HIPAA WORKSHOP UTA – HCAD Students By Barbara Odom-Wesley, PhD, RHIA May 27, 2003
OBJECTIVES Review the value of Medical Records Review Federal & State Requirements for Medical Record Privacy Update procedures regarding confidentiality & release of healthcare information Study the impact of HIPAA on medical practices
Medical Record Definition A compilation of pertinent facts of a patient’s life and health history, including past and present illnesses and treatments; written by the health professionals contributing to that patient’s care; compiled in a timely manner; and contains sufficient data to: Identify the patient; Justify the treatment; Support the diagnosis; Document the results
MEDICAL RECORD DOCUMENTATION Arrangement Forms Management Compliance Policies Analysis
WHY MEDICAL RECORDS? CLINICAL Patient Care Management Quality Review Research Public Health Education LEGAL Documentary Evidence Confidentiality FINANCIAL Medical Necessity Complexity Detail Services Substantiate Claims
STANDARDS JCAHO Joint Commission on Accreditation of Healthcare Organizations NCQA National Committee for Quality Assurance HEDIS Health Plan Employer Data & Information Set AAAHC Accreditation Association for Ambulatory Health Care TSBME Texas State Board of Medical Examiners
MORE STANDARDS Conditions of Participation (Medicare) Uniform Ambulatory Care Data Set Professionally Accepted Practices
OIG Compliance Plan Auditing & Monitoring Standards & Procedures Compliance Officer Training & Education Corrective Action Plan Communication Lines Disciplinary Standards
CONFIDENTIALITY CONCEAL OR REVEAL? Physician-patient relationship Medical Record ownership Texas Legal Statutes Senate Bill 667 Senate Bill 975 Senate Bill 11 Federal Law HIPAA
Senate Bill 667 Authored to reduce confidentiality threats Debated in four legislative sessions Passed by House and Senate May, 1995 Effective: January 1, 1996 1997 Revisions: SB 975 Support: THA, TxHIMA, Trial Lawyers
1997 Revisions (SB 975) Added Exceptions: Directory Information Transporting EMS Clergy Organ or tissue procurement American Red Cross Poison Control Center Utilization Review Agent incompetent to incapacitated Clarified court subpoena Fees Document certification Written questions ($10.00) None for patient examination None for Workers’ Comp.
Senate Bill 11 The Texas extended arm of HIPAA Disclose PHI for health research only with individual consent or IRB waiver. Composition & conduct of privacy board Disclose for health research if represented as necessity. Authorizes subject of research access to information at conclusion of trial. Use of PHI for public health activities without authorization. Prohibits re-identifying without authorization
SENATE BILL 11 PROVISIONS Prohibits disclosing, using, selling, or coercing consent for marketing purposes Extended to parties not covered by HIPAA (holder of insurance license) Amends insurance code to require authorization to disclose any nonpublic PHI Right of patient to revoke authorization Exempt: nonprofits, Workers’ Comp., Red Cross, offenders with mental impairments, educational records, public health authority Effective 9/1/01; insurance code amendments 1/1/02
HIPAA Health Insurance Portability and Accountability Act of 1996 Congress failed to adopt by August 21, 1999 as required by HIPAA; Privacy Standards developed by DHHS; Effective: 4/14/2001 History of Legislation
HIPAA http://aspe.os.dhhs.gov/admnsimp/ Pub.L.104-191 Federal Register vol. 65 no. 250, pp 82462-82829 Enacted April 14, 2001 Privacy implementation: April 14, 2003 Amended Public Health Service Act (PHS), Employee Retirement Income Security Act of 1974 (ERISA) Internal Revenue Code of 1986 Final Regulations August 14, 2002
Simplification Standards Extension: www.cms.gov/hipaa2/default/asp Electronic Exchange Unique Health Identifiers Code Sets Security Electronic Signatures Transmission of Data Privacy
HIPAA Privacy GOALS 1. Protect & enhance rights of consumers by providing them with access to their health information & controlling the inappropriate use of that information 2. Improve the quality of healthcare in the US by restoring trust in the healthcare system 3. Improve the efficiency and effectiveness of healthcare delivery by creating a national framework for health privacy protection
HIPAA Highlights Paper & verbal Preempts state law Mechanism for complaints Office of Civil Rights Administers Mitigation for Policy Violation Privacy Training Organization Requirements Definitions for appropriate release
PRIVACY STANDARDS Covered Entities Protected Health Information Consents Authorizations Rights of Individuals Privacy Officer Staff Training Business Associate Relationships Administrative Requirements Preemption Accounting for Disclosures Guidelines for Release
Covered Entities (CE) All but “small” health plans (<5 mil revenue) Implementation by 4/14/2004 Large health plans & healthcare providers Implementation by 4/14/2003 Health Care Clearinghouse Health Care Provider of Services or Supplies (direct/indirect treatment relationship)
COVERED ENTITIES (CE) Direct Care Providers – treatment relationship Indirect – delivers healthcare based on orders Provides service, product or report to another provider Clearinghouse – process or facilitates processing PHI received from CE
Organized Healthcare Arrangement Separate covered entities Establish clinically & operationally integrated systems Permitted to share information for TPO May use common Notice and Consent Example: hospital & its associated medical staff
Are you a CE? Cardiology Associates keeps medical records on paper and in file drawers and does not have electronic records. They only use the computers for accounting, scheduling and other limited purposes YES
What Information is Covered? Protected Health Information (PHI) Identifies an individual Relates to health, treatment, healthcare payment Created or received by CE Maintained or disclosed electronically, on paper, orally
Information Not Covered Individual health information loses its protections and may be used or disclosed freely if it can’t be used to identify an individual Must Remove all 18 identifiers
Covered Business Associates Performs or assists in the performance of a function or activity for the Covered Entity, not part of workforce. Confidentiality contract required: Attorneys Actuaries Accountants Consultants Computer Vendors Outsourced Services
BUSINESS ASSOCIATE TEST 1.On behalf of CE 2.Other than workforce 3.Involves use of PHI
Requirements for Business Associates Assurance they will safeguard information Contracts should set permitted uses & disclosures Contracts should stress privacy Safeguard PHI from misuse CE is not liable for violations
Enforce Contracts If the provider becomes aware of a “pattern of practice” that is a violation of contractual obligations, “reasonable steps” must be taken to solve the problem or the contract must be terminated. If the contract can’t be broken, the provider must report the problem to HHS.
Business Associates Final Reg. Changes Additional year to incorporate BA agreements not up for renewal (April 2004)
Identifying Business Associates WeCare, Inc., a local nursing home, hires a law firm to defend it in an elder abuse case. ASC discloses PHI to a health plan for payment purposes. Which of these entities, the law firm or the health plan would be a BA? The law firm is a BA. The health plan is not a BA.
PATIENT RIGHTS To consent for uses or disclosures of PHI to carry out treatment, payment, or healthcare operations, & the right to notice of privacy practices as part of the required consent form or process To access Protected Health Information (PHI) To accounting of how their PHI has been disclosed outside normal patient care channels To agree or object to certain disclosures To request amendment or correction to PHI To request restrictions on use of PHI for treatment, payment or healthcare operations
Consent Coverage TPO Treatment Direct and Indirect Payment UR, medical necessity, determination of coverage Operations QA, credentialing, peer review, quality analysis, accreditation, fraud/abuse monitoring
Requirements for CONSENTS May be written in general terms Provider can refuse to treat individuals who do not consent to uses & disclosures for treatment, payment, healthcare operations Can be combined into a single document covering all three activities & combined with other types of legal permission Consents may be revoked in writing at any time.
Consents not Required Indirect treatment relationship Inmates Required by law to treat Substantial barriers to communicate Emergency treatment (must obtain as soon as reasonable)
Psychotherapy Records CE’s must obtain the individual’s authorization to use or disclose psychotherapy notes to carry out TPO (other than originator of notes) Differs from other records because they do not include information that is needed typically for TPO Final rule, Section 164.508
Final Rule Changes to Consents Optional Direct Provider CE Written Acknowledgement alternative Document receipt of “Notice of Privacy Practices” Not required for emergencies Layered Notice encouraged Patient-friendly summary Full notice layered beneath Allows disclosure of PHI for another provider (TPO)
Need a Consent? A primary care physician sees a patient who has been experiencing arrhythmia. The physician refers the patient to a cardiologist for testing. The physician’s office calls the cardiologist’s office to arrange for an appointment for the patient. The patient would be new to the cardiologist’s practice. May the cardiologist schedule the appointment and review the patient’s information prior to the patient signing a consent? Under the final changes, prior consent is not required. A “Notice” is required to be provided.
Consent Required? An elderly woman is bedridden and is unable to leave the house to pick up her medications. She calls a friend and asks the friend to pick up the prescription for her. May the pharmacist give the prescription medication to the friend? Yes, there is implied consent. Prior consent is not required. The “Notice” should be given to the friend.
AUTHORIZATIONS Allows use & disclosure of PHI for purposes other than those covered by consent Must be written in specific terms with essential elements May not condition treatment on signing Can be revoked at any time.
VALID AUTHORIZATIONS Written, Dated Signed: Patient Legally Authorized Representative: Parent/Guardian Adult Guardian Durable Power of Attorney/Agent Attorney ad litem Information & Time Purpose To whom Facility to Release Right to withdraw Validity date (90 days) Photocopy valid
CONSENTS vs. AUTHORIZATIONS Consents: General language; One-time consent; Allows full exchange among treatment team; Refuse treatment without; Allows for TPO; May be revoked in writing. Authorizations: Specific, detailed; Required for each release; May not condition care on refusal; Psychotherapy records; Non-TPO purposes; Must keep a record.
Authorization Required? A person injured in a car crash is treated at an ASC. The ASC receives a request for medical records from an attorney who represents the driver in the automobile accident. The request states the attorney represents the driver who has been sued for negligence by the patient and to send the records to the lawyer within 15 days of receipt of the request. May the center disclose the patient’s records to the attorney without authorization from the patient? No, it requires an authorization or court order.
Authorization for Marketing? A group of oncologists have been approached by a pharmaceutical company to purchase the group’s patient list so the company may develop a new marketing plan for its pharmaceuticals. May the group sell its patient list? No, not without authorizations from each patient.
GUIDELINES FOR RELEASE Minimum Necessary Minors Deceased By Fax Subpoenas Copy Fees
Minimum Amount Necessary Covered Entities must make all reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.
Minimum Necessary Guides Establish role-based access for workforce Standard guidelines for recurring/routine disclosures Make determinations for “non-routine” disclosures Exception: disclosures for treatment Incidental disclosure not violation
Misuse of PHI The Widget Company establishes a group health plan for the benefit of its employees. A couple of employees of the company perform administrative functions for the group health plan. They sometimes have access to PHI. One of these employees learns that someone in the company has contracted hepatitis and tells her boss about the condition. The boss, fearful of the cost implications, decided to include the employee in a reduction in workforce. This violates the standards.
Deceased: Executor; Spouse; Adult Child; Parent; Adult Sibling; Statutory beneficiary. Minors: Emancipated (16, independent); Active Duty Military; Related to pregnancy; Related to chemical dependence; Counseling for abuse, suicide; Infectious, contagious, communicable diseases.
Written Denial of Request Form letter on office letterhead We are unable to respond because….. Incomplete identification of patient Office not specified to release Party to receive not specified Information to release not specified Authorization incomplete due to...
Responding to Requests Deny invalid authorization Never release originals Furnish copy, summary, narrative Delete information about others Provide within 30 days Notify patient of compulsory in 10 days Exception: Physician determines harmful
Protect Confidentiality Post notice on copies Prohibit redisclosure Provide other’s records only for original purpose of release
POST NOTICES Prohibition on Redisclosure This information has been disclosed from confidential records which are protected by federal law. Federal regulations prohibit the redisclosure of the information without the written consent of the person to whom it pertains.
RECEIVING PHI Any person who receives information made confidential by this Act may disclose the information to others only to the extent consistent with the authorized purposes for which consent to release the information was originally obtained. Furnish copies including records received from a physician or other health care provider involved in the care or treatment of the patient only for continued care or treatment.
EXCEPTIONS For Legal Purposes: Patient legal proceedings against physician substantiate & collect on claim Civil litigation or administrative proceeding Disciplinary investigations Involuntary commitments Criminal case involving patient Execution of Will Court Order or Subpoena
“COURT SUBPOENA” “As the author of S.B. 667, I can unequivocally state that it was not my intent to limit subpoena power for medical records to judges or remove that power from any legally authorized officer of the court who was empowered with such authority prior to the passage of SB 667. It was my intent that the term “court subpoena”, as used in SB 667, be interpreted to mean a subpoena issued by the officer of the court under the authority of the Texas Rules of Civil and Criminal Procedure or a subpoena issued under the authority of Chapter 121 of the Texas Civil Practices and Remedies Code.” –Frank Madla, Texas State Senate, District 19, March 8, 1996
SUBPOENAS Judicial Official legal order Issued by a court of law Compels to appear Nonjudicial Notary, court reporting service, record copying service Patient consent is required
Exceptions for Other Purposes: Governmental agencies Law enforcement Management audits Other physicians & personnel Collection of fees State Hospital inquiries Education, QA, peer review Custodial institutions IRB Research project HMO for statistics
Release by Fax Only when original hard copy, mail-delivered, will not meet needs of immediate patient care. Required for ongoing certification. Use cover sheet (confidentiality statement). Verify receipt. Photocopy thermal paper.
$ REASONABLE FEES $ Ten day notification requiring payment Not required to release until paid May not deny release based on past due account TSBME Effective: 4/16/96 First 20 pages = no more than $25.00 Each subsequent page = 15 cents Mailing/Delivery = actual costs Films/diagnostic imaging studies = $8.00
PREEMPTION HIPAA will preempt state laws relating to the privacy of individually identifiable information except for those that are contrary to and more stringent than the federal HIPAA requirements.
Individual Access To inspect & copy PHI for as long as CE maintains information. No automatic right to access: psychotherapy notes, information in criminal, civil, or administrative action, PHI exempted by CLIA CE must act within 30 days (60 if offsite) CE may charge fees based on cost CE must maintain records of personnel responsible for 6 years
Accounting for Disclosures Right to accounting for 6 years prior to request Exceptions: For payment, treatment, or operations To the individual patient For the directory or those involved in care National security or Intelligence purposes To correctional institutions or law enforcement Prior to compliance date Authorization received
Accounting for Disclosures Guidelines CE must act within 60 days CE must provide one free per year Must include date person to whom released description of information copy of authorization
DISCLOSURE LOG One in each patient record One line per disclosure Date Person/entity to whom released Information released Initials of staff who released Comments regarding release
Accounting Required? Dr. Green must document each time she consults the chart to answer a patient’s question. No, this is a use of the PHI, not a disclosure. What about when she calls another physician to discuss the patient’s condition? No, exceptions are those disclosures for TPO. Disclosures with authorization are also excepted.
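The accounting rules on the preceding slides (log fields, the 6-year lookback, the 60-day response window, one free accounting per year, and the TPO/authorization/pre-compliance exceptions) can be turned into a small disclosure-log routine. This is an added example, not material from the workshop; the purpose codes, field names and sample log entries are constructed for illustration.

```python
# Added example (not from the workshop slides): a per-patient disclosure log that
# produces the accounting of disclosures described on the slides. Purpose codes,
# field names and the sample entries are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta

PRIVACY_COMPLIANCE_DATE = date(2003, 4, 14)   # privacy implementation date from the slides
LOOKBACK_YEARS = 6                            # accounting covers 6 years prior to the request
RESPONSE_DAYS = 60                            # CE must act within 60 days

# Purposes the slides list as excepted from the accounting requirement.
EXEMPT_PURPOSES = {
    "treatment", "payment", "operations",     # TPO
    "to_individual",                          # disclosed to the patient
    "directory", "involved_in_care",          # directory / persons involved in care
    "national_security",
    "correctional", "law_enforcement_custody",
    "authorized",                             # made under a signed authorization
}

@dataclass
class Disclosure:
    """One line of the disclosure log (fields from the DISCLOSURE LOG slide)."""
    released_on: date
    recipient: str
    information: str
    staff_initials: str
    purpose: str          # constructed purpose code, see EXEMPT_PURPOSES
    comments: str = ""

def years_before(d, years):
    """Same calendar date `years` earlier; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)

def is_accountable(entry, request_date):
    """True if the entry must appear in an accounting requested on request_date."""
    if entry.purpose in EXEMPT_PURPOSES:
        return False
    if entry.released_on < PRIVACY_COMPLIANCE_DATE:    # prior to compliance date
        return False
    return entry.released_on >= years_before(request_date, LOOKBACK_YEARS)

def accounting_of_disclosures(log, request_date, accountings_in_past_year=0):
    """Return (entries, due_date, fee_may_apply) for a patient's accounting request."""
    entries = sorted((e for e in log if is_accountable(e, request_date)),
                     key=lambda e: e.released_on)
    due_date = request_date + timedelta(days=RESPONSE_DAYS)
    fee_may_apply = accountings_in_past_year >= 1      # first accounting each year is free
    return entries, due_date, fee_may_apply

# Constructed sample log for one patient.
SAMPLE_LOG = [
    Disclosure(date(2003, 3, 1), "Insurance auditor", "billing summary", "JM", "audit"),
    Disclosure(date(2003, 9, 10), "Police (court order)", "ER record", "JM", "court_order",
               "order on file"),
    Disclosure(date(2004, 3, 15), "Patient's attorney", "full record", "JM", "authorized"),
    Disclosure(date(2004, 4, 2), "County health dept.", "lab result", "BW", "public_health"),
    Disclosure(date(2004, 5, 10), "Dr. Lee, cardiology", "consult note", "BW", "treatment"),
    Disclosure(date(2004, 5, 20), "Patient", "copy of record", "BW", "to_individual"),
]

if __name__ == "__main__":
    found, due, fee = accounting_of_disclosures(SAMPLE_LOG, date(2004, 6, 1))
    for e in found:
        print(e.released_on, e.recipient, e.information, e.staff_initials, e.purpose)
    print("respond by", due, "| fee may apply:", fee)
```

Of the six sample entries only the court-order and public-health disclosures are accountable; the treatment, authorized and to-the-patient lines are excepted and the audit predates the compliance date.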
Request for Amendment CE may require written request with rationale CE has 60 days to act Notify individual that amendment accepted Inform relevant persons CE may deny request (written) physician not available not a part of designated record set(DRS) accurate & complete CE can prepare rebuttal Include with future disclosures
Denying Request Not created by CE Not part of designated record set Not available for inspection Accurate and complete Document denial Individual right to statement of disagreement
Designated Record Set (DRS) A group of records maintained by or for a CE : Medical records and billing records Used in whole or in part, by or for the covered entity to make decisions about individuals
Notice of Privacy Practices Written notice to patients including: Uses & disclosures of PHI Explanation of privacy rights Charges CE’s responsibility under HIPAA How to file complaints with CE or HHS Name/title/phone of contact person Effective date of notice
Notice Introduction This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please read it carefully. Include one example of each type of use and disclosure (TPO) that CE is authorized to make
NOTICE DISTRIBUTION Post in office Post on website Post in treatment areas Provide copies in office Use e-mail with patient permission No later than first service delivery Patient must acknowledge receipt
NOTICE Procedures Retain copies of notices issued Include version number & effective date Revise & communicate changes Do not combine with the consent except for research
PRIVACY OFFICIAL A CE must designate a privacy official who is responsible for the development and implementation of the privacy policies and procedures of the entity. AHIMA Certification CHP
Principles for Protecting PHI Notice – Existence & purpose known Choice – Collected & released with knowledge Access – Accurate, complete, timely Security – Reasonable safeguards Enforcement – Mitigation & penalties
SECURITY REGULATIONS Compliance: April 20, 2005 Administrative Safeguards policies & procedures to protect ePHI manage conduct of workforce Physical Safeguards unauthorized intrusions natural & environmental hazards Technical Safeguards technology to control access
Steps to HIPAA Compliance Appoint Leadership Team (Privacy Officer) Educate staff on requirements Review current procedures Conduct a gap analysis Set goals Identify resources needed Develop timeline & document progress
Compliance & Penalties Dept. of HHS – Office of Civil Rights Implementation & Enforcement Process complaints Civil: $100/violation to $25000/year for identical violation Criminal: knowing violations, false pretenses, personal gain/malice Fines: $50,000 - $250,000 Imprisonment 1 – 10 years
OFFICE PREPAREDNESS Appoint privacy officer Develop confidentiality policies/ procedures Define levels of access Design consent & authorization forms Include in Budget Upgrade Equipment (paper & electronic) Renovations for physical safeguards Review contractual agreements Train Staff
Release of Information Policies Limited Use Rule for purposes compatible with reason for collection Limited Disclosure Rule only for authorized purpose; employee confidentiality statement Minimal Disclosure Rule minimum necessary to accomplish purpose Accounting for Disclosure Rule maintain record of all access Security Rule administrative, technical, physical safeguards Notice of Practices
PROCEDURES NEEDED Consents Authorizations Amendments Patient Access Copying by Patient Denial of Access Nonretaliation for whistleblowers Opt-out (directories/marketing/ fundraising) Verification of identification for requestors Complaints Handling Sanctions Release without authorizations
Confidentiality & Office Dynamics Policies and Practices Staff Awareness Scheduling Appointments Calling patients from waiting room Posting information outside exam room Conversations among providers Architectural considerations
Sign-In Sheets Dr. Taylor’s practice utilizes patient sign-in sheets which patients sign when they arrive for an appointment. When Dr. Taylor is ready for her next appointment, the nurse calls out the patient’s name in the waiting room notwithstanding that there are others in the room as well. The intent of the regulations was not to prohibit this type of practice, but to make sure reasonable safeguards are put into place. Each provider will need to make their own business decisions regarding what these safeguards must be. There are reasonable options to these practices.
STAFF TRAINING Document for every employee with access to PHI Entire workforce must be trained prior to compliance date. New employees must be trained within reasonable time
Impact on Internship Students Workforce Training Sign Confidentiality Statements Demonstrate knowledge of standards Receive PHI only as required for the assignment Do not disclose PHI orally or in writing Respond appropriately to various situations
More Information www.ama-assn.org www.texmed.org www.ahima.org http://thomas.loc.gov www.mgma.com www.wedi.org www.hhs.gov/ocr/hipaa www.ncqa.org www.the-medicare.com www.cms.gov www.healthlawyers.org www.privacyassociation.org
RESOURCES Model Forms http://www.ama-assn.org/ama/pub/category/6698.html Physician Compliance Report www.hcmarketplace.com Medical Office Manager: Newsletter for Physician Office Administrators www.ardmorepublishing.com
PREPARE FOR THE FUTURE EDI transaction and code sets Security guidelines for technical components of protecting access to PHI Medical Errors & Documentation Patient Participation In Documentation The Paperless Office