UNDERSTANDING WHAT HIPAA IS AND IS NOT
Ann Agnew, DaSy Center
Improving Data, Improving Outcomes
8/16/2016
I. HIPAA PRIVACY
WHAT IS HIPAA - AND WHY DOES IT MATTER TO ME?
- IDEA Part C and Part B Section 619 agencies frequently interact with HIPAA "covered entities"
- These agencies need to exchange and share information with "covered entities" that provide Part C and 619 services to children
- "HIPAA" is not synonymous with "HIPAA privacy"
- HIPAA is comprised of a suite of regulations implementing various parts of the law
Health Insurance Portability and Accountability Act of 1996
- Established certain insurance protections
- Required standards for the exchange of electronic information (transaction standards and code sets for billing and payment of health care services)
- Set a process and timeline for establishing privacy and security protections for personal health information used in those electronic transactions
HIPAA Administrative Simplification Regulations
- 45 CFR Parts 160, 162, and 164
- A suite of regulations covering the HIPAA provisions: Transactions and Code Sets, Security, Breach Notification, Enforcement, and Privacy (more details are included in the Attachments)
- The Privacy Rule and Security Rule are implemented and enforced by the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS)
- The Centers for Medicare and Medicaid Services (CMS) sets and administers the electronic standards (Transactions and Code Sets) through formal notice-and-comment rulemaking
Privacy - What rights are conferred?
- Notice of privacy practices
- Access to records
- Amendment/correction of records
- Accounting of disclosures
- Request for restrictions on use and disclosure
- Confidential communications
HIPAA Privacy - Who has to comply? "Covered Entities"
- Health Plans - in general, all group and individual plans that provide or pay for health services
- Health Care Providers - any health care provider who engages in any electronic transactions covered by the HIPAA standards
- Health Care Clearinghouses - generally, entities that convert nonstandard information into the standard format required for electronic transmission
- Applicability of the HIPAA Privacy provisions to these entities is NOT dependent on receipt of federal funding.
HIPAA Privacy - Who has to comply? "Business Associates"
- An individual or organization that performs functions on behalf of a covered entity, OR provides services to a covered entity, AND whose work involves the use and/or disclosure of protected health information
- Examples:
  - An external entity that helps the agency with claims processing and billing of third-party reimbursement, such as Medicaid or private insurance
  - A private law firm that has access to Protected Health Information (PHI) in the course of its work for the agency
  - A technology company that has access to PHI while working on fixes to a state data system
HIPAA Privacy - What information is protected?
- "Protected Health Information" (PHI) is defined in the Rule as "individually identifiable health information" held or transmitted by a covered entity
- Information is protected regardless of form - electronic, paper, or oral
- Information is considered PHI if it can be directly or indirectly linked to the individual, including:
  - Physical or mental health conditions
  - Any health care (services, treatments, diagnostic tests, etc.)
  - Payments made for or on behalf of an individual
  - Demographic information and common identifiers, such as name, address, and birth date
HIPAA Privacy - What's NOT included?
- De-identified information
- Education records and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g
- See: Joint Guidance on the Applicability of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records
HIPAA Privacy - What about State privacy requirements?
- The HIPAA Privacy Rule generally provides a "floor" of federal privacy protections
- If a state law requires greater privacy protections, the state law applies
- Provisions of state law are preempted by HIPAA Privacy only if they are "contrary" to the HIPAA provisions and are not more stringent
HIPAA Privacy - Does an individual have to authorize the disclosure of their information?
- In general, the use or disclosure of an individual's protected health information is prohibited without prior authorization from that individual
- The authorization must be in writing
- It must be specific about what data can be used, the purpose for which it can be used, and the length of time it may be used
- The Privacy Rule specifically requires authorization for the release of individual information for purposes of marketing and for the release of psychotherapy notes
HIPAA Privacy - Are there exceptions to the requirement for authorization of disclosure?
The Privacy Rule provides for two categories of uses that do not require an individual's authorization.
- "Required" Uses - a covered entity MUST disclose information:
  - To the individual or their personal representative upon request
  - To HHS for a compliance investigation or enforcement action
- "Permitted" Uses - the Rule lists five categories of disclosure where a covered entity is permitted to release information without the individual's authorization
  - Information disclosed under this category is required to adhere to the "minimum necessary" requirement established in the Rule (disclosures to a health care provider for treatment are exempt from that requirement)
HIPAA Privacy - What are "permitted" uses?
- "Treatment, Payment and Health Care Operations" - information necessary for a covered entity to:
  - Treat patients (e.g. consult with a specialist on the appropriate procedures to use on a patient)
  - Get paid for services (e.g. send information to an insurance company to support a bill for services provided to a patient)
  - Perform the range of activities necessary to operate and manage a business (e.g. quality improvement activities, performance evaluation, credentialing and accreditation, medical reviews, audits, etc.)
- "Use with opportunity to object"
- Incidental use/disclosure
- Public interest and benefit activities
- Limited data set
HIPAA Privacy - Are there any exceptions for research?
- Limited data set
- Documented Institutional Review Board (IRB) or Privacy Board approval
- Preparation for research
HIPAA Privacy - Are there penalties for non-compliance?
- Civil
  - HITECH established 4 tiers based on the level of culpability
  - Amount per violation: $100 to $50,000 or more
  - Calendar-year cap: $1.5 million (per identical provision violated)
- Criminal
  - Penalties range from 1 to 10 years in prison
  - Enforced by the Department of Justice
- As of May 2016, OCR has:
  - Received 134,246 complaints
  - Initiated 879 compliance reviews
  - Referred 575 cases to the Department of Justice for criminal investigation
- HITECH extended direct liability to Business Associates
II. HIPAA AND FERPA
HIPAA and FERPA
- Is protected health information in education records subject to HIPAA privacy requirements?
- How do I know if the information I have is covered by HIPAA or FERPA?
- Does HIPAA Privacy cover a child's immunization record?
- What do I most need to know about the FAQs from "Joint Guidance on the Applicability of Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records"?
ATTACHMENTS
HIPAA ADMINISTRATIVE SIMPLIFICATION RULES
- Privacy Rule - 45 CFR Part 160 and Subparts A and E of Part 164
  Establishes national standards for the use and disclosure of individually identifiable health information and for the protection of that information
- Security Rule - 45 CFR Part 160 and Subparts A and C of Part 164
  Establishes national standards for the technical and non-technical safeguards necessary to protect individually identifiable health information held in electronic form
- Enforcement Rule - 45 CFR Parts 160 and 164
  Sets requirements relating to compliance with the HIPAA regulations and the conduct of investigations, establishes civil money penalties for violations, and sets the procedures for hearings. These provisions apply to the HIPAA Privacy and Security Rules as well as to the other HIPAA Administrative Simplification regulations
HIPAA ADMINISTRATIVE SIMPLIFICATION RULES (CONT.)
- Breach Notification Rule - 45 CFR 164.400-414
  Sets requirements for notification of individuals, the public, and the U.S. Department of Health and Human Services (HHS) when an impermissible use or disclosure of unsecured protected health information occurs
- HIPAA Omnibus Rule - 45 CFR Parts 160 and 164
  Modifies the Privacy, Security and Enforcement Rules to comply with and implement provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH), part of the American Recovery and Reinvestment Act of 2009
DaSy Center
Visit the DaSy website at: http://dasycenter.org/
Like us on Facebook: https://www.facebook.com/dasycenter
Follow us on Twitter: @DaSyCenter
The contents of this presentation were developed under a grant from the U.S. Department of Education, # H373Z120002. However, those contents do not necessarily represent the policy of the U.S. Department of Education, and you should not assume endorsement by the Federal Government. Project Officers, Meredith Miceli and Richelle Davis.