Presentation is loading. Please wait.

Presentation is loading. Please wait.

IMPLEMENTING THE HIPAA PRIVACY RULES Presentation to the Coalition of Voluntary Mental Health Agencies May 31, 2002 Prepared By: Robert Belfort Kalkines,

Published byAna Temby Modified over 9 years ago

Similar presentations

Presentation on theme: "IMPLEMENTING THE HIPAA PRIVACY RULES Presentation to the Coalition of Voluntary Mental Health Agencies May 31, 2002 Prepared By: Robert Belfort Kalkines,"— Presentation transcript:

1 IMPLEMENTING THE HIPAA PRIVACY RULES Presentation to the Coalition of Voluntary Mental Health Agencies May 31, 2002 Prepared By: Robert Belfort Kalkines, Arky, Zall & Bernstein LLP 1675 Broadway, Suite 2700 New York, New York 10019 (212) 830-7270 rbelfort@kazb.com

2 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 1 A BRIEF HISTORY OF THE PRIVACY RULE Enactment of HIPAA Statute 8/21/96 Deadline for Congressional action 8/21/99 HHS adheres to final rule 4/14/01 Final rule reopened for comment 3/14/01 Final rule adopted 12/28/00 Proposed rule issued 11/3/99 HHS issues guidance 7/6/01 Modifications to rule proposed 3/27/02 End of comment period on proposed changes 4/26/02 Adoption of changes to rule Summer 2002? Compliance date 4/14/03

3 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 2 KEY COMPLIANCE ISSUES u Proper use and disclosure of protected health information (PHI) u Application of “minimum necessary” standard u Execution of business associate contracts u Accommodation of patient rights u Creation of administrative, physical and technical safeguards u Issuance of privacy notice u Appointment of privacy officer

4 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 3 u Individually identifiable health information –created or received by provider, plan, clearinghouse or employer –relates to individual’s health, provision of care or payment for care –identifies or could reasonably be used to identify the individual u Transmitted or maintained in any form WHAT IS PHI?

5 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 4 HOW CAN PHI BE USED OR DISCLOSED? Patient Type of Use or Disclosure Approval Required? 1 Treatment, payment and health care operationsConsent optional (subject to limited exceptions) Psychotherapy notes for most purposesAuthorization required Certain marketing and fundraising activitiesNo authorization required Facility directories, family members and disaster reliefOpportunity for oral objection by patient IRB-approved research following specified protocolsNo authorization required “National Priority” disclosuresNo authorization required Other uses and disclosures not subject to specific exceptionAuthorization required 1 Assumes adoption of proposed amendments to rule.

6 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 5 u Quality improvement u Reviewing provider qualifications and performance u Underwriting, rating and related activities u Medical review, legal services and auditing u Business planning and development u Business management and general administration WHAT ARE HEALTH CARE OPERATIONS?

7 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 6 WHAT ARE PSYCHOTHERAPY NOTES? u Recorded by a mental health professional u In any medium u Documenting or analyzing contents of conversation during private or group counseling session u Separated from rest of medical record u Excludes medication monitoring, session times, modalities of treatment, test results and summary of diagnosis, functional status, treatment plan, symptoms, prognosis and progress

8 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 7 WHEN MAY PSYCHOTHERAPY NOTES BE DISCLOSED? u By originator for treatment u Mental health training programs u Defense of legal action brought by patient u Certain health oversight activities

9 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 8 u Must specifically identify information being disclosed, its recipients and purpose of disclosure u May not be combined with other documents u Must include expiration date or event u Must be signed by patient or personal representative WHAT ARE THE ELEMENTS OF AN AUTHORIZATION?

10 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 9 u Types of marketing permitted without authorization –face-to-face –products or services of nominal value u In name of covered entity u Disclosure of remuneration u Opt out procedures u Determination and disclosure of patient benefit if health status-based MARKETING EXCEPTION

11 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 10 u By covered entity, business associate or related foundation u Disclosable or usable information –demographic information –dates of care provided u Opt out procedures FUNDRAISING EXCEPTION

12 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 11 u Required by law u Public health u Neglect and abuse u Health oversight u Legal proceedings u Law enforcement u Decedents u Cadaveric donations u IRB-approved research u Health or safety threat u Specialized government functions u Workers’ compensation NATIONAL PRIORITY DISCLOSURES

13 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 12 When using or requesting protected health information, covered entities “must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.” “MINIMUM NECESSARY” STANDARD

14 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 13 u Treatment u Disclosures to other covered entities u Compliance with law u Disclosures pursuant to patient’s authorization u Disclosure to patient EXCEPTIONS TO MINIMUM NECESSARY

15 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 14 u Internal role-based access u Policies and procedures for routine disclosures u Criteria for all other disclosures IMPLEMENTING MINIMUM NECESSARY

16 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 15 u Provides specified functions to or on behalf of covered entity u Exceptions –Members of workforce –Members of hospital medical staff –Members of “organized health care arrangement” –Plan sponsors –Financial institutions processing consumer transactions –“Conduits” WHO IS A BUSINESS ASSOCIATE?

17 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 16 WHO IS A BUSINESS ASSOCIATE? u Billing companies u Computer maintenance vendors u Transcription services u Attorneys u Accountants u Compliance consultants u Employees u Student trainees u Federal Express u AOL u Referring providers u Third party payers YesNo

18 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 17 u Permitted uses and disclosures u Adoption of safeguards and reporting of unauthorized disclosures u Compliance by subcontractors u Access, amendment and accounting by patients u Access by HHS u Return or destruction of records if feasible u Termination for material breach BUSINESS ASSOCIATE CONTRACTS

19 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 18 WHEN MUST BUSINESS ASSOCIATE PROVISIONS BE IN PLACE? Contract StatusCompliance Date Executed on or after April 14, 2003Date of execution Executed prior to April 14, 2003 with no amendments or April 14, 2004 renewals prior to April 14, 2004 Executed prior to April 14, 2003 with amendment orDate of amendment renewal between April 14, 2003 and April 14, 2004or renewal

20 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 19 u If covered entity knows of improper pattern of activity or practice u Covered entity must take reasonable steps to cure breach u If cure unsuccessful, covered entity must –terminate, if feasible; or –report problem to HHS WHEN ARE YOU LIABLE FOR BUSINESS ASSOCIATES?

21 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 20 PATIENT ACCESS TO PHI u Access or copies u Time frames u Appeal rights u Reasonable copying charges u Exception for psychotherapy notes

22 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 21 PATIENT AMENDMENT OF PHI u Time frames u No obligation to amend u Informing other entities u Statement of disagreement

23 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 22 ACCOUNTING OF DISCLOSURES Accounting RequiredAccounting Not Required u To HHS u Permitted marketing u Permitted fundraising u Research without patient authorization u Public interest purposes not covered by exemption u Treatment, payment and health card operations u Individual’s written authorization u To individual u Pursuant to oral agreement u National security or intelligence u Correctional institutions or law enforcement agencies

24 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 23 Type of PHI Scope of Safeguards WHAT SAFEGUARDS ARE REQUIRED? Electronic Paper Oral 6 Rely on proposed security rules 6Proposed security rules, where applicable 6Faxes 6Public postings 6File cabinets 6Proposed security rules, where applicable 6Telephone 6Hallway conversations 6Public announcements

25 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 24 u Mandated header u Permitted uses and disclosures (examples) u Separate statement for certain uses u Individual rights u Covered entity’s duties u Complaints u Contact information KEY ELEMENTS OF PRIVACY NOTICE

26 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 25 u Provide at first contact after compliance date u Make good faith effort to obtain written acknowledgement u Make available on-site at patient request u Make available by mail at patient request u Post on-site in conspicuous location PRIVACY NOTICE — DISTRIBUTION REQUIREMENTS

27 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 26 u Oversee implementation of policies and procedures u Answer questions u Handle complaints u Investigate privacy breaches u Conduct audits u Review contracts u Coordinate employee training PRIVACY OFFICER DUTIES

28 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 27 u HIPAA provides floor but not ceiling — more stringent state laws not pre-empted u Exceptions –Certain state public health and auditing laws –HHS determination based on specified factors RELATIONSHIP TO STATE LAWS

29 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 28 SAMPLE COMPLIANCE TIMELINE Education Gap Analysis Remediation Testing Training MaySeptemberJanuaryApril 2002200320032003

30 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 29 ALTERNATIVE COMPLIANCE TIMELINE Procrastination Infighting Half-hearted efforts Panic Finger-pointing MaySeptemberJanuaryApril 2002200320032003

31 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 30 DEFINE THE COVERED ENTITY u Affiliates u Hybrid entities/health care components u Organized health care arrangements

32 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 31 CONSIDERATIONS IN DEFINING ENTITY u Standardization of policies u Centralization of administration u Sharing of information u Liability concerns

33 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 32 GAP ANALYSIS OPTIONS Staff Resources Financial Resources Low On-site Consultants Professional Self-Assessment Tool Self- Assessment High Moderate High Low Moderate

34 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 33 CREATE PHI FLOW CHART Patient Clinician Registration Billing Medical Records Other Providers Accounts Receivable Payers DOH QA Patient Finance Collection Agency

35 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 34 ANALYZE EACH USE AND DISCLOSURE u Consent or authorization required? u Minimum necessary applicable? Satisfied? u Business associate contract required? In place? u Subject to accounting? Recorded?

36 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 35 REVIEW PATIENT RIGHTS’ POLICIES u Access and copying of records u Amendment of records u Restriction on uses

37 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 36 REVIEW ELECTRONIC DATA SAFEGUARDS u Administrative policies u Physical plant security u Technical security measures –catalogue hardware and software (Y2K inventory) –compare security features to security regulations

38 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 37 REVIEW OTHER POLICIES AND PRACTICES u Fax u File cabinets u Telephone u Waiting room procedures u Hallway conversations u Posted information

39 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 38 EVALUATE COMPLIANCE OPTIONS u Prioritize initiatives u Reasonableness considerations u Scalability u Documentation u Maintaining confidentiality

40 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 39 KEY REMEDIATION STEPS u Revise policies and procedures u Document policies and procedures u Execute business associate contracts u Upgrade security of software and hardware u Secure physical plant u Prepare privacy notice, consent and authorization form u Appoint privacy officer

41 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 40 CONDUCT EMPLOYEE TRAINING u Differentiate by employee roles u Initial training before April 14, 2003 u Build into hiring process u Regular refresher training

42 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 41 TRAINING OPTIONS u Internal trainer u Outside attorney or consultant u Written manual u Videotape or CD-ROM

43 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 42 CIVIL PENALTIES u $100 per violation u $25,000 per year cap for each type of violation u Cooperative approach by HHS –reasonable diligence standard –technical assistance –informal dispute resolution

44 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 43 Maximum Offense Maximum Fine Prison Term Use of unique health identifier, or acquisition of individually identifiable health information$50,000One Year (“basic offense”) Basic offense under false pretenses$100,000Five Years Basic offense for commercial advantage, personal gain or malicious harm$250,000Ten Years CRIMINAL PENALTIES

45 K ALKINES, A RKY, Z ALL & B ERNSTEIN LLP  HIPAA Compliance Presentation - May 31, 2002 44 HELPFUL WEB SITES http://aspe.hhs.gov/admnsimp http://www.hhs.gov/ocr/hipaa http://snip.wedi.org http://www.cpri-host.org http://www.ahima.org 251565

Download ppt "IMPLEMENTING THE HIPAA PRIVACY RULES Presentation to the Coalition of Voluntary Mental Health Agencies May 31, 2002 Prepared By: Robert Belfort Kalkines,"

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
Minimum Necessary Standard Version 1.0

Minimum Necessary Standard Version 1.0
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.

HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.

Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
P E N N S Y L V A N I A C O A L I T I O N A G A I N S T D O M E S T I C V I O L E N C E P E N N S Y L V A N I A C O A L I T I O N A G A I N S T RAPE HIPAA.

P E N N S Y L V A N I A C O A L I T I O N A G A I N S T D O M E S T I C V I O L E N C E P E N N S Y L V A N I A C O A L I T I O N A G A I N S T RAPE HIPAA.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
HIPAA The Hidden Beast June Kissinger Director, Risk Management Support Services March 12, 2003.

HIPAA The Hidden Beast June Kissinger Director, Risk Management Support Services March 12, 2003.
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
Presented by the Office of the General Counsel An Overview of HIPAA.

Presented by the Office of the General Counsel An Overview of HIPAA.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training

Similar presentations

Ads by Google