual health information
4. Standard national identifiers for health care

Transactions and codes: includes health claims, health plan eligibility enrollment/disenrollment, payments for care and health plan premiums, etc. In the past, health providers and plans have used many different electronic formats to transact medical claims. Implementing a national standard is intended to result in the use of one format, simplifying and improving transaction efficiency nationwide.

Security: Final Rule published in Feb. Takes effect April. Provides for a uniform level of protection of all EPHI. Requires CEs to ensure the confidentiality, integrity and availability of all EPHI the CE creates, receives, maintains or transmits.

Privacy: establishes the first set of basic national privacy standards and provides patients with a basic level of protection.

Identifiers: in the past, healthcare organizations have used multiple identification formats when conducting business, which was a costly and error-prone process. Standard identifiers are expected to reduce these problems. The standard adopts an employer’s identification number (EIN) or tax ID number as the standard for electronic transactions. Final standards have not been published.
The Privacy Rule…
- establishes a Federal floor of safeguards to protect the confidentiality of medical information
- allows patients to make informed choices when seeking care and reimbursement for care, based on how personal health information may be used
- took effect on April 14, 2003
What Does The Privacy Rule Protect?
Individually Identifiable Health Information, commonly referred to as “Protected Health Information” or “PHI”.
PHI is information transmitted in any form (oral, written, or electronic) that is:
1) Created or received by a covered entity; and
2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) There is a reasonable basis to believe the information can be used to identify the individual.
Examples of PHI
- Name, address, telephone, fax, and other contact information
- Social security number
- Health plan beneficiary number
- Medical diagnoses
- Medical records and account numbers
- Certificate and license numbers
- Photographs and images

As you can see, PHI, in a nutshell, covers demographic information for patients, their relatives, households and employers that was obtained during the course of medical treatment.
Who Must Comply with HIPAA?
- Health Plans
- Health Care Clearinghouses
- Health Care Providers who conduct certain financial and administrative transactions electronically

These entities are commonly known as Covered Entities (CE). HIPAA does not give HHS the right to regulate other types of private businesses or public agencies, such as employers, life insurance companies, or public agencies that deliver social security or welfare benefits.
What must a covered entity do to be in compliance with HIPAA?
- Notify patients about their privacy rights and how their information can be used
- Adopt and implement privacy procedures
- Train employees so they understand the privacy procedures
- Designate a Privacy Officer
- Secure patient records containing PHI
Vocabulary of HIPAA
Protected Health Information (PHI) is individually identifiable health information that contains unique features or details by which the individual can be identified.
Treatment, Payment and Health Care Operations (TPO) are common uses of PHI for which HIPAA does not require an authorization.
Vocabulary of HIPAA
Disclosure means the release, transfer, provision of access to, or divulging of information outside the entity holding the information.
Use means the sharing, employment, application, utilization, examination, or analysis of individually identifiable information within an entity.
Notice of Privacy Practices
- Plain language
- Specified uniform header
- Description and at least one example of each type of use and disclosure made for TPO
- Description of each permitted or required use or disclosure without authorization
- Sufficient detail of each use and disclosure to put the individual on notice
- Statement that all other uses or disclosures will only be made with the individual’s authorization
- Delineation of the individual’s privacy rights
New Patient’s Rights
- Right to a written Notice of Privacy Practices (NPP) that informs consumers how PHI will be used and to whom it is disclosed
- Right of timely access to see and copy records for a reasonable fee
- Right to request amendment of the record
- Right to restrict access and use
- Right to an accounting of disclosures
- Right to revoke authorization
Requests for Amendment
A patient may request, in writing, to have health information or a record about the patient amended. The CE does not have to agree to the amendment; however, the request to amend becomes a part of the patient’s medical record.

Patients may request amendments to the information they find in the medical record. Although we do not have to agree to the amendment, we must review all requests to determine if an amendment is warranted. This is done in consultation with the treating physician.
Requests for Restrictions
Patients may request, in writing, a restriction or limitation on the health information that a CE uses or discloses. The CE is not required to agree to the restriction.

Even though we do not have to agree to the restriction, we do have to review all requests and determine if they should be accepted. If they are accepted, the restriction must be communicated to all affected areas and it must be included in the medical record.
Accounting of Disclosures
- Patients are entitled to request a list of people and organizations who have received their PHI.
- Patients must submit a written Request for Accounting of Disclosures.
- A CE must respond to a patient’s request for an accounting within 60 days of receipt of the request.
- The accounting does not include TPO disclosures.
The accounting of disclosures should include disclosures…
- Required by law
- For public health activities
- About victims of abuse, neglect or domestic violence
- For health oversight activities
- For judicial and administrative proceedings
- For law enforcement purposes
- For research purposes (if authorization was waived)
- For specialized government functions
- For workers’ compensation
AUTHORIZATION…
- Is a detailed document that gives covered entities permission to use PHI for specified purposes.
- Is required for the use and disclosure of PHI not otherwise allowed by the Privacy Rule
- Does not apply to TPO
- Does not apply to uses and disclosures required by law
- May be revoked at any time in writing

Required by law:
- Public Health Activities – reporting births and deaths or adverse events
- Abuse, Neglect or Domestic Violence
- Health Oversight Agency
- Judicial and Administrative Proceedings – criminal trials, litigation, subpoenas
- Law Enforcement
- Decedents
- Organ, Eye or Tissue Donation
- Averting a Serious Threat
- Specialized Government Function
- Workers’ Compensation
Authorization Requirements
An authorization must describe:
- the PHI to be used and disclosed;
- the person authorized to make the use or disclosure;
- the person to whom the covered entity may make the disclosure;
- an expiration date; and
- the purpose for which the information may be used or disclosed.
Minimum Necessary Standard
HIPAA requires covered entities to take reasonable steps to disclose only the information that is necessary for the purpose for which the disclosure is to be made (i.e. the minimum necessary amount of information).
Minimum Necessary Does Not Apply To:
- Treatment
- Disclosures to the individual who is the subject of the PHI
- Uses or disclosures made pursuant to an individual’s authorization
- Uses or disclosures that are required by law
Do I need to know?
Ask yourself:
- Do I need this information to do my job and provide good patient care?
- What is the least amount of information I need to do my job?

If the answer to the first question is no, you should not be accessing the PHI in question. Please take these questions seriously and think about them as you come into contact with PHI.
Incidental Disclosure
A secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of an otherwise permitted use or disclosure.
EXAMPLE
Miguel shares a semi-private room with Victor. Dr. Nixon, Miguel’s doctor, comes in to talk to Miguel. Dr. Nixon draws the curtain between the two patients. During this bedside consult, Victor overhears Dr. Nixon say that Miguel needs a hernia operation.

Is this a HIPAA privacy violation? No. It is a classic example of an incidental disclosure. Dr. Nixon is engaging in a permitted activity. The correct answer is that an incidental disclosure occurred and that it is allowed under HIPAA.
Protecting Patient Privacy “Do’s”
- Close curtains and speak softly when discussing treatments in semi-private rooms
- Log off of the computer when you are finished
- Dispose of patient information by shredding or storing it in locked containers for destruction
- Clear patient information off of your desk when you leave your desk

Since the ultimate goal of the Privacy Rule is to protect the privacy of our patients, here are some things to keep in mind when you are dealing with patient information.
Protecting Patient Privacy “Don’ts”
- Tell anyone what you overhear about a patient
- Discuss a patient in public areas such as elevators, hallways, or cafeterias
- Look at information about a patient unless you need it to do your job
Rules for Using Computers
- Keep your password a secret
- Do not log in using someone else’s password
- Log off of the computer when you are finished using it
- Turn the computer screen away from public view
- Do not remove equipment, disks, or software without permission

Here are some basic guidelines for when you are using your computers. The Security Rule of HIPAA goes into effect in April. Once that regulation is enacted, you will receive more detailed information.
Rules for Using Faxes
Sending:
- Call the intended recipient before sending the fax
- Double-check the fax number before sending
- Use cover sheets for faxes

Receiving:
- Tell the person faxing information to alert you when he/she is about to send the fax
- Take faxes off of the machine immediately
- Do not let faxed patient information lie around unattended

There have been many misconceptions about faxing PHI. Here are the rules for sending and receiving faxes.
Business Associate
A person or entity that performs a function or activity on behalf of a CE that requires the creation, use or disclosure of PHI, but who is not considered part of the CE’s workforce.

BA functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management.

BA services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.

Exceptions to the BA standard: disclosures for treatment; persons/organizations whose function does not involve the use or disclosure of PHI (e.g. a janitorial service); persons/organizations acting merely as a conduit for PHI (e.g. the US Postal Service).
Business Associates
- Must be helping the covered entity carry out its health care functions
- Must have a written contract or agreement with the covered entity that assures that they will appropriately safeguard any PHI they receive or create
- PHI cannot be disclosed to the BA for their own independent use or purpose. They must use the PHI only for the purposes for which their services were engaged.

The usual method of obtaining satisfactory assurances is through a Business Associate Agreement that describes the permitted and required uses of PHI by the BA, provides that the BA will not use or further disclose PHI other than as permitted or required by the contract or by law, and requires the BA to use appropriate safeguards to prevent a use or disclosure of the PHI other than as provided for by the contract.
HIPAA’s Impact on Research Activities
- NO ONE is permitted to use PHI for research without complying with the new HIPAA requirements
- These HIPAA requirements are entirely separate from the existing federal human subject research regulations.
- HIPAA requirements: Preparatory to Research, Authorization, Waiver of Authorization, or Limited Data Set
- Informed Consent is not authorization.
Please Note:
The Privacy Policies and Procedures do not replace or override other rules or procedures established by the Institutional Review Board (“IRB”). Both must be complied with in order to conduct human subject research.
State Law vs. HIPAA
If there is a conflict or inconsistency between an applicable state law and the HIPAA Privacy Rule, follow the law that provides the patient:
- Greater privacy rights,
- Greater access to information, or
- Greater privacy protections.
Penalties for Privacy Violations
- Civil Penalties under HIPAA: Maximum fine of $25,000 per violation
- Criminal Penalties under HIPAA: Maximum of 10 years in jail and/or a $250,000 fine for serious offenses
- Organization Actions: Employee disciplinary actions including suspension or termination for violations of UNM’s policies and procedures

Criminal sanctions may be imposed for offenses where there is intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm.
The Privacy Rule Requirement
You may not retaliate against or intimidate an employee who files a HIPAA complaint.
CASE STUDY
Lori, a nurse who works on 5-West, has a lot of access to PHI. Terri, a nurse who works on 4-North, learns that her friend and elderly neighbor, Ms. Pate, was admitted to 5-West. Terri is concerned and wants to help, so she asks Lori to see Ms. Pate’s medical record. Together, they review and discuss their findings.

Trainer Talking Point:
Is this an appropriate disclosure? No. Ms. Pate’s PHI has nothing to do with Terri’s job. Lori should not have permitted Terri to have access to Ms. Pate’s medical record.
CASE STUDY
In deep conversation, Drs. Andrews and Day enter a crowded elevator and continue discussing a code yellow. Their conversation is quite detailed and graphic, but never mentions the patient’s name. Engaged in their conversation, they do not notice the onlookers intently listening to their conversation.

Trainer Talking Point:
This is inappropriate behavior. Even though the patient’s name was not used, the situation was described in such detail that someone could possibly determine who the patient was that coded during that day. Additionally, a relative of that patient could have also been on the elevator and known that the doctors were discussing their family member. This conversation should be confined to areas where the chance of someone overhearing is minimized.