HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT 1996 (presentation transcript)



3 WHO DOES HIPAA AFFECT? – COVERED ENTITIES
A Covered Entity is:
- A Health Plan
- A Health Care Provider (who uses electronic transactions)
- A Clearinghouse
See 42 USC 1320d – 1320d-9 for Privacy related statutes; 45 CFR Parts 160 and 164

4 WHAT IS PROTECTED HEALTH INFORMATION (PHI)
PHI is information that:
- Comes from a health care provider or health plan
- Identifies an individual or could be used to identify an individual
- Describes the health care, condition, or payments of an individual

5 PHI - CONT.
- Describes the demographics of an individual, including such things as name, address, date of birth, telephone number, social security number, medical record number, or any other unique identifying characteristic
- Excludes FERPA protected information, employer held information, and records regarding a person who has been dead for over 50 years
45 CFR 160.103

6 HIPAA BUSINESS STRUCTURES
- Covered Entities
- Hybrid Entities
- Business Associates

7 HYBRID ENTITIES
- AZ government took a unique approach and declared itself a Hybrid. It looked at each agency’s business operations and determined which components would be HIPAA covered.
- DHS, AHCCCS, ADOA, DES, DCS, and Universities all have HIPAA covered components
- Many other states started at the agency level only; cf. AZ has a state privacy officer at ADOA

8 BUSINESS ASSOCIATE
- A Business Associate (BA) is an agent or contractor that provides a service on behalf of the covered entity and comes into contact with PHI. 45 CFR 160.103
- A Business Associate Agreement (BAA) should be executed prior to the services taking place
- The AG’s Office is a BA to DHS, DES, and DCS. AGO Business and Finance is the keeper of these agreements
- AGO or state contractors who see/hold an AZ HIPAA covered client’s PHI are also Business Associates. This may include experts, consultants, law firms, and court reporters

9 PORTABILITY OF PHI
Transactions/sharing of PHI between Covered Entities and Business Associates for the purposes of Treatment, Payment, and Health Care Operations (TPO) are allowable without an individual’s authorization
45 CFR 164.502(a), -506, and -508(a)(2)

10 PUBLIC HEALTH AUTHORITIES
- Disclosures to a Public Health Authority are allowable
- A Public Health Authority is an entity that is responsible for public health matters as part of its official mandate
  - Preventing or controlling disease, injury, and disability
  - Vital events like deaths and births
- The AZ Department of Health Services is the primary state Public Health Authority in Arizona
- Other Public Health Authorities are agencies that perform activities authorized by law, including audits, inspections, licensure, and civil, administrative, and criminal investigations
  - State and local health departments
  - FDA
  - Centers for Disease Control and Prevention
  - Agencies authorized to take reports of child/adult abuse or neglect
45 CFR 164.501 and -512(b) and (c)

11 HEALTH OVERSIGHT AGENCIES
A Health Oversight Agency is one that performs activities authorized by law including audits, investigations, inspections, licensure, and civil, administrative, and criminal investigations/prosecutions. 45 CFR 164.501 and -512(d)
The goals of these public agencies include:
- Preventing fraud
- Ensuring non-discrimination
- Improving quality of care
- Monitoring safety
- Ensuring compliance with legal requirements
Examples of agencies that fall in this category are:
- Medicaid Fraud Units
- US DOJ
- State Insurance Commissioners
- Professional Licensing Boards
- OSHA
- US DHHS Office for Civil Rights
- EPA
- FDA

12 RELEASE OF PHI TO LAW ENFORCEMENT
PHI may be released to law enforcement:
- With an authorization
- With a subpoena, court order, or summons
- When the PHI pertains to specific injuries such as a gun shot wound, powder burn, or knife wound (state law may require = “required by law”)
- In an attempt to minimize imminent danger (avert a serious threat)
- When necessary to locate a suspect, fugitive, material witness, or missing person and the disclosure will avoid or minimize an imminent danger
- When the information is related to the victim of a crime
- When the information is regarding a crime on the covered entity’s property
- For the reporting of child or vulnerable adult abuse or neglect and other mandatory reporting
- Special considerations for homeland security and national security
45 CFR 164.512(f)

13 AUTHORIZATIONS
- A subpoena, court or administrative tribunal order, or an authorization is needed for anything outside of disclosures for TPO, those mandated by law, or to a health care oversight agency or public health authority. 45 CFR 164.502(a) and -512; ARS 12-2294.01
- An authorization is always needed for psychotherapy notes. 45 CFR 164.501 and -512

14 ELEMENTS OF AN AUTHORIZATION
The authorization must:
- Be written in plain language
- Contain a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion
- Have the name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure
- Contain a description of each purpose of the requested use or disclosure
- Have an expiration date or expiration event that relates to the individual or the purpose of the use or disclosure
- Be signed by the individual (or a personal rep.) and dated

15 REQUIRED STATEMENTS
The authorization must also state:
- The individual’s right to revoke the authorization in writing, and a description of how the individual may revoke the authorization
- The ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization
- The consequences to individuals if they refuse to sign the authorization
45 CFR 164.508(b)

16 AUTHORIZED REPRESENTATIVE OR DESIGNATED REPRESENTATIVE
- An Authorized or Designated Representative may sign an authorization as long as the entity releasing the information has a record of this conveyance of authority on file. 45 CFR 164.502(g)
- Under HIPAA, this is a state law determination and is the individual who makes health care decisions for another individual (a parent, via a specific power of attorney, guardianship order, etc.)

17 RE-DISCLOSURE
- Unless prohibited by Federal or State law, PHI authorized by an individual for disclosure may be subject to re-disclosure and no longer protected by HIPAA. 45 CFR 164.508(c)(2)(iii)
- Whether the information remains protected depends on whether the recipient is subject to other Federal or State privacy laws, court protective orders, or other lawful process

18 RE-DISCLOSURE IN LITIGATION
- Once the medical or behavioral health records are obtained by a party in civil litigation, they will likely be subject to discovery unless another law protects them or they are deemed not relevant by a court
- Efforts to protect the privacy interests of complainants in suits brought by the State may result in disclosure of the records and even court sanctions

19 TORT: MEDICAL MALPRACTICE, NEGLIGENCE, WRONGFUL DEATH…
- When a HIPAA covered provider such as a hospital, doctor’s office, dentist, or clinic is sued by a former patient or the estate of a former patient, it may use and disclose the PHI of the alleged victim as part of the litigation (subject to being sealed by a court). This is allowable under “Health Care Operations.” 45 CFR 164.501
- If the HIPAA covered entity is not a party to the proceeding, then a HIPAA authorization, court order, subpoena, or other lawful process must be used to obtain the PHI

20 CORRECTIONAL INSTITUTIONS
- PHI may be shared with a correctional institution if it is to be used for the provision of health care to the inmate or for the health and safety of employees of the institution and/or other inmates. 45 CFR 164.501
- The AZ Department of Corrections is not a covered entity as long as it does not engage in electronic billing. HIPAA only applies to providers performing electronic billing (unless they opt in). 45 CFR 160.103
- Inmates are not entitled to a Notice of Privacy Practices. They may not obtain copies of their medical records if it poses a threat to the health and safety of the inmate, other inmates, or staff of the institution

21 BREACH
- Misuse or loss of PHI is a breach and must be mitigated, along with notification to both the Secretary of the US DHHS and the client/patient
- If the loss or misuse affects more than 500 individuals, then the media must be notified
45 CFR 164.402, -404, -406, and -408

22 HHS OFFICE FOR CIVIL RIGHTS
OCR settlements (cost of mitigation and notification not included):

Date               | Entity                                  | Violation                                                                  | OCR Settlement
June 23, 2014      | Parkview Health System                  | Medical records dumping                                                    | $800,000
April 22, 2014     | Concentra Health Services               | Stolen laptop                                                              | $1,975,220
December 27, 2013  | Adult & Pediatric Dermatology P.C.      | Lack of policies and procedures in place to address breach notifications   | $150,000
August 14, 2013    | Affinity Health Plan                    | Photocopier memory not deleted before sale                                 | $1,215,780
July 11, 2013      | WellPoint Inc.                          | Web portal breach                                                          | $1,700,000
May 21, 2013       | Idaho State University                  | Patient data was accessible due to the firewall being disabled             | $400,000
January 2, 2013    | Hospice of North Idaho                  | Stolen laptop – affecting less than 500 individuals                        | $50,000
June 26, 2012      | Alaska Medicaid                         | Stolen USB drive                                                           | $1,700,000
September 17, 2012 | Massachusetts Eye and Ear Infirmary     | Stolen laptop                                                              | $1,500,000

23 PHI MUST BE SECURED IN ALL FORMS
- Written information (reports, charts, letters, messages, etc.)
- Oral communication (phone calls, meetings, informal conversations, etc.)
- E-mail, computerized and electronic information (computer records, faxes, voicemail, etc.)

24 COMPLAINTS
- All patients/clients and employees have the right to file a written complaint with the Covered Entity or with the US DHHS if they feel their or another individual’s HIPAA rights have been violated. 45 CFR 164.530
- Once a complaint has been filed, retaliation is prohibited. 45 CFR 164.530
DM 4119229 Aug. 2014
