August 8, 2011 Leslie J. Pfeffer, BS, CHP. Health Insurance Portability and Accountability Act HIPAA Privacy Rule April 14, 2003 HIPAA Security Rule April.

Presentation transcript:

August 8, 2011 Leslie J. Pfeffer, BS, CHP

Health Insurance Portability and Accountability Act
- HIPAA Privacy Rule: April 14, 2003
- HIPAA Security Rule: April 21, 2005
- HITECH Act: February 17, 2009
- Final Rule – 2011
- Accounting of Disclosures NPRM: June

HIPAA - Terms: Covered Entity (CE)
Healthcare organizations who conduct financial and administrative transactions electronically*
- Health Plans (Anthem, Medicare, Medicaid, etc.)
- Healthcare Clearinghouses (claims processing)
- Healthcare Providers (physicians, dentists, optometrists, chiropractors, pharmacies)
- Not pharmaceutical companies
- Not physicians/providers who bill all claims on paper
* Qualified electronic transactions must meet the requirements of the electronic code sets established by HIPAA.

HIPAA - Terms: Workforce
HIPAA defines the workforce to include "employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity."
Persons who do not fall in these categories, but nonetheless perform services on behalf of the covered entity, would be considered part of the workforce of a Business Associate.

HIPAA - Terms: Business Associate
A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
- Not a member of the CE's workforce
- Needs a Business Associate Agreement
- Another CE can be a Business Associate to a CE
- Business Associate requirements do not apply to CEs who disclose PHI to providers for treatment purposes

HIPAA - Terms: Protected Health Information (PHI)
Individually identifiable health information, transmitted or maintained in any form or medium, that:
- Is collected from an individual
- Includes demographics such as name, address, insurance
- Is created or received by a covered entity
- Relates to past, present or future physical or mental health conditions
- Relates to past, present or future payment
- Gives a reasonable basis to believe the information can be used to identify an individual

HIPAA - Terms: Minimum Necessary
HIPAA requires you to take reasonable steps to limit the use of, disclosure of, or request for PHI to the "Minimum Necessary" to accomplish the intended purpose. The reasonableness standard calls for best practice.

HIPAA – Indiana University
IU is a Hybrid Covered Entity. Covered components include:
- School of Dentistry
- School of Optometry
- IUB Health Center (soon IUPUI Health Center)
- Speech & Hearing Clinics Bloomington
- IU Health Plan (self-administered)
This means these areas conduct "Qualified" electronic transactions such as claims submissions using Indiana University's Tax ID.

HIPAA – Indiana University
HIPAA applies directly to the Covered Components:
- IU School of Dentistry
- IU School of Optometry
- IU Speech & Hearing
- IU Health Center Bloomington
HIPAA applies to:
- Faculty associated with most Health Science Schools*
- Staff associated with most Health Science Schools*
- Researchers involved in Human Subject Research
* Including those in the IU School of Medicine

HIPAA – Major Concepts
Provide Notice of Uses/Disclosures: how the organization might use the PHI
- Treatment
- Education
- Fundraising
- Research
Patient's Rights Under HIPAA
- Inspect & copy PHI
- Request an Accounting of Disclosures
- Notice of Privacy Practices
- Permission to use PHI
- File a complaint
- Permission to access and use PHI for Research

HIPAA – Major Concepts
Safeguard PHI during use & disclosure:
- Administrative
- Physical
- Technical
HIPAA Awareness Training of Workforce
All forms of PHI:
- Paper
- Electronic
- Oral communication

HIPAA – Allowed Uses
A Covered Entity or Covered Component may use/disclose PHI to carry out certain healthcare functions without a written authorization from their patients:
- Treatment
- Payment
- Healthcare Operations
aka TPO

HIPAA – Allowed Uses: Healthcare Operations
Tasks necessary to run a business:
- Quality Assurance/Assessments
- Accounting
- Consulting Services
- Transcription
- Auditing
- Education
* Research is not part of Healthcare Operations

HIPAA – Allowed Uses: Required Notifications
- Disclosures required by law
- Disclosures to public health authorities
- Registries
- Public notification requirements
- Disclosures for adverse event reporting to certain persons subject to the jurisdiction of the FDA
* Requires an Accounting of Disclosure

Access to PHI for Research
Since Research is not part of Treatment, Payment or Healthcare Operations, you need:
- HIPAA Authorization (patient's permission) to use health information for research; or
- IRB (Privacy Board) approved Waiver of Authorization
Must comply with the Minimum Necessary.

HIPAA – Exceptions: De-identified Data
Identifiers that must be removed:
- Names
- Geographic designations smaller than a State
- Dates relating to the individual
- Telephone numbers
- Fax numbers
- E-mail address
- Social Security number
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers, including license plates
- Device identifiers/serial numbers
- Universal resource locators (URLs)
- Internet protocol (IP) address numbers
- Biometric identifiers – finger & voice prints
- Full face photographic images & comparable images
- Any other unique identifying number, characteristic, or code

HIPAA – Exceptions: Limited Data Set
Limited types of identifiers can be released for research purposes (a Limited Data Set). Limited Data Sets can only be used and released in accordance with a Data Use Agreement between the covered entity and the recipient.
The Limited Data Set can contain:
- Elements of dates
- City, town, state, and ZIP
- Other unique identifiers, characteristics and codes not previously listed as direct identifiers

HIPAA – Limited Data Set
- Names
- Geographic designations smaller than a State: postal address, other than town or city, state & ZIP codes
- Dates relating to the individual
- Telephone numbers
- Fax numbers
- E-mail address
- Social Security number
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers, including license plates
- Device identifiers/serial numbers
- Universal resource locators (URLs)
- Internet protocol (IP) address numbers
- Biometric identifiers – finger & voice prints
- Full face photographic images & comparable images
- Any other unique identifying number, characteristic, or code
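The de-identified data and Limited Data Set slides above describe two release formats that differ only in which identifier categories may remain. The following added example (not code from the presentation) applies those two category lists to a record; the field names and the sample record are constructed assumptions, and any field that has not been classified is refused rather than passed through, because a free-text or code field can carry "any other unique identifying number, characteristic, or code".

```python
"""Scrub a patient record into de-identified data or a Limited Data Set (LDS).

Added example, not code from the presentation. Field names and the sample
record are constructed assumptions; the identifier categories follow the
slides' de-identified-data and Limited Data Set lists.
"""

# Direct identifiers stripped in BOTH modes (the slides' identifier list).
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "face_photo",
    "other_unique_code",
})

# A Limited Data Set may keep elements of dates and city/town/state/ZIP;
# de-identified data may not (geography smaller than a State, dates
# relating to the individual).
LDS_ONLY = frozenset({"city", "zip", "birth_date", "admit_date", "discharge_date"})

# Allowed in either output: State-level geography and clinical content.
ALWAYS_ALLOWED = frozenset({"state", "diagnosis", "procedure", "lab_result"})


def scrub(record: dict, mode: str) -> dict:
    """Return a copy of `record` holding only the fields permitted for `mode`.

    mode is "deidentified" or "lds". A field outside the three lists above is
    rejected (fail closed) instead of being copied through unreviewed.
    """
    if mode not in ("deidentified", "lds"):
        raise ValueError(f"unknown mode {mode!r}")
    kept = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                    # always removed
        if field in LDS_ONLY:
            if mode == "lds":
                kept[field] = value     # retained only under a Data Use Agreement
            continue
        if field in ALWAYS_ALLOWED:
            kept[field] = value
            continue
        raise KeyError(f"field {field!r} is unclassified; review before release")
    return kept


def release_requirement(mode: str) -> str:
    """What the slides say must be in place before data of this kind leaves the CE."""
    if mode == "lds":
        return "Data Use Agreement between the covered entity and the recipient"
    if mode == "deidentified":
        return "none (listed under HIPAA exceptions)"
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample record with fictional values.
SAMPLE = {
    "name": "Jane Q. Sample", "ssn": "000-00-0000", "mrn": "MRN-12345",
    "city": "Bloomington", "state": "IN", "zip": "47405",
    "birth_date": "1970-01-01", "admit_date": "2011-03-02",
    "diagnosis": "J18.9",
}

if __name__ == "__main__":
    print(scrub(SAMPLE, "deidentified"))
    print(scrub(SAMPLE, "lds"))
```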

HIPAA – Other Exceptions: Reviews Preparatory to Research
The covered entity must obtain representation from the researcher that:
- The use or disclosure of PHI is sought solely to prepare a protocol or for a similar preparatory purpose;
- PHI will not be removed from the covered entity; and
- PHI is necessary for research purposes

HIPAA – Other Exceptions: Decedent Information
The researcher must represent that:
- Use or disclosure is solely for research on decedents' information;
- PHI is necessary for research; and
- The individual is a decedent, and provide documentation upon the covered entity's request.
* Even though an authorization is not required, this access requires an Accounting of Disclosure

Accounting
The Privacy Rule grants a patient the right to request and receive an accounting for some "disclosures" of PHI, including disclosures made in connection with certain research projects. An accounting is a record of each disclosure of each patient's PHI. The right to an accounting only applies to disclosures of PHI, not to uses of PHI.

Definitions: Use & Disclosure
USE: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
DISCLOSURE: The release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.

Accounting
When a Covered Entity discloses PHI without the permission of the individual, the CE must provide the individual with an accounting of disclosures upon request. The accounting must include:
- Date of the disclosure
- Name of the entity or person who received the PHI
- A brief description of the information disclosed
- A brief purpose of the disclosure (research study xyz)

Accounting
- If more than 50 records are accessed (used/disclosed) for research purposes: a form is sent to the appropriate Medical Records Department to notify individuals that their record may have been accessed, containing all the information listed on the previous page.
- If fewer than 50 records are accessed: the appropriate information must be indicated in each individual record.
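The three Accounting slides above together define what an accounting entry must contain, that only disclosures (not uses) are reportable, and how research access is routed by record count. This added example (not the presentation's code) models that log; the event and patient identifiers are constructed, and the 3-year lookback is the HITECH EHR figure cited later in the presentation, kept as a parameter.

```python
"""Accounting-of-disclosures log for PHI released for research.

Added example, not code from the presentation. Entry fields follow the slides'
required content (date, recipient, description, purpose); the 50-record
threshold is the slides' research rule. Sample events are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PhiEvent:
    kind: str               # "use" (within the entity) or "disclosure" (outside it)
    when: date              # date of the disclosure
    recipient: str          # entity or person who received the PHI
    description: str        # brief description of the information disclosed
    purpose: str            # brief purpose, e.g. "research study xyz"
    patient_ids: frozenset  # records touched by this event

    def __post_init__(self):
        if self.kind not in ("use", "disclosure"):
            raise ValueError(f"kind must be 'use' or 'disclosure', got {self.kind!r}")
        for name in ("recipient", "description", "purpose"):
            if not getattr(self, name).strip():
                raise ValueError(f"{name} is required in an accounting entry")


def _years_before(d: date, years: int) -> date:
    """d minus `years`, clamping 29 Feb to 28 Feb when the target year is not leap."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


class DisclosureLog:
    def __init__(self):
        self._events = []

    def record(self, event: PhiEvent) -> None:
        self._events.append(event)

    def accounting_for(self, patient_id: str, request_date: date,
                       lookback_years: int = 3) -> list:
        """Disclosures (never uses) of one patient's PHI inside the lookback window."""
        start = _years_before(request_date, lookback_years)
        return [e for e in self._events
                if e.kind == "disclosure"
                and patient_id in e.patient_ids
                and start <= e.when <= request_date]

    @staticmethod
    def research_notice_route(records_accessed: int) -> str:
        """More than 50 records: one form to Medical Records; otherwise per record."""
        if records_accessed > 50:
            return "form to Medical Records Department"
        return "entry in each individual record"


# Constructed sample log with fictional identifiers and dates.
LOG = DisclosureLog()
LOG.record(PhiEvent("use", date(2011, 1, 5), "IU Health Center staff",
                    "chart review", "treatment", frozenset({"p1"})))
LOG.record(PhiEvent("disclosure", date(2009, 3, 1), "Study xyz coordinator",
                    "diagnosis and admit dates", "research study xyz",
                    frozenset({"p1", "p2"})))
LOG.record(PhiEvent("disclosure", date(2007, 6, 1), "State registry",
                    "case report", "public health registry", frozenset({"p1"})))
```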

HIPAA – Research Uses: Recruitment
- Under HIPAA, recruitment is research
- The special rules for research apply to recruitment
- Authorization: may need an authorization to recruit, or a waiver of authorization

HIPAA - Authorization
- Must contain "core elements" & "required statements"
- A signed copy must be given to the individual
- May need to obtain Authorization for the use or disclosure of PHI to create/maintain an IRB approved repository or database
- Must be for a specific research study; authorization for future, unspecified research is not permitted
- Must have an expiration date; can be indefinite but must be identified as such
- Subject must have the ability to "revoke"; include exceptions and process
- Minimum Necessary Rule applies

HITECH Act 2009
Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery & Reinvestment Act (ARRA) of 2009.
- HITECH creates significant incentives for an expanded use of electronic health records
- Clarified criminal & civil penalties
- Increased civil monetary penalties
- Expansion of privacy & security provisions & penalties to Business Associates
- Breach notification requirement

HITECH Act 2009: Increased Civil Monetary Penalties
Violations occurring after Feb. 18, 2009:
- Tier based on nature of violation: Unknowing (least severe) to Willful Neglect (most severe)
- Per violation per person: $100; $1,000; $10,000; and $50,000
- Annual maximum: $25,000; $100,000; $250,000; and $1.5 million

HITECH Act 2009: Business Associates
- Business Associates must comply with the HIPAA Privacy Rule
- Business Associates must comply with the HIPAA Security Rule
- The administrative, physical and technical safeguards of the HIPAA Regulations apply directly to Business Associates
- Imposes additional obligations upon Business Associates & their subcontractors regarding policies, procedures and documentation

HITECH Act 2009: Business Associates
- Will require Business Associate Agreements to be revised
- Criminal and civil penalties applied to Covered Entities for violations of security and privacy regulations now apply directly to Business Associates

HITECH Act 2009: Notification of Breach
Required to notify affected individual(s) of a breach of "unsecure" protected health information. Applies to:
- Covered Entities
- Business Associates
- Vendors of Personal Health Records (PHR)

HITECH Act 2009: Definition of Unsecure
Unsecured protected health information is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the guidance.
Secure PHI: PHI which is encrypted will be considered "Secure".

HITECH Act 2009: Requirements of Notification
- Contact affected individuals in writing or electronically (with the individual's permission)
- Posting on website (if 10 or more individuals have outdated contact information and there is not a reasonable way to notify them)
- If more than 500 people are affected: notice shall be provided to prominent media outlets, and notice must be immediately sent to HHS

Notice of Proposed Rule Making
- Hybrid Entities: the non-covered components of a Hybrid Entity which provide services to covered components would be considered part of the covered components, and HIPAA would apply directly.
- Minimum Necessary: the rule requires the Office for Civil Rights (OCR) to provide guidance to help define minimum necessary (it would no longer be at the discretion of the CE).
- Compound Authorization: allow a single authorization to be used even when part of the research might be conditioned and another part might be unconditioned.

Notice of Proposed Rule Making
- Authorization for Future Use: allowing an authorization for future use.
- Decedents: information would not be covered by HIPAA after an individual has been deceased for 50 years.
- Required Restriction: if a patient pays out-of-pocket for a medical service and requests that the covered entity not share this information with their insurer, the CE must accommodate this request (no option).
- Copy of Record: for an electronic health record, the entity must be able to provide, at the patient's request, an electronic version of their PHI.

Notice of Proposed Rule Making
- Must account for disclosures related to treatment, payment and operations; and
- Must provide an access report to an individual that lists who accessed their designated record set – even within the covered entity.

Notice of Proposed Rule Making: Accounting of Disclosures Under the HITECH Act (June 30, 2011)
- The HITECH Act changed the accounting requirement by stating that the exceptions for Treatment, Payment and Healthcare Operations no longer apply to an electronic health record (EHR).
- Under section 13405(c), an individual has a right to receive an accounting of such disclosures made during the three (3) years prior to the request.
- Must also provide disclosures by Business Associates, or provide the names of the BAs to the individuals to contact.

Notice of Proposed Rule Making
Further indicates that this same requirement applies to the entire Designated Record Set, which will include billing records.

Contact
Leslie J. Pfeffer, BS, CHP
HIPAA & Research Compliance Manager
(317)