
HIPAA PRIVACY RULE: AN OVERVIEW GUIDE FOR BUSINESSES Written by PRIYAL PARMAR 7557 Rambler Road, Suite 1465 Dallas, Texas 75231 (214) 891-5960 (214) 891-5966.




1 HIPAA PRIVACY RULE: AN OVERVIEW GUIDE FOR BUSINESSES
Written by PRIYAL PARMAR
7557 Rambler Road, Suite 1465, Dallas, Texas 75231
(214) 891-5960
(214) 891-5966 – Facsimile
pparmar@owenfazio.com

2 INTRODUCTION
- HIPAA was enacted on August 21, 1996 as a set of basic national privacy standards and fair information practices to protect the privacy of the health information of consumers, and to protect an individual’s right to access and control the use of protected health information (PHI)
- This presentation provides a summary of the HIPAA Privacy Rule. The goal of this presentation is to provide a guideline that businesses can use to ensure compliance with HIPAA. This information is not exhaustive and the attorneys at Owen & Fazio, P.C. can provide more detailed guidance upon request.

3 WHO HAS TO COMPLY WITH HIPAA?
- Covered entities – This includes:
  - All health plans – any individual or group health plan that provides, or pays the cost of, medical care (includes health insurers)
    - A health plan that has >50 participants is automatically a covered entity
    - An entity is not considered to be a health plan for HIPAA purposes if:
      - It falls under the Public Health Service Act
      - It provides incidental health care services
  - All health care clearinghouses – any public or private entity that processes (or facilitates the processing of) health information received from another entity in a non-standard format
  - Health care providers – providers of medical and health services, and any person or organization that furnishes, bills, or is paid for health care services or supplies in the normal course of business
    - Only those health care providers that transmit health information in electronic form in connection with a standard transaction
    - Examples of standard transactions: eligibility request, claim submission, claim status inquiry, claim payment, referral request, medical services authorization

4 WHAT IS COVERED?
- Protected Health Information (PHI) – Information that:
  - Relates to the past, present, or future physical or mental health or condition of an individual, OR
  - Relates to the provision of health care to an individual, OR
  - Relates to the past, present, or future payment for health care, AND
  - Is individually identifiable, AND
  - Is transmitted by electronic media, maintained in any medium described in the definition of electronic media, or transmitted or maintained in any other form or medium.
- What is excluded from PHI?
  - PHI in education records covered by the Family Educational Rights and Privacy Act (FERPA)
  - Employment records held by the covered entity in its role as an employer
  - De-identified information. This can be accomplished by using two methods:
    - MIT method – qualified people use statistics and scientific methods to show that there is a very small risk that the information could be used by others to identify a subject of the information.
    - Safe-harbor method – remove all of the 18 enumerated identifiers

5 USES AND DISCLOSURES
- Those that require no patient permission
  - Treatment
  - Payment
  - Health care operations
  - Public policy activities
- Those that require the patient’s oral agreement
  - Directory information – name, location, general condition, religious affiliation
  - Disclosures to persons involved in the individual’s care or payment for care
  - Disclosure to family members of the patient’s general condition and death for the purpose of notification
- Those that require the patient’s written authorization
  - Disclosure of psychotherapy notes
  - Disclosure for marketing purposes

6 REQUIRED ELEMENTS OF A WRITTEN AUTHORIZATION
1. Specific description of the information to be disclosed
2. Specific identification of the covered entity authorized to make the use or disclosure
3. Specific identification of the person(s) to whom the covered entity may make disclosure
4. Specific description of each purpose
5. Expiration date or event
6. Signature of the individual
7. Date
8. Information regarding the right to revoke the authorization and the exceptions to it
9. Ability or inability of the covered entity to condition treatment, payment, enrollment in the health plan, or eligibility for benefits, on the authorization
10. Potential for the information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient
NOTE:
- The authorization must be written in plain language
- Covered entity must provide the individual with a copy of the signed authorization
- Covered entity must retain a copy of the signed authorization for itself
- The authorization is considered defective if:
  - Expiration date has passed
  - It is not filled out completely
  - It is known to be revoked
  - It contains false material

7 REQUIRED DISCLOSURES
- Must be disclosed:
  - When the individual requests his/her own PHI
  - When the Department of Health and Human Services (DHHS) requests the PHI to investigate a covered entity’s compliance with HIPAA

8 MINIMUM NECESSARY RULE
- Covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request
- If it is a routine disclosure, the covered entity is required to implement policies and procedures to restrict such disclosures to the minimum necessary standard

9 INDIVIDUAL RIGHTS
Right to Receive Notice
- Purpose – to notify the individual about protections of health information by the covered entity
- Must post notice in a conspicuous place where patients are likely to look. Ex: payment window
- Must also keep copies for patients to take
- If the covered entity has a website, the notice must be posted on the website as well
- Note: The next 5 slides explore the Right to Receive Notice in more detail

10 What are the components of the notice?
- It must contain a statement that additional uses and disclosures require written authorization
- It must clearly outline the covered entity’s legal duties with respect to the information
- It must give instructions on how to file a complaint with the Department of Health and Human Services if the individual feels that his/her privacy rights have been violated

11 Who must give notice?
- Any health care provider with a direct treatment (not indirect) relationship with the individual must give notice
  - Indirect treatment relationship – when a health care provider delivers health care to the individual based on the orders of another health care provider, and typically provides services or products, or reports the diagnosis or results associated with the health care, directly to that other health care provider, who in turn provides the services or products or reports to the individual
  - Ex: radiologists, pathologists, clinical laboratories
- Health care clearinghouses, correctional institutions, and group health plans that provide benefits through health maintenance organization (HMO) contracts are not required to give notice, but must provide one upon request by an individual
- Affiliated covered entities under common ownership or control may designate themselves as one single entity and produce a single notice

12 When must notice be given?
- At the time of enrollment of a new client or at the time of first service delivery
- Within 60 days of making a material revision to the notice
- Any time the patient requests a notice
- A health plan should remind enrollees about how to obtain a copy of the notice at least once every 3 years.

13 Who must the notice be given to?
- EACH ENROLLEE, NOT each covered spouse or dependent

14 Acknowledgment
- Once notice is given, a covered entity should obtain a written acknowledgement by either:
  - Signature on the notice
  - Initials on the notice cover sheet
  - Signature on a separate list
- If the covered entity is unable to obtain acknowledgement, it must document its good faith attempts to obtain it and the reason(s) why it was not obtained

15 RIGHT TO ACCESS PHI
- Patients have the right to inspect and copy their PHI in a designated record set (a group of records maintained by or for a covered entity that are medical records, billing records, enrollment, payment, claims adjudication, or case management record systems, or records used by covered entities to make decisions about individuals)
- Exceptions
  - Psychotherapy notes
  - Information compiled in anticipation of legal proceedings
  - PHI that is subject to the Clinical Laboratory Improvement Amendments (CLIA), to the extent that providing access to the individual would be prohibited by law or the PHI is exempt from CLIA
- Covered entity must comply in a timely manner, usually 30 days
  - For records not maintained on site, the covered entity has 60 days to comply
  - A one-time extension of 30 days is allowed, but the covered entity must give the individual the need and the reason(s) for the extension.
- Covered entity must have a procedure in place to challenge denial of access
- Two situations when access can be denied and no appeal is available:
  - Inmates of a correctional institution
  - Research participants, but only until the research is completed.
- If access is denied, the individual must receive a written explanation of the basis for denial. It should be easy to understand and inform the individual of any existing appeal rights. It must also alert the individual of the availability of the right to complain to the covered entity or the DHHS.

16 RIGHT TO AMEND PHI
- Individuals have the right to amend incorrect or incomplete PHI
- A covered entity must respond to the request for amendment in a timely manner, within 30 to 60 days

17 RIGHT TO AN ACCOUNTING OF DISCLOSURES OF PHI
- Individuals have the right to receive an accounting of disclosures of PHI made by a covered entity in the 6 years prior to the date on which the accounting is requested.
- Accounting must include:
  - Date of disclosure
  - Name of the entity or person who received the PHI, and address if known
  - Brief description of the PHI disclosed
  - Brief statement of the purpose of the disclosure
- Exceptions to the right to receive an accounting (disclosures that need not be included):
  - To individuals or their personal representatives for treatment, payment, or health care operations
  - For national security or intelligence reasons
  - For a facility’s directory
  - Made prior to the April 14, 2003 compliance deadline
  - Pursuant to an authorization
  - To correctional institutions or law enforcement officials
  - Incident to a use or disclosure otherwise permitted or required by this subpart
- Covered entity must act on the request within 60 days
- The first accounting in a 12-month period is free, but subsequent requests may be charged a reasonable cost-based fee

18 APPOINTMENT OF PRIVACY OFFICER
- A covered entity must appoint a privacy officer who is in charge of developing and implementing policies and procedures
- It must also designate a person/office for receiving complaints

19 WORKFORCE TRAINING
- All members of the workforce must be trained by the compliance date
- New members must be trained within a reasonable time
- If material changes are made, all workforce members affected by the change must be trained within a reasonable time.

20 PENALTIES AND ENFORCEMENT
- Individuals can lodge complaints with the attorney general, state insurance commissioner, state medical board, or the United States Department of Health and Human Services (DHHS) Office for Civil Rights
- DHHS can impose civil penalties between $100,000 and $250,000
- Civil penalties can only be imposed for willful violations
- If a reasonable cause is found, no penalties are given as long as the covered entity corrects the non-compliance within 30 days
- Civil penalties cannot be imposed if criminal penalties have already been imposed
- Criminal penalties
  - Knowing violations of HIPAA = $50,000 or less and/or 1 year or less in prison
  - Using false pretenses to violate HIPAA = $100,000 or less and/or 5 years or less in prison
  - Intent to gain personally or commercially, or intent to cause malicious harm, by the misuse of IIHI (individually identifiable health information) = $250,000 or less and/or 10 years or less in prison.

21 COMPLIANCE DATES
- Health care providers, health care clearinghouses, and health plans must comply by April 14, 2003
- Small health plans must comply by April 14, 2004

22 BUSINESS ASSOCIATES
- A person or organization outside the covered entity that performs, or assists in the performance of, functions and activities covered by HIPAA. Ex: legal, actuarial, accounting, etc.
- HIPAA does not apply directly to a business associate, but may apply to them indirectly if there is a business associate agreement
- A business associate agreement is a contract between a covered entity and a business associate and must contain the following required elements:
  - Establish permitted uses and disclosures
  - State that the business associate will not use information for further uses and disclosures not in the agreement
  - State that the business associate will use appropriate safeguards to prevent the use or disclosure of information other than as provided by the contract
  - The business associate will report to the covered entity any use or disclosure not in the agreement
  - Business associate must agree to get all of its subcontractors to comply with the business associate agreement
  - Business associate must make PHI available for inspection and copying
  - Business associate must make PHI available for amendment
  - Business associate must make its records available to the Secretary of DHHS to check the covered entity’s compliance with HIPAA
  - Business associate must agree to return or destroy all information at the end of the contract if feasible to do so
  - Agreement must establish that the covered entity can terminate the contract with the business associate for any violations

23 STATE PREEMPTION
- HIPAA preempts any state law unless the state law is more stringent.

24 HIPAA WEB SITES
- Association of American Medical Colleges, www.aamc.org
- American Health Information Management Association, www.ahima.org/journal
- Department of Health and Human Services, www.aspe.dhhs.gov
- Health Privacy Project, www.healthprivacy.org
- United States Department of Health and Human Services, www.hhs.gov/news/facts/privacy.html
- Phoenix Health Systems HIPAAdvisory, www.hipaadvisory.com

25 REFERENCES
- Alex Bednar, HIPAA Implications for Attorney-Client Privilege, St. Mary’s University Law Journal, 35 St. Mary’s L. J. 871 (2004)
- Texas Administrative Agencies Tackle Compliance with the Health Insurance Portability and Accountability Act’s Privacy Rule, Texas Tech Journal of Texas Administrative Law, 5 Tex. Tech J. Tex. Admin. L. 87 (2004)
- Nancy A. Lawson, Jennifer M. Orr and Doedy Sheehan Klar, The HIPAA Privacy Rule: An Overview of Compliance Initiatives and Requirements, Defense Counsel Journal, 70 Def. Couns. J. 127 (2003)
- Department of Health and Human Services, www.aspe.dhhs.gov
- Health Privacy Project, www.healthprivacy.org
- United States Department of Health and Human Services, www.hhs.gov/news/facts/privacy.html
- 45 C.F.R. 160 and 164

