Presented by the Office of the General Counsel An Overview of HIPAA.


3 HIPAA
– Health Insurance Portability and Accountability Act

4 HIPAA’s Goals
– Simplify the administration of electronic health information
– Protect an individual’s privacy rights with regard to health information

5 When is HIPAA effective?
– First deadline: October 2002 (possible extension until Oct. 2003; AU must have a compliance plan)
– Privacy Regulations: April 2003 (AU target date for compliance)

6 Who Must Comply?
“Each Covered Entity who maintains or transmits health information”
– Health Plans
– Health Care Clearinghouses
– Health Care Providers

7 Who is a Provider?
“Any person or entity that furnishes, bills, or is paid for health care in the normal course of business.”
– Health Care = any “care, services, or supplies related to the health of an individual”

8 Examples of Providers / Plans
– Student Health Center
– Psychology Clinics
– EAP
– Athletic Department
– Hearing / Eye Clinics
– Self-Insurance Health Plans

9 4 Key HIPAA Elements
– Electronic Transaction & Code Set Standards
– Security Standards
– Privacy Regulations
– National Identifiers

10 Electronic Transaction & Code Set Standards
General Rule: “If a covered entity (either itself or through an agent) conducts a Covered Transaction electronically, the transaction must be conducted using the HIPAA form.”

11 Electronic Transaction & Code Set Standards
Required Elements:
1. Covered Entity
2. Electronically transmits
3. Covered Transaction

12 Covered Transactions
– Submission of claims for payment
– Checking eligibility
– Enrollment & disenrollment
– Referrals and pre-certification
– Claims attachments
– Payment & claims remittance
– Coordination of benefits
– Checking claims’ status

13 Electronic Transaction & Code Set Standards
Requirements of ETS:
– Standard Formats
– Standard Data Content
– Standard Codes

14 Electronic Transaction & Code Set Standards
Where to find the ETS standards:
– http://aspe.hhs.gov/admnsimp
– www.wpc-edi.com/HIPAA
– www.afehct.org

15 Security Standards
Intended to protect against:
– Unauthorized access
– Accidental / intentional disclosure to unauthorized persons
– Alteration, destruction, or loss

16 Security Standards – Who is Covered?
– Any covered entity that stores information electronically
– Does not have to be a covered transaction

17 Security Standards – Elements
Administrative Procedures
– Protect health info
– Manage personnel conduct
Physical Safeguards
– Protect physical systems / buildings
Technical Security
– Controls access to health information

18 Administrative Procedures
– Security analysis
– Information access privileges
– Password & authentication policies
– Plans for disasters & security breaches
– Disciplinary process & penalties
– Employee & vendor training
– Security Officer

19 Physical Safeguards
– Document ways computer & physical records are protected
– Use of keys, locks, etc. to control access to computers
– Restriction of access to authorized persons
– Tracking of medical records
– Workstation location policy

20 Technical Security
– Single sign-on technology
– New user IDs, passwords
– Audit trails for health info

21 Security Standards – General Comments
– Still in proposed form
– Not technically specific
– Amount of security required is scalable based on dept. size and resources

22 Privacy Regulations
General Rule: “A covered entity may not use or disclose Protected Health Information (PHI) except as permitted by the privacy regulations.”

23 Privacy Regulations
PHI – Protected Health Information
– Individually identifiable
– Any form or medium: electronic, oral, or written
– Created or received
– Relates to past, present, or future condition or payment of an individual
– Exception: FERPA records

24 Privacy Regulations
General Requirement: “Must make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary to accomplish intended purpose.”

25 Privacy Regulations – Main Elements
– Rules for use & disclosure of PHI
– Patient’s rights to health info
– Administrative procedures
– Business partner requirement

26 Rules for Use & Disclosure – Consent vs. Authorization
– Consent: If a general written consent is obtained, a provider may use/disclose PHI for “TPO”
– Authorization: If use/disclosure is not for “TPO”, use/disclosure is forbidden without a more specific authorization
– “TPO” = Treatment / Payment / Health Care Operations

27 Rules for Use & Disclosure
“TPO” = Treatment / Payment / Health Care Operations
– Treatment: Provision, coordination, management of healthcare
– Payment: Actions to obtain payment
– Operations: Internal day-to-day business (ex: QA, peer review, customer service)

28 Rules for Use & Disclosure – Consent
– Must be in plain language
– Must specify use of PHI
– Can be made a prerequisite to treatment (provider can refuse treatment)
– Exceptions: Emergency, Required by Law, Communication barriers

29 Rules for Use & Disclosure – Authorization
– Cannot be a condition of treatment
– Must inform about specific use and the right to refuse, revoke, and inspect
– Psychotherapy notes require authorization
– Examples: Research, Marketing, Fundraising

30 Patient’s Rights
– Right to Notice of Privacy Practices
– Right of access to PHI
– Right to an accounting of disclosures for 6 years
– Right to request restriction of TPO use to family members (covered entity not required to agree if TPO)

31 Administrative Procedures
– Document policies, procedures, & systems to achieve compliance
– Complaint mechanisms
– Employee sanctions
– Documented training of employees
– Mitigation of harmful effects
– Designated Privacy Officer

32 Business Associates
General Rule: A covered entity must have a business associate contract to ensure that its business associates also are in compliance with HIPAA’s protection of PHI.

33 Business Associates
Business Associates…
– Perform a function involving use / disclosure of PHI on behalf of the covered entity
– Perform legal, accounting, consulting, data aggregation, administrative, management, or financial services involving PHI for the covered entity

34 Business Associates – Examples
– Billing companies
– Computer vendors
– Attorneys, accountants, auditors
– Consultants
– Document storage / destruction companies

35 Business Associates – Business Associate Contracts
– Restrict use & disclosure of PHI
– Require appropriate safeguards
– Require similar requirements of subcontractors
– Require B.A. to disclose breaches
– Require B.A. to remedy breaches or risk termination of contract


37 Hybrid Entity
Requirements
– Single legal entity
– Primary business is not healthcare
Advantages
– Only “Healthcare Components” must comply with HIPAA
Disadvantage
– Firewall between HC Components and Non-Components

38 Hybrid Entity
Auburn must…
– Identify Healthcare Components
– Identify Business Associates of the HC Components
– Erect the ‘firewalls’ between HC Components & Non-Components

39 Penalties for Non-Compliance
** Both individuals & entities can incur criminal and/or civil penalties
– Civil penalties: $100 - $25,000
– Criminal penalties: max 10 yrs. prison, max $250,000 fine

40 HIPAA Timeline
– ETS Standards: October 16, 2002 (extended to Oct. 2003 w/ University extension)
– Privacy Regs: April 14, 2003
– Security Regs: date expected by August 2002

41 Next Steps toward Compliance
1. Fill out the AU HIPAA Survey
2. Review how PHI is stored, accessed, protected, & destroyed
3. Think about easy steps to better protect PHI
4. Designate 1+ person to review specific HIPAA policies

42 For more HIPAA info…
– www.hipaa.org – Links to complete final rules & proposed rules
– www.hipaadvisory.com – News, primers, and complete rules
– www.hrm.uab.edu/HIPAA – UAB’s training site

43 Additional Questions? Contact the Provost’s Office
