
The HIPAA Privacy & Security


Presentation on theme: "The HIPAA Privacy & Security"— Presentation transcript:

1 The HIPAA Privacy & Security
Brian Martin
Privacy Program Manager
Navy Medicine Support Command
(904) ext. 8139

2 Learning Objectives
- Know the future CONOPS for the Office of Privacy Program Management
- Know the purpose of the Privacy Act and HIPAA
- Know key provisions or features of each law
- Know training requirements
- Understand disclosures and accounting of disclosures
- Understand TMA and DoN incident reporting requirements
- Know basic MTF requirements for HIPAA Privacy and Security compliance

3 References
- Public Law 104-191
- Privacy Act of 1974 as Amended
- DoD R Health Information Privacy
- DoD R Health Information Security
- DoD Privacy Regulation
- DoN E Privacy Regulation
- DoD Information Assurance Implementation
- TRICARE Management Activity – training materials

4 Command Organization
- Echelon 1: Chief of Naval Operations (CNO)
- Echelon 2: Bureau of Medicine and Surgery (BUMED)
- Echelon 3: Navy Medicine Support Command (NMSC), Navy Medicine East (NME), Navy Medicine West (NMW), Navy Medicine National Capitol Area (NMNCA)
- Echelon 4: NMRC, NAVMED MPT&E, NMCPHC, NMIMC, NMLC
NMSC is an Echelon 3 regional/global command: 4,000+ personnel, 27 activities, 83 UICs, 9 countries, 12 states and the District of Columbia.

5 Navy Medicine Support Command
Echelon 3 regional/global command: 4,000+ personnel, 27 activities, 83 UICs, 9 countries, 12 states and the District of Columbia

6 Navy Medicine Support Command Office of Privacy Program Management
Concept of Operations:
- Create an Office of Program Management at NMSC and appoint a full-time Director to standardize and integrate HIPAA Privacy and Security execution throughout the enterprise.
- Execute all BUMED policies and procedures pertaining to the DoD Health Information Privacy and Security regulations.
- Ensure risk analyses are conducted that include an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI created, received, stored, or transmitted by the organization, as directed by and in coordination with NAVMISA.
- Provide technical support to Regional Commands and coordinate activities to improve compliance with privacy and security requirements.

7 HIPAA, Titles I - V
- Title I: Health insurance portability and renewal (protection of health insurance coverage when you change or lose a job; the Certificate of Creditable Coverage is the portability piece)
- Title II: Administrative Simplification (Privacy - Apr 03; Security - Apr 05; TCS - Oct 03; Identifiers - May 05)
- Title III: Tax provision for medical savings accounts
- Title IV: Group health plan provision enforcement
- Title V: Revenue offset provisions
Administrative Simplification was included in the law to:
- Reduce the administrative burden associated with transfer of health information between enterprises
- Improve the efficiency and effectiveness of the health-care system by facilitating electronic exchange of information
- Accelerate the move from paper-based exchanges to electronic transactions through the establishment of standards
Security applies to any health information pertaining to an individual that is electronically maintained or transmitted. Requirements fall in four areas: administrative procedures, physical safeguards, technical security services, and technical security mechanisms. (Proposed Rule: transmission of health information in electronic form in connection with “defined transactions”; primarily a central IM/IT issue.)

8 HIPAA Law – V Titles; Administrative Simplification (Title II)
HIPAA is a multifaceted Internal Revenue Code amendment designed, among other things, to:
1. Improve portability and continuity of health insurance coverage
2. Combat waste, fraud and abuse in health insurance and health care delivery
HIPAA has 5 Titles; only the first 2 really impact the MHS and Navy Medicine.
- Title I – Health insurance portability and renewal: certification to establish an individual’s prior creditable coverage for purposes of reducing the application of preexisting condition exclusions. Status: Final rule, Jun 97.
- Title II – Administrative Simplification (Privacy, Security, Transactions & Code Sets, Unique Identifiers):
  - Privacy: protects the use and disclosure of individually identifiable health information. Requires patient notice, a complaint process, disclosure accounting procedures, and a compliance program with assignment of a Privacy Officer and a staff training program. Status: Final rule; compliance April 03.
  - Security: establishes administrative, physical and technical security standards for entities that electronically maintain or transmit any health information. Requires a compliance program with assignment of a Security Officer to oversee risk assessment and mitigation planning, and a staff training program. Status: Final expected Dec 02.
  - Transactions & Code Sets: adoption of national uniform standards for electronic data interchange (EDI) of certain health care administrative transactions (enrollment, eligibility verification, referral and authorizations, claims, etc). Status: Final rule; compliance October 02.
  - Unique Identifiers: establishes national identifier numbers for providers, employers, health plans and individuals. Status: proposed rules; final expected date unknown.
Approach: IPT launched 23 July 02 to:
- Understand HIPAA’s application to Navy Medicine and coordinate Navy Medicine’s implementation plans
- Review requirements; expedite dissemination of information; develop system solutions where possible
- Provide service representation and coordination to TMA OIP and WIPTS
IPT membership add-ons: Fleet operations; Marine Corps; Research & Development; NEHC

9 HIPAA Privacy Rule Key Provisions
Applies to the protection of information whether it is in oral, written or electronic form.
Provisions:
- More consumer control = individual patient rights
- Specifies “what” health information must be protected
- Boundaries on use and release
- Accountability and penalties
- Preserving strong state laws
- Balancing public responsibility with protections

10 Who is Covered under the HIPAA Privacy Rule?
Directly applies to:
- Health plans (e.g. TRICARE)
- Healthcare clearinghouses (e.g. those that process claims or perform electronic billing)
- Healthcare providers who transmit information in electronic form for specified financial and administrative transactions
These groups/organizations are referred to as “Covered Entities” (CE).

11 What is Covered under HIPAA Privacy?
Health information in oral, paper, or electronic media that relates to:
- the past, present, or future physical or mental health condition of an individual
- the provision of health care to an individual, or
- payment for health care
and that is:
- individually identifiable (includes demographics)
- held by a CE or its business associates

12 Features of Privacy Act and HIPAA
Privacy Act:
- Requires Fed agencies to comply
- Restricts disclosure
- Allows individual access to records about themselves
- Applies to contractors hired to operate a system of records
- Provides judicial remedies for PA violations
HIPAA:
- Requires “covered entities” to comply, not just Fed agencies
- Restricts use and disclosure, with key exceptions
- Expands patient rights: Notice of privacy practices, access, inspect, copy, amend, accounting of disclosures, request restrictions, file complaints, alternate communications requests
- Applies to all members of the workforce

13 Pillars of Privacy - Key Areas
Privacy Act: Consent; Disclosures; “Need to Know”
HIPAA Privacy Rule: Notice of Privacy Practices; Use and Disclosure; Authorization; Minimum Necessary; Military Exemption

14 HIPAA Notice of Privacy Practices
Includes:
- Use and disclosure of PHI for TPO
- Individual’s rights to access, control and request restrictions on use
- Covered entity’s duties
- Complaint procedures
- Contact information
- Effective date

15 Notice of Privacy Practices
Obtain written acknowledgment of receipt of the Notice of Privacy Practices (“good faith effort”).
Exception: emergency situations delay having to provide the Notice until reasonably practicable and exempt providers from the good faith effort to obtain acknowledgment.

16 Use & Disclosure - Privacy Act vs. HIPAA
Privacy Act:
- No record disclosed without consent of the individual to whom the record pertains
- Exceptions: need to know, released under FOIA, routine use, criminal law enforcement activity
- Disclosures not required if to DoD or DON personnel having a “need to know” in performance of official duties
HIPAA:
- A CE can use and disclose PHI for TPO of itself plus other CEs without authorization of the individual; no “consent” required
- For non-TPO uses, authorization is needed, but there are exceptions
- Must provide an accounting of disclosures for up to 6 years, only if non-TPO
- PHIMT utilization is strongly recommended to assist with the 6-year accounting of disclosures requirement

17 Exceptions under Privacy Act & HIPAA
Privacy Act - no consent required:
- Need to know
- Released under FOIA
- Routine use
- Criminal/law enforcement activity
- Health or safety
- Committee of Congress
- Bureau of Census
- Statistical research
- National Archives
HIPAA - opportunity to agree or object to use/disclosure not required:
- Required by law
- Avert serious threat to health or safety
- Specialized govt. functions
- Judicial/administrative proceedings
- Cadaver, organ, eye or tissue donation purposes
- Law enforcement purposes

18 Exceptions under Privacy Act & HIPAA (continued)
HIPAA:
- Victims of abuse, neglect or domestic violence
- Inmates in correctional institutions/custody
- Worker’s compensation
- Research involving minimal risk
- Public health activities
- Health oversight activities
- About decedents
Privacy Act:
- Comptroller General for GAO
- Order of a court of competent jurisdiction
- Consumer reporting agency

19 HIPAA Privacy Authorization
- Covered entities must obtain an individual’s authorization (signed written permission) before using or disclosing PHI for purposes other than treatment, payment or healthcare operations
- Cannot condition provision of treatment, payment, enrollment or eligibility upon an authorization
- Individuals have the right to use an authorization to request a restriction on the use of their PHI

20 HIPAA Privacy Authorization Examples
Authorization required:
- For research
- To send marketing materials
Authorization NOT required:
- To fill prescriptions
- For referrals to specialists
- To communicate treatment options

21 HIPAA Privacy Minimum Necessary
- All uses and disclosures are subject to this standard
- Balancing act between protecting privacy and the “reasonable ability” to limit the information disclosed while still delivering quality care
Exceptions:
- Disclosure to, or request by, a provider for treatment
- Disclosure to the individual
- Under an authorization (unless requested by the CE)
- Required by a HIPAA standard transaction
- Required by law
- Required for law enforcement

22 HIPAA Privacy Military Exemptions
Covered entities may disclose PHI of service members to Military Command Authorities if:
- Needed for determination of the member’s fitness for duty
- Necessary to assure proper execution of the military mission

23 Training Requirements - Privacy Act and HIPAA Privacy Rule
Privacy Act:
- Orientation
- Specialized training for specialized areas of job performance
- Management training
- Provided shortly after assuming duties associated with the level of involvement
HIPAA Privacy Rule:
- All members of the workforce must receive basic HIPAA privacy training
- Focused specialty training
- New employees
- When there is a material change in policy; annual training

24 Civil Remedies/Criminal Penalties under Privacy Act and HIPAA
Privacy Act:
- Civil: denial of amendment request; denial of access; failure to meet record keeping standards (against a naval activity)
- Criminal: wrongful disclosure, unauthorized records, wrongful request or obtaining of records
HIPAA:
- Civil: $100 for each violation for failure to comply with requirements of the law or privacy regulations
- Criminal: fines up to $50,000, imprisonment up to 1 year for wrongful disclosure by any person
- Requires the CE to apply sanctions against members of its workforce who fail to comply with privacy policies and procedures

25 MTF HIPAA Compliance Requirements
- Must have and introduce a written Notice of Privacy Practices
- Must designate a privacy/security officer in writing
- Must develop a consent and authorization process for uses and disclosures
- Must provide privacy training to all staff
- Must maintain documentation regarding compliance with the regulation
- Must establish safeguards to protect health information
- Must conduct a privacy assessment and modify policies and procedures to be in compliance with the Privacy Rule
- Must develop and apply sanctions for violations


27 Disclosures Training Objectives
- Accounting of Disclosures of Protected Health Information (PHI)
- Review of Disclosures
- Uses & Disclosures – General Information
- Suspension of Individual Rights
- Reporting of Disclosures
- Responding to a Request for Disclosures
- PHI Management Tool (PHIMT)
- Rights of Individuals

28 What is the HIPAA Privacy Rule?
- The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ personal health information in any form: paper, electronic, oral
- It sets boundaries on the use and release of health information
- It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made
- It generally gives patients the right to gain access to and obtain a copy of their own health records, and to request amendments and restrictions

29 §164.528 Accounting of Disclosures of Protected Health Information
An individual has a right to receive an Accounting of Disclosures of Protected Health Information (PHI) made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures:
- To carry out treatment, payment and health care operations
- For the facility’s directory, to persons involved in the individual’s care, or for other notification purposes
- For national security or intelligence purposes
- To correctional institutions or law enforcement officials
- That occurred prior to the compliance date of April 14, 2003

30 What is a Disclosure?
A “disclosure” is generally defined as the sharing of health information with someone outside of the Military Health System.
Example: a disclosure of health information to a public health official to assist in tracking exposure of individuals to a contagious disease
Example: disclosures to family advocacy program offices and the Exceptional Family Member Program (EFMP)

31 Uses & Disclosures - General
HIPAA allows the use and disclosure of PHI for treatment, payment and healthcare operations (TPO) without the patient’s permission.
Treatment:
- Provision of care
- Coordination or management of healthcare and related services
- Consultations between providers
- Referral of a patient from one provider to another
Payment:
- Obtaining premiums
- Reimbursement
- Eligibility and coverage determinations
- Billing and claims management
- Utilization review activities
Healthcare Operations:
- Quality assurance
- Health improvement
- Education and training
- Legal services
- Medical review
- Business planning and development
- Management and general administrative activities

32 Suspension of Individual Rights Communicated in Writing
An oversight agency or law enforcement official has the authority to request a suspension of an individual’s right to receive an accounting of disclosures if:
- Such agency or official provides the covered entity with a written statement that such an accounting to the individual would be reasonably likely to undermine the agency's investigation activities
- The agency specifies the time period for which the requested suspension is required
Example: a law enforcement investigation of criminal activity where the individual’s knowledge of the disclosure might alter the nature of the investigation

33 Suspension of Individual Rights Communicated Orally
If the request for suspension is made orally by an authorized agency, the covered entity must:
- Document the request, including the identity of the agency or official making the statement
- Temporarily suspend the individual’s right to an accounting of the disclosures subject to the request
- Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written request is submitted during that time

34 Reporting the Disclosure
For each disclosure, the accounting must include:
- The date of the disclosure
- The name of the entity or person who received the PHI and, if known, the address of such entity or person
- A brief description of the PHI disclosed
- A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such a statement, a copy of a written request for the disclosure

35 Reporting Multiple Disclosures
If the covered entity has made multiple disclosures of PHI during the period covered by the accounting to the same person or entity for a single purpose, the accounting may provide:
- The information requested for the first disclosure during the accounting period
- The frequency, periodicity, or number of the disclosures made during the accounting period
- The date of the last such disclosure during the accounting period
The PHIMT will separately track disclosures made for one record.

36 Responsibility for Responding to a Request
- The covered entity must act on the individual’s request for an accounting no later than 60 days after receipt of the request
- If the covered entity is unable to provide the accounting within the 60-day timeframe, it may extend the time to provide the accounting by no more than 30 days, and must provide the individual with a written statement of the reasons for the delay and the date by which it will provide the accounting
- The covered entity may have only one such extension on a request for an accounting
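The accounting rules on slides 29, 34, 35, 36 and 38 (six-year look-back, excluded purposes, the four required fields, aggregation of repeat disclosures, and the 60-day response with one 30-day extension), as an added Python example; it is not part of the presentation and is not the PHIMT. The purpose categories, sample disclosures and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Disclosure purposes that slide 29 lists as excluded from the accounting.
# The category names themselves are constructed for this example.
EXCLUDED_PURPOSES = {
    "treatment", "payment", "healthcare_operations",
    "facility_directory", "involved_in_care",
    "national_security", "correctional_or_law_enforcement",
}
COMPLIANCE_DATE = date(2003, 4, 14)   # disclosures before this date are not accounted for


@dataclass(frozen=True)
class Disclosure:
    """One disclosure of PHI, carrying the fields slide 34 requires."""
    when: date
    recipient: str                    # entity or person who received the PHI
    recipient_address: Optional[str]  # included only if known
    phi_description: str              # brief description of the PHI disclosed
    purpose: str                      # category used for the exclusion test
    purpose_statement: str            # brief statement, or reference to the written request


@dataclass
class AccountingEntry:
    """Slide 35: repeat disclosures to one recipient for one purpose collapse to one entry."""
    first: Disclosure
    count: int
    last_date: date


def years_before(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year - years)
    except ValueError:                # 29 Feb with a non-leap target year
        return d.replace(year=d.year - years, day=28)


def is_accountable(d: Disclosure, requested_on: date, years: int = 6) -> bool:
    """In the look-back window (six years, or shorter at the individual's request),
    on or after the compliance date, and not an excluded purpose."""
    if not 1 <= years <= 6:
        raise ValueError("look-back is at most six years")
    return (years_before(requested_on, years) <= d.when <= requested_on
            and d.when >= COMPLIANCE_DATE
            and d.purpose not in EXCLUDED_PURPOSES)


def build_accounting(disclosures: List[Disclosure], requested_on: date,
                     years: int = 6) -> List[AccountingEntry]:
    groups: Dict[Tuple[str, str], List[Disclosure]] = {}
    for d in sorted(disclosures, key=lambda x: x.when):
        if is_accountable(d, requested_on, years):
            groups.setdefault((d.recipient, d.purpose), []).append(d)
    return [AccountingEntry(ds[0], len(ds), ds[-1].when) for ds in groups.values()]


def response_deadline(received_on: date, extension_days: int = 0) -> date:
    """Slide 36: act within 60 days of receipt; a single extension of at most 30 days."""
    if not 0 <= extension_days <= 30:
        raise ValueError("only one extension of no more than 30 days is allowed")
    return received_on + timedelta(days=60 + extension_days)


def oral_suspension_expires(oral_statement_on: date) -> date:
    """Slide 33: an oral suspension lapses 30 days after the statement unless a written request arrives."""
    return oral_statement_on + timedelta(days=30)


# Constructed sample log: one pre-compliance-date disclosure, one TPO referral,
# two registry reports to the same public health office, one family advocacy disclosure.
SAMPLE = [
    Disclosure(date(2002, 9, 1), "County Public Health", None, "TB exposure report", "public_health", "contact tracing"),
    Disclosure(date(2006, 3, 3), "Referral specialist", None, "visit summary", "treatment", "referral"),
    Disclosure(date(2006, 5, 10), "County Public Health", "1 Main St", "immunization record", "public_health", "registry reporting"),
    Disclosure(date(2006, 11, 10), "County Public Health", "1 Main St", "immunization record", "public_health", "registry reporting"),
    Disclosure(date(2007, 1, 15), "Family Advocacy Program", None, "injury assessment", "family_advocacy", "FAP case review"),
]
REQUEST_RECEIVED = date(2008, 1, 1)   # constructed date the individual's request arrived

if __name__ == "__main__":
    for e in build_accounting(SAMPLE, REQUEST_RECEIVED):
        print(e.first.when, e.first.recipient, e.first.phi_description, "x", e.count, "last", e.last_date)
    print("respond by", response_deadline(REQUEST_RECEIVED), "or, with extension,", response_deadline(REQUEST_RECEIVED, 30))
```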

37 Accounting of Disclosures – PHI Management Tool (PHIMT)
- TRICARE will use the PHIMT to process Accountings of Disclosures
- In addition to Accountings of Disclosures, the PHIMT is used to process complaints, requests for amendments, requests for restrictions on PHI, and suspension of an individual’s right to a disclosure
- Overall, Navy Medicine has a low utilization rate

38 Rights of Individuals: Right to an Accounting of Disclosures
- An individual has a right to receive an Accounting of Disclosures of PHI made by a covered entity in the six years (or a shorter time period at the request of the individual) prior to the date on which the accounting is requested
- Including disclosures to or by business associates of the covered entity
- Only applies to disclosures made after April 14, 2003

39 Rights of Individuals: Amendments
- Individuals have the right to request that a Covered Entity (CE) amend PHI
- Amending PHI usually does not involve actually removing information, but adding an amendment with the accurate data if appropriate
- A CE may deny an individual’s request for an amendment if it determines that the PHI:
  - was not created by the CE
  - is not part of the designated record set
  - is not available for inspection within the CE
  - is accurate and complete

40 Rights of Individuals: Right to Restrictions
- Individuals have the right to request that certain uses related to TPO and disclosures of PHI be restricted
- Exception to the right to restrictions: individuals do not have a right to request that a covered entity restrict a disclosure of PHI about them for workers’ compensation purposes or when that disclosure is required by law

41 Summary of Disclosure Tracking
The following subjects have been reviewed:
- HIPAA Privacy Rule
- Accounting of Disclosures of PHI
- What a Disclosure is
- Uses & Disclosures – General Information
- Suspension of Individual Rights
- Reporting of Disclosures
- Responding to a Request for Disclosures
- Charge for an Accounting of Disclosures
- TRICARE’s Disclosure Tracking Tool - PHI Management Tool (PHIMT)
- Rights of Individuals

42 Resources
- DoD R, “DoD Health Information Privacy Regulation”, January 2003
- DoD R, DoD Health Information Security Regulation
- TMA Privacy website: for subject matter questions; for tool related questions
- Service HIPAA Privacy Representatives

43 HIPAA Security This document contains proprietary information and should be handled in accordance with U.S. Navy Regulations. It is intended solely for official purposes only.

44 Agenda
- HIPAA Security Background
- Key Concepts and Terms
- Security Rule Organization
- Specifics
- Impact
- Compliance

45 Training Objectives
- Describe the organization and context of the HIPAA Security Rule
- Understand HIPAA security standards and implementation specifications
- Identify tools and other resources that support HIPAA security implementation
Administrative Safeguards
A. Implement a security management process, including policies and procedures, to prevent, detect, contain, and correct security violations.
(1) Conduct a risk analysis that includes an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of all ePHI created, received, stored, or transmitted by the organization.
(2) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. Organizations must ensure confidentiality, integrity and compliance by their workforce and protect against reasonably anticipated threats and hazards to the security of ePHI and against unauthorized uses and disclosures of ePHI.
(3) Ensure that sanction policies are in place and applied appropriately against workforce members who fail to comply with the security policies and procedures of the organization.
(4) Implement procedures for regular review of records of information system activity, such as audit logs, access reports, and security incident tracking reports.

46 HIPAA Implementation Life Cycle

47 HIPAA Security Background

48 HIPAA Security Background: Where Does This Fit In?
Health Insurance Portability and Accountability Act of 1996
- Title I: Health Care Access, Portability, and Renewability
- Title II: Preventing Health Care Fraud and Abuse; Medical Liability Reform; Administrative Simplification
- Title III: Tax-Related Health Provision
- Title IV: Group Health Plan Requirements
- Title V: Revenue Offsets
Title II, Subtitle F (known as Administrative Simplification) is comprised of regulations or rules that standardize how data is identified and handled, and how the data is protected. It includes standards for the following key areas:
- Transactions: electronic health care transactions and code sets (final rule issued)
- Identifiers: unique designations for employers (final rule issued) and for providers (proposed rule issued, final rule in development); code sets for health care plans/services (proposed rule in development)
- Safeguards: health information privacy (final rule issued); security requirements (final rule issued), covering administrative, physical and technical safeguards
- Also, an “enforcement rule” is in development: enforcement procedures (interim rule issued; proposed rule in development)
Source: National Institute of Standards and Technology (NIST)

49 HIPAA Security Background: Applicability of the HIPAA Security Rule
HIPAA entity -> MHS entity:
- Providers who use a covered transaction -> MTFs, DTFs, and clinics
- Health plans -> TRICARE Health Plan
- Healthcare clearinghouses -> Companies that perform electronic billing on behalf of MTFs
- Business associates -> Managed care support contractors and other contractors
Who are the “covered entities”? HIPAA defines three types of covered entities. Providers who engage in electronic exchanges of information using one of the HIPAA transaction types; these transactions are related to checking insurance eligibility, authorization, and payment of claims. Those few providers who never use one of the HIPAA transactions, instead always filing paper claims and checking eligibility via telephone, are not covered entities. HIPAA also defines health plans and health care clearinghouses as covered entities. MHS qualifies as a covered entity from both the provider standpoint and that of a health plan. While at this time MHS does not engage in clearinghouse activity, we do contract with clearinghouses that perform electronic billing on our behalf. Businesses that meet the definition of a covered entity must comply with all of the HIPAA final rules: transactions and code sets, the various identifier rules, privacy and security. While business associates are not covered entities by definition, they are affected by HIPAA. The HIPAA Privacy and Security rules require covered entities to define how information may be used by business associates and to obtain assurances, through specific contract language, that the business associate will protect the PHI in accordance with HIPAA. The April 14th brown bag session will focus on the HIPAA Privacy and Security business associate requirements.

50 HIPAA Security Background Purpose of the HIPAA Security Rule
To adopt national standards for safeguards to protect the confidentiality, integrity, and availability of Electronic Protected Health Information (EPHI)

51 HIPAA Security Background: Privacy vs Security
Privacy: HIPAA 1996; covered entities; compliance April; PHI; uses and disclosures; confidentiality; enforced by OCR
Security: HIPAA 1996; covered entities; compliance April 21, 2005; EPHI; safeguards; confidentiality, integrity, and availability; enforced by CMS
Notes: Please indicate how we transition from the previous slide to this slide. 2006 for small health plans. OCR = Office of Civil Rights, enforces privacy. CMS = Center for Medicare and Medicaid Services?

52 HIPAA Security Background Summary
You should now be able to:
- Describe the purpose and applicability of the HIPAA Security Rule
- Identify how HIPAA Security fits into the HIPAA law
- Explain the differences between HIPAA Privacy and HIPAA Security

53 Key Concepts and Terms: The Universe of Health Information
HI: health information
IIHI: individually identifiable health information
PHI: protected health information
EPHI: electronic protected health information
Diagram: nested ovals HI > IIHI > PHI > E-PHI, with examples such as John Doe, paper files, CDs, education records and biomed devices placed in the appropriate oval.
Notes: ...that the integrity, confidentiality, and availability of electronic protected health information they collect, maintain, use, or transmit is protected.
Definition of PHI and EPHI or IIHI. Electronic protected health information received, created, or maintained by a covered entity, or that is transmitted by covered entities, is covered by the security standards and must be protected.
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
- That identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Protected health information means individually identifiable health information that, except as provided in paragraph (2) of this definition, is:
- Transmitted by electronic media;
- Maintained in any medium described in the definition of electronic media at § of this subchapter; or
- Transmitted or maintained in any other form or medium.
Protected health information excludes individually identifiable health information in:
- Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; and
- Records described at 20 U.S.C. 1232g(a)(4)(B)(iv).

