1 HIPAA Privacy: Getting HIPAA Privacy to Fly... a Realistic, Practical Approach

2 Dr. Quack: Getting HIPAA to Fly
HIPAA Privacy
- History & Background
- Brief Review of Notice of Privacy Practices
- NOA (AOA) Manual Handout
- OCR Guidelines
- Office Physical Layout: suggested changes

3 HIPAA Privacy (What it is NOT)
- Electronic Data Interchange
- Medicare electronic claim regulations
- Computer software regulations
- EDI due in October 2003

4 HIPAA Privacy
- History & Background
- Brief Review of Notice of Privacy Practices
- NOA (AOA) Manual Handout
- OCR Guidelines
- Office Physical Layout: suggested changes

5 Background / History
- HIPAA Privacy: 1996 federal law
- Protects patient privacy
- Gives patients access to their records
- Allows patients to amend their records

6 Background / History
- Constantly morphing process over years
- Finally gelled in the last quarter of 2002
- Final federal rules published in October
- OCR Guidelines published in December

7 Background / History
- AOA HIPAA Privacy Manual published: 160 pages
- Charts (directions)
- Worksheets
- Policy suggestions

8 HIPAA Privacy
- History & Background
- Brief Review of Notice of Privacy Practices
- NOA (AOA) Manual Handout
- OCR Guidelines
- Office Physical Layout: suggested changes

9 Review of Notice of Privacy Practices
- Policy 14B (pages in the Manual; a copy for posting is at the end of the Manual)
- Sample practice on the Notice: Dr. Platypus et al; Dr. Donald Duck and Daisy Duck; Dr. Daffy Duck and Peking Duck; THE OPTOMETRISTS PRACTICING IN DUCKVILLE, NEBRASKA

10 Review of Notice of Privacy Practices
This notice describes how medical information about you may be used (in our office) or disclosed (outside our office) and how you can gain access to this information.

11 Treatment, Payment and Health Care Operations
The most common reason why we use or disclose your health information is for treatment, payment or health care operations.

12 Treatment, Payment and Health Care Operations
- Setting up an appointment for you;
- Testing or examining your eyes;
- Prescribing glasses, contact lenses, or eye medications, and

13 Treatment, Payment and Health Care Operations
- Faxing them to be filled; showing you low vision aids;
- Referring you to another doctor or clinic for eye care or low vision aids or services; or
- Getting copies of your health information from another professional that you may have seen before us.

14 Treatment, Payment and Health Care Operations
- Asking you about your health or vision care plans, or other sources of payment;
- Preparing and sending bills or claims; and
- Collecting unpaid amounts (either ourselves or through a collection agency or attorney).

15 Treatment, Payment and Health Care Operations
Administrative and managerial functions:
- Financial or billing audits;
- Internal quality assurance;
- Personnel decisions;

16 Treatment, Payment and Health Care Operations
- Participation in managed care plans;
- Defense of legal matters;
- Business planning; and
- Outside storage of our records.

17 Treatment, Payment and Health Care Operations
We routinely use your health information inside our office for these purposes without any special permission. If we need to disclose your health information outside of our office for these reasons, we usually will not ask you for special written permission.

18 Treatment, Payment and Health Care Operations
We will ask for special written permission when it is required by law.

19 Other Uses or Disclosures Without Permission
In some limited situations, the law allows or requires us to use or disclose your health information without your permission. Not all of these situations will apply to us; some may never come up at our office at all.

20 Other Uses or Disclosures Without Permission
- When a state or federal law mandates that certain health information be reported for a specific purpose;

21 Other Uses or Disclosures Without Permission
- For public health purposes, such as contagious disease reporting, investigation or surveillance; and
- Notices to and from the federal Food and Drug Administration regarding drugs or medical devices;

22 Other Uses or Disclosures Without Permission
- Disclosures to governmental authorities about victims of suspected abuse, neglect or domestic violence;
- Uses and disclosures for health oversight activities, such as for the licensing of doctors, for audits by Medicare or Medicaid, or for investigation of possible violations of health care laws;

23 Other Uses or Disclosures Without Permission
- Disclosures for judicial and administrative proceedings, such as in response to subpoenas, orders of courts, or orders of administrative agencies;

24 Other Uses or Disclosures Without Permission
- Disclosures for law enforcement purposes, such as to provide information about someone who is or is suspected to be a victim of a crime; to provide information about a crime at our office; or to report a crime that happened somewhere else;

25 Other Uses or Disclosures Without Permission
- Disclosure to a medical examiner to identify a dead person or to determine the cause of death; to funeral directors to aid in burial; or to organizations that handle organ or tissue donations;
- Uses or disclosures for health related research;
- Uses and disclosures to prevent a serious threat to health or safety;

26 Other Uses or Disclosures Without Permission
- Uses or disclosures for specialized government functions, such as for the protection of the President or high ranking government officials; for lawful national intelligence activities; for military purposes; or for the evaluation and health of members of the foreign service;

27 Other Uses or Disclosures Without Permission
- Disclosures of de-identified information;
- Disclosures relating to workers' compensation programs;
- Disclosures of a "limited data set" for research, public health, or health care operations;

28 Other Uses or Disclosures Without Permission
- Incidental disclosures that are an unavoidable by-product of permitted uses or disclosures;
- Disclosures to "business associates" who perform health care operations for us and who commit to respect the privacy of your health information;
- Other uses and disclosures affected by state law.

29 Uses & Disclosures: Unless You Object...
Unless you object, we will also share relevant information about your care with your family or friends who are helping you with your eye care.

30 Uses & Disclosures: Unless You Object... Appointment Reminders
We may call or write to remind you of scheduled appointments, or that it is time to make a routine appointment. We may also call or write to notify you of other treatments or services available at our office that might help you.

31 Uses & Disclosures: Unless You Object... Appointment Reminders
We will mail you an appointment reminder on a post card, and/or leave you a reminder message on your home answering machine or with someone who answers your phone if you are not home.

32 Uses & Disclosures: Only With Authorization
We will not make any other uses or disclosures of your health information unless you sign a written "authorization form." Federal law determines the content of an "authorization form." Sometimes we may initiate the authorization process if the use or disclosure is our idea. Sometimes you may initiate the process if it is your idea for us to send your information to someone else.

33 Uses & Disclosures: Only With Authorization
Typically, in this situation you will give us a properly completed authorization form, or you can use one of ours. If we initiate the process and ask you to sign an authorization form, you do not have to sign it. If you do not sign the authorization, we cannot make the use or disclosure.

34 Uses & Disclosures: Only With Authorization
If you do sign one, you may revoke it at any time unless we have already acted in reliance upon it. Revocations must be in writing. Send them to the office contact person named at the end of this Notice.

35 YOUR RIGHTS Regarding your PHI
The law gives you many rights regarding your health information....

36 YOUR RIGHT to ask us to restrict uses & disclosures
Ask us to restrict our uses and disclosures for purposes of treatment (except emergency treatment), payment or health care operations. We do not have to agree to do this, but if we agree, we must honor the restrictions that you want. To ask for a restriction, send a written request to the office contact person named at the end of this Notice. Use the address, fax or e-mail shown at the beginning of this Notice.

37 YOUR RIGHTS: Confidential Communication
Ask us to communicate with you in a confidential way, such as by phoning you at work rather than at home, by mailing health information to a different address, or by using your personal e-mail address.

38 YOUR RIGHTS: Confidential Communication
We will accommodate these requests if they are reasonable, and if you pay us for any extra cost. If you want to ask for confidential communications, send a written request to the office contact person named at the end of this Notice. Use the address, fax or e-mail shown at the beginning of this Notice.

39 YOUR RIGHTS: Photocopies
Ask to see or to get photocopies of your health information. By law, there are a few limited situations in which we can refuse to permit access or copying.

40 YOUR RIGHTS: Photocopies
For the most part, however, you will be able to review or have a copy of your health information within 30 days of asking us (or sixty days if the information is stored off-site). You may have to pay for photocopies in advance. If we deny your request, we will send you a written explanation, and instructions about how to get an impartial review of our denial if one is legally available.

41 YOUR RIGHTS: Photocopies
By law, we can have one 30 day extension of the time for us to give you access or photocopies if we send you a written notice of the extension. [Nebraska?] If you want to review or get photocopies of your health information, send a written request to the office contact person named at the end of this Notice. Use the address, fax or e-mail shown at the beginning of this Notice.

42 YOUR RIGHTS: Amending your PHI
Ask us to amend your health information if you think that it is incorrect or incomplete. If we agree, we will amend the information within 60 days from when you ask us. We will send the corrected information to persons who we know got the wrong information, and to others that you specify.

43 YOUR RIGHTS: Amending your PHI
If we do not agree, you can write a statement of your position, and we will include it with your health information along with any rebuttal statement that we may write.

44 YOUR RIGHTS: Amending your PHI
Once your statement of position and/or our rebuttal is included in your health information, we will send it along whenever we make a permitted disclosure of your health information. By law, we can have one 30 day extension of time to consider a request for amendment if we notify you in writing of the extension.

45 YOUR RIGHTS: Amending your PHI
If you want to ask us to amend your health information, send a written request, including your reasons for the amendment, to the office contact person named at the end of this Notice. Use the address, fax or e-mail shown at the beginning of this Notice.

46 YOUR RIGHTS: Lists of PHI disclosed
Get a list of the disclosures that we have made of your health information within the past six years (or a shorter period if you want). By law, the list will not include: disclosures for purposes of treatment, payment or health care operations; disclosures with your authorization; incidental disclosures; disclosures required by law; and some other limited disclosures.

47 YOUR RIGHTS: Lists of PHI disclosed
You are entitled to one such list of disclosures per year without charge. If you want more frequent lists, you will have to pay for them in advance. We will usually respond to your request within 60 days of receiving it, but by law we can have one 30 day extension of time if we notify you of the extension in writing.

48 YOUR RIGHTS: Lists of PHI disclosed
If you want a list of disclosures, send a written request to the office contact person named at the end of this Notice. Use the address, fax or e-mail shown at the beginning of this Notice.

49 YOUR RIGHTS: Copies of Privacy Practices
Get additional paper copies of this Notice of Privacy Practices upon request. It does not matter whether you got one electronically or in paper form already. If you want additional paper copies, send a written request to the office contact person named at the end of this Notice. Use the address, fax or e-mail shown at the beginning of this Notice.

50 OUR NOTICE OF PRIVACY PRACTICES
By law, we must abide by the terms of this Notice of Privacy Practices until we choose to change it. We reserve the right to change this notice at any time as allowed by law.

51 OUR NOTICE OF PRIVACY PRACTICES
If we change this Notice, the new privacy practices will apply to your health information that we already have as well as to such information that we may generate in the future. If we change our Notice of Privacy Practices, we will post the new notice in our office, have copies available in our office, and post it on our Web site.

52 COMPLAINTS
If you think that we have not properly respected the privacy of your health information, you are free to complain to us or to the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against you if you make a complaint.

53 COMPLAINTS
If you want to complain to us, send a written complaint to the office contact person named at the end of this Notice. Use the address, fax or e-mail shown at the beginning of this Notice. If you prefer, you can discuss your complaint in person or by phone.

54 HIPAA Privacy
- History & Background
- Brief Review of Notice of Privacy Practices
- NOA (AOA) Manual Handout
- OCR Guidelines
- Office Physical Layout: suggested changes

55 NOA (AOA) Manual Handout
NOA adaptations of the AOA Manual:
- HIPAA job title on policies instead of name
- Tables added (job titles, etc.)
- State law addressed
- Index added
- Formatted for letterhead
- Underline replaces brackets

56 Inserted Tables (NOA unique)
- Personnel names vs. job title
- Job titles vs. PHI
- HIPAA Officers' names

57 Inserted Tables (NOA unique): Personnel names vs. job title
- Every employee listed
- For each employee, check each job they perform
- Enter the date they completed HIPAA training

58 Inserted Tables (NOA unique): Job Titles vs. PHI
- Every job title listed
- Using the analysis forms provided (Worksheet 6 or Dr. Quack's Assessment, Worksheet 24), check each type of PHI accessed

59 Inserted Tables (NOA unique): HIPAA Officers' names
- List every person with a HIPAA role
- Check the HIPAA role(s) they will perform
- Enter the date they completed HIPAA training

60 HIPAA and Nebraska Law
Briefly describes the Nebraska state law section at the back of the manual. Inserted here to indicate that a section has been added.

61 Policy 3A: Affiliated Covered Entities
- 2 or more entities (example: corporations)
- Connected ownership or control
- Comply with HIPAA as a single unit
(Dr. Quack)

62 Policy 3B: Health Care Components
- Affects hybrid entities (example: retail & optometry)
- Should designate a portion of the business as the "health care component"
- Only the health care component must then comply with HIPAA; otherwise, the entire entity must comply with HIPAA
(Dr. Merganser Duck)

63 Policy 5A: Privacy Officer
- Qualifications
- Duties
- Who is appointed (refers to HIPAA Personnel Roster)

64 Policy 5B: Public Information Officer
- Qualifications
- Duties
- Who is appointed (refers to HIPAA Personnel Roster)

65 Worksheet 6 or Dr. Quack's Assessment
- Gather information on the use of PHI in your office
- Complete one form for each job description
- Keep on hand, proving you made the effort

66 Worksheet 8: No authorization needed for some uses of PHI
- Treatment
- Payment
- Health Care Operations

67 Policy 7A, 8A, 10A: No Authorization Required for Certain Disclosures of PHI
- Treatment, Payment, Health Care Operations
- Business Associates
- Use or disclosure required by law
- Others mentioned in the Notice of Privacy Practices (also addressed in the State Law Appendix)

68 Policy 9A: Facility Directory
The directory policy applies to an entity that keeps a directory of patients in the process of a procedure, et cetera.
- 9A: Describes what must take place if you have a directory
- 9A No Directory: ODs who do not maintain a directory need not comply with this section

69 Policy 9B: Providing Information to Family & Friends
- General policy explained
- Oral agreement with patient okay

70 Worksheet 10: Public Policy Disclosures
- For Policy 7A, 8A, 10A (previously reviewed)
- See the state law section for Dr. Quack's assessment

71 Worksheet 11: Marketing & Advertising
- Read policy 11A.
- Authorization is not needed for marketing described in item #4 or #7 (covers most marketing done by ODs).
- Other marketing requires individual authorization for each occurrence.

72 Policy 11A: Marketing & Advertising
Cannot release PHI to others without written authorization:
- Pictures
- Testimonials
- Patient lists to marketers
Can "market" to an individual patient:
- Services you provide
- Materials you provide
- Give promotional gifts of limited value

73 Policy 11A: Marketing & Advertising
Can market without use of PHI:
- General TV ads
- Brochures to occupant
Read the policy carefully.

74 Policy 11A: Marketing & Advertising
OCR changes since the AOA printing:
- CAN leave a non-specific message on an answering machine (glasses are ready, appointment tomorrow, due for exam)
- CAN send a postcard with the appointment time
- Unless the patient requests otherwise

75 Policy 12A: Disclosures for Research
Need to read carefully if you:
- Participate in clinical trials
- Conduct research

76 Worksheet 13: Prepare PHI Disclosure Authorization Form
Use as you feel necessary after reading the policies.

77 Policy 13A: PHI Disclosure Authorization Form
- Detailed description of what is to be released
- Specific purpose
- Expiration date
- New form for every disclosure

78 Policy 13B: Personal Representative for Patients
Addresses "standing in the shoes" of the patient regarding PHI:
- Parents (and divorced parents)
- Guardians
- Emancipated minors (not in Nebraska?)
- Deceased patients' representatives

79 Policy 13B: Personal Representative for Patients
- Policy refers to the state law section (p. 80) (see items #29, #68, and #69 in parts II & III)
- Not specific regarding state law
- HIPAA does not appear to present new problems
- Dr. Quack cannot give legal advice; see your attorney with real questions

80 Policy 14A: Prepare Notice of Privacy Practices
- Post in reception area (back of handout)
- Keep stock in reception area
- Distribute to every patient
- Request patient to sign receipt (must try)
- Receipt/denial kept in record (verify each visit)
- Update at next visit if policy changes

81 Policy 14B: Actual Notice of Privacy Practices
Reviewed earlier.

82 Policy 15A (& 16A): Defines Designated Record Set
- Contents of patient's clinical chart
- Contents of billing materials
- Contents of treatment, orders, laboratory information

83 Policy 15B: Patient Access to their own PHI
Nebraska Hospital Association's evaluation of Nebraska statute vs. HIPAA (p. 82):
- Reasons for denial: follow HIPAA standard
- Charges for copying: Nebraska statute
Dr. Quack's evaluation:
- Time to respond: follow state law (30 days)

84 Letters responding to Patient Requesting Access to PHI
- Letter 1: extension (legal in Nebraska?) (toss??)
- Letter 2: agree to access
- Letter 3: denial of access

85 Policy 16B: Amendment of PHI
- Patient can request to amend record
- If Dr agrees: amendment added; new information forwarded to others with the record
- If Dr disagrees and denies amendment: patient can submit a letter of disagreement; Dr can attach the denial letter and rebut in writing

86 Letters responding to Patient Requesting Amendment
- Letter 1: decline to amend
- Letter 2: agree to amend
- Letter 3: delay in amending

87 Policy 17A: Accounting for Disclosures of PHI
Don't need to account for disclosures:
- For treatment, payment, H. C. operations
- To the patient
- To family, friends, or care givers
- Authorized
- Incidental
- Marketing & advertising per exceptions

88 Policy 17A: Accounting for Disclosures of PHI
- Do need to account for disclosures violating policy 11A
- If you did everything right, there should be nothing to report in the accounting

89 Letters responding to Patient Requesting an Accounting of Disclosures of PHI
- Letter 1: delay of accounting

90 Policy 18A: Restrictions to Use of PHI
- Must allow the patient to request a restriction on uses of PHI that would otherwise not be restricted
- You do not have to agree to the request
- If you do agree, you must abide by the agreement
- Can terminate in writing
- May be better never to agree

91 Policy 19A: Confidential Communication Methods
Must have a policy to allow patients to specify special methods of communication with them. Examples:
- No answering machines
- No post cards
- Call at office only
- Never call at office
Must comply with requests agreed to.

92 Worksheet 20: Business Associates
AOA's Joanne Lax, J.D., recommends the following steps to determine who is a business associate.
Step One: Identify all outside companies with which you do business.

93 Worksheet 20: Business Associates
Step Two: Flag companies that perform health care services on your behalf (i.e., those to which you have outsourced):
- Billing service
- Optical lab
- Quality assurance
- Staff training

94 Worksheet 20: Business Associates
Step Three: Also flag the companies that perform the following services:
- Legal
- Accounting
- Consulting
- Management (office, building, software, etc.)

95 Worksheet 20: Business Associates
Step Four: Of the companies you have flagged, flag again those that need to generate, maintain, use, or disclose PHI in order to do their job. Examples:
- Billing agents
- Software support that sees PHI
- Collections agencies
- Outside medical transcription service
Companies with two flags are your business associates.

96 Worksheet 20: Business Associates
Business associates that need attention right now fall into any of the following groups:
- You do not currently have a written services contract with them.
- You have a written services contract with them, but you entered into it after October 15, 2002.
- You have a written services contract, but it will expire or need to be renewed before April 14, 2003.

97 Worksheet 20: Business Associates
Business associates that do not need immediate action: you have a contract that existed before October 15, 2002, and that either automatically renews or will not expire or be renewed before April 14, 2003. You have to act on this latter group on the earlier of: the date that you will renew the contract, or April 14, 2004. Note these business associates on the worksheet and complete the columns.

98 Worksheet 20: Business Associates
Negotiate a business associate contract with each of your business associates, except:
- A business associate that only uses, generates, maintains or discloses PHI for treatment purposes.
- OCR also excludes payers…

99 Business Associate Agreements
- Policy 21A: BA agreement with AOA language
- Policy 21A: BA agreement without AOA language
- Your Notice of Privacy Practices must be supplied to the BA

100 BA Follow-up
- Do not have to monitor the BA for compliance
- Do not have to train the BA
- If you learn of non-compliance, you must: mitigate where possible (per subsequent policy), and insist the BA comply or terminate the contract
- If the BA fails to comply, you must find another vendor

101 Worksheet 23: You must safeguard PHI
Safeguards come in many forms. The three general categories are:
- Administrative (policies & procedures)
- Physical (physical plant)
- Technological (relating to electronics)

102 Worksheet 23: You must safeguard PHI
Examples of safeguards include:
- Locks on records' storage rooms or cabinets (or monitoring)
- Phones in confidential locations
- Closing doors

103 Worksheet 23: You must safeguard PHI
- Computer passwords
- Computer screen savers or screen shields
- Limited field access for electronic data

104 Worksheet 23: You must safeguard PHI
- Turning charts to face the wall in boxes outside patients' exam rooms
- Prohibiting calls to pharmacies or other providers where they can be overheard
- Prohibiting staff from discussing clinical issues with patients where they can be overheard
- Shredding discarded PHI

105 Worksheet 23: You must safeguard PHI
This aspect of HIPAA requires unique, individualized solutions based upon:
- Your office layout
- Opportunities to easily make physical plant changes
- Budget for physical & technological gadgets
- Workable policies & procedures

106 Worksheet 23: You must safeguard PHI
You are not required to go to extremes to guarantee that no PHI will ever be inadvertently disclosed. "Incidental" disclosures (i.e., unavoidable disclosures secondary to a permitted use or disclosure) are permitted under HIPAA, so long as you use reasonable safeguards and you observe the minimum necessary rule.

107 Worksheet 24: Minimum Necessary PHI
Using Worksheet 6 (or the Quack assessment):
- Determine which job descriptions must access what PHI
- Determine whether the minimum necessary rule is currently being abided by
- Determine what changes should be made, if any

108 Policy 24A: Minimum Necessary Uses
- Complete the table titled "Access to PHI by Job Category" found at the front of this manual
- Modify records & procedures where practical so that information for a particular task is segregated, but clinical needs & operations are not compromised in the process of segregation

109 Policy 24A: Minimum Necessary Disclosures
- For routine disclosures of PHI, determine the minimum necessary amount of PHI needed to respond. Example: eye exam report to a school (with authorization, or give it to the parent)
- For non-routine disclosures of PHI, decide how your Privacy Officer (PO) will determine the minimum amount of PHI necessary to respond

110 Policy 24A2: Confidentiality Agreement
- Referred to but not included in the AOA Manual
- Fabricated by Dr. Quack
- All staff should sign a confidentiality agreement stating their commitment to accessing only the minimum amount of PHI necessary to do their job
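The "limited field access for electronic data" safeguard in Worksheet 23 and the "Access to PHI by Job Category" table in Policy 24A describe the same control: each job title sees only the PHI categories its tasks need. The following is an added example, not code from the presentation or from the AOA/NOA manual, of enforcing such a table in software with deny-by-default and an audit entry per lookup. The job titles, PHI categories, field names and the patient record are all constructed for illustration; an office would fill the two tables from its own Worksheet 6 / Worksheet 24 analysis.

```python
# Added example, not part of the presentation or the AOA manual: a
# field-level "minimum necessary" filter that enforces an "Access to PHI by
# Job Category" table in code, deny-by-default, and records what each
# lookup released and withheld. Job titles, PHI categories, field names and
# the patient record are all constructed for illustration.

# Which PHI categories each job title may see. Any title not listed, or any
# category not listed for a title, is denied (constructed values).
ACCESS_BY_JOB = {
    "receptionist": {"demographics", "scheduling"},
    "billing_clerk": {"demographics", "insurance", "billing"},
    "technician": {"demographics", "scheduling", "clinical"},
    "optometrist": {"demographics", "scheduling", "insurance",
                    "billing", "clinical"},
}

# Which category each record field belongs to (constructed). A field that is
# not mapped is treated as PHI of unknown category and is always withheld.
FIELD_CATEGORY = {
    "patient_id": "demographics",
    "name": "demographics",
    "phone": "demographics",
    "birth_date": "demographics",
    "next_appointment": "scheduling",
    "health_plan_id": "insurance",
    "balance_due": "billing",
    "diagnosis": "clinical",
    "rx": "clinical",
}

# In-memory stand-in for an access audit trail; a real office system would
# write these entries somewhere staff cannot edit them.
ACCESS_LOG = []


def minimum_necessary_view(record, job_title):
    """Return only the fields the job title's categories allow.

    Every call appends one audit entry listing the fields released and the
    fields withheld, so a later review can show who saw what.
    """
    allowed = ACCESS_BY_JOB.get(job_title, set())  # unknown title: nothing
    view, withheld = {}, []
    for field, value in record.items():
        category = FIELD_CATEGORY.get(field)
        if category is not None and category in allowed:
            view[field] = value
        else:
            withheld.append(field)
    ACCESS_LOG.append({
        "job_title": job_title,
        "patient_id": record.get("patient_id"),
        "released": sorted(view),
        "withheld": sorted(withheld),
    })
    return view


# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "patient_id": "P-0042",
    "name": "Daisy Duck",
    "phone": "402-555-0100",
    "birth_date": "1965-06-15",
    "next_appointment": "2003-04-21 09:30",
    "health_plan_id": "BCBS-7781",
    "balance_due": 45.00,
    "diagnosis": "presbyopia",
    "rx": "OD -1.25 DS, OS -1.00 DS, add +2.00",
    "notes_from_referring_md": "see attached letter",  # unmapped: withheld
}

if __name__ == "__main__":
    for title in ("receptionist", "billing_clerk", "optometrist", "janitor"):
        print(title, "->", sorted(minimum_necessary_view(SAMPLE_RECORD, title)))
    print("audit entries:", len(ACCESS_LOG))
```

The two design choices worth copying are the ones the slides imply but do not spell out: an unmapped field or unknown job title gets nothing rather than everything, and every lookup leaves a record of what was withheld, which is what a Privacy Officer needs when checking whether the minimum necessary rule "is currently being abided by".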

111 Policy 25A: Verification Before Disclosing PHI
You must check the identity & authority of someone signing an authorization on behalf of a patient, or seeking PHI without an authorization, if you don't know this information already.

112 Policy 25A: Verification Before Disclosing PHI
This should include obtaining copies of applicable documents, such as guardianship papers, power of attorney for health care, or an official badge. You can rely on documents that appear valid. You must resolve questions or problems before you can accept the authorization or disclose the requested PHI.

113 Policy 26A: You Must Mitigate Harm from Improper Disclosure
- The duty only applies if you "know" of the harm. You do not have to actively monitor for evidence of harm.
- You only have to mitigate harm if it is "practical" for you to do so.
- You have full discretion to evaluate each situation, and to take mitigation steps appropriate to it.

114 Policy 26A: You Must Mitigate Harm from Improper Disclosure
Mitigation can be:
- As simple as an apology or correction.
- An attempt to get back the PHI disclosed.
- Obtaining a signed agreement from the receiver not to use or disclose the improperly released PHI.
It's up to you in each case.

115 Policy 27A: Complaints about Violations
Must have a written office policy to accept, thoroughly investigate, and resolve complaints from patients who believe their privacy has not been properly respected.

116 Policy 28A: De-Identification of PHI
Should you want to use PHI without HIPAA restrictions: none of HIPAA's use & disclosure rules apply to information stripped of all identifiers.

117 Policy 28A: De-Identification of PHI
You can de-identify PHI in one of two ways:
- A statistical expert can give an opinion that PHI has been de-identified; or
- You can remove the specific identifiers listed in HIPAA's "safe harbor" method.

118 Policy 29A & 29B: Limited Data Sets
- A limited data set is stripped of some identifiers
- You can then disclose the PHI for research, public health, or health care operations

119 Policy 29A & 29B: Limited Data Sets. Examples of sharing for health care operations: business planning for a health plan or provider; sale or merger of a health plan; or financial management of a health plan or provider.

120 Policy 29B: Limited Data Set: Data Use Agreement. Similar to a Business Associate Agreement. It describes the recipient's uses and disclosures; requires the recipient to use appropriate safeguards; requires the recipient to tell you of any wrongful use or disclosure; prohibits the recipient from identifying or contacting the patient; and requires the recipient's agents to abide by the same conditions as the recipient.
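The two identifier-stripping levels just described (Policy 28A safe harbor and the Policy 29A/29B limited data set) applied to a constructed optometry record, as an added example that is not part of the presentation or the AOA manual. The safe-harbor field handling follows 45 CFR 164.514(b)(2) and the limited data set 164.514(e); the record layout, field names, and the SMALL_ZIP3 set are assumptions for illustration.

```python
# Added example (not from the AOA manual or the presentation): de-identifying a
# constructed record at the limited-data-set level and at the safe-harbor level.
from datetime import date

# Constructed sample record; not a real patient. Field names are assumptions.
PATIENT = {
    "name": "Daisy Duck",
    "address": "12 Pond Lane",
    "city": "Duckville",
    "state": "NE",
    "zip": "68901",
    "birth_date": "1931-04-05",
    "exam_date": "2003-02-14",
    "phone": "402-555-0100",
    "email": "daisy@example.com",
    "ssn": "000-00-0000",
    "mrn": "MRN-12345",
    "health_plan_id": "HP-777",
    "diagnosis": "myopia",
    "refraction_od": "-2.25",
}

# Direct identifiers removed by both methods (a subset of the safe-harbor list).
DIRECT_IDENTIFIERS = {"name", "address", "phone", "email", "ssn", "mrn", "health_plan_id"}
# Date fields: a limited data set may keep them; safe harbor keeps only the year.
DATE_FIELDS = {"birth_date", "exam_date"}
# Illustrative stand-in for the census-derived list of three-digit ZIP areas with
# 20,000 or fewer people; the authoritative list must come from current census data.
SMALL_ZIP3 = {"036", "059", "063", "102"}


def _age_on(birth_iso: str, ref: date) -> int:
    b = date.fromisoformat(birth_iso)
    return ref.year - b.year - ((ref.month, ref.day) < (b.month, b.day))


def limited_data_set(record: dict) -> dict:
    """Policy 29A/29B level: direct identifiers out; dates, city, state and ZIP stay."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor(record: dict, ref: date = date(2003, 3, 1)) -> dict:
    """Policy 28A safe-harbor level: also generalize geography, dates and age."""
    out = limited_data_set(record)
    out.pop("city")                       # only state and a 3-digit ZIP may remain
    z3 = out.pop("zip")[:3]
    out["zip3"] = "000" if z3 in SMALL_ZIP3 else z3
    for field in DATE_FIELDS:             # keep the year only
        out[field.replace("_date", "_year")] = out.pop(field)[:4]
    age = _age_on(record["birth_date"], ref)
    if age > 89:                          # ages over 89 collapse into one bucket
        out.pop("birth_year")             # the birth year would reveal the age
        out["age"] = "90+"
    else:
        out["age"] = age
    return out


def leaked_identifiers(record: dict) -> set:
    """Release check: fields that must not be present in a safe-harbor data set."""
    return (DIRECT_IDENTIFIERS | DATE_FIELDS | {"city", "zip"}) & set(record)
```

The release check is the practical point: a limited data set still fails it, which is why it may leave the office only under a data use agreement.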

121 Worksheet 30: Train All Employees. Your work force includes more people than your payroll. It includes: all W2 employees; students (all kinds); volunteers; and any independent contractor working on-site and under your direct control whom you have not treated as a business associate (see Chart 20).

122 Worksheet 30: Train All Employees. Training can take any form: live lectures, purchased on-line training modules, review of policies/procedures, workbooks, or any other method that you devise. Training needs to be job specific.

123 Worksheet 31: State Law vs. HIPAA. A state law that relates to the privacy of PHI but is not contrary to HIPAA remains fully effective after HIPAA; you must comply with both the state law and HIPAA. A state law that relates to the privacy of PHI, is contrary to HIPAA, and is "less stringent than" HIPAA is wiped out by HIPAA and is no longer effective.

124 Worksheet 31: State Law vs. HIPAA. A state law that relates to the privacy of PHI and is contrary to HIPAA, but is "more stringent than" HIPAA, remains in effect after HIPAA; you must comply with the state law, not HIPAA.

125 Dr. Quack's State Law Appendix. I: The concept of pre-emption. II: Nebraska Hospital Association review of statutes: 70 statutes and their relationship to HIPAA, with Quack's comments on the effect on optometry. III: More detail on statutes affecting ODs; subpoenas and HIPAA in Nebraska.

126 State Law: Before & After HIPAA. It appears little state law is truly pre-empted, based on the Hospital Association evaluation. State law is therefore unchanged and should prove no greater problem than previously. Optometrists should read and review the last two sections of the Quack appendix: detail on sections possibly related to optometry, and subpoenas (discovery). Seek legal advice with additional questions.

127 HIPAA Privacy: History & Background; Brief Review of Notice of Privacy Practices; NOA (AOA) Manual Handout; OCR Guidelines; Office Physical Layout: suggested changes.

128 OCR Guidelines. "The HIPAA Privacy Rule is not intended to impede these customary and essential communications and practices and, thus, does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards."

129 OCR Guidelines. The Privacy Rule permits certain incidental uses and disclosures of PHI when the covered entity uses reasonable safeguards and minimum necessary policies and procedures.

130 Reasonable Safeguards. Speaking quietly when discussing a patient's condition with family members in a waiting room or other public area; avoiding using patients' names in public hallways and elevators.

131 Reasonable Safeguards. Posting signs to remind employees to protect patient confidentiality; supervising, isolating, or locking file cabinets or records rooms; providing additional security, such as passwords, on computers maintaining personal information.

132 More Safeguards. Ask waiting customers to stand a few feet back from a counter used for patient counseling. Use cubicles, dividers, shields, curtains, or similar barriers where multiple patient-staff communications routinely occur.

133 Minimum Necessary Rule. Requires limiting access to PHI based on what is needed to perform job duties. Unimpeded access to PHI, where not necessary for the job at hand, is not applying the minimum necessary standard. Any incidental use or disclosure that results from not applying the Minimum Necessary Standard would be unlawful.

134 Minimum Necessary Rule. The minimum necessary standard does not apply to disclosures, including oral disclosures, among health care providers for treatment purposes.

135 OCR Guidelines FAQs: Confidential conversations. Q: Can health care providers engage in confidential conversations with other providers or with patients, even if there is a possibility that they could be overheard? A: Yes, when using reasonable safeguards.

136 OCR Guidelines FAQs: Confidential conversations. Providers are free to engage in communications as required for quick, effective, and high quality health care. Overheard communications in these settings may be unavoidable and are allowed as incidental disclosures.

137 OCR Guidelines FAQs: Confidential conversations. When using reasonable safeguards: health care staff may orally coordinate services at hospital nursing stations; staff may discuss a patient's condition over the phone with the patient, a provider, or a family member; a health care professional may discuss lab test results with a patient or other provider in a joint treatment area.

138 OCR Guidelines FAQs: Confidential conversations. HIPAA Privacy does not require private rooms, soundproofing of rooms, encryption of wireless or other emergency medical radio communications, or encryption of telephone systems.

139 OCR Guidelines FAQs: Mailings & phone calls. Q: May physicians' offices or pharmacists leave messages at patients' homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients' homes?

140 OCR Guidelines FAQs: Mailings & phone calls. A: Yes. Limit the PHI disclosed on the answering machine: consider leaving only your name and number and the PHI necessary to confirm an appointment, or ask the individual to call back. You may leave a message with a family member or other person who answers the phone when the patient is not home.

141 OCR Guidelines FAQs: Confidential Conversation. Where a patient has requested confidential communication, you must accommodate that request, if reasonable. Examples: mailings in an envelope, not a postcard; mail sent to a P.O. box, not to the home; receiving calls at the office, not at home.

142 OCR Guidelines FAQs: Sign-in sheet. Q: May physicians' offices use patient sign-in sheets or call out the names of their patients in their waiting rooms? A: Yes. But the sign-in sheet may not display medical information that is not necessary for the purpose of signing in.

143 OCR Guidelines FAQs: Charts on doors. Q: Are charts outside of exam rooms prohibited? A: No. Using reasonable safeguards and the minimum necessary rule, covered entities must simply evaluate what measures make sense in their environment and tailor their practices and safeguards to their particular circumstances.

144 OCR Guidelines FAQs: Charts on doors. You may maintain patient charts outside of exam rooms, displaying patient names on the outside of patient charts. Possible safeguards include supervising the area and placing patient charts facing the wall or otherwise covered.

145 OCR Guidelines FAQs: Announcing names. You may announce patient names and other information over a facility's public announcement system. Possible safeguards include limiting the information disclosed over the system, such as referring patients to a reception desk.

146 OCR Guidelines FAQs: Overheard conversation. Examples: a provider may be overheard, in the reception area, instructing staff to bill a patient for a particular procedure; a health plan employee discussing a patient's health care claim on the phone may be overheard by another employee who is not authorized to handle patient information.

147 OCR Guidelines FAQs: Office re-design. Q: Are covered entities required to restructure workflow systems, redesign office space, and upgrade computer systems to comply with the HIPAA Privacy Rule? A: The Department generally does not consider facility redesigns necessary to meet the reasonableness standard for minimum necessary uses. Use the reasonable safeguards and minimum necessary rule listed earlier.

148 OCR Guidelines FAQs: Configuring records. When considering record configuration, take into account your ability to configure your record systems to allow access to only certain fields, and the practicality of organizing systems to allow this capacity.

149 OCR Guidelines FAQs: Configuring records. It may not be reasonable for a small, solo practitioner using paper records to limit one employee to only some fields while giving other employees complete access to the record. In this case, appropriate training of employees may be sufficient.

150 OCR Guidelines FAQs: Configuring records. Alternatively, a hospital [or large clinic] with an electronic patient record system may reasonably implement such controls.

151 OCR Guidelines FAQs: Business Associate. Examples of business associates: a third party administrator that assists a health plan with claims processing; a CPA firm whose services involve access to PHI; an attorney whose services involve access to PHI; a consultant that performs utilization reviews for a hospital.

152 OCR Guidelines FAQs: Business Associate. Examples of business associates: a health care clearinghouse that translates a claim from non-standard to standard format and forwards it to a payer; an independent medical transcriptionist that provides transcription services to a physician.

153 OCR Guidelines FAQs: BA Agreement NOT needed. A physician is not required to have a business associate contract with a laboratory as a condition of disclosing PHI for the treatment of an individual. A hospital laboratory is not required to have a business associate contract to disclose PHI to a reference laboratory for treatment of the individual.

154 OCR Guidelines FAQs: BA Agreement NOT needed. When a health care provider discloses PHI to a health plan for payment purposes, or when the health care provider simply accepts a discounted rate to participate in the health plan's network. A provider that submits a claim to a health plan and a health plan that assesses and pays the claim are each acting on its own behalf as a covered entity, and not as the "business associate" of the other.

155 OCR Guidelines FAQs: BA Agreement NOT needed. With persons or organizations whose functions do not involve the use or disclosure of PHI (e.g., janitorial service, copier maintenance, electrician). With a conduit for PHI, for example the US Postal Service, certain private couriers, and their electronic equivalents. When a financial institution processes consumer-conducted financial transactions.

156 OCR Guidelines FAQs: Business Associate. Q: Is a software vendor a business associate of a covered entity? A: Maybe. The mere selling or providing of software to a covered entity does not give rise to a business associate relationship. If the vendor has access to the PHI of the covered entity in order to provide its service, the vendor would be a business associate.

157 OCR Guidelines FAQs: No permission needed. Q: Can a patient have a friend or family member pick up a prescription for her? A: Yes. A pharmacist may use professional judgment and experience with common practice to make reasonable inferences of the patient's best interest in allowing a person other than the patient to pick up a prescription.

158 OCR Guidelines FAQs: No permission needed. Q: Does the HIPAA Privacy Rule permit a covered entity or its collection agency to communicate with parties other than the patient (e.g., spouses or guardians) regarding payment of a bill? A: Yes. A covered entity or its business associate (e.g., a collection agency) may disclose PHI as necessary to obtain payment for health care, and there is no limit to whom such a disclosure may be made.

159 OCR Guidelines FAQs: No permission needed. However, the Privacy Rule requires you to place a reasonable limit on the amount of information disclosed, abide by any reasonable requests for confidential communications, and honor any agreed-to restrictions on the use or disclosure of PHI.

160 OCR Guidelines FAQs: No permission needed. Q: Does the HIPAA Privacy Rule prevent health plans and providers from using debt collection agencies? A: The Privacy Rule permits use of debt collection agencies through a business associate arrangement. Disclosures to collection agencies are governed by provisions such as the business associate and minimum necessary requirements.

161 OCR Guidelines FAQs: No permission needed. Q: Does the HIPAA Privacy Rule permit an eye doctor to confirm a contact lens prescription received by a mail-order contact lens company? A: Yes. The disclosure of PHI by an eye doctor to a distributor of contact lenses for the purpose of confirming a contact lens prescription is a treatment disclosure, and is permitted under the Privacy Rule at 45 CFR

162 OCR Guidelines FAQs: No permission needed. Q: Is a hospital permitted to contact another hospital or health care facility, such as a nursing home, to which a patient will be transferred for continued care, without the patient's authorization?

163 OCR Guidelines FAQs: No permission needed. A: Yes. The HIPAA Privacy Rule permits disclosure of PHI without authorization to another health care provider for treatment or payment purposes, as well as to another covered entity for certain health care operations of that entity.

164 OCR Guidelines FAQs: Marketing. Q: Can contractors (business associates) use PHI to market to individuals for their own business purposes?

165 OCR Guidelines FAQs: Marketing. A: No. While covered entities may share PHI with "business associates", that PHI must be used to perform or assist in the performance of certain health care operations on behalf of covered entities. Thus, business associates, with limited exceptions, cannot use PHI for their own purposes.

166 OCR Guidelines FAQs: Marketing, alternative treatment. Communications about alternative treatments are excluded from the definition of marketing and do not require a prior authorization. Similarly, it is not marketing when a doctor or pharmacy is paid by a pharmaceutical company to recommend an alternative medication to patients.

167 OCR Guidelines FAQs: Marketing. The simple receipt of remuneration does not transform a treatment communication into a commercial promotion of a product or service. Furthermore, covered entities may use a legitimate business associate to assist them in making such permissible communications.

168 OCR Guidelines FAQs: Public Health. Q: May providers disclose PHI concerning pre-employment physicals, drug tests, or fitness-for-duty examinations to an individual's employer? A: In very limited circumstances, providers may disclose PHI to the individual's employer without authorization.

169 OCR Guidelines FAQs: Public Health. First, the service must be provided at the employer's request or as a member of the employer's workforce. Second, the service must relate to medical surveillance of the workplace or to detecting or assessing work-related illness or injury.

170 OCR Guidelines FAQs: Public Health. Third, the employer must have a duty under OSHA or similar law to keep records on, or act on, such information.

171 OCR Guidelines FAQs: Workers' Comp. HIPAA Privacy does not apply to workers' compensation insurers, administrative agencies, or employers. These entities need access to the PHI of individuals with a work-related injury or illness to process or adjudicate claims, or to coordinate care under workers' compensation systems.

172 OCR Guidelines FAQs: Workers' Comp. The Privacy Rule permits disclosures of PHI for workers' compensation purposes, sometimes requiring patient authorization, other times not. Nebraska Law (4) [Manual pg 84]: "Records relevant to the injury shall be made available on demand to employer, employee, carrier, and compensation court." State law not pre-empted; follow both.

173 OCR Guidelines FAQs: Workers' Comp. HIPAA disclosures without individual authorization: to provide benefits for work-related injuries or illness without regard to fault; limited to what the law requires; for obtaining payment for any health care provided to the injured or ill worker.

174 OCR Guidelines FAQs: Workers' Comp. HIPAA disclosures with individual authorization: you may disclose PHI when the individual has provided authorization for the release of PHI. The Minimum Necessary Rule applies.

175 OCR Guidelines FAQs: Oral Communication. Q: Does the HIPAA Privacy Rule require that covered entities provide patients with access to oral information? A: No. The term "designated record set" does not include oral information; rather, it connotes information that has been recorded in some manner.

176 OCR Guidelines FAQs: Oral Communication. Q: Does the HIPAA Privacy Rule require that covered entities document all oral communications? A: No. The Privacy Rule does not require covered entities to document any information, including oral information, that is used or disclosed for treatment, payment or health care operations.

177 HIPAA Privacy: History & Background; Brief Review of Notice of Privacy Practices; NOA (AOA) Manual Handout; OCR Guidelines; Office Physical Layout: suggested changes.

178 Physical Changes. HIPAA does not require that you make radical, expensive changes to your office. The following are some reasonable alterations in office layout to assist in complying with HIPAA.

179 Doors. Close doors when discussing PHI, e.g., during history, pre-examination, and examination.

180 Always speak quietly. Hearing impaired? Speak slowly and get closer. Take special care when speaking in hallways and other common areas.

181 Multi-patient areas (check-in, check-out, dispensary). Speak reasonably quietly; use "PLEASE WAIT HERE" signs if appropriate; provide "PLEASE WAIT HERE" chairs if appropriate. Incidental disclosure is acceptable.

182 Business Office Areas. Place HIPAA reminder signs at work stations, on computer monitors, and on file cabinets.

183 Computer Monitors. Rotate the screen away from the public; put a plant next to the monitor; use a screen saver or "minimize" the screen; place a HIPAA reminder sign on the monitor. Remember, patients can see their own PHI!

184 Patient Records. Keep records closed except when in use. When practical, divide each record into sections, e.g., demographics, examination, claims. Staff should use only that portion of the record needed for the task at hand.
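The minimum necessary rule as an electronic record system could enforce it (slides 148 to 150 on configuring record systems to allow access to only certain fields, and the record sections named on the slide above), as an added example that is not part of the presentation or the AOA manual. The three sections are the slide's; the role names, the record contents and the access log are assumptions.

```python
# Added example (not from the AOA manual or the presentation): a record split into
# the sections the slide names, with access limited per role and every access logged.

# Constructed record; not a real patient. Section names follow slide 184.
RECORD = {
    "demographics": {"name": "Daffy Duck", "phone": "402-555-0199"},
    "examination": {"diagnosis": "presbyopia", "refraction_os": "+1.50"},
    "claims": {"payer": "Duckville Health Plan", "amount": 125.00},
}

# Minimum necessary: each role sees only the sections its job duties need.
# Role names are assumptions for illustration.
ROLE_SECTIONS = {
    "receptionist": {"demographics"},
    "optometrist": {"demographics", "examination"},
    "billing": {"demographics", "claims"},
}

ACCESS_LOG = []          # one entry per attempt, granted or not


class AccessDenied(PermissionError):
    """Raised when a role asks for a section outside its job duties."""


def view_record(record: dict, role: str, sections=None) -> dict:
    """Return only the sections the role may see; unknown roles get nothing."""
    allowed = ROLE_SECTIONS.get(role, set())
    wanted = set(sections) if sections else allowed
    denied = wanted - allowed
    ACCESS_LOG.append({"role": role, "sections": sorted(wanted), "denied": sorted(denied)})
    if not allowed or denied:
        raise AccessDenied(f"{role!r} may not view {sorted(denied or wanted)}")
    return {s: record[s] for s in wanted}


def denied_attempts(log=ACCESS_LOG) -> list:
    """Log entries a privacy officer would review: requests beyond the role's need."""
    return [entry for entry in log if entry["denied"]]
```

A paper chart cannot enforce this, which is why the OCR answer on slide 149 accepts training as sufficient for a small paper-based office.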

185 Patient Record Storage. Post HIPAA reminder signs in record storage areas; reasonably monitor record storage areas; reasonably monitor records in hallways.

186 HIPAA Privacy: History & Background; Brief Review of Notice of Privacy Practices; NOA (AOA) Manual Handout; OCR Guidelines; Office Physical Layout: suggested changes.

187 THE END. Thank You!
