Presentation on theme: "HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. 45 C.F.R. Subtitle A, Subchapter C, Parts 160-164." (slides dated 4/28/2015). Presentation transcript:
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. 45 C.F.R. Subtitle A, Subchapter C, Parts 160-164.
45 C.F.R. Parts 160 & 164, the "HIPAA Privacy Rule": Administrative Requirements; Standards for Privacy of Individually Identifiable Health Information.
Who Has To Comply with the HIPAA Privacy Rule? COVERED ENTITIES
What is the PURPOSE of the HIPAA Privacy Rule? Public policy: to improve the efficiency and effectiveness of health care delivery; to protect the rights of patients by giving them access to their PHI (protected health information) and assurance of confidentiality, through information about and control over the use and disclosure of their PHI; and to restore public trust in the health care system.
WHAT IF A COVERED ENTITY DOES NOT COMPLY WITH THE HIPAA PRIVACY RULE? The covered entity faces possible civil penalties of up to $25,000 annually and/or possible criminal penalties of up to $250,000 and/or 10 years imprisonment.
What or who is a "Covered Entity"? Covered entities: ambulance services that bill electronically. Non-covered: a fire department is not specifically covered, as fire departments in NYS cannot bill for services. There are, however, privacy laws that do apply to fire departments.
NOTE: Page 3 of the New York State Department of Health Bureau of Emergency Medical Services POLICY STATEMENT No. 02-05, dated 10/29/02 (supersedes/updates 85-01, 96-01), RE: Prehospital Care Reports (PCRs), states the following under "Confidentiality & Disclosure of PCRs/Personal Healthcare Information": Maintaining confidentiality is an essential part of all medical care, including prehospital care. The confidentiality of personal health information (PHI) is covered by numerous state and federal statutes, policies, rules and regulations, including the Health Insurance Portability & Accountability Act of 1996 (HIPAA) and 10 NYCRR.
Policy Statement No. 02-05 quotes 10 NYCRR Part [number missing], which states in relevant part that every person certified at any level pursuant to these regulations shall: (a) at all times maintain the confidentiality of information about the names, treatment, and conditions of patients treated, except: (1) a prehospital care report shall be completed for each patient treated when acting as part of an organized prehospital emergency medical service, and a copy shall be provided to the hospital receiving the patient and to the authorized agent of the department for use in the State's quality assurance program;
Policy Statement No. 02-05 has interpreted the Health Insurance Portability & Accountability Act of 1996 (HIPAA) as requiring all health care providers to have a written policy on protecting Personal Health Information (PHI), including PCRs. Such a policy should include (but not be limited to): requiring that requests from patients for PCR copies be in writing; keeping a copy of the written request with the original PCR; maintaining the confidentiality of the information contained on a PCR as well as the actual PCRs; conducting security training for all employees/members in proper security procedures to protect personal health information; and documenting the security training of employees/members. (Page 4 of Policy Statement No. 02-05.)
OKAY, SO I AM A COVERED ENTITY, NOW WHAT DO I DO? A covered entity must provide a measure of privacy protection to all patients, may share "protected health information" (PHI) only to the "minimum necessary" to accomplish the intended purpose, and had to comply by April 14, 2003.
WHAT MUST BE PROTECTED? PROTECTED HEALTH INFORMATION ("PHI")
What is PHI? PHI is individually identifiable health information that is transmitted by electronic media, maintained in any medium described in the definition of electronic media, or transmitted or maintained in any other form or medium. Although education records, and employment records held by a covered entity in its role as employer, contain individually identifiable health information, those records are NOT included in the definition of Protected Health Information.
WHAT IS Individually Identifiable Health Information ("IIHI")? It is health information, including demographic information collected from a patient, that: is created or received by a covered entity; relates to the past, present, or future physical or mental health or condition of a patient, the provision of health care to a patient, or the past, present, or future payment for the provision of health care to a patient; and identifies the patient, or gives a reasonable basis to believe the information can be used to identify the patient.
Individually Identifiable Health Information ("IIHI") is information that could be used directly or indirectly to identify the patient and must be protected. IIHI includes:
- Names;
- Geographic subdivisions smaller than a State, including street address, city, county, precinct and zip code;
- All elements of dates (except year) directly related to a patient, including birth date, admission date, discharge date and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code.
AS A COVERED ENTITY, HOW CAN I USE & DISCLOSE PHI? As a direct treatment provider, a covered entity may use or disclose a patient's PHI for purposes of treatment, payment or health care operations ("TPO") without obtaining advance written consent from the patient. However, a covered entity must obtain the patient's authorization to use or disclose PHI for purposes other than treatment, payment and health care operations.
Treatment means the provision, coordination, or management of health care and related services, including: coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or referral of a patient for health care from one health care provider to another. For example, you can transmit information to a hospital or ALS.
Payment means the activities undertaken by a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan, or by a covered health care provider or health plan to obtain or provide reimbursement for the provision of health care, and activities related to payment such as: determinations of insurance eligibility or coverage; risk adjusting amounts due; billing, claims management, collection activities and related health care data processing; review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; utilization review activities; and disclosure to consumer reporting agencies of any of the following PHI relating to reimbursement: name and address; date of birth; social security number; payment history; account number; and name and address of the health care provider and/or health plan.
Health Care Operations include: conducting quality assessment/improvement activities (i.e., CQI); reviewing the competence/qualifications of health care professionals; underwriting, premium rating, and other activities relating to health insurance or health benefits; conducting or arranging for medical review, legal services, and auditing functions; business planning and development; business management and general administrative activities of the entity; resolution of internal grievances; due diligence in connection with the sale or transfer of assets to a covered entity; creating de-identified health information; and training.
Accordingly, providing PCR copies to the receiving hospital, to other providers giving care in a tiered system and to the EMS program agency for QI does not constitute a violation of the HIPAA regulations. (Page 5 of the New York State Department of Health Bureau of Emergency Medical Services POLICY STATEMENT No. 02-05 (10/29/02), RE: Prehospital Care Reports (PCRs).)
Okay, I can use and disclose PHI for purposes of treatment, payment and health care operations without getting the patient's prior consent, but are there limits on what I may USE and DISCLOSE? YES, based on the "minimum necessary" standard.
THE "MINIMUM NECESSARY" STANDARD: the "minimum necessary" standard requires covered entities to make reasonable efforts to limit the use and disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose.
The "MINIMUM NECESSARY" STANDARD: the covered entity must determine which classes within its workforce may routinely have access to and use of the minimum necessary PHI, based on the nature of their job functions and responsibilities and the nature of the information required to fulfill those functions and responsibilities, noting that such access and use is permitted only while on duty or during actual work shifts.
The "MINIMUM NECESSARY" STANDARD to accomplish the intended purpose. EMTs and Paramedics directly involved in the treatment of a patient need access to as much PHI as is necessary to provide patient treatment, transport and post-event patient activities, including but not limited to intake forms from the dispatch center, information from family and caretakers, and the PCRs (Prehospital Care Reports).
The "MINIMUM NECESSARY" STANDARD to accomplish the intended purpose. Dispatchers may use and access the PHI necessary to effectively dispatch the EMS provider and to complete intake forms in the course of pre- and post-patient event activities.
The "MINIMUM NECESSARY" STANDARD to accomplish the intended purpose. Billing clerks and other office support personnel may have access to intake forms, PCRs, billing claim forms, insurance information and other relevant records obtained from other facilities such as hospitals and nursing homes (patient face sheets, discharge summaries, physician certification statements, mobility assessments and statements of medical necessity) as part of their duties, in order to determine medical necessity for the services provided, to complete patient billing forms for internal use or for submission to third-party billing companies, and for reimbursement or collection activities.
The "MINIMUM NECESSARY" STANDARD to accomplish the intended purpose. Training coordinators may have access to and use of intake forms from the dispatch center and PCRs, but only to the extent necessary to carry out training, re-training and quality assurance activities. Since in most cases the individually identifiable patient information contained in such documents is not necessary for the intended use, that identifying information should be blackened out before the documents are used for such activities.
The "MINIMUM NECESSARY" STANDARD to accomplish the intended purpose. Field supervisors may access and use intake forms from the dispatch center and PCRs in overseeing the pre- and post-patient event and in fulfilling their overall supervisory, quality assurance review, counseling, disciplinary and training functions.
The "MINIMUM NECESSARY" STANDARD to accomplish the intended purpose. Department managers may access and use all PHI necessary to appropriately supervise and manage the "Emergency Medical Services Entity" and its personnel.
The "MINIMUM NECESSARY" STANDARD to accomplish the intended purpose. The Privacy Officer must have access to and use of all PHI maintained by the "Emergency Medical Services Entity" in order to properly monitor compliance pursuant to his/her job. (See the Privacy Officer job description for further detail.)
The "Minimum Necessary" standard does NOT apply, so do not hold back, when: disclosures to or requests by a health care provider are for treatment; uses or disclosures are made to the patient; specific uses and disclosures are pursuant to a valid authorization; certain disclosures are made to the U.S. Secretary of Health & Human Services for oversight/enforcement purposes; uses or disclosures are required by law (e.g., a court order); or uses or disclosures are required for HIPAA compliance.
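The role slides above amount to a least-privilege policy: each workforce class gets a record scope and a set of purposes, routine access is tied to being on shift, training use gets identifiers blackened out, and the exemptions on this slide switch the minimum-necessary limit off. The Python below is an added example, not code from the presentation, showing one way to encode that as a default-deny access decision; the record-type and purpose labels, the shift windows and the exemption names are assumptions made for the example. One design choice to note: a claimed exemption lifts the purpose and redaction limits but the example still requires the record type to be one the role handles at all, so a dispatcher cannot pull billing claims by asserting "disclosure to patient".

```python
"""Minimum-necessary access decision for EMS records (added example, not from the page)."""
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    ALLOW_REDACTED = "allow with identifiers blackened out"
    DENY = "deny"


ALL_RECORDS = frozenset({"dispatch_intake", "pcr", "claim", "insurance", "facility_record"})

# Workforce classes mapped to the record types and purposes the role slides describe.
# Record-type and purpose labels are assumptions for this example; purposes=None
# means any purpose consistent with the role (department managers, privacy officer).
ROLE_POLICY = {
    "emt": dict(records={"dispatch_intake", "pcr"}, purposes={"treatment"}, redact=False),
    "dispatcher": dict(records={"dispatch_intake"}, purposes={"dispatch"}, redact=False),
    "billing_clerk": dict(records=ALL_RECORDS, purposes={"payment"}, redact=False),
    "training_coordinator": dict(records={"dispatch_intake", "pcr"},
                                 purposes={"training", "quality_assurance"}, redact=True),
    "field_supervisor": dict(records={"dispatch_intake", "pcr"},
                             purposes={"supervision", "quality_assurance",
                                       "training", "discipline"}, redact=False),
    "department_manager": dict(records=ALL_RECORDS, purposes=None, redact=False),
    "privacy_officer": dict(records=ALL_RECORDS, purposes=None, redact=False),
}

# Situations in which the minimum-necessary standard does not apply (assumed labels).
MIN_NECESSARY_EXEMPT = frozenset({
    "treatment_disclosure_to_provider", "disclosure_to_patient", "valid_authorization",
    "hhs_oversight", "required_by_law", "hipaa_compliance",
})


@dataclass
class AccessRequest:
    role: str
    record_type: str
    purpose: str
    requested_at: str                 # ISO 8601 timestamps throughout
    shift_start: Optional[str]        # None when the requester is not rostered
    shift_end: Optional[str]
    exemption: Optional[str] = None   # a MIN_NECESSARY_EXEMPT label, if claimed


def on_duty(req: AccessRequest) -> bool:
    """Routine access is permitted only during an actual work shift."""
    if req.shift_start is None or req.shift_end is None:
        return False
    now = datetime.fromisoformat(req.requested_at)
    return datetime.fromisoformat(req.shift_start) <= now < datetime.fromisoformat(req.shift_end)


def decide(req: AccessRequest) -> tuple:
    """Return (Decision, reason). Default is deny; every allow states its basis."""
    policy = ROLE_POLICY.get(req.role)
    if policy is None:
        return Decision.DENY, f"unknown workforce class {req.role!r}"
    if not on_duty(req):
        return Decision.DENY, "PHI access is permitted only while on duty"
    if req.record_type not in policy["records"]:
        return Decision.DENY, f"{req.role} has no routine need for {req.record_type}"
    if req.exemption is not None:
        # Exemptions lift the purpose and redaction limits, not the role's record scope.
        if req.exemption not in MIN_NECESSARY_EXEMPT:
            return Decision.DENY, f"unrecognised exemption {req.exemption!r}"
        return Decision.ALLOW, f"minimum-necessary limit does not apply: {req.exemption}"
    if policy["purposes"] is not None and req.purpose not in policy["purposes"]:
        return Decision.DENY, f"{req.purpose!r} is outside the purposes permitted to {req.role}"
    if policy["redact"]:
        return Decision.ALLOW_REDACTED, "identifiers are not needed for this purpose"
    return Decision.ALLOW, "within routine minimum-necessary scope"


# Constructed shift windows for the demonstration.
ON_SHIFT = dict(requested_at="2015-04-28T10:00:00",
                shift_start="2015-04-28T08:00:00", shift_end="2015-04-28T16:00:00")
OFF_SHIFT = dict(requested_at="2015-04-28T23:30:00",
                 shift_start="2015-04-28T08:00:00", shift_end="2015-04-28T16:00:00")

if __name__ == "__main__":
    samples = [
        AccessRequest("training_coordinator", "pcr", "training", **ON_SHIFT),
        AccessRequest("emt", "pcr", "treatment", **OFF_SHIFT),
        AccessRequest("emt", "pcr", "treatment", **ON_SHIFT,
                      exemption="treatment_disclosure_to_provider"),
        AccessRequest("dispatcher", "claim", "dispatch", **ON_SHIFT,
                      exemption="disclosure_to_patient"),
    ]
    for req in samples:
        decision, reason = decide(req)
        print(f"{req.role:22} {req.record_type:16} {decision.value:36} {reason}")
```

Every deny and every allow carries a reason string, which is what an auditor or the Privacy Officer needs in the access log; a bare boolean leaves nobody able to reconstruct why a PCR was opened at 23:30 by someone not on shift.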
WHAT ELSE MUST A COVERED ENTITY DO? A covered entity must take steps to protect and safeguard a patient's PHI by establishing and implementing policies and procedures that protect against intentional and unintentional improper uses and disclosures of PHI and that limit the disclosure of PHI to the amount reasonably necessary to achieve the purpose of the disclosure.
A Notice of Privacy Practices is a document created by you and given to patients to inform them of your uses and disclosures of PHI and of their rights with respect to such disclosures.
When must a Notice of Privacy Practices be given to a patient? On the date of first service, EXCEPT in the event of an emergency, in which case the Notice must be provided as soon as reasonably practicable after the emergency. As a practical matter, the Notice may be left at the hospital with direction that it be given to the patient as soon as the emergency subsides, or be sent by mail.
Does a covered entity need to document that it has given a patient the Notice? Yes, except in emergency situations.
Does the covered entity have to document the provision of the Notice? A covered entity must make a good faith effort to obtain the patient's written acknowledgment of receipt of the covered entity's Notice of Privacy Practices ("Acknowledgment"). However, this requirement is waived in emergency situations where obtaining a patient's acknowledgment is not feasible or practicable.
HOWEVER, where extenuating emergency circumstances do not exist, such as non-emergency transportation by ambulance providers of the elderly (who may be suffering from an incapacitating or stressful condition that requires transport by ambulance but are not in a crisis situation), a patient assist (MVA without injury), or cases where a patient executes a patient refusal, the EMS provider is expected to provide patients with the Notice at the time of service and to make a good faith effort to obtain their acknowledgment of receipt.
What Information Must Be in a Notice of Privacy Practices? A Notice of Privacy Practices must be written in plain language and must carry the following statement as a header or otherwise prominently displayed: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY." AND...
What Information Must Be in a Notice of Privacy Practices? A detailed description, including at least one example, for each applicable purpose (treatment, payment, and health care operations); a description of each of the other purposes for which the covered entity is permitted or required to use or disclose PHI without the patient's written authorization; and a statement that other uses and disclosures will be made only with the patient's written authorization and that the patient may revoke such authorization. AND...
What Information Must Be in a Notice of Privacy Practices? Separate statements, in sufficient detail, for certain uses or disclosures: that the covered entity may contact the patient to provide appointment reminders (for non-emergency transport), treatment alternatives or other health-related benefits and services that may be of interest to the patient; or that the covered entity may contact the patient to raise funds for the covered entity (but not for the benefit of a third party). A statement of the patient's rights and a brief description of how the patient may exercise them, including the right to: request restrictions on certain uses and disclosures of PHI (with a statement that the covered entity is not required to agree to a requested restriction); receive confidential communications of PHI; inspect and copy PHI; amend PHI; receive an accounting of disclosures of PHI; and obtain a paper copy of the notice from the covered entity upon request, even if the patient has previously agreed to receive the notice electronically. AND...
... And a Notice of Privacy Practices must contain: a statement of the covered entity's duties, stating that the covered entity is required by law to maintain the privacy of PHI and to provide patients with notice of its legal duties and privacy practices with respect to PHI, and to abide by the terms of the notice currently in effect; that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all PHI it maintains; and that changes in its privacy practices are announced by issuing a revised notice, with a description of how it will provide patients with the revised notice. A statement that patients may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, including a brief description of how the patient may file a complaint with the covered entity, and a statement that the patient will not be retaliated against for filing a complaint. The name or title and telephone number of a person or office to contact for further information concerning privacy practices, and the effective date (which may not be earlier than the date on which the notice is printed or otherwise published).
WHEN IS AN AUTHORIZATION REQUIRED? Covered entities must obtain a patient's authorization for the use and disclosure of PHI for purposes OTHER than treatment, payment and health care operations and the various public purposes the rule permits. All such use or disclosure must be consistent with the authorization. The covered entity must document and retain all signed authorizations.
To be valid, an authorization must be written in plain language and contain the following core elements: a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion; the name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure; the name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure; an expiration date or an expiration event that relates to the patient or to the purpose of the use or disclosure; a statement of the patient's right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the patient may revoke the authorization; and a statement that information used or disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and may no longer be protected by this rule.
AND the authorization must also contain: a statement that treatment is not conditioned on the signing of the authorization (except in certain specifically stated circumstances, e.g., research projects); a statement as to whether the requested use or disclosure is for marketing purposes that will result in direct or indirect remuneration to the covered entity from a third party; and the patient's signature and date, or, if signed by a personal representative of the patient, a description of that representative's authority to act for the patient. A covered entity must provide the patient with a copy of the signed authorization.
An authorization is NOT valid if: the expiration date has passed or the expiration event is known by the covered entity to have occurred; the authorization has not been filled out completely with respect to the required elements; the authorization is known by the covered entity to have been revoked; or any material information in the authorization is known by the covered entity to be false. An authorization for use or disclosure of PHI may not be combined with any other document to create a compound authorization, except in limited circumstances.
A covered entity MAY NOT condition the provision of treatment on the provision of an authorization (except that a covered health care provider may condition the provision of research-related treatment on an authorization). A patient may revoke an authorization at any time, provided the revocation is in writing, except to the extent that the covered entity has already taken action in reliance on it, or, if the authorization was obtained as a condition of obtaining insurance coverage, other law provides the insurer with the right to contest a claim under the policy. BEST ADVICE: upon receipt and before any disclosure, all authorizations should be reviewed carefully by the Privacy Officer, and if in any doubt about compliance, consult your attorney!
CAN I SHARE PHI, without getting a patient's authorization, with any of the following: independent dispatch centers; billing service/agency; collection agency; accountants; attorneys; consultants or administrative/management services companies; answering services; lockbox services; transcription services; practice management software vendors; electronic medical records software vendors; hardware maintenance services; off-site record storage; and any other independent contractor who performs any function requiring the use or disclosure of PHI for or on behalf of the Emergency Medical Services Entity?
YES, if they are "business associates" providing certain functions, activities, or services to you or on your behalf, and they agree to be subject to certain conditions.
UNDER WHAT CONDITIONS MAY A COVERED ENTITY SHARE PHI WITH A BUSINESS ASSOCIATE? A covered entity may share PHI with its "business associate" as long as the covered entity obtains satisfactory assurances, through a written contract, that the business associate will, among other things: use the information only for the purposes for which it was engaged; safeguard the information from misuse; help the covered entity comply with its duties to provide patients with access to health information about them and a history of disclosures; not use or further disclose the PHI except as permitted under the written contract, the HIPAA Privacy Rule and applicable State law, as each may be amended from time to time; AND under NO circumstances disclose PHI for any independent use of its own.
What Must Be Done under HIPAA. CONDUCT A CURRENT STATUS ASSESSMENT (GAP ANALYSIS): take steps to assess the entity's current status with respect to patient privacy. APPOINT A PRIVACY OFFICER who will be responsible for the development and implementation of the covered entity's privacy policies; a contact person must also be designated who will be responsible for receiving complaints. For routine and recurring uses and disclosures: current practices and procedures must be reviewed with the intent to revise existing policies and procedures, or create new ones, that will protect against intentional and unintentional uses and disclosures that violate HIPAA and limit the disclosure of PHI to the amount reasonably necessary to achieve the purpose of the disclosure. For all other disclosures: covered entities must establish criteria that limit the disclosure of PHI to the amount reasonably necessary to achieve the purpose of the disclosure, and review all requests for disclosure against those criteria.
DRAFT WRITTEN POLICIES & PROCEDURES dealing with: uses and disclosures of PHI, including those that require authorization and those that do not; revocation of authorization; disclosures to personal representatives; disclosures to business associates; compliance with the rules regarding the release of minimum necessary PHI; implementation of the right to request restrictions on the release of information; creation of de-identified information; complaints; accountings; access to PHI; sanctions for personnel who fail to comply with policies and procedures; changes to policies and procedures; and retention of copies of policies and procedures for at least 6 years after creation or after the date they were last in effect, whichever is later (so an amended policy is kept, not discarded).
DRAFT A NOTICE OF PRIVACY PRACTICES. DRAFT CONFORMING FORMS. TRAINING: the covered entity must train all personnel on its PHI policies and procedures, as necessary and appropriate to carry out their functions within the entity: for current personnel, by April 14, 2003; for new personnel, within a reasonable period after joining the entity; and for all personnel, within a reasonable time after any material policy and/or procedure change. REVIEW ALL CONTRACTS and ENTER INTO BUSINESS ASSOCIATE AGREEMENTS AS NECESSARY. HAVE EMPLOYEES, VOLUNTEERS, TRAINEES and OTHERS SIGN CONFIDENTIALITY AGREEMENTS.