GETTING HIPAA PRIVACY TO FLY… …A REALISTIC, PRACTICAL APPROACH


1 GETTING HIPAA PRIVACY TO FLY… …A REALISTIC, PRACTICAL APPROACH

2 Dr. Quack: Getting HIPAA to Fly
HIPAA Privacy: History & Background; Brief Review of Notice of Privacy Practices; NOA (AOA) Manual Handout; OCR Guidelines; Office Physical Layout: suggested changes

3 HIPAA Privacy (What it is NOT)
Electronic Data Interchange; Medicare electronic claim regulations; Computer software regulations; EDI due in October 2003

4 HIPAA Privacy
History & Background; Brief Review of Notice of Privacy Practices; NOA (AOA) Manual Handout; OCR Guidelines; Office Physical Layout: suggested changes

5 Background / History
HIPAA Privacy: 1996 Federal law; Protects patient privacy; Gives patient access to their records; Allows patients to amend their records

6 Background / History
Constantly morphing process over years; Finally gelled last quarter of 2002; Final federal rules published in October; OCR Guidelines published in December

7 Background / History
AOA HIPAA Privacy Manual published: 160 pages; Charts (directions); Worksheets; Policy suggestions

8 HIPAA Privacy
History & Background; Brief Review of Notice of Privacy Practices; NOA (AOA) Manual Handout; OCR Guidelines; Office Physical Layout: suggested changes

9 Review of Notice of Privacy Practices
Policy 14B on pages & copy for posting at end of Manual; Dr. Platypus et al; Dr. Donald Duck and Daisy Duck; Dr. Daffy Duck and Peking Duck; THE OPTOMETRISTS PRACTICING IN DUCKVILLE, NEBRASKA

10 Review of Notice of Privacy Practices
This notice describes how medical information about you may be used (in our office) or disclosed (outside our office) and how you can gain access to this information.

11 Treatment, Payment and Health Care Operations
The most common reason why we use or disclose your health information is for treatment, payment or health care operations.

12 Treatment, Payment and Health Care Operations
Setting up an appointment for you; Testing or examining your eyes; Prescribing glasses, contact lenses, or eye medications and

13 Treatment, Payment and Health Care Operations
Faxing them to be filled; Showing you low vision aids; Referring you to another doctor or clinic for eye care or low vision aids or services; or Getting copies of your health information from another professional that you may have seen before us.

14 Treatment, Payment and Health Care Operations
Asking you about your health or vision care plans, or other sources of payment; Preparing and sending bills or claims; and Collecting unpaid amounts (either ourselves or through a collection agency or attorney).

15 Treatment, Payment and Health Care Operations
Administrative and managerial functions; Financial or billing audits; Internal quality assurance; Personnel decisions;

16 Treatment, Payment and Health Care Operations
Participation in managed care plans; Defense of legal matters; Business planning; and Outside storage of our records.

17 Treatment, Payment and Health Care Operations
We routinely use your health information inside our office for these purposes without any special permission. If we need to disclose your health information outside of our office for these reasons, we usually will not ask you for special written permission.

18 Treatment, Payment and Health Care Operations
We will ask for special written permission when it is required by law.

19 Other Uses or Disclosures Without Permission
In some limited situations, the law allows or requires us to use or disclose your health information without your permission. Not all of these situations will apply to us; some may never come up at our office at all.

20 Other Uses or Disclosures Without Permission
When a state or federal law mandates that certain health information be reported for a specific purpose;

21 Other Uses or Disclosures Without Permission
For public health purposes, such as contagious disease reporting, investigation or surveillance; and Notices to and from the federal Food and Drug Administration regarding drugs or medical devices;

22 Other Uses or Disclosures Without Permission
Disclosures to governmental authorities about victims of suspected abuse, neglect or domestic violence; Uses and disclosures for health oversight activities, such as for the licensing of doctors; For audits by Medicare or Medicaid; or for investigation of possible violations of health care laws;

23 Other Uses or Disclosures Without Permission
Disclosures for judicial and administrative proceedings, such as in response to: Subpoenas; Orders of courts; Administrative agencies;

24 Other Uses or Disclosures Without Permission
Disclosures for law enforcement purposes, such as: To provide information about someone who is or is suspected to be a victim of a crime; To provide information about a crime at our office; or To report a crime that happened somewhere else;

25 Other Uses or Disclosures Without Permission
Disclosure to a medical examiner to identify a dead person or to determine the cause of death; or To funeral directors to aid in burial; or To organizations that handle organ or tissue donations; Uses or disclosures for health related research; Uses and disclosures to prevent a serious threat to health or safety;

26 Other Uses or Disclosures Without Permission
Uses or disclosures for specialized government functions, such as: For the protection of the president or high ranking government officials; For lawful national intelligence activities; For military purposes; or For the evaluation and health of members of the foreign service;

27 Other Uses or Disclosures Without Permission
Disclosures of de-identified information; Disclosures relating to worker’s compensation programs; Disclosures of a “limited data set” for research, public health, or health care operations;

28 Other Uses or Disclosures Without Permission
Incidental disclosures that are an unavoidable by-product of permitted uses or disclosures; Disclosures to “business associates” who perform health care operations for us and who commit to respect the privacy of your health information; Other uses and disclosures affected by state law.

29 Uses & Disclosures: Unless You Object…
Unless you object, we will also share relevant information about your care with your family or friends who are helping you with your eye care.

30 Uses & Disclosures: Unless You Object…
Appointment Reminders: We may call or write to remind you of scheduled appointments, or that it is time to make a routine appointment. We may also call or write to notify you of other treatments or services available at our office that might help you.

31 Uses & Disclosures: Unless You Object…
Appointment Reminders: We will mail you an appointment reminder on a post card, and/or leave you a reminder message on your home answering machine or with someone who answers your phone if you are not home.

32 Uses & Disclosures: Only With Authorization
We will not make any other uses or disclosures of your health information unless you sign a written “authorization form.” Federal law determines the content of an “authorization form”. Sometimes, we may initiate the authorization process if the use or disclosure is our idea. Sometimes, you may initiate the process if it’s your idea for us to send your information to someone else.

33 Uses & Disclosures: Only With Authorization
Typically, in this situation you will give us a properly completed authorization form, or you can use one of ours. If we initiate the process and ask you to sign an authorization form, you do not have to sign it. If you do not sign the authorization, we cannot make the use or disclosure.

34 Uses & Disclosures: Only With Authorization
If you do sign one, you may revoke it at any time unless we have already acted in reliance upon it. Revocations must be in writing. Send them to the office contact person named at the end of this Notice.

35 YOUR RIGHTS Regarding your PHI
The law gives you many rights regarding your health information….

36 YOUR RIGHT to ask us to restrict uses & disclosures
Ask us to restrict our uses and disclosures for purposes of treatment (except emergency treatment), payment or health care operations. We do not have to agree to do this, but if we agree, we must honor the restrictions that you want. To ask for a restriction, send a written request to the office contact person named at the end of this Notice. Use the address, fax or E Mail shown at the beginning of this Notice.

37 YOUR RIGHTS: Confidential Communication
Ask us to communicate with you in a confidential way, such as by phoning you at work rather than at home, by mailing health information to a different address, or by using your personal E Mail address.

38 YOUR RIGHTS: Confidential Communication
We will accommodate these requests if they are reasonable, and if you pay us for any extra cost. If you want to ask for confidential communications, send a written request to the office contact person named at the end of this Notice. Use the address, fax or E Mail shown at the beginning of this Notice.

39 YOUR RIGHTS: Photocopies
Ask to see or to get photocopies of your health information. By law, there are a few limited situations in which we can refuse to permit access or copying.

40 YOUR RIGHTS: Photocopies
For the most part, however, you will be able to review or have a copy of your health information within 30 days of asking us (or sixty days if the information is stored off-site). You may have to pay for photocopies in advance. If we deny your request, we will send you a written explanation, and instructions about how to get an impartial review of our denial if one is legally available.

41 YOUR RIGHTS: Photocopies
By law, we can have one 30 day extension of the time for us to give you access or photocopies if we send you a written notice of the extension. [Nebraska?] If you want to review or get photocopies of your health information, send a written request to the office contact person named at the end of this Notice. Use the address, fax or E Mail shown at the beginning of this Notice.

42 YOUR RIGHTS: Amending your PHI
Ask us to amend your health information if you think that it is incorrect or incomplete. If we agree, we will amend the information within 60 days from when you ask us. We will send the corrected information to persons who we know got the wrong information, and others that you specify.

43 YOUR RIGHTS: Amending your PHI
If we do not agree, you can write a statement of your position, and we will include it with your health information along with any rebuttal statement that we may write.

44 YOUR RIGHTS: Amending your PHI
Once your statement of position and/or our rebuttal is included in your health information, we will send it along whenever we make a permitted disclosure of your health information. By law, we can have one 30 day extension of time to consider a request for amendment if we notify you in writing of the extension.

45 YOUR RIGHTS: Amending your PHI
If you want to ask us to amend your health information, send a written request, including your reasons for the amendment, to the office contact person named at the end of this Notice. Use the address, fax or E Mail shown at the beginning of this Notice.

46 YOUR RIGHTS: Lists of PHI disclosed
Get a list of the disclosures that we have made of your health information within the past six years (or a shorter period if you want). By law, the list will not include: disclosures for purposes of treatment, payment or health care operations; disclosures with your authorization; incidental disclosures; disclosures required by law; and some other limited disclosures.

47 YOUR RIGHTS: Lists of PHI disclosed
You are entitled to one such list of disclosures per year without charge. If you want more frequent lists, you will have to pay for them in advance. We will usually respond to your request within 60 days of receiving it, but by law we can have one 30 day extension of time if we notify you of the extension in writing.

48 YOUR RIGHTS: Lists of PHI disclosed
If you want a list of disclosures, send a written request to the office contact person named at the end of this Notice. Use the address, fax or E Mail shown at the beginning of this Notice.

49 YOUR RIGHTS: Copies of Privacy Practices
Get additional paper copies of this Notice of Privacy Practices upon request. It does not matter whether you got one electronically or in paper form already. If you want additional paper copies, send a written request to the office contact person named at the end of this Notice. Use the address, fax or E Mail shown at the beginning of this Notice.

50 OUR NOTICE OF PRIVACY PRACTICES
By law, we must abide by the terms of this Notice of Privacy Practices until we choose to change it. We reserve the right to change this notice at any time as allowed by law.

51 OUR NOTICE OF PRIVACY PRACTICES
If we change this Notice, the new privacy practices will apply to your health information that we already have as well as to such information that we may generate in the future. If we change our Notice of Privacy Practices, we will post the new notice in our office, have copies available in our office, and post it on our Web site.

52 COMPLAINTS
If you think that we have not properly respected the privacy of your health information, you are free to complain to us or the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against you if you make a complaint.

53 COMPLAINTS
If you want to complain to us, send a written complaint to the office contact person named at the end of this Notice. Use the address, fax or E Mail shown at the beginning of this Notice. If you prefer, you can discuss your complaint in person or by phone.

54 HIPAA Privacy
History & Background; Brief Review of Notice of Privacy Practices; NOA (AOA) Manual Handout; OCR Guidelines; Office Physical Layout: suggested changes

55 NOA (AOA) Manual Handout
NOA adaptations of AOA Manual: HIPAA job title on policies instead of name; Tables added (Job titles, etc.); State law addressed; Index added; Formatted for letterhead; Underline replaces brackets

56 Inserted Tables (NOA unique)
Personnel names vs. job title; Job Titles vs. PHI; HIPAA Officers’ names

57 Inserted Tables (NOA unique)
Personnel names vs. job title: Every employee listed; For each employee: check each job they perform, enter date they completed HIPAA training

58 Inserted Tables (NOA unique)
Job Titles vs. PHI: Every Job Title listed; Using analysis forms provided (Worksheet 6 or Dr. Quack Assessment, Worksheet 24); Check each type of PHI accessed

59 Inserted Tables (NOA unique)
HIPAA Officers’ names: List every person with HIPAA role; Check HIPAA role(s) they will perform; Enter date they completed HIPAA training

60 HIPAA and Nebraska Law
Briefly describes Nebraska state law section at the back of the manual; Inserted here to indicate that there has been a section added

61 Policy 3A: Affiliated Covered Entities
2 or more entities (example: corporations); Connected ownership or control; Comply with HIPAA as a single unit; Dr. Quack

62 Policy 3B: Health Care Components
Affects hybrid entities (example: retail & optometry); Should designate portion of business as “health care component”; Only health care component must comply with HIPAA; Otherwise, entire entity must comply with HIPAA; Dr. Merganser Duck

63 Policy 5A: Privacy Officer
Qualifications; Duties; Who is appointed (refers to HIPAA Personnel Roster)

64 Policy 5B: Public Information Officer
Qualifications; Duties; Who is appointed (refers to HIPAA Personnel Roster)

65 Worksheet 6 or Dr. Quack’s Assessment
Gather information on use of PHI in your office; Complete one form for each job description; Keep on hand, proving you made the effort

66 Worksheet 8: No authorization needed for some use of PHI
Treatment; Payment; Health Care Operations

67 Policy 7A, 8A, 10A: No Authorization Required for Certain Disclosures of PHI
Treatment, Payment, Health Care Oper.; Business Associates; Use or Disclosure required by Law; Others mentioned in Notice of Privacy Practices (Also addressed in State Law Appendix)

68 Policy 9A: Facility Directory
Directory policy applies to an entity where a directory is kept of patients in process of a procedure, et cetera. 9A: Describes what must take place if you have a directory. 9A No Directory: ODs who do not maintain a directory need not comply with this section.

69 Policy 9B: Providing Information to Family & Friends
General policy explained; Oral agreement with patient okay

70 Worksheet 10: Public Policy Disclosures
For Policy 7A, 8A, 10A (previously reviewed); See state law section for Dr. Quack’s assessment

71 Worksheet 11: Marketing & Advertising
Read policy 11A. Authorization not needed for marketing described in item #4 or #7. (Covers most marketing done by ODs) Other marketing requires individual authorization of each occurrence.

72 Policy 11A: Marketing & Advertising
Cannot release PHI to others w/o written authorization: Pictures; Testimonials; Patient lists to marketers. Can “market” to individual patient: Services you provide; Materials you provide; Give promotional gifts of limited value.

73 Policy 11A: Marketing & Advertising
Can market w/o use of PHI: General TV ads; Brochures to occupant. Read the policy carefully.

74 Policy 11A: Marketing & Advertising
OCR Changes since AOA printing: CAN leave non-specific message on answering machine (glasses are ready, appointment tomorrow, due for exam); CAN send postcard with appointment time; Unless patient requests otherwise

75 Policy 12A: Disclosures for Research
Need to read carefully if you: Participate in clinical trials; Conduct research

76 Worksheet 13: Prepare PHI Disclosure Authorization Form
Use as you feel necessary after reading policies

77 Policy 13A: PHI Disclosure Authorization Form
Detailed description of what is to be released; Specific purpose; Expiration date; New form for every disclosure

78 Policy 13B: Personal Representative for Patients
Addresses “standing in the shoes” of the patient regarding PHI: Parents (and divorced parents); Guardians; Emancipated minors (not in Nebraska?); Deceased patients’ representatives

79 Policy 13B: Personal Representative for Patients
Policy refers to state law section (p. 80) (see items #29, #68, and #69 in parts II & III); Not specific regarding state law; HIPAA does not appear to present new problems; Dr. Quack cannot give legal advice; See your attorney with real questions

80 Policy 14A: Prepare Notice of Privacy Practices
Post in reception area (back of handout); Keep stock in reception area; Distribute to every patient; Request patient to sign receipt (must try); Receipt/denial kept in record (verify each visit); Update next visit if policy changes

81 Policy 14B: Actual Notice of Privacy Practices
Reviewed earlier

82 Policy 15A (& 16A): Defines Designated Record Set
Contents of patient’s clinical chart; Contents of billing materials; Contents of treatment, orders, laboratory information

83 Policy 15B: Patient Access to their own PHI
Nebraska Hospital Association’s evaluation of Nebraska statute vs. HIPAA (p. 82): Reasons for denial: follow HIPAA standard; Charges for copying: Nebraska statute. Dr. Quack’s evaluation: Time to respond: follow state law (30 days)

84 Letters responding to Patient Requesting Access to PHI
Letter 1: extension (legal in Nebraska?) (toss??); Letter 2: agree to access; Letter 3: denial of access

85 Policy 16B: Amendment of PHI
Patient can request to amend record. If Dr agrees: Amendment added; New information forwarded to others with record. If Dr disagrees and denies amendment: Patient can submit letter of disagreement; Dr can attach denial letter & rebut in writing.

86 Letters responding to Patient Requesting Amendment
Letter 1: decline to amend; Letter 2: agree to amend; Letter 3: delay in amending

87 Policy 17A: Accounting for Disclosures of PHI
Don’t need to account for disclosures: For treatment, payment, H. C. operations; To patient; To family, friends, or care givers; Authorized; Incidental; Marketing & advertising per exceptions

88 Policy 17A: Accounting for Disclosures of PHI
Do need to account for disclosures violating policy 11A; If you did everything right there should be nothing to disclose

89 Letters responding to Patient Requesting An Accounting of Disclosures of PHI
Letter 1: delay of accounting

90 Policy 18A: Restrictions to Use of PHI
Must allow patient to request to restrict use of PHI that would otherwise not be restricted; You do not have to agree to request; If you do agree you must abide by agreement; Can terminate in writing; May be better never to agree

91 Policy 19A: Confidential Communication Methods
Must have policy to allow patients to specify special methods of communication with them. Examples: No answering machines; No post cards; Call at office only; Never call at office only. Must comply with requests agreed to.

92 Worksheet 20: Business Associates
AOA’s Joanne Lax J.D. recommends the following steps to determine who is a business associate. Step One: Identify all outside companies with which you do business.

93 Worksheet 20: Business Associates
Step Two: Flag companies that perform health care services on your behalf (i.e. those to which you have outsourced): Billing service; Optical lab; Quality assurance; Staff training

94 Worksheet 20: Business Associates
Step Three: Also, flag the companies that perform the following services: Legal; Accounting; Consulting; Management (office, building, software, etc)

95 Worksheet 20: Business Associates
Step Four: Of the companies you have flagged, flag again those companies that need to generate, maintain, use, or disclose PHI in order to do their job. Examples: Billing agents; Software support that sees PHI; Collections agencies; Outside medical transcriptionist service. Companies with two flags are your business associates.

96 Worksheet 20: Business Associates
Business associates that need attention right now fall into any of the following groups: You do not currently have a written services contract with them. You have a written services contract with them, but you entered into it after October 15, 2002. You have a written services contract, but it will expire or need to be renewed before April 14, 2003.

97 Worksheet 20: Business Associates
Business associates that do not need immediate action: You have a contract that existed before October 15, 2002, that automatically renews, or will not expire or be renewed before April 14, 2003. You have to act on this latter group on the earlier of: the date that you will renew the contract, or April 14, 2004. Note these business associates on the worksheet & complete the columns.

98 Worksheet 20: Business Associates
Negotiate a business associate contract with each of your business associates, except: A business associate that only uses, generates, maintains or discloses PHI for treatment purposes. OCR also excludes payers…

99 Business Associate Agreements
Policy 21A: BA agreement with AOA language; Policy 21A: BA agreement without AOA language; Your Notice of Privacy Practices must be supplied to BA

100 BA Follow-up
Do not have to monitor BA for compliance; Do not have to train BA; If learn of non-compliance, must: Mitigate where possible (per subsequent policy); Insist BA comply or terminate contract; If fails to comply, must find another vendor

101 Worksheet 23: You must safeguard PHI
Safeguards come in many forms. The three general categories are: Administrative (policies & procedures). Physical (physical plant). Technological (relating to electronics).

102 Worksheet 23: You must safeguard PHI
Examples of safeguards include: Locks on records’ storage rooms or cabinets (or monitoring). Phones in confidential locations. Closing doors.

103 Worksheet 23: You must safeguard PHI
Computer passwords. Computer screen savers or screen shields. Limited field access for electronic data.

104 Worksheet 23: You must safeguard PHI
Turning charts to face the wall in boxes outside patients’ exam rooms. Prohibiting calls to pharmacies or other providers where they can be overheard. Prohibiting staff from discussing clinical issues with patients where they can be overheard. Shredding discarded PHI.

105 Worksheet 23: You must safeguard PHI
This aspect of HIPAA requires unique, individualized solutions based upon: your office layout, opportunities to easily make physical plant changes, budget for physical & technological gadgets, workable policies & procedures.

106 Worksheet 23: You must safeguard PHI
You are not required to go to extremes to guarantee that no PHI will ever be inadvertently disclosed. “Incidental” disclosures – e.g. unavoidable disclosures secondary to a permitted use or disclosure – are permitted under HIPAA, so long as you use reasonable safeguards and you observe minimum necessary rule.

107 Worksheet 24: Minimum Necessary PHI
Using worksheet 6 (or Quack assessment): Determine which job descriptions must access what PHI; Determine whether the minimum necessary rule is currently being abided by; Determine what changes should be made, if any

108 Policy 24A: Minimum Necessary Uses
Complete the table titled “Access to PHI by Job Category” found at the front of this manual. Modify records & procedure where practical so that information for a particular task is segregated, but clinical needs & operations are not compromised in the process of segregation.

109 Policy 24A: Minimum Necessary Disclosures
For routine disclosures of PHI, determine the minimum necessary amount of PHI needed to respond. Eye exam report to school (w/ authorization or give to parent). For non-routine disclosures of PHI, decide how your PO will determine the minimum amount of PHI necessary to respond.

110 Policy 24A2: Confidentiality Agreement
Referred to but not included in AOA Manual; Fabricated by Dr. Quack; All staff should sign a confidentiality agreement stating their commitment to accessing only the minimum amount of PHI necessary to do their job

111 Policy 25A: Verification Before Disclosing PHI
You must check the identity & authority of someone signing an authorization on behalf of a patient or seeking PHI without an authorization, if you don’t know this information already.

112 Policy 25A: Verification Before Disclosing PHI
This should include obtaining copies of applicable documents, such as guardianship papers, power of attorney for health care, or official badge. You can rely on documents that appear valid. You must resolve questions or problems before you can accept the authorization or disclose requested PHI.

113 Policy 26A: You Must Mitigate Harm from Improper Disclosure
The duty only applies if you "know" of the harm. You do not have to actively monitor for evidence of harm. You only have to mitigate harm if it is "practical" for you to do so. You have full discretion to evaluate each situation, & to take mitigation steps appropriate to it.

114 Policy 26A: You Must Mitigate Harm from Improper Disclosure
Mitigation can be: As simple as an apology or correction. An attempt to get back the PHI disclosed. Obtaining a signed agreement from receiver not to use or disclose improperly released PHI. It's up to you in each case.

115 Policy 27A: Complaints about Violations
Must have a written office policy to accept, thoroughly investigate, and resolve complaints from patients who believe their privacy has not been properly respected.

116 Policy 28A: De-Identification of PHI
Should you want to use PHI without HIPAA restrictions… None of HIPAA’s use & disclosure rules apply to information stripped of all identifiers.

117 Policy 28A: De-Identification of PHI
You can de-identify PHI in one of two ways: A statistical expert can give an opinion that PHI has been de-identified; or You can remove the specific identifiers listed in HIPAA’s “safe harbor” method.

118 Policy 29A & 29B: Limited Data Sets
A limited data set is stripped of some identifiers. You can then disclose PHI for research, public health, or health care operations.

119 Policy 29A & 29B: Limited Data Sets
Examples of sharing for health care operations: business planning for a health plan or provider; sale or merger of a health plan; or financial management of a health plan or provider.

120 Policy 29B: Limited Data Set: Data Use Agreement
Similar to a Business Associate Agreement. Describes recipient’s uses & disclosures. Requires recipient to use appropriate safeguards. Requires recipient to tell you of wrongful use or disclosure. Prohibits recipient from identifying or contacting the patient. Requires recipient’s agents to abide by the same conditions as the recipient.

121 Worksheet 30: Train All Employees
Work force includes more people than your payroll. Work force includes: All W2 employees. Students (all kinds). Volunteers. Any independent contractor working on-site & under your direct control that you have not treated as a business associate. (See chart 20.)

122 Worksheet 30: Train All Employees
Training can take any form. It can be: Live lectures. Purchased on-line training modules. Review of policies/procedures. Workbooks. Any other method that you devise. Training needs to be job specific.

123 Worksheet 31: State Law vs. HIPAA
State law that relates to the privacy of PHI but is not contrary to HIPAA remains fully effective after HIPAA. You must comply with both the state law & HIPAA. A state law that relates to the privacy of PHI, is contrary to HIPAA & is “less stringent than” HIPAA: HIPAA wipes out the state law, which is no longer effective.

124 Worksheet 31: State Law vs. HIPAA
A state law that relates to the privacy of PHI & is contrary to HIPAA, but is “more stringent than” HIPAA: all such laws remain in effect after HIPAA. You must comply with the state law, not HIPAA.

125 Dr. Quack’s State Law Appendix
I: The concept of pre-emption. II: Nebr. Hospital Assoc. Review of Statutes: 70 statutes & their relationship to HIPAA; Quack comments on effect on optometry. III: More detail on statutes affecting ODs; subpoenas & HIPAA in Nebraska.

126 State Law: Before & After HIPAA
It appears little state law is truly pre-empted, based on the Hospital Association evaluation. State law is therefore unchanged & should prove no greater problem than previously. Optometrists should read & review the last two sections of the Quack appendix: detail on sections possibly related to optometry; subpoenas (discovery). Seek legal advice with additional questions.

127 Dr. Quack: Getting HIPAA to Fly
HIPAA Privacy History & Background Brief Review of Notice of Privacy Practices NOA (AOA) Manual Handout OCR Guidelines Office Physical Layout: suggested changes

128 Dr. Quack: Getting HIPAA to Fly
OCR Guidelines: The HIPAA Privacy Rule is not intended to impede these customary & essential communications & practices &, thus, does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards.

129 Dr. Quack: Getting HIPAA to Fly
OCR Guidelines: The Privacy Rule permits certain incidental uses & disclosures of PHI when the covered entity uses reasonable safeguards & minimum necessary policies & procedures.

130 Reasonable Safeguards
Speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area; avoiding using patients’ names in public hallways & elevators.

131 Reasonable Safeguards
Posting signs to remind employees to protect patient confidentiality; supervising, isolating, or locking file cabinets or records rooms; providing additional security, such as passwords, on computers maintaining personal information.

132 Dr. Quack: Getting HIPAA to Fly
More Safeguards: Ask waiting customers to stand a few feet back from a counter used for patient counseling. Use cubicles, dividers, shields, curtains, or similar barriers where multiple patient-staff communications routinely occur.

133 Minimum Necessary Rule
Requires limiting access to PHI, based on what is needed to perform job duties. Unimpeded access to PHI, where not necessary for the job at hand, is not applying the minimum necessary standard. Any incidental use or disclosure that results from not applying the Minimum Necessary Standard would be unlawful.

134 Minimum Necessary Rule
The minimum necessary standard does not apply to disclosures, including oral disclosures, among health care providers for treatment purposes.

135 OCR Guidelines FAQs....... confidential conversations
Q: Can health care providers engage in confidential conversations with other providers or with patients, even if there is a possibility that they could be overheard? A: Yes, when using reasonable safeguards.

136 OCR Guidelines FAQs....... confidential conversations
Providers are free to engage in communications as required for quick, effective, & high quality health care. Overheard communications in these settings may be unavoidable & are allowed as incidental disclosures.

137 OCR Guidelines FAQs....... confidential conversations
When using reasonable safeguards: Health care staff may orally coordinate services at hospital nursing stations. Staff may discuss a patient’s condition over the phone with the patient, a provider, or a family member. A health care professional may discuss lab test results with a patient or other provider in a joint treatment area.

138 OCR Guidelines FAQs....... confidential conversations
HIPAA Privacy does not require: private rooms; soundproofing of rooms; encryption of wireless or other emergency medical radio communications; encryption of telephone systems.

139 OCR Guidelines FAQs....... Mailings & phone calls
Q: May physicians’ offices or pharmacists leave messages at patients’ homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients’ homes?

140 OCR Guidelines FAQs....... Mailings & phone calls
A: Yes. Limit the PHI disclosed on the answering machine. Consider leaving only name & number & PHI necessary to confirm an appointment, or ask the individual to call back. You may leave a message with a family member or other person who answers the phone when the patient is not home.

141 OCR Guidelines FAQs....... Confidential Conversation
Where a patient has requested confidential communication, you must accommodate that request, if reasonable. Examples: mailings in an envelope, not a postcard; mail sent to a P.O. box, not to home; calls received at the office, not at home.

142 OCR Guidelines FAQs....... Sign-in sheet
Q: May physicians’ offices use patient sign-in sheets or call out the names of their patients in their waiting rooms? A: Yes. But the sign-in sheet may not display medical information that is not necessary for the purpose of signing in.

143 OCR Guidelines FAQs....... Charts on doors
Q: Are charts outside of exam rooms prohibited? A: No. Using reasonable safeguards & the minimum necessary rule, covered entities must simply evaluate what measures make sense in their environment & tailor their practices & safeguards to their particular circumstances.

144 OCR Guidelines FAQs....... Charts on doors
You may maintain patient charts outside of exam rooms, displaying patient names on the outside of patient charts… Possible safeguards may include: supervising the area; placing patient charts facing the wall or otherwise covered.

145 OCR Guidelines FAQs....... Announcing names
You may: announce patient names & other information over a facility’s public announcement system. Possible safeguards may include: limiting the information disclosed over the system, such as referring the patients to a reception desk.

146 OCR Guidelines FAQs....... Overheard conversation
A provider may be overheard, in the reception area, instructing staff to bill a patient for a particular procedure. A health plan employee discussing a patient’s health care claim on the phone may be overheard by another employee who is not authorized to handle patient information.

147 OCR Guidelines FAQs....... Office re-design
Q: Are covered entities required to restructure workflow systems, redesign office space & upgrade computer systems to comply with the HIPAA Privacy Rule? A: The Department generally does not consider facility redesigns as necessary to meet the reasonableness standard for minimum necessary uses. Use the reasonable safeguards and minimum necessary rule listed earlier.

148 OCR Guidelines FAQs....... Configuring records
When considering record configuration, take into account your ability to configure your record systems to allow access to only certain fields, & the practicality of organizing systems to allow this capacity.

149 OCR Guidelines FAQs....... Configuring records
It may not be reasonable for a small, solo practitioner using paper records to limit one employee to only some fields and give other employees complete access to the record. In this case, appropriate training of employees may be sufficient.

150 OCR Guidelines FAQs....... Configuring records
Alternatively, a hospital [or large clinic] with an electronic patient record system may reasonably implement such controls.

151 OCR Guidelines FAQs....... Business Associate
Examples of Business Associates. A third party administrator that assists a health plan with claims processing. A CPA firm whose services involve access to PHI. An attorney whose services involve access to PHI. A consultant that performs utilization reviews for a hospital.

152 OCR Guidelines FAQs....... Business Associate
Examples of Business Associates. A health care clearinghouse that translates a claim from non-standard to standard format & forwards to a payer. An independent medical transcriptionist that provides transcription services to a physician.

153 OCR Guidelines FAQs....... BA Agreement NOT needed
A physician is not required to have a business associate contract with a laboratory as a condition of disclosing PHI for the treatment of an individual. A hospital laboratory is not required to have a business associate contract to disclose PHI to a reference laboratory for treatment of the individual.

154 OCR Guidelines FAQs....... BA Agreement NOT needed
When a health care provider discloses PHI to a health plan for payment purposes, or when the health care provider simply accepts a discounted rate to participate in the health plan’s network. A provider that submits a claim to a health plan & a health plan that assesses & pays the claim are each acting on its own behalf as a covered entity, & not as the “business associate” of the other.

155 OCR Guidelines FAQs....... BA Agreement NOT needed
With persons or organizations whose functions do not involve the use or disclosure of PHI (e.g., janitorial service, copier maintenance, electrician). With a conduit for PHI, for example, the US Postal Service, certain private couriers, & their electronic equivalents. When a financial institution processes consumer-conducted financial transactions.

156 OCR Guidelines FAQs....... Business Associate
Q: Is a software vendor a business associate of a covered entity? A: Maybe. The mere selling or providing of software to a covered entity does not give rise to a business associate relationship. If the vendor has access to PHI of the covered entity in order to provide its service, the vendor would be a business associate.

157 OCR Guidelines FAQs....…….. No permission needed
Q: Can a patient have a friend or family member pick up a prescription for her? A: Yes. A pharmacist may use professional judgment & experience with common practice to make reasonable inferences of the patient’s best interest in allowing a person, other than the patient, to pick up a prescription.

158 OCR Guidelines FAQs....…….. No permission needed
Q: Does the HIPAA Privacy Rule permit a covered entity or its collection agency to communicate with parties other than the patient (e.g., spouses or guardians) regarding payment of a bill? A: Yes. A covered entity or their business associate (e.g., a collection agency), may disclose PHI as necessary to obtain payment for health care, & there is no limit to whom such a disclosure may be made.

159 OCR Guidelines FAQs....…….. No permission needed
However, the Privacy Rule requires you to: place a reasonable limit on the amount of information disclosed; abide by any reasonable requests for confidential communications; honor any agreed-to restrictions on the use or disclosure of PHI.

160 OCR Guidelines FAQs....…….. No permission needed
Q: Does the HIPAA Privacy Rule prevent health plans & providers from using debt collection agencies? A: The Privacy Rule permits use of debt collection agencies through a business associate arrangement. Disclosures to collection agencies are governed by provisions such as the business associate & minimum necessary requirements.

161 OCR Guidelines FAQs....…….. No permission needed
Q: Does the HIPAA Privacy Rule permit an eye doctor to confirm a contact prescription received by a mail-order contact company? A: Yes. The disclosure of PHI by an eye doctor to a distributor of contact lenses for the purpose of confirming a contact lens prescription is a treatment disclosure, & is permitted under the Privacy Rule at 45 CFR

162 OCR Guidelines FAQs....…….. No permission needed
Q: Is a hospital permitted to contact another hospital or health care facility, such as a nursing home, to which a patient will be transferred for continued care, without the patient’s authorization?

163 OCR Guidelines FAQs....…….. No permission needed
A: Yes. The HIPAA Privacy Rule permits disclosure of PHI without authorization to another health care provider for treatment or payment purposes, as well as to another covered entity for certain health care operations of that entity.

164 OCR Guidelines FAQs... Marketing
Q: Can contractors (business associates) use PHI to market to individuals for their own business purposes?

165 OCR Guidelines FAQs....... Marketing
A: No. While covered entities may share PHI with “business associates”, that PHI must be used to perform or assist in the performance of certain health care operations on behalf of covered entities. Thus, business associates, with limited exceptions, cannot use PHI for their own purposes.

166 OCR Guidelines FAQs....... Marketing
Alternative treatment: Communications about alternative treatments are excluded from the definition of marketing & do not require a prior authorization. Similarly, it is not marketing when a doctor or pharmacy is paid by a pharmaceutical company to recommend an alternative medication to patients.

167 OCR Guidelines FAQs....... Marketing
The simple receipt of remuneration does not transform a treatment communication into a commercial promotion of a product or service. Furthermore, covered entities may use a legitimate business associate to assist them in making such permissible communications.

168 OCR Guidelines FAQs....... Public Health
Q: May providers disclose PHI concerning pre-employment physicals, drug tests, or fitness-for-duty examinations to an individual’s employer? A: In very limited circumstances, providers may disclose PHI to the individual’s employer without authorization.

169 OCR Guidelines FAQs....... Public Health
1st, the service must be provided at the employer’s request or as a member of the employer’s workforce. 2nd, the service must relate to medical surveillance of the workplace or to detect or assess work-related illness or injury.

170 OCR Guidelines FAQs....... Public Health
3rd, the employer must have a duty under OSHA or similar law to keep records on, or act on, such information.

171 OCR Guidelines FAQs....... Workers’ Comp
HIPAA Privacy does not apply to workers’ compensation insurers, administrative agencies, or employers. These entities need access to the PHI of individuals with work-related injury or illness to process or adjudicate claims, or to coordinate care under workers’ compensation systems.

172 OCR Guidelines FAQs....... Workers’ Comp
The Privacy Rule permits disclosures of PHI for workers’ compensation purposes, sometimes requiring patient authorization, other times not. Nebraska Law (4) [Manual pg 84]: “Records relevant to the injury shall be made available on demand to employer, employee, carrier, and compensation court.” State law not pre-empted. Follow both.

173 OCR Guidelines FAQs....... Workers’ Comp
HIPAA: Disclosures Without Individual Authorization. To provide benefits for work-related injuries or illness without regard to fault. Limited to what the law requires. For obtaining payment for any health care provided to the injured or ill worker.

174 OCR Guidelines FAQs....... Workers’ Comp
HIPAA: Disclosures With Individual Authorization. May disclose PHI when the individual has provided authorization for the release of PHI. The Minimum Necessary Rule applies.

175 OCR Guidelines FAQs....... Oral Communication
Q: Does the HIPAA Privacy Rule require that covered entities provide patients with access to oral information? A: No. The term “designated record set” does not include oral information; rather, it connotes information that has been recorded in some manner.

176 OCR Guidelines FAQs....... Oral Communication
Q: Does the HIPAA Privacy Rule require that covered entities document all oral communications? A: No. The Privacy Rule does not require covered entities to document any information, including oral information, that is used or disclosed for treatment, payment or health care operations.

177 Dr. Quack: Getting HIPAA to Fly
HIPAA Privacy History & Background Brief Review of Notice of Privacy Practices NOA (AOA) Manual Handout OCR Guidelines Office Physical Layout: suggested changes

178 Dr. Quack: Getting HIPAA to Fly
Physical Changes: HIPAA does not require that you make radical, expensive changes to your office. The following are some reasonable alterations in office layout to assist in complying with HIPAA.

179 Dr. Quack: Getting HIPAA to Fly
Doors: Close doors when discussing PHI, e.g., history, pre-examination, examination.

180 Dr. Quack: Getting HIPAA to Fly
Always speak quietly. Hearing impaired? Speak slowly; get closer. Take special care when speaking in hallways and other common areas.

181 Multi-patient areas (Check-in, Check-out, Dispensary)
Speak reasonably quietly. Use “PLEASE WAIT HERE” signs if appropriate. Provide “PLEASE WAIT HERE” chairs if appropriate. Incidental disclosure is acceptable.

182 Dr. Quack: Getting HIPAA to Fly
Business Office Areas: Place HIPAA reminder signs at work stations. Place HIPAA reminder signs on computer monitors. Place HIPAA reminder signs on file cabinets.

183 Dr. Quack: Getting HIPAA to Fly
Computer Monitors: Rotate screen away from public. Put a plant next to monitor. Use screen saver or “Minimize” screen. Place HIPAA reminder sign on monitor. Remember, patients can see their own PHI!

184 Dr. Quack: Getting HIPAA to Fly
Patient Records: Keep records closed except when in use. When practical, divide each record into sections, e.g., demographics, examination, claims. Staff should use only that portion of the record needed for the task at hand.

185 Patient Record Storage
Post HIPAA reminder signs in record storage areas. Reasonably monitor record storage areas. Reasonably monitor records in hallways.

186 Dr. Quack: Getting HIPAA to Fly
HIPAA Privacy History & Background Brief Review of Notice of Privacy Practices NOA (AOA) Manual Handout OCR Guidelines Office Physical Layout: suggested changes

187 Dr. Quack: Getting HIPAA to Fly
THE END Thank You!

