HIPAA 201: Privacy - An Introduction to the HIPAA Privacy Regulations, with Final Rule Updates (First Consulting Group, October 2002; ©2002 FCG proprietary and confidential)

Slide 2: Presentation Agenda

- Privacy Introduction
- Privacy Requirements and Impacts
  – Use and Disclosure
  – Notice of Privacy Practices
  – Patient Rights
  – Administrative Requirements
- Summary

Slide 3: Presentation Objectives

At the end of this presentation, you should:
- Understand the specific HIPAA Privacy requirements (both in the final rule and with changes)
- Understand the business process impacts of the HIPAA Privacy requirements
- Understand the intent of the standards and the “reasonable” application of them in your organization
- Be able to determine your own organizational strategies and next steps for tackling HIPAA Privacy

Slide 4: Key Definitions - Covered Entities

HIPAA directly covers:
- Health Plans – an individual plan or group health plan that provides, or pays for the cost of, medical care
- Healthcare Providers – any person or organization who furnishes, bills, or is paid for health care in the normal course of business, such as hospitals, physician services, diagnostic services, outpatient and home health
- Healthcare Clearinghouses – any public or private entity, including billing services, repricing companies, community health management information systems or community health information systems, that processes or facilitates the processing of health information received from another entity

HIPAA indirectly covers:
- Business Associates – a person or organization who performs or assists in the performance of a function or activity on behalf of a covered entity

Slide 5: Key Definitions - PHI

Protected Health Information (PHI) is information which:
- Is created or received by a health care provider, health plan, employer or health care clearinghouse
- Relates to the past, present or future health of an individual, or the past, present or future payment for health care
- Identifies an individual outright, or could reasonably be used to identify an individual
  – Eighteen specific identifying elements
- Is transmitted or maintained electronically or in any other form or medium
  – Explicitly includes Internet, Extranet, leased line, dial-up line and private network transmission
  – Includes information which is stored on paper
  – Includes information read from a computer screen and discussed orally
  – Includes person-to-person telephone calls, video conferencing or voicemail

Slide 6: Key Concept - Reasonableness

The reasonableness standard allows covered entities to:
- Apply the rules as appropriate
- Incur minimal costs
- Define “reasonable precautions” based on service, location, or setting
- Eliminate structural changes
  – Soundproofing
  – Private rooms
  – Telephone encryption
- Implement acceptable alternatives
  – Low voice tones
  – Privacy curtains
  – Cubicles

Slide 7: Intent of Privacy Rule

The final Privacy Rule seeks to:
- Protect patients while encouraging them to seek care
- Establish a floor of national privacy standards for healthcare providers, health plans and clearinghouses
- Create a framework that can be strengthened by both federal and state government as health information systems evolve; it leaves more stringent state law in place
- Balance the needs of the individual with the needs of society
- Improve the quality of healthcare in the U.S.
- Improve the efficiency and effectiveness of healthcare

Slide 8: Key Points of Privacy Rule

The Privacy Rule:
- Covers electronic, paper and oral communications
- Allows PHI to be used and disclosed for treatment, payment and health care operations
- Requires patient authorization for use and disclosure of health information for non-routine purposes
- Gives consumers greater access to and control over their health information
- Requires organizations to maintain safeguards that protect the confidentiality and integrity of health information and protect against unauthorized access to PHI
- Is designed to ensure that protections for patient privacy are implemented in a manner that maximizes privacy while not compromising either the availability or the quality of medical care

Slide 9: Structure

The current HIPAA Privacy regulations are organized into four categories:
1. Use and Disclosure
2. Notice of Privacy Practices
3. Patient Rights
4. Administrative Requirements

Section: Use and Disclosure - Rules and Impacts

Slide 11: Use and Disclosure - Rules

Consent for uses and disclosures:
- A covered entity may obtain a consent of the individual to use or disclose protected health information to carry out treatment, payment and healthcare operations (TPO)

Authorizations:
- A covered entity must obtain an authorization for uses and disclosures that are not covered by the consent for TPO
  – A valid authorization must contain defined core elements
  – Generally, an authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization
  – A covered entity must document and retain any signed authorizations
  – Patients have to grant permission in advance for each type of non-routine use or disclosure
  – Providers may use a standardized authorization form

Slide 12: Use and Disclosure - Rules

Parents and Minors:
- Provides parents with new rights to control the health information about their minor children, with limited exceptions that are based on state or other applicable law and professional practice
  – If a state has explicitly addressed disclosure of a minor's health information to a parent, or access to a child's medical record by a parent, the final rule clarifies that state law governs
  – In special cases in which the minor controls his or her own health information under such law, and that law does not define the parent's ability to access the child's health information, a licensed health care provider continues to be able to exercise discretion to grant or deny such access, as long as that decision is consistent with the state or other applicable law

Slide 13: Use and Disclosure - Rules

Business Associates:
- PHI may be disclosed to business associates only to help providers and plans complete their healthcare functions
  – Covered entities (except small health plans) are given up to an additional year to change existing written contracts to come into compliance with the business associate requirements
  – Members of a provider, health plan, or other covered entity's workforce are not considered business associates
  – Covered entities who exchange PHI for treatment purposes are not considered business associates, such as a physician who discloses information to a hospital where he has admitting privileges
  – The Privacy Rule doesn't “pass through” its requirements to business associates; it has no authority to do so
  – In general, covered entities are not liable for privacy violations of business associates, but if they become aware of a “pattern or practice” that is a material breach of the business associate's contract, they must take “reasonable steps” to correct the problem (subject to legal interpretation)

Slide 14: Use and Disclosure - Rules

An Opportunity for the Individual to Agree/Object is Required:
- Before using or disclosing protected health information for the purposes below, the final rule requires covered entities to ensure that the patient:
  – Is informed in advance of the use and disclosure; and
  – Has the opportunity to agree to or prohibit or restrict the use or disclosure under certain circumstances
- (a) Facility Directories
- (b) For Involvement in the Individual's Care and Notification Purposes

Slide 15: Use and Disclosure - Rules

An Opportunity for the Individual to Agree/Object is Required:
- Facility Directories:
  – Covered entities must inform patients:
    · That the entity may include certain information in a directory; and
    · To whom it may disclose this information (including clergy)
  – Patients must be given the opportunity to restrict or prohibit some or all of these uses and disclosures
  – Provisions are outlined for disclosing this information without the patient's consent under certain emergency circumstances
- Individual's Care:
  – Covered entities may disclose to a family member or friend protected health information related to the patient's care:
    · By obtaining the patient's agreement when he/she is present;
    · Under certain circumstances, using professional judgment when the patient is not present or is otherwise unable to object

Slide 16: Use and Disclosure - Rules

Authorization or Opportunity to Agree/Object is Not Required:
(a) Required by Law
(b) Public Health Activities
(c) Victims of Abuse, Neglect or Domestic Violence
(d) Health Oversight Activities
(e) Judicial and Administrative Proceedings
(f) Law Enforcement Purposes
(g) Decedents
(h) Cadaveric Organ, Eye or Tissue Donation Purposes
(i) Research Purposes
(j) Averting a Serious Threat to Health or Safety
(k) Specialized Government Functions
(l) Workers' Compensation

Slide 17: Use and Disclosure - Rules

Authorization or Opportunity to Agree/Object is Not Required:
- Uses and Disclosures Regarding the Food and Drug Administration (FDA):
  – The final rule permits covered entities to disclose protected health information, without authorization, to a person subject to the jurisdiction of the FDA for public health purposes related to the quality, safety or effectiveness of FDA-regulated products or activities, such as collecting or reporting adverse events, dangerous products, and defects or problems with FDA-regulated products

Slide 18: Use and Disclosure - Rules

Authorization or Opportunity to Agree/Object is Not Required:
- Incidental Use and Disclosure:
  – The final rule acknowledges that uses or disclosures that are incidental to an otherwise permitted use or disclosure may occur. Such incidental uses or disclosures are not considered a violation of the rule provided that the covered entity has met the reasonable safeguards and minimum necessary requirements.
  – For example, if these requirements are met: doctors' offices may use waiting room sign-in sheets, hospitals may keep patient charts at bedside, doctors can talk to patients in semi-private rooms, and doctors can confer at nurses' stations without fear of violating the rule if overheard by a passerby.

Slide 19: Use and Disclosure - Rules

Other Requirements Relating to Uses and Disclosures of PHI:
- De-identified Health Information:
  – Health information for which there is no reasonable basis to believe that the information can be used to identify an individual
  – De-identified data may be distributed openly
- Re-identification:
  – With certain restrictions, a covered entity may assign a code or other means of record identification to allow de-identified information to be re-identified by the covered entity
- Limited Data Set:
  – The final rule permits the creation and dissemination of a limited data set that does not include directly identifiable information, for research, public health, and health care operations
  – A covered entity and the recipient of the data must enter into a data use agreement, in which the recipient agrees to:
    · limit the use of the data set to the purposes for which it was given
    · ensure the security of the data
    · not re-identify the information or use it to contact any individual

Slide 20: Use and Disclosure - Rules

Requirements for De-identification of PHI (all 18 items must be removed to de-identify; ✓ = information that must also be excluded to create a limited data set):
✓ Name
✓ Street address, city, county, precinct, zip code, and geo-codes
✓ Electronic address
✓ Social security number
✓ Telephone number
✓ Fax number
✓ Medical record number
– All elements of dates (e.g. birth date, admission date, discharge date)
✓ Health plan beneficiary numbers
✓ Account numbers
✓ Certificate/license numbers
✓ Vehicle identifiers and serial numbers, including license plate numbers
✓ Device identifiers and serial numbers
✓ Web Universal Resource Locators (URLs)
✓ Internet Protocol (IP) address numbers
✓ Biometric identifiers, including finger and voice prints
✓ Full face photographic images and any comparable images
– Any other unique identifying number, characteristic, or code
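To make the de-identification and limited data set requirements above concrete, here is an added Python example; it is not part of the FCG deck. It takes a constructed patient record, drops the fields that map onto the 18 identifier categories to produce a Safe Harbor de-identified record, builds a limited data set that keeps dates, and then scrubs identifier patterns (SSN, phone, e-mail, IPv4, dates) that survive inside free-text notes, which structured field removal alone never catches. The field names and the sample record are assumptions for the example; keeping city, state and zip code in the limited data set follows 45 CFR 164.514(e) rather than the slide; and the re-identification code is a random token held in a table by the covered entity, so it is not derived from the individual's data.

```python
import re
import secrets

# Constructed sample record (not real patient data); field names are assumed
# for this example and map onto the slide's 18 identifier categories.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "12 Example Lane",
    "city": "Springfield",
    "state": "IL",
    "zip_code": "62704",
    "email": "jane@example.org",
    "ssn": "123-45-6789",
    "phone": "555-555-0100",
    "mrn": "MRN-0001",
    "birth_date": "1960-04-02",
    "admission_date": "2002-10-03",
    "discharge_date": "2002-10-07",
    "health_plan_id": "HP-77",
    "ip_address": "192.0.2.10",
    "diagnosis": "community-acquired pneumonia",
    "lab_glucose_mg_dl": 104,
    "notes": "Seen 2002-10-03; callback at 555-555-0100 or jane@example.org.",
}

# Field names (assumed) that fall under the 18 Safe Harbor identifier categories.
SAFE_HARBOR_FIELDS = frozenset({
    "name", "street_address", "city", "county", "precinct", "zip_code",
    "geocode", "email", "ssn", "phone", "fax", "mrn", "birth_date",
    "admission_date", "discharge_date", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric_id", "face_photo", "other_unique_code",
})

# A limited data set keeps dates and the catch-all code (the two unmarked
# items on the slide) plus city/zip, which 45 CFR 164.514(e) allows to
# remain (assumption drawn from the regulation, not from the slide).
LIMITED_DATA_SET_KEEP = frozenset({
    "city", "zip_code", "birth_date", "admission_date", "discharge_date",
    "other_unique_code",
})

# Identifier patterns that hide inside free text such as clinical notes.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


class ReidentificationMap:
    """Code table held only by the covered entity (slide 19, Re-identification).

    Codes are random tokens, not derived from the individual's data, so the
    recipient of the de-identified set cannot reverse them.
    """

    def __init__(self):
        self._code_to_mrn = {}
        self._mrn_to_code = {}

    def code_for(self, mrn):
        if mrn not in self._mrn_to_code:
            code = secrets.token_hex(8)
            self._mrn_to_code[mrn] = code
            self._code_to_mrn[code] = mrn
        return self._mrn_to_code[mrn]

    def reidentify(self, code):
        return self._code_to_mrn[code]


def scrub_free_text(record, check_dates):
    """Redact identifier patterns in string values; return (record, findings)."""
    out, findings = {}, []
    for field, value in record.items():
        if isinstance(value, str):
            for name, pattern in LEAK_PATTERNS.items():
                if name == "date" and not check_dates:
                    continue  # dates are permitted in a limited data set
                value, hits = pattern.subn("[REDACTED]", value)
                if hits:
                    findings.append((field, name, hits))
        out[field] = value
    return out, findings


def _drop_identifiers(record, keep=frozenset()):
    return {k: v for k, v in record.items()
            if k not in SAFE_HARBOR_FIELDS or k in keep}


def safe_harbor_deidentify(record, reid_map=None):
    """Remove all 18 identifier categories, then scrub free text (dates too)."""
    out, findings = scrub_free_text(_drop_identifiers(record), check_dates=True)
    if reid_map is not None:
        out["record_code"] = reid_map.code_for(record["mrn"])
    return out, findings


def limited_data_set(record):
    """Remove direct identifiers but keep dates and city/zip (plus state)."""
    return scrub_free_text(_drop_identifiers(record, LIMITED_DATA_SET_KEEP),
                           check_dates=False)
```

The findings list returned alongside each record is the part worth reviewing before release: dropping structured columns is mechanical, but the notes field still carried a phone number, an e-mail address and a date, and only the scrub pass removed them.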

Slide 21: Use and Disclosure - Rules

Minimum Necessary:
- Intended to restrict access to and use of PHI to the minimum amount of information necessary to perform a requested action
  – The “minimum necessary” standard for use and disclosure of PHI does NOT apply to:
    · Disclosures to providers for treatment purposes;
    · Disclosures directly to the patient;
    · Uses or disclosures for which an individual has signed an authorization;
    · Uses or disclosures required to comply with HIPAA transactions;
    · Disclosures to DHHS that are needed in order to enforce HIPAA;
    · Uses or disclosures that are required by other law.
  – The final rule exempts from the minimum necessary standards any uses or disclosures for which the covered entity has received an authorization
  – Minimum necessary requirements are still in effect to ensure individuals' privacy for most other uses and disclosures
  – The minimum necessary standard is not intended to impede disclosures necessary for workers' compensation programs

Slide 22: Use and Disclosure - Rules

Research:
- Covered entities may use or disclose protected health information for research purposes provided that:
  – The organization has received IRB or privacy board approval for a waiver of patient authorization
    · The IRB and waiver decision process must be documented;
    · No more than minimal risk exists to individuals from use or disclosure of their information, and their privacy rights and welfare will not be adversely affected;
    · No other practicable method exists for conducting the research absent the waiver or access to the protected information
  – The researcher is using the information solely for preparing a research protocol
  – The information will not be removed from the covered entity;
  – The information sought is necessary for the research purposes;
  – The information will be adequately protected and will not be reused, and identifiers will be destroyed at the earliest opportunity

Slide 23: Use and Disclosure - Rules

Marketing Activities:
- Covered entities are required to obtain an individual's prior written authorization to use his or her protected health information for marketing purposes, except for a face-to-face encounter or a communication involving a promotional gift of nominal value
- Covered entities are prohibited from selling lists of patients and enrollees to third parties, or from disclosing protected health information to a third party for the marketing activities of the third party, without the individual's authorization
- Doctors and other covered entities communicating with patients about treatment options or the covered entity's own health-related products and services are not considered to be marketing
  – For example, health care plans can inform patients of additional health plan coverage and value-added items and services, such as discounts for prescription drugs or eyeglasses

Slide 24: Use and Disclosure - Rules

Fundraising:
- A covered entity may use or disclose to a business associate or to an institutionally related foundation certain protected health information (name, address, phone number, date of episode) for the purpose of raising funds for its own benefit, without an authorization

Verification Requirements:
- Prior to any disclosure, a covered entity must verify the identity and authority of any person requesting protected health information, if the identity and/or authority are unknown

Slide 25: Use and Disclosure - Impacts

In Summary:
- The final rule promotes access to care by removing mandatory consent requirements that would inhibit patient access to health care, while providing covered entities with the option of developing a consent process that works for that entity
- The rule also allows consent requirements already in place to continue
- Covered entities can disclose protected health information for the treatment and payment activities of another covered entity or a health care provider, and for certain health care operations of another covered entity
- A covered entity may use and disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure

Section: Notice of Privacy Practices - Rules and Impacts

Slide 27: Notice of Privacy Practices - Rules

Content of Notice:
- Must provide a written Notice in plain language that contains:
  – Header: “This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.”
  – Uses and disclosures (for example treatment, third party audits and special studies)
  – Separate statements for certain uses or disclosures
  – Individual rights
  – Covered entity's duties
  – Optionally, a statement that the entity elects to limit its uses or disclosures

Revisions to the Notice:
- Must promptly revise and distribute its Notice whenever there is a material change to the uses and disclosures

Slide 28: Notice of Privacy Practices - Rules

Specific Requirements:
- Must be provided no later than the date of the first service delivery, including service delivered electronically
- In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation
- Except in an emergency treatment situation, a covered entity must make a good faith effort to obtain a written acknowledgement of receipt of the Notice
- If not obtained, a covered entity must document its good faith efforts to obtain the acknowledgement and why it was not obtained
- A covered entity must document compliance with the Notice requirement by retaining copies of the Notices it issued, any written acknowledgements of receipt of the Notice, and documentation of good faith efforts to obtain such written acknowledgements

Slide 29: Notice of Privacy Practices - Rules

Provision of Notice:
- Notice must be made available upon request
- Health plans must provide Notice:
  – no later than the compliance date for the health plan
  – at the time of enrollment
  – within 60 days of a material revision of the Notice
  – at least once every three years
- Healthcare Providers must provide Notice:
  – no later than the date of the first service delivery
  – have Notice available at the physical delivery site
  – post Notice in a clear and prominent location
  – upon revision, make the revised Notice available
- Electronic Notice:
  – e-mail notification is acceptable
  – If the covered entity knows that the e-mail transmission failed, a paper copy of the Notice must be provided

Slide 30: Notice of Privacy Practices - Rules

Joint Notice by Separate Covered Entities:
- Covered entities who participate in an organized health care arrangement may comply with provision of Notice by a joint Notice, provided they:
  – Abide by the terms of the Notice with respect to PHI created or received by the covered entity
  – Provide Notice of revisions
  – Describe the covered entities to which the joint Notice applies

Slide 31: Notice of Privacy Practices - Impacts

In Summary:
- DHHS makes changes to protect privacy while eliminating barriers to treatment, by strengthening the notice requirement and making consent for routine health care delivery purposes (known as treatment, payment, and health care operations) optional
- The rule requires covered entities to provide patients with notice of the patient's privacy rights and the privacy practices of the covered entity
- The strengthened notice requirement requires direct treatment providers to make a good faith effort to obtain patients' written acknowledgement of the notice of privacy rights and practices

Section: Patient Rights - Rules and Impacts

Slide 33: Patient Rights - Rules

Under this section, patients have the following rights:
- Access to Protected Health Information
- Request amendments to their Protected Health Information
- Request restriction of uses and disclosures:
  – On PHI to carry out treatment, payment, and/or healthcare operations
  – Covered entity not required to agree to restrictions
  – If restrictions are agreed to, the covered entity may not use or disclose PHI except for emergency treatment, and then that information cannot be further disclosed
  – Terminating a restriction: a covered entity may terminate a restriction if
    · the individual agrees to or requests the termination in writing;
    · the individual agrees orally and the oral agreement is documented in writing; or
    · the covered entity has notified the individual in writing
  – Documentation: a covered entity must place its agreement to a restriction in writing

Slide 34: Patient Rights - Rules

Accounting of Disclosures:
- The authorization process itself adequately protects individual privacy by assuring that the individual's permission is given both knowingly and voluntarily
- The final rule exempts disclosures made pursuant to an authorization from the accounting requirements
- The final rule also exempts from the accounting requirements incidental disclosures, and disclosures that are part of a limited data set
- The rule provides a simplified alternative approach for accounting for multiple research disclosures, which includes providing a description of the research for which an individual's protected health information may have been disclosed and the researcher's contact information

Confidential Communications Requirements:
- A covered entity must make reasonable efforts to allow the individual to receive communications of PHI by alternative means or at alternative locations
  – A health plan may ask the reason for a request for an alternative location for communications about its records; a provider may not
  – Requests may be made under extreme circumstances or if the individual is incapacitated in some way

Slide 35: Patient Rights - Impacts

In Summary:
- Individuals have the right to request access to their PHI, offer amendments and receive an accounting of disclosures from the covered entity
- Prompt action must be taken on a request (no later than 30 days)
- Covered entities must determine grounds for denial of access requests
- Access must be provided in a way that accommodates individuals in a confidential setting
- Fees may be assessed for reasonable costs (copying, postage, etc.)
- Organizations must have a procedure for complaints about such access
- Documentation must be kept for all processing of requests

Section: Administrative Requirements - Rules and Impacts

Slide 37: Administrative Requirements - Rules

Personnel Designations:
- Covered entities must designate a Privacy Official
- Contact person/office responsible for receiving complaints
- Must document personnel designations

Privacy Awareness Training:
- Must train all members of the workforce on policies and procedures (P&Ps)
- Training must occur before the compliance date (4/14/2003)
- All training must be documented

Safeguards:
- Administrative (example: policies and procedures)
- Technical (example: passwords)
- Physical safeguards (example: office locks, access areas)
- Must reasonably safeguard PHI from any intentional or unintentional use or disclosure

Slide 38: Administrative Requirements - Rules

Complaints to the Covered Entity:
–Must have a process for individuals to make complaints
–Document received complaints and their disposition
–Complaint procedure must be in place regarding the covered entity's policies and procedures

Sanctions:
–Must have and apply sanctions against members of its workforce for violations or breaches of policies/procedures
–All sanctions that are applied must be documented
–Examples: oral reprimand, written warning and/or termination

Mitigation:
–A covered entity must mitigate, to the extent possible, any harmful effect known to the covered entity of a use or disclosure of PHI in violation of its policies and procedures

Slide 39: Administrative Requirements - Rules

Refraining From Intimidating or Retaliatory Acts:
–A covered entity must not intimidate, threaten, coerce, discriminate against or take other retaliatory action against:
–Individuals for exercising any right under the rule, or for participating in any process the rule establishes
–Individuals and others for filing a complaint, testifying, or assisting or participating in an investigation or compliance review

Waiver of Rights:
–A covered entity may not require individuals to waive their rights as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits

Slide 40: Administrative Requirements - Impacts

Policies and Procedures:
–Must implement policies and procedures with respect to PHI
–Changes to policies and procedures are necessary to comply with changes in law
–Changes in law must be promptly documented within the covered entity's policies and procedures
–Changes to privacy practices stated in the Notice must be documented

Documentation:
–Maintain the policies and procedures in written or electronic form
–Must retain a copy of the documentation for 6 years from the date of its creation or the date when it was last in effect, whichever is later

Section: Summary, The Bottom Line, Questions

Slide 42: Summary

The biggest areas of impact of HIPAA Privacy on an organization:
–Developing and documenting policies and procedures
–Designating a privacy official
–Identifying and contracting with business associates
–Developing, distributing and acknowledging patient receipt of the Notice of Privacy Practices
–Capturing and providing patients access to the uses and disclosures of their health information not for treatment, payment or healthcare operations
–Training workforce members who have access to patient-identifiable information
–Altering the oral communication culture of the organization

Slide 43: The Bottom Line

–Compliance will be required by April 14, 2003
–Civil monetary and criminal penalties for breach of privacy:
–If knowingly providing information: $50,000 and/or up to 1 year imprisonment
–Under false pretenses: $100,000 and/or up to 5 years imprisonment
–Intent to sell, transfer, or use health information for commercial advantage, personal gain, or malicious harm: $250,000 and/or up to 10 years imprisonment
–Responsibility delegated to the Department's (HHS) Office for Civil Rights
–Includes responsibility for enforcement
–A comprehensive Enforcement Rule is still expected, encompassing all of the Administrative Simplification provisions

Questions / Comments?