1 The HIPAA Privacy & Security. Brian Martin, Privacy Program Manager, Navy Medicine Support Command, (904) 542-7200 ext. 8139

2 Learning Objectives
- Know the future CONOPS for the Office of Privacy Program Management
- Know the purpose of the Privacy Act and HIPAA
- Know key provisions or features of each law
- Know training requirements
- Understand disclosures and accounting of disclosures
- Understand TMA and DoN incident reporting requirements
- Know basic MTF requirements for HIPAA Privacy and Security compliance

3 References
- Public Law: Privacy Act of 1974, as amended
- DoD R, Health Information Privacy
- DoD R, Health Information Security
- DoD Privacy Regulation
- DoN E Privacy Regulation
- DoD Information Assurance Implementation
- TRICARE Management Activity training materials

4 Command Organization (organization chart; only the labels survive in the transcript)
- Echelon 1: Chief of Naval Operations (CNO)
- Echelon 2: Bureau of Medicine and Surgery (BUMED)
- Echelon 3: Navy Medicine West (NMW), Navy Medicine East (NME), Navy Medicine Support Command (NMSC), Navy Medicine National Capitol Area (NMNCA)
- Echelon 4: NMLC, NMCPHC, NMRC, NAVMED MPT&E, NMIMC

5 Navy Medicine Support Command
Echelon 3 regional/global command: 4,000+ personnel, 27 activities, 83 UICs, 9 countries, 12 states and the District of Columbia.

6 Navy Medicine Support Command Office of Privacy Program Management
Concept of Operations:
- Create an Office of Program Management at NMSC and appoint a full-time Director to standardize and integrate HIPAA Privacy and Security execution throughout the enterprise.
- Execute all BUMED policies and procedures pertaining to the DoD Health Information Privacy and Security regulations.
- Ensure risk analyses are conducted that include an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI created, received, stored, or transmitted by the organization, as directed by and in coordination with NAVMISA.
- Provide technical support to Regional Commands and coordinate activities to improve compliance with privacy and security requirements.

7 HIPAA, Titles I - V
- Title I: Health insurance portability and renewal (Certificate of Creditable Coverage)
- Title II: Administrative Simplification (compliance dates: Privacy, Apr 03; TCS, Oct 03; Security, Apr 05; Identifiers, May 05)
- Title III: Tax provision for medical savings accounts
- Title IV: Group health plan provision enforcement
- Title V: Revenue offset provisions

8 HIPAA Law: Five Titles
A multifaceted Internal Revenue Code amendment designed to:
- Improve portability and continuity of health insurance coverage
- Combat waste, fraud, and abuse in health insurance and health care delivery
Title II, Administrative Simplification, covers:
- Privacy
- Security
- Transactions and Code Sets
- Unique Identifiers

9 HIPAA Privacy Rule: Key Provisions
Applies to the protection of information whether in oral, written, or electronic form. Provisions:
- More consumer control (individual patient rights)
- Specifies what health information must be protected
- Boundaries on use and release
- Accountability and penalties
- Preserving strong state laws
- Balancing public responsibility with protections

10 Who is Covered under the HIPAA Privacy Rule?
Directly applies to:
- Health plans (e.g., TRICARE)
- Healthcare clearinghouses (e.g., those that process claims or perform electronic billing)
- Healthcare providers who transmit information in electronic form for specified financial and administrative transactions
These groups and organizations are referred to as "Covered Entities" (CE).

11 What is Covered under HIPAA Privacy?
Health information in oral, paper, or electronic media that:
- relates to the past, present, or future physical or mental health condition of an individual, the provision of health care to the individual, or payment for health care;
- is individually identifiable (this includes demographics); and
- is held by a CE or its business associates.

12 Features of the Privacy Act and HIPAA
Privacy Act:
- Requires Federal agencies to comply
- Restricts disclosure
- Allows individual access to records about themselves
- Applies to contractors hired to operate a system of records
- Provides judicial remedies for Privacy Act violations
HIPAA:
- Requires "covered entities" to comply, not just Federal agencies
- Restricts use and disclosure, with key exceptions
- Expands patient rights: Notice of Privacy Practices; access, inspect, copy, and amend; accounting of disclosures; request restrictions; file complaints; request alternate communications
- Applies to all members of the workforce

13 Pillars of Privacy: Key Areas
Privacy Act: Consent; Disclosures; "Need to Know"
HIPAA Privacy Rule: Notice of Privacy Practices; Use and Disclosure; Authorization; Minimum Necessary; Military Exemption

14 HIPAA Notice of Privacy Practices
Includes:
1. Use and disclosure of PHI for TPO
2. The individual's rights to access, control, and request restrictions on use
3. The covered entity's duties
4. Complaint procedures
5. Contact information
6. Effective date

15 Notice of Privacy Practices
Obtain written acknowledgment of receipt of the Notice of Privacy Practices ("good faith effort").
Exception: in emergency situations, providers may delay providing the Notice until reasonably practicable and are exempt from the good faith effort to obtain acknowledgment.

16 Use & Disclosure: Privacy Act vs. HIPAA
Privacy Act:
- No record is disclosed without the consent of the individual to whom the record pertains
- Exceptions, e.g.: need to know, release under FOIA, routine use, criminal law enforcement activity
- Consent is not required for disclosures to DoD or DON personnel having a "need to know" in the performance of official duties
HIPAA:
- A CE can use and disclose PHI for TPO of itself and other CEs without authorization of the individual; no "consent" is required
- For non-TPO uses, authorization is needed, but there are exceptions
- Must provide an accounting of disclosures for up to 6 years, for non-TPO disclosures only

17-18 Exceptions under the Privacy Act and HIPAA
Privacy Act:
- Need to know
- Released under FOIA
- Routine use
- Criminal/law enforcement activity
- Health or safety
- Committee of Congress
- Bureau of the Census
- Statistical research
- National Archives
- Comptroller General (GAO)
- Order of a court of competent jurisdiction
- Consumer reporting agency
HIPAA:
- Required by law
- Avert a serious threat to health or safety
- Specialized government functions
- Judicial/administrative proceedings
- Cadaver, organ, eye, or tissue donation purposes
- Law enforcement purposes
- Victims of abuse, neglect, or domestic violence
- Inmates in correctional institutions/custody
- Workers' compensation
- Research involving minimal risk
- Public health activities
- Health oversight activities
- About decedents

19 HIPAA Privacy Authorization
- Covered entities must obtain an individual's authorization (signed written permission) before using or disclosing PHI for purposes other than treatment, payment, or healthcare operations
- Cannot condition the provision of treatment, payment, enrollment, or eligibility upon an authorization
- Individuals have the right to use an authorization to request a restriction on the use of their PHI

20 HIPAA Privacy Authorization Examples
Authorization required:
- For research
- To send marketing materials
Authorization NOT required:
- To fill prescriptions
- For referrals to specialists
- To communicate treatment options

21 HIPAA Privacy: Minimum Necessary
All uses and disclosures are subject to this standard. It is a balancing act between protecting privacy and the "reasonable ability" to limit the information disclosed while still delivering quality care.
Exceptions:
- Disclosure to, or request by, a provider for treatment
- Disclosure to the individual
- Under an authorization (unless requested by the CE)
- Required by a HIPAA standard transaction
- Required by law
- Required for law enforcement

22 HIPAA Privacy: Military Exemptions
Covered entities may disclose PHI of service members to Military Command Authorities if:
- Needed for determination of the member's fitness for duty
- Necessary to assure proper execution of the military mission

23 Training Requirements: Privacy Act and HIPAA Privacy Rule
Privacy Act:
- Orientation
- Specialized training for specialized areas of job performance
- Management training
- Provided shortly after assuming duties, matched to the level of involvement
HIPAA Privacy Rule:
- All members of the workforce must receive basic HIPAA privacy training
- Focused specialty training
- New employees
- When there is a material change in policy; annual training

24 Civil Remedies and Criminal Penalties under the Privacy Act and HIPAA
Privacy Act:
- Civil (against a naval activity): denial of an amendment request; denial of access; failure to meet record-keeping standards
- Criminal: wrongful disclosure; maintaining unauthorized records; wrongfully requesting or obtaining records
HIPAA:
- Civil: $100 for each violation for failure to comply with the requirements of the law or the privacy regulations
- Criminal: fines up to $50,000 and imprisonment up to 1 year for wrongful disclosure by any person
- Requires the CE to apply sanctions against members of its workforce who fail to comply with privacy policies and procedures
(Penalty amounts are as stated at the time of the presentation; the 2009 HITECH Act later raised the HIPAA civil penalty tiers.)

25 MTF HIPAA Compliance Requirements
- Must have and introduce a written Notice of Privacy Practices
- Must designate a privacy/security officer in writing
- Must develop a consent and authorization process for uses and disclosures
- Must provide privacy training to all staff
- Must maintain documentation regarding compliance with the regulation
- Must establish safeguards to protect health information
- Must conduct a privacy assessment and modify policies and procedures to comply with the Privacy Rule
- Must develop and apply sanctions for violations

27 Disclosures Training Objectives
- Accounting of Disclosures of Protected Health Information (PHI)
- Review of disclosures
- Uses and disclosures: general information
- Suspension of individual rights
- Reporting of disclosures
- Responding to a request for disclosures
- PHI Management Tool (PHIMT)
- Rights of individuals

28 What is the HIPAA Privacy Rule?
- The HIPAA Privacy Rule for the first time creates national standards to protect individuals' personal health information in any form: paper, electronic, or oral
- It sets boundaries on the use and release of health information
- It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made
- It generally gives patients the right to access and obtain a copy of their own health records and to request amendments and restrictions

29 § Accounting of Disclosures of Protected Health Information
An individual has a right to receive an accounting of disclosures of PHI made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures:
- To carry out treatment, payment, and health care operations
- For the facility's directory, to persons involved in the individual's care, or for other notification purposes
- For national security or intelligence purposes
- To correctional institutions or law enforcement officials
- That occurred prior to the compliance date of April 14, 2003

30 What is a Disclosure?
A "disclosure" is generally defined as the sharing of health information with someone outside of the Military Health System.
- Example: a disclosure of health information to a public health official to assist in tracking exposure of individuals to a contagious disease
- Example: disclosures to family advocacy program offices and the Exceptional Family Member Program (EFMP)

31 Uses & Disclosures: General
HIPAA allows the use and disclosure of PHI for treatment, payment, and healthcare operations (TPO) without the patient's permission.
Treatment:
- Provision of care
- Coordination or management of healthcare and related services
- Consultations between providers
- Referral of a patient from one provider to another
Payment:
- Obtaining premiums
- Reimbursement
- Eligibility and coverage determinations
- Billing and claims management
- Utilization review activities
Healthcare Operations:
- Quality assurance
- Health improvement
- Education and training
- Legal services
- Medical review
- Business planning and development
- Management and general administrative activities

32 Suspension of Individual Rights: Communicated in Writing
An oversight agency or law enforcement official has the authority to request a suspension of an individual's right to receive an accounting of disclosures if:
- The agency or official provides the covered entity with a written statement that such an accounting to the individual would be reasonably likely to undermine the agency's investigation activities
- The agency specifies the time period for which the requested suspension is required
- Example: a law enforcement investigation of criminal activity where the individual's knowledge of it might alter the nature of the investigation

33 Suspension of Individual Rights: Communicated Orally
If the request for suspension is made orally by an authorized agency, the covered entity must:
- Document the request, including the identity of the agency or official making the statement
- Temporarily suspend the individual's right to an accounting of the disclosures subject to the request
- Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written request is submitted during that time

34 Reporting the Disclosure
For each disclosure, the accounting must include:
- The date of the disclosure
- The name of the entity or person who received the PHI and, if known, the address of that entity or person
- A brief description of the PHI disclosed
- A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such a statement, a copy of a written request for the disclosure

35 Reporting Multiple Disclosures
If the covered entity has made multiple disclosures of PHI during the period covered by the accounting to the same person or entity for a single purpose, the accounting may provide:
- The information requested for the first disclosure during the accounting period
- The frequency, periodicity, or number of the disclosures made during the accounting period
- The date of the last such disclosure during the accounting period
Note: the PHIMT separately tracks the disclosures made for one record.

36 Responsibility for Responding to a Request
- The covered entity must act on the individual's request for an accounting no later than 60 days after receipt of the request
- If the covered entity is unable to provide the accounting within the 60-day timeframe, it may extend the time by no more than 30 days and must provide the individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting
- The covered entity may have only one such extension on a request for an accounting
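The accounting rules on slides 29 and 34 to 36 reduced to a small disclosure-log model, as an added example that is not Navy Medicine, TMA or PHIMT code. It applies the six-year (or shorter, at the individual's request) lookback, drops the excluded categories and pre-compliance-date rows, emits the four required fields per line, collapses repeated disclosures to the same recipient for the same purpose into one line with a count and last date, and computes the 60-day response deadline with its single 30-day extension. The purpose labels, field names and sample log are constructed for illustration.

```python
"""Accounting-of-disclosures log (added example; field names and data are constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

COMPLIANCE_DATE = date(2003, 4, 14)   # slide 29: earlier disclosures are excluded

# Constructed purpose labels for the categories slide 29 excludes from the accounting.
EXCLUDED_PURPOSES = {
    "treatment", "payment", "operations",            # TPO
    "directory", "involved_in_care", "notification",
    "national_security", "intelligence",
    "correctional", "law_enforcement",
}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str
    recipient_address: Optional[str]   # recorded "if known" (slide 34)
    description: str                   # brief description of the PHI disclosed
    purpose_label: str                 # category used for the exclusion test
    purpose_statement: str             # statement, or reference to the written request


def _years_before(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year - years)
    except ValueError:                 # Feb 29 in a non-leap year
        return d.replace(year=d.year - years, day=28)


def accountable(d: Disclosure, requested_on: date, lookback_years: int = 6) -> bool:
    """True if the disclosure belongs in an accounting requested on requested_on:
    inside the lookback window, on or after the compliance date, and not excluded."""
    if not 1 <= lookback_years <= 6:
        raise ValueError("lookback must be between 1 and 6 years")
    start = max(_years_before(requested_on, lookback_years), COMPLIANCE_DATE)
    return (d.purpose_label not in EXCLUDED_PURPOSES
            and start <= d.disclosed_on <= requested_on)


def _entry(first: Disclosure, group: list) -> dict:
    """One accounting line: the required fields (slide 34) plus the count and
    last date used when repeats are collapsed (slide 35)."""
    return {
        "date": first.disclosed_on,
        "recipient": first.recipient,
        "address": first.recipient_address or "unknown",
        "description": first.description,
        "purpose": first.purpose_statement,
        "count": len(group),
        "last_date": group[-1].disclosed_on,
    }


def build_accounting(log, patient_id, requested_on, lookback_years=6, collapse_repeats=True):
    """Produce the accounting for one patient, oldest disclosure first."""
    hits = sorted((d for d in log if d.patient_id == patient_id
                   and accountable(d, requested_on, lookback_years)),
                  key=lambda d: d.disclosed_on)
    if not collapse_repeats:
        return [_entry(d, [d]) for d in hits]
    groups = {}                        # (recipient, purpose) -> disclosures in date order
    for d in hits:
        groups.setdefault((d.recipient, d.purpose_label), []).append(d)
    return sorted((_entry(g[0], g) for g in groups.values()), key=lambda e: e["date"])


def response_deadline(received_on: date, extension_reason: Optional[str] = None) -> date:
    """Slide 36: 60 days from receipt, plus at most one 30-day extension, which
    must be accompanied by a written statement of the reason."""
    deadline = received_on + timedelta(days=60)
    if extension_reason is not None:
        if not extension_reason.strip():
            raise ValueError("an extension requires a written reason")
        deadline += timedelta(days=30)
    return deadline


# Constructed sample log: one patient, several recipients, some rows that must be excluded.
PHD = "County Public Health Dept"
SAMPLE_LOG = [
    Disclosure("P-1001", date(2005, 3, 2), PHD, "1 Main St", "TB test result",
               "public_health", "Communicable disease reporting"),
    Disclosure("P-1001", date(2005, 4, 6), PHD, "1 Main St", "TB follow-up",
               "public_health", "Communicable disease reporting"),
    Disclosure("P-1001", date(2005, 5, 11), PHD, "1 Main St", "TB follow-up",
               "public_health", "Communicable disease reporting"),
    Disclosure("P-1001", date(2005, 2, 14), "Specialty clinic", None,
               "Referral summary", "treatment", "Referral"),              # TPO: excluded
    Disclosure("P-1001", date(2002, 11, 1), "State registry", None,
               "Immunization record", "public_health", "Registry"),       # before compliance date
    Disclosure("P-1001", date(2005, 6, 1), "Family Advocacy Program", None,
               "Visit notes", "family_advocacy", "Family advocacy referral"),
    Disclosure("P-2002", date(2005, 3, 2), PHD, "1 Main St", "TB test result",
               "public_health", "Communicable disease reporting"),        # other patient
]

if __name__ == "__main__":
    for line in build_accounting(SAMPLE_LOG, "P-1001", date(2006, 1, 10)):
        print(line)
    print("respond by", response_deadline(date(2006, 1, 10)))
```

Run against the sample log, a request dated 10 January 2006 yields two lines: the three public-health disclosures collapse into one line with count 3 and the last date, and the family-advocacy disclosure stands alone; the treatment referral and the 2002 registry report are filtered out. A practical point the slides do not state: the exclusion test has to run at accounting time, not at logging time, so the log itself should record every disclosure, TPO included, and let the report decide what the individual sees.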

37 Accounting of Disclosures: PHI Management Tool (PHIMT)
- TRICARE will use the PHIMT to process the accounting of disclosures
- In addition to the accounting of disclosures, the PHIMT is used to process complaints, requests for amendments, requests for restrictions on PHI, and suspensions of an individual's right to an accounting of disclosures
- Overall, Navy Medicine has a low utilization rate

38 Rights of Individuals: Right to an Accounting of Disclosures
An individual has a right to receive an accounting of disclosures of PHI made by a covered entity in the six years (or a shorter period at the request of the individual) prior to the date on which the accounting is requested:
- Including disclosures to or by business associates of the covered entity
- Only applies to disclosures made after April 14, 2003

39 Rights of Individuals: Amendments
- Individuals have the right to request that a Covered Entity (CE) amend PHI
- Amending PHI usually does not involve actually removing information; rather, an amendment with the accurate data is added, if appropriate
- A CE may deny an individual's request for an amendment if it determines that the PHI:
  - was not created by the CE
  - is not part of the designated record set
  - is not available for inspection within the CE
  - is accurate and complete

40 Rights of Individuals: Right to Restrictions
- Individuals have the right to request that certain uses related to TPO and disclosures of PHI be restricted
- Exception: individuals do not have a right to request that a covered entity restrict a disclosure of PHI about them for workers' compensation purposes, or when that disclosure is required by law

41 Summary of Disclosure Tracking
The following subjects have been reviewed:
- HIPAA Privacy Rule
- Accounting of disclosures of PHI
- What a disclosure is
- Uses and disclosures: general information
- Suspension of individual rights
- Reporting of disclosures
- Responding to a request for disclosures
- Charge for an accounting of disclosures
- TRICARE's disclosure tracking tool: the PHI Management Tool (PHIMT)
- Rights of individuals

42 Resources
- DoD R, "DoD Health Information Privacy Regulation", January 2003
- DoD R, "DoD Health Information Security Regulation"
- TMA Privacy website for subject matter questions
- (URL not preserved in the transcript) for tool-related questions
- Service HIPAA Privacy Representatives

43 HIPAA Security
This document contains proprietary information and should be handled in accordance with U.S. Navy Regulations. It is intended solely for official purposes.

44 Agenda
- HIPAA Security background
- Key concepts and terms
- Security Rule organization
- Specifics
- Impact
- Compliance

45 Training Objectives
- Describe the organization and context of the HIPAA Security Rule
- Understand HIPAA security standards and implementation specifications
- Identify tools and other resources that support HIPAA security implementation

46 HIPAA Implementation Life Cycle (diagram; not preserved in the transcript)

47 HIPAA Security Background

48 HIPAA Security Background: Where Does This Fit In?
HIPAA, the Health Insurance Portability and Accountability Act of 1996 (source: National Institute of Standards and Technology, NIST):
- Title I: Health Care Access, Portability, and Renewability
- Title II: Preventing Health Care Fraud and Abuse; Medical Liability Reform; Administrative Simplification
  - Administrative Simplification covers: Unique Identifiers for Providers and Employers; Electronic Data Exchange; Code Sets for Health Care Plans; Privacy; Security
  - Security comprises Administrative Safeguards, Physical Safeguards, and Technical Safeguards
- Title III: Tax-Related Health Provisions
- Title IV: Group Health Plan Requirements
- Title V: Revenue Offsets

49 HIPAA Security Background: Applicability of the HIPAA Security Rule
HIPAA entity and its MHS counterpart:
- Providers who use a covered transaction: MTFs, DTFs, and clinics
- Health plans: TRICARE Health Plan
- Healthcare clearinghouses: companies that perform electronic billing on behalf of MTFs
- Business associates: managed care support contractors and other contractors

50 HIPAA Security Background: Purpose of the HIPAA Security Rule
To adopt national standards for safeguards to protect the confidentiality, integrity, and availability of Electronic Protected Health Information (EPHI).

51 HIPAA Security Background: Privacy vs. Security
- Privacy Rule: from HIPAA 1996; applies to covered entities; compliance date April 14, 2003; covers PHI; governs uses and disclosures; goal is confidentiality; enforced by OCR
- Security Rule: from HIPAA 1996; applies to covered entities; compliance date April 21, 2005; covers EPHI; requires safeguards; goals are confidentiality, integrity, and availability; enforced by CMS (as of this presentation; HHS moved Security Rule enforcement to OCR in 2009)

52 HIPAA Security Background: Summary
You should now be able to:
- Describe the purpose and applicability of the HIPAA Security Rule
- Identify how HIPAA Security fits into the HIPAA law
- Explain the differences between HIPAA Privacy and HIPAA Security

53 Key Concepts and Terms: The Universe of Health Information
(Nested-set diagram; only the labels survive in the transcript: HI contains IIHI, which contains PHI, which contains EPHI. Examples placed in the figure: Education Records, John Doe, Paper Files, CDs, Biomed Devices.)
- HI: health information
- IIHI: individually identifiable health information
- PHI: protected health information
- EPHI: electronic protected health information
