IMPLEMENTING THE HIPAA PRIVACY RULES Presentation to the Coalition of Voluntary Mental Health Agencies May 31, 2002 Prepared By: Robert Belfort Kalkines,

Presentation transcript:

IMPLEMENTING THE HIPAA PRIVACY RULES Presentation to the Coalition of Voluntary Mental Health Agencies May 31, 2002 Prepared By: Robert Belfort Kalkines, Arky, Zall & Bernstein LLP 1675 Broadway, Suite 2700 New York, New York (212)

KALKINES, ARKY, ZALL & BERNSTEIN LLP  HIPAA Compliance Presentation - May 31,

A BRIEF HISTORY OF THE PRIVACY RULE
- 8/21/96: Enactment of HIPAA Statute
- 8/21/99: Deadline for Congressional action
- 11/3/99: Proposed rule issued
- 12/28/00: Final rule adopted
- 3/14/01: Final rule reopened for comment
- 4/14/01: HHS adheres to final rule
- 7/6/01: HHS issues guidance
- 3/27/02: Modifications to rule proposed
- 4/26/02: End of comment period on proposed changes
- Summer 2002?: Adoption of changes to rule
- 4/14/03: Compliance date

KEY COMPLIANCE ISSUES
- Proper use and disclosure of protected health information (PHI)
- Application of “minimum necessary” standard
- Execution of business associate contracts
- Accommodation of patient rights
- Creation of administrative, physical and technical safeguards
- Issuance of privacy notice
- Appointment of privacy officer

WHAT IS PHI?
- Individually identifiable health information
  - created or received by provider, plan, clearinghouse or employer
  - relates to individual’s health, provision of care or payment for care
  - identifies or could reasonably be used to identify the individual
- Transmitted or maintained in any form

HOW CAN PHI BE USED OR DISCLOSED?
Type of Use or Disclosure: Patient Approval Required? (1)
- Treatment, payment and health care operations: Consent optional (subject to limited exceptions)
- Psychotherapy notes for most purposes: Authorization required
- Certain marketing and fundraising activities: No authorization required
- Facility directories, family members and disaster relief: Opportunity for oral objection by patient
- IRB-approved research following specified protocols: No authorization required
- “National Priority” disclosures: No authorization required
- Other uses and disclosures not subject to specific exception: Authorization required
(1) Assumes adoption of proposed amendments to rule.

WHAT ARE HEALTH CARE OPERATIONS?
- Quality improvement
- Reviewing provider qualifications and performance
- Underwriting, rating and related activities
- Medical review, legal services and auditing
- Business planning and development
- Business management and general administration

WHAT ARE PSYCHOTHERAPY NOTES?
- Recorded by a mental health professional
- In any medium
- Documenting or analyzing contents of conversation during private or group counseling session
- Separated from rest of medical record
- Excludes medication monitoring, session times, modalities of treatment, test results and summary of diagnosis, functional status, treatment plan, symptoms, prognosis and progress

WHEN MAY PSYCHOTHERAPY NOTES BE DISCLOSED?
- By originator for treatment
- Mental health training programs
- Defense of legal action brought by patient
- Certain health oversight activities

WHAT ARE THE ELEMENTS OF AN AUTHORIZATION?
- Must specifically identify information being disclosed, its recipients and purpose of disclosure
- May not be combined with other documents
- Must include expiration date or event
- Must be signed by patient or personal representative

MARKETING EXCEPTION
- Types of marketing permitted without authorization
  - face-to-face
  - products or services of nominal value
- In name of covered entity
- Disclosure of remuneration
- Opt out procedures
- Determination and disclosure of patient benefit if health status-based

FUNDRAISING EXCEPTION
- By covered entity, business associate or related foundation
- Disclosable or usable information
  - demographic information
  - dates of care provided
- Opt out procedures

NATIONAL PRIORITY DISCLOSURES
- Required by law
- Public health
- Neglect and abuse
- Health oversight
- Legal proceedings
- Law enforcement
- Decedents
- Cadaveric donations
- IRB-approved research
- Health or safety threat
- Specialized government functions
- Workers’ compensation

“MINIMUM NECESSARY” STANDARD
When using or requesting protected health information, covered entities “must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

EXCEPTIONS TO MINIMUM NECESSARY
- Treatment
- Disclosures to other covered entities
- Compliance with law
- Disclosures pursuant to patient’s authorization
- Disclosure to patient

IMPLEMENTING MINIMUM NECESSARY
- Internal role-based access
- Policies and procedures for routine disclosures
- Criteria for all other disclosures

WHO IS A BUSINESS ASSOCIATE?
- Provides specified functions to or on behalf of covered entity
- Exceptions
  - Members of workforce
  - Members of hospital medical staff
  - Members of “organized health care arrangement”
  - Plan sponsors
  - Financial institutions processing consumer transactions
  - “Conduits”

WHO IS A BUSINESS ASSOCIATE?
Yes:
- Billing companies
- Computer maintenance vendors
- Transcription services
- Attorneys
- Accountants
- Compliance consultants
No:
- Employees
- Student trainees
- Federal Express
- AOL
- Referring providers
- Third party payers

BUSINESS ASSOCIATE CONTRACTS
- Permitted uses and disclosures
- Adoption of safeguards and reporting of unauthorized disclosures
- Compliance by subcontractors
- Access, amendment and accounting by patients
- Access by HHS
- Return or destruction of records if feasible
- Termination for material breach

WHEN MUST BUSINESS ASSOCIATE PROVISIONS BE IN PLACE?
Contract Status: Compliance Date
- Executed on or after April 14, 2003: Date of execution
- Executed prior to April 14, 2003 with no amendments or renewals prior to April 14, 2004: April 14, 2004
- Executed prior to April 14, 2003 with amendment or renewal between April 14, 2003 and April 14, 2004: Date of amendment or renewal

WHEN ARE YOU LIABLE FOR BUSINESS ASSOCIATES?
- If covered entity knows of improper pattern of activity or practice
- Covered entity must take reasonable steps to cure breach
- If cure unsuccessful, covered entity must
  - terminate, if feasible; or
  - report problem to HHS

PATIENT ACCESS TO PHI
- Access or copies
- Time frames
- Appeal rights
- Reasonable copying charges
- Exception for psychotherapy notes

PATIENT AMENDMENT OF PHI
- Time frames
- No obligation to amend
- Informing other entities
- Statement of disagreement

ACCOUNTING OF DISCLOSURES
Accounting Required:
- To HHS
- Permitted marketing
- Permitted fundraising
- Research without patient authorization
- Public interest purposes not covered by exemption
Accounting Not Required:
- Treatment, payment and health care operations
- Individual’s written authorization
- To individual
- Pursuant to oral agreement
- National security or intelligence
- Correctional institutions or law enforcement agencies

WHAT SAFEGUARDS ARE REQUIRED?
Type of PHI: Scope of Safeguards
- Electronic
  - Rely on proposed security rules
- Paper
  - Proposed security rules, where applicable
  - Faxes
  - Public postings
  - File cabinets
- Oral
  - Proposed security rules, where applicable
  - Telephone
  - Hallway conversations
  - Public announcements

KEY ELEMENTS OF PRIVACY NOTICE
- Mandated header
- Permitted uses and disclosures (examples)
- Separate statement for certain uses
- Individual rights
- Covered entity’s duties
- Complaints
- Contact information

PRIVACY NOTICE — DISTRIBUTION REQUIREMENTS
- Provide at first contact after compliance date
- Make good faith effort to obtain written acknowledgement
- Make available on-site at patient request
- Make available by mail at patient request
- Post on-site in conspicuous location

PRIVACY OFFICER DUTIES
- Oversee implementation of policies and procedures
- Answer questions
- Handle complaints
- Investigate privacy breaches
- Conduct audits
- Review contracts
- Coordinate employee training

RELATIONSHIP TO STATE LAWS
- HIPAA provides floor but not ceiling — more stringent state laws not pre-empted
- Exceptions
  - Certain state public health and auditing laws
  - HHS determination based on specified factors

SAMPLE COMPLIANCE TIMELINE
[Timeline chart. Phases: Education, Gap Analysis, Remediation, Testing, Training. Time axis: May, September, January, April.]

ALTERNATIVE COMPLIANCE TIMELINE
[Timeline chart. Phases: Procrastination, Infighting, Half-hearted efforts, Panic, Finger-pointing. Time axis: May, September, January, April.]

DEFINE THE COVERED ENTITY
- Affiliates
- Hybrid entities/health care components
- Organized health care arrangements

CONSIDERATIONS IN DEFINING ENTITY
- Standardization of policies
- Centralization of administration
- Sharing of information
- Liability concerns

GAP ANALYSIS OPTIONS
[Comparison chart. Options: On-site Consultants, Professional Self-Assessment Tool, Self-Assessment. Each is rated Low, Moderate or High on Staff Resources and Financial Resources.]

CREATE PHI FLOW CHART
[Flow chart. Labels: Patient; Clinician; Registration; Billing; Medical Records; Other Providers; Accounts Receivable; Payers; DOH; QA; Patient Finance; Collection Agency.]

ANALYZE EACH USE AND DISCLOSURE
- Consent or authorization required?
- Minimum necessary applicable? Satisfied?
- Business associate contract required? In place?
- Subject to accounting? Recorded?

REVIEW PATIENT RIGHTS’ POLICIES
- Access and copying of records
- Amendment of records
- Restriction on uses

REVIEW ELECTRONIC DATA SAFEGUARDS
- Administrative policies
- Physical plant security
- Technical security measures
  - catalogue hardware and software (Y2K inventory)
  - compare security features to security regulations

REVIEW OTHER POLICIES AND PRACTICES
- Fax
- File cabinets
- Telephone
- Waiting room procedures
- Hallway conversations
- Posted information

EVALUATE COMPLIANCE OPTIONS
- Prioritize initiatives
- Reasonableness considerations
- Scalability
- Documentation
- Maintaining confidentiality

KEY REMEDIATION STEPS
- Revise policies and procedures
- Document policies and procedures
- Execute business associate contracts
- Upgrade security of software and hardware
- Secure physical plant
- Prepare privacy notice, consent and authorization form
- Appoint privacy officer

CONDUCT EMPLOYEE TRAINING
- Differentiate by employee roles
- Initial training before April 14, 2003
- Build into hiring process
- Regular refresher training

TRAINING OPTIONS
- Internal trainer
- Outside attorney or consultant
- Written manual
- Videotape or CD-ROM

CIVIL PENALTIES
- $100 per violation
- $25,000 per year cap for each type of violation
- Cooperative approach by HHS
  - reasonable diligence standard
  - technical assistance
  - informal dispute resolution

CRIMINAL PENALTIES
Offense: Maximum Fine; Maximum Prison Term
- Use of unique health identifier, or acquisition of individually identifiable health information (“basic offense”): $50,000; One Year
- Basic offense under false pretenses: $100,000; Five Years
- Basic offense for commercial advantage, personal gain or malicious harm: $250,000; Ten Years

HELPFUL WEB SITES