1. 1 HIPAA Privacy Workshop November 26, 2002 Sponsored by: the North Dakota HIPAA Coalition

2. 2 Welcome Jennifer Kunz ND State Government HIPAA Coordinator

3. 3 Agenda  Opening Remarks from the Governor’s Office  HIPAA Privacy Rule Overview  Impacts on ND State Laws  Break  Essential Steps for Privacy Compliance  Best Practices Panel Discussion  Questions, Answers

4. 4 Opening Remarks from the Governor’s Office Duane Houdek, Policy Advisor Office of the Governor

5. 5 HIPAA Privacy Rule Overview Mike Mullen Assistant Attorney General

6. 6 Acknowledgement  The slides are substantially based on and borrowed from a set of slides originally prepared by William R. Braithwaite, MD, Ph.D., when he was a Senior Advisor on Health Information Policy, Department of Health and Human Services, and who played a key role in the development of the privacy rule.

7. 7 HIPAA  Health Insurance Portability and Accountability Act of 1996  Title II - Subtitle F - Administrative Simplification  Section 264 - HHS to publish Privacy Rule if no Congressional action by August 1999

8. 8 Development of Privacy Rule  11/3/99 - Proposed Rule -52,000 comments  12/28/2000 - Final Rule  New comment period - 11,000 comments  7/6/2001 - Guidance  8/14/2002 - Modifications  4/14/2003 - Compliance date (4/14/2004 - small health plans)  Further guidance expected

9. 9 Outline of Privacy Rule  Preemption  Who & what is covered  Uses & disclosures of protected health information (PHI)  Individual rights  Administrative provisions  Compliance & enforcement; penalties

10. 10 Preemption  Privacy Rule preempts a contrary provision of state law  Exceptions: –Provisions that the Secretary determines are necessary to accomplish certain purposes (e.g., prevent fraud & abuse) or that principally address controlled substances –Provisions that relate to privacy of health information & are “more stringent” –State public health laws & state laws relating to certain reporting by health plans

11. 11 Who is Covered?  Limited by HIPAA to “covered entities”: –Health care providers who transmit health info in electronic form in connection with HIPAA transactions (Section 1173(a)(1)) –Health plans –Health care clearinghouses  Not covered: business associates, employers, researchers, & others not meeting definition

12. 12 What is Covered?  PHI is: –Individually identifiable health information –Transmitted or maintained in any form/medium (electronic, written & oral) –Excludes education records covered by FERPA –Excludes employment records held by a covered entity in its role as employer  PHI held by covered entity or its business associate  De-identified information is not covered (§164.514(a))

13. 13 Uses & Disclosures: Key Points  NO use or disclosure of PHI unless required or permitted by the Rule  Required disclosures are limited to: –Disclosures to the individual who is the subject of information –Disclosures to OCR to determine compliance  All other uses & disclosures in Rule are permissive  Covered entities can provide greater protections

14. 14 Permissive Uses & Disclosures  To the individual (or personal representative) (§164.502)  For treatment, payment, & health care operations (TPO) (§§164.502, 164.506)  Incident to a use or disclosure otherwise permitted or required (§164.502)  For specific public priorities –Opportunity to agree or object (§§164.502, 164.510) –Special public purposes (§§164.502, 164.512)  As authorized by the individual (§§164.502, 164.508)  For limited data sets (§§164.502, 164.514(e))

15. 15 Uses and Disclosures: TPO (§164.506)  Providers with direct treatment relationship and other covered entities: –No consent required [Exception: if authorization is required, e.g. for psychotherapy notes (§164.508(a)(2) or marketing purposes (§164.508(a)(3)] –May obtain consent if choose to

16. 16 Uses and Disclosures: Opportunity to Agree or Object (§164.510)  Facility directories (name, location, general condition, clergy - religion)  To persons involved in care or payment for care & for notification purposes Friends can pick up prescriptions Hospitals can notify family members of patient’s condition Covered entities can notify disaster relief agencies

17. 17 Uses and Disclosures: Specific Public Purposes (§164.512)  Without authorization, but subject to various conditions: –As required by law –For public health –About victims of abuse, neglect or domestic violence –For health oversight activities –For judicial & administrative proceedings –For law enforcement purposes

18. 18 Uses and Disclosures: Specific Public Purposes (§164.512)  Continued : – About decedents (to coroners, medical examiners, funeral directors) –For organ, eye or tissue donations –For research purposes –To avert a serious threat to health or safety –For specialized government functions (military, veterans, national security, protective services, State Dept., correctional facilities) –For workers’ compensation

19. 19 Uses and Disclosures: Authorization (§164.508)  Any use or disclosure not otherwise required or permitted under the Rule requires individual authorization –Psychotherapy notes: generally use or disclosure requires authorization except for certain limited TPO activities –Marketing  Generally, may not condition treatment/enrollment on the individual authorizing the disclosure of PHI

20. 20 Uses and Disclosures: Authorization (§164.508)  Authorization –Specify information to be disclosed –Identify person authorized to disclose –Recipient of information –Expiration date –Statement of right to revoke –Statement that PHI may be subject to redisclosure  Disclosure must be consistent with authorization

21. 21 Transition Provisions: Prior Consents/Authorizations (§164.532)  Generally, may use/disclose PHI if authorization or other express legal permission obtained prior to compliance date  Permission does not need to comply with Rule’s requirements  Applies to PHI collected/received before the compliance date  Exception for clinical trials: applies to PHI created/received before or after compliance date (e.g., ongoing clinical trial w/ IRB approval)

22. 22 Transition Provisions: Business Associates (§164.532(d) and (e))  Covered entities (except small health plans) can continue to operate with business associates under certain existing contracts for up to one year (April 14, 2004) or until the contract is renewed or modified whichever is sooner

23. 23 Uses and Disclosures: Special Rules  Marketing (§164.508(a)(3))  Fundraising (§164.514(f))  Underwriting (§164.514(g))  By whistleblowers & workforce members who are crime victims (§164.502(j))

24. 24 “Marketing”  Marketing - a communication encouraging the purchase or use of a product or service  Certain communications are excluded from the definition of marketing  Other communications are marketing, but do not require individual authorization  All other marketing communications require individual authorization

25. 25 Communications Excluded from Marketing (§164.501)  Communications regarding participating providers and health plans in a network, the services offered by a provider, or the benefits covered by a health plan  Communications regarding the individual’s treatment  Communications regarding case management or care coordination for that individual, or directions or recommendations for alternative treatments, etc. for that individual

26. 26 Marketing without Authorization (§164.508(a)(3))  Marketing does not require authorization if entity or business associate communication –occurs face-to-face or –promotional gift of nominal value

27. 27 Fundraising (§164.514(f))  Demographic info. regarding individual & dates of care may be...  Used, or disclosed to a business associate or to an institutionally related foundation...  to raise funds for benefit of covered entity  Must include fundraising in notice  Must include info as to how to opt-out & implement any opt-out

28. 28 Uses and Disclosures: “Minimum Necessary” (§164.514(d))  Restrict information to minimum amount necessary to accomplish the purpose  Does not apply to: –Disclosures to providers for treatment to OCR –Uses & disclosures to the individual under authorization requested by individual if required by law or if required for compliance with HIPAA requirements

29. 29 Uses and Disclosures: “Minimum Necessary” (§164.514(d))  Uses: –Role-based access –Need to identify types of workers, types of information & conditions of access  Disclosures: –Routine disclosures –Non-routine disclosures –Requests for disclosure

30. 30 “Business Associates” (§§164.502(e) & 164.504 (e))  BA uses PHI to perform activities on behalf of covered entity or provide services to entity  Satisfactory assurance that BA will safeguard PHI  Written contract required except: –If both govt. agencies: may use MOU or other law has requirements that meet contract objectives –If BA required by law to act on behalf of or perform services for covered entity – only good faith attempt to obtain satisfactory assurances

31. 31 “Business Associates” (§§164.502(e) & 164.504 (e))  Exceptions: –for disclosures to provider for treatment –from a group health plan, issuer or HMO to a plan sponsor if conditions are met  Covered entity responsibility: –responsible for known violation of business associate agreement & failure to act –Monitoring not required

32. 32 Hybrid Entities: Definitions (§164.504)  Hybrid Entity –Single legal entity that performs both covered and non- covered functions and chooses to designate health care components in accordance with §164.504(c)(3)(iii)  Health Care Component –Must include any component that would meet the definition of covered entity if it were a separate entity –Components to the extent that they perform covered functions –Other components to the extent they perform activities that would make such component a business associate of a component that performs covered functions if the two entities were separate legal entities

33. 33 Hybrid Entities: Special Rules (§164.504(c))  Hybrid entity responsible for designating health care component  Hybrid entity must ensure health care component complies w/ requirements of Rule  Sharing of PHI between health care components & non-health care components is a disclosure

34. 34 OHCAs and Affiliated Covered Entities  OHCA (§164.501) –Special arrangement whereby multiple covered entities can share PHI (§164.501) (e.g., clinically integrated care settings) –Joint notice permitted  Affiliated Covered Entities (§164.504(d)) –Legally separate CEs that are affiliated (under common ownership & control) may choose to be treated as a single CE

35. 35 Individual Rights  Include rights to: –Notice of information practices –Request restrictions –Confidential communications –Access –Amendment –Accounting –File a complaint

36. 36 Individual Rights: Notice (§164.520 )  Right to adequate notice in plain language  Must include - standard header, uses & disclosures that may be made, rights of individuals, entity’s legal duties  Include statement in notice if entity will contact individual: for apptmt. reminders, about treatment alternatives or health related benefits or services, or to raise funds for entity

37. 37 Individual Rights: Provision of Notice (§164.520)  Plans: –to existing enrollees by compliance date –to new enrollees - at time of enrollment –within 60 days of material revision

38. 38 Individual Rights: Provision of Notice (§164.520)  Direct treatment providers: –Covered health care provider with direct treatment relationship with individual must make good faith effort to obtain individual’s written acknowledgment of receipt of such notice with certain exceptions –by date of first service delivery –available to take & posted at site –if revised, available upon request  Post on entity’s Website

39. 39 Individual Rights: Request Restrictions (§164.522(a))  Right to request restriction on use & disclosure of PHI –for TPO or –to persons involved in care (§164.510(b))  CE not required to agree to request  If CE agrees, may not use or disclose PHI in violation except if PHI is needed for emergency treatment

40. 40 Individual Rights: C onfidential Communications (§164.522(b))  Right to have reasonable requests to receive PHI from CE by alternative means or at alternative locations accommodated  Plan: –Requirement applies if individual states that disclosure could endanger him or her  CE may require: –Written request –Individual to say how payment will be handled –Individual to provide alternative address/ method of contact

41. 41 Individual Rights: Access (§164.524)  Right to inspect & obtain a copy of PHI in “designated record set” (used to make decisions about individuals)  Exceptions: –psychotherapy notes –legal proceedings –CLIA –Privacy Act –confidential sources –harm to certain persons

42. 42 Individual Rights: Access (§164.524)  Fees permitted: reasonable cost of copying & postage  Time limits for providing access  Can temporarily suspend access during clinical trial

43. 43 Individual Rights: Amendment (§164.526)  Right to amend PHI in “designated record set”  Not required to amend if: –PHI was not created by the entity, –PHI was not available for inspection, or –PHI is accurate & complete.  If amended: –Entity must inform others who received PHI  If not amended: –Individual can submit statement of disagreement, & –Covered entity can include rebuttal statement

44. 44 Individual Rights: Accounting (§164.528)  Right to accounting of disclosures - previous 6 yrs –name & address of recipient –description of PHI –purpose (with exceptions)

45. 45 Individual Rights: Accounting (§164.528)  Excepted disclosures: –Disclosures before compliance date –For TPO –To individual –For facility directory –To persons involved in care –For national security –For health oversight or law enforcement (can delay) –Authorized disclosures –Disclosures that are part of limited data sets –Incidental disclosures

46. 46 Personal Representatives (§164.502(g))  “Personal Representative” is a person who has the authority to make decisions related to health care  Covered entity must treat personal representative as individual  Personal representative can exercise individual rights (access, consent)  Special rule: may elect not to treat person as personal representative if reasonable concern of abuse, neglect, or endangerment

47. 47 Personal Representatives: Unemancipated Minors (§164.502(g)(3))  Parent, guardian, or person acting in loco parentis usually personal representative for minor child  Exceptions: –minor consents to health care service & no other consent is required by law; –court or another person authorized by law consents to health care service; OR –parent agrees to minor-physician confidential communication regarding health care service.  Also : –Parent is not personal rep if no parental rights –Abuse/neglect rule applies

48. 48 Administrative Requirements (§164.530)  Designate a privacy official & contact person  Provide privacy training to its workforce  Implement administrative, technical, & physical safeguards & reasonably safeguard PHI  Establish process for receiving complaints  Sanction employees who violate policies  Mitigate any harmful effects of violations  Not intimidate, discriminate or retaliate against complainants & others

49. 49 Administrative Requirements (cont’d)  Not require waiver of rights  Implement policies & procedures  Meet documentation requirements  Verify identity & authority of persons requesting PHI (§164.514(h))  Some requirements do not apply to certain group health plans (§164.530(k))

50. 50 Compliance and Enforcement (Part 160 - Subpart C)  Technical assistance for voluntary compliance  Any person or organization can file complaints with OCR (generally within 180 days)  OCR may investigate complaints & may conduct compliance reviews  OCR shall attempt to resolve noncompliance by informal means

51. 51 Compliance and Enforcement: Responsibilities of CEs (§160.310)  Keep records & submit compliance reports needed to determine compliance  Cooperate with investigations & compliance reviews  Permit OCR access to facilities, books, records  Certify & explain efforts to obtain information held by 3 rd parties if not provided

52. 52 Limitations on OCR Disclosure  Protected health information obtained by OCR in an investigation or review will not be disclosed by OCR, except if necessary for ascertaining or enforcing compliance or if otherwise required by law.

53. 53 OCR Compliance Action  If investigation or review indicates a failure to comply, OCR will inform covered entity & complainant in writing & seek informal resolution whenever possible  If matter cannot be resolved by informal means, OCR may issue written findings documenting non-compliance  If, after an investigation or review, OCR determines that further action is not warranted, OCR will so inform covered entity & complainant in writing

54. 54 Civil Monetary Penalties (CMPs)  $100 per violation  Capped at $25,000 for each calendar year for each requirement or prohibition that is violated

55. 55 Criminal Penalties (Enforced by DOJ)  Up to $50,000 & 1 year imprisonment for knowingly disclosing individually identifiable health information in violation of a HIPAA Rule  Up to $100,000 & 5 years if done under false pretenses  Up to $250,000 &10 years if intent to sell or for commercial advantage, personal gain or malicious harm

56. 56 Criminal Penalties (cont’d) Same penalties apply to persons who, in violation of a HIPAA rule,  uses or causes to be used a unique health identifier or  obtains individually identifiable health information relating to an individual

57. 57 Impacts on ND State Laws Mike Mullen Assistant Attorney General

58. 58 Acknowledgement  The North Dakota HIPAA Coalition expresses its appreciation to MeritCare Health System and Vogel Law Firm for making available a report “HIPAA Comparison: North Dakota Law” prepared for MeritCare by the Vogel Firm.  The author, however, assumes all responsibility for the material in this PowerPoint presentation.

59. 59 Preemption [U.S. Const. Art. VI, cl. 2.]  Under the Supremacy Clause of the United States Constitution, an Act of Congress “shall be the supreme law of the land…anything in the…laws of any State to the contrary notwithstanding.

60. 60 Preemption: General Rule – § 160.203  “ A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State Law…”  Unless the state law is “more stringent,” in that it “prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter.” [Note there are exceptions]

61. 61 Federal Rule is a “Floor”  The federal privacy rule establishes a “floor” of privacy protection. Thus, a covered entity must provide at least that much protection UNLESS a state law is more stringent and gives greater privacy protection or greater access to an individual’s protected health information.

62. 62 1. Reporting Physical or Mental Disorders to DOT  N.D. Cent. Code 23-07-01.1 permits reports to DOT. But HIPAA is more stringent—so disclose info only if the physician believes the use or disclosure is necessary to “prevent or lessen a serious and imminent threat to the health or safety of a person or the public.”  HIPAA > privacy

63. 63 2. Hospital Records  N.D. Cent. Code 23-16-09 permits disclosure of hospital records in certain cases. OK for inspection, licensing proceeding, court order, or subpoena.  But, do not follow state law for disclosure to health agencies or persons interested in welfare of mother or child without a patient authorization. HIPAA > privacy

64. 64 3. Mental Illness: Civil Commitment  N.D. Cent. Code 25-03.1-43. Generally follow state law and the procedural requirements of HIPAA.  Do not follow state law which allows release of information to the patient’s attorney without a patient authorization or court order. Follow HIPAA, and release only with patient authorization or court order. [Bill to permit disclosure to attorney will be introduced.]  This is an overview; details more complicated.

65. 65 4. Confidentiality of HIV Test Results  N.D. Cent. Code 23-07.5-05.  This statute generally is consistent with HIPAA.  The statute provides an exclusive list of persons or entities permitted to receive HIV test results. If a person or entity is not included in the state statute, disclosure is prohibited even if HIPAA would allow it.  Part of State law > privacy than HIPAA

66. 66 5. Drug and Alcohol Records  8. If drugs or alcohol records are involved, the federal confidentiality of alcohol and substance abuse law, 42 U.S.C. 290dd-2, and its implementing regulation 42 C.F.R. part 2, generally provide greater privacy protection than HIPAA or state law and must be followed.  42 C.F.R. part 2 > privacy than HIPAA

67. 67 6. Psychotherapy Notes §164.501  “Psychotherapy notes” means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.

68. 68 7. Psychotherapy Notes § 164.501 [cont’d]  Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

69. 69 8. Authorization Required: psychotherapy note-§ 164.508(a)(2)  1. A covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: –i. To carry out the following treatment, payment, or health care operations: A. Use by the originator of the psychotherapy notes for treatment; B. Use or disclosure by the covered entity for its own training programs in which students…; or C. Use or disclosure by the covered entity to defend itself in a legal action…brought by the individual; [Other exceptions/situations not covered]

70. 70 9. Psychiatric Records. N.D. Admin. Code 50-02-10-01  Section 50-02-10-01 is ambiguous. (Legislation to repeal the authority for this rule will be introduced; and, if enacted providers will follow the HIPAA privacy rule.)  The rule may be preempted (if and) to the extent it does not limit disclosure of separately filed psychotherapy notes  If psychiatric records relate to involuntary commitment under chapter 25-03.1 an “authorization” may be required to transfer the records. (Although legislation may be introduced to change this requirement.)

71. 71 10. Minors  Under § 164.502(g)(3) the preemptive provision does not to preempt a state law to the extent it authorizes or prohibits disclosure of protected health information regarding a minor to a parent.  The rule defers to these state decisions to the extent that they regulate any such disclosure.  § 164.502(g)(3), unemancipated minors, provides:  If under applicable law a parent [or] guardian… has authority to act on behalf of an individual who is a minor in making decisions related to health care, a covered entity must treat such a person as a personal representative (& disclose PHI to them).

72. 72 11. Public Health: Not Preempted  Preemption of State Law – Exception—Under § 160.203©, the HIPAA does not apply if:  The provision of State law…provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public surveillance, investigation, or intervention.  Under § 164.512(b)(1)(i), a covered entity may disclose protected health information for the public health activities and purposes described in this paragraph to…a public health authority…

73. 73 Warning  Disclaimer: These PowerPoint slides offer only a general overview of preemption and may not be relied upon as legal advice.  You must read and study the rule and the state laws, and then consult with:  Your organization’s attorney, who is the only one qualified to evaluate your specific situation and provide you with legal advice.

74. 74 Preemption: Additional Materials www.discovernd.com/hipaa www.discovernd.com/hipaa  A report that contains more details comparing North Dakota law to the federal privacy rule will soon be available to members of the North Dakota HIPAA Coalition. Members will be notified via the NDHC list serve email. Other preemption materials & links to other preemption sites will be posted on the ND HIPAA website at www.discovernd.com/hipaa. www.discovernd.com/hipaa

75. 75 Essential Steps for Privacy Compliance Chuck Seviour Eide Bailly, LLP

76. 76 Common Questions  Posting of your Notice of Privacy Practices?  Answering machine usage?  Personnel representative, must we identify this person?  Number of policies necessary for HIPAA Compliance?  Can clergy be given information about parishioners in their facility?  Can a provider disclose a complete medical record even though other providers created portions of the record?

77. 77 Sample Task List  Appoint a HIPAA Task Force  Perform a baseline gap analysis  Provide HIPAA awareness training for all staff  Develop a list of all payers  Development of Privacy Policies  Development of Notice of Privacy Practice  Training of staff on Policies and Notice of Privacy Practices

78. 78 Sample Task List, cont…  Development of Policy and Procedure for training new hires re: HIPAA  Development of and assign responsibility for updating Business Associate List  Identify all record sets, medical and billing  Test transactions and code sets electronic transmissions (October 15, 2003 must be compliant)  Train impacted staff on new T & CS standards

79. 79 Minimum Necessary  Routine and Recurring disclosures: reasonably necessary to achieve purpose of disclosure  Other disclosures: criteria to limit PHI disclosed to the minimum necessary  Minimum necessary requires ongoing monitoring which will require culture change, training, and regular compliance monitoring

80. 80 Minimum Necessary Uses  Paper Based Environment: –You will rely heavily on the application and interpretation of policies and procedures and even self-policing –Thus, the development of policies and procedures and the need to train staff takes on a special importance for covered entities

81. 81 Minimum Necessary Uses, cont…  Automated Environment: Access Control –UBAC: Users must authenticate themselves, no constraints on access –RBAC: Access based on classes of users to access specific information –CBAC: Limit users to accessing information not only by role and identity but also by location and time –HHS Espouses RBAC: As the appropriate security model to safeguard health data

82. 82 Tour of Facilities  Calling names at registration areas and privacy in the area  Carts of charts in hallways with names visible  Patient schedules visible at desk areas  Radiology films on view-box with name visible  Nurses stations and nurses making phone calls from hallway nursing stations

83. 83 Tour of Facilities, cont…  Physicians dictating or talking with clinical staff in hallways and nursing stations  Laboratory  Medical Records  Insurance/Business Office/Billing  Pharmacy  Chemo’Radiation/PT/OT

84. 84 Security Rule  Telecommuting Employees  Security Checklist  Access Controls/Audit Controls  Contingency Planning  Data Authentication  Media Controls  Physical Controls (including visitor areas)  Personnel Security  CIA for Security (Confidentiality, Integrity, Availability)

85. 85 Essential Steps for Privacy Compliance HIPAA Shortcuts F. Snyder Gokey Vogel Law Firm (701)237-6983 email: sgokey@vogellaw.com

86. 86 HIPAA Shortcuts – Overview  Shortcuts to HIPAA project Completion –Policies and Procedures –Business Associates  HHS shortcuts for small providers. –Scalability –Reasonableness  Shortcuts to information about HIPAA.

87. 87 Shortcuts to Project Completion  The Policy and Procedures Shortcut  Business Associate Shortcuts

88. 88 Policies & Procedures Shortcut  How does an entity become HIPAA compliant? –How does an entity translate the abstract, technical, complicated requirements of the HIPAA regulations into practical applications on the ground at the entity? –How does it implement the required changes in practices?

89. 89 Goal of HIPAA Project  The measure of HIPAA compliance, and goal of the HIPAA Project is the: –identification of, –adoption of, and –implementation of –HIPAA compliant Policies and Procedures. –P&P are the entity’s “guidebook” on operations under HIPAA.

90. 90 Purpose #1 of P & P  Comply with HIPAA Regulations (164.530(I)(1) –(i)(1) Standard: policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart. –The policies and procedures must be reasonably designed, taking into account the size of and the type of activities that relate to protected health information undertaken by the covered entity, to ensure such compliance. –This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart.

91. 91 Purpose #2 of P & P  Only practical way to proceed. –Record of practical and considered application of HIPAA regulations to entity’s environment. Square pegs/round holes issue Scalability issues Reasonableness issues –Operating manual Resource/guidebook/reference source Training materials – how things are done “here”

92. 92 Policies and Procedures Needed  P&P for Individual Rights (9)  P&P for Administrative Requirements (10)  P&P for Consent and Authorization (9)  P&P for Use & Disclosure –General PHI (6) –Authorization Not Required (12) –Specific Applications (7) (List from Strategic Management Systems, Inc.)

93. 93 P&P for Individual Rights  Accounting for disclosures of PHI  Accepting Requests for Amendments to PHI  Confidential Communications for PHI  Denying Access to Inspect/Obtain a Copy of PHI  Denying Requests for Amendments to PHI  Extending Time to Access  Granting Access to Inspect and Obtain a Copy  Requesting Restriction on Uses and Disclosures  Reviewing a Denial to Access to PHI Suspension

94. 94 Administrative Requirements  Designation of a Privacy Official  Privacy Official Responsibilities  Employee Training on Use and Disclosure  Filing Complaints  Employee Training on Individual Rights  Prohibiting Retaliation  Mitigating Effects of Unauthorized Release  Sanctioning of Employees, Agents, and Contractors  Maintaining Appropriate Documentation  Employee Training on Privacy Awareness

95. 95 Consent and Authorization  Authorization for Use or Disclosure of PHI that is Initiated by the Individual  Authorization to Disclose PHI for Provider’s Own Use  Conditioning Services on the Provision of an Authorization to Disclose PHI  Individual Revocation of an Authorization to Disclose PHI  Authorization for Disclosing PHI Created for Research that Includes Treatment

96. 96 Consent and Authorization  Initiating Authorization for the Use or Disclosure of PHI by Others  Prohibiting the Use of an Invalid Authorization to Disclose PHI  Obtaining Consent  Resolving Conflicting Consents and Authorizations

97. 97 Use & Disclosure–General PHI  Disclosing and Requesting only the Minimum Amount of PHI Necessary  Assurances from Business Associates to Safeguard PHI  Creating De-Identified Information  Identifying when Routine Health Information Becomes PHI  Treating a Personal Representative of the Individual as the Individual  Verification of Entities Requesting Use or Disclosure of PHI

98. 98 Uses and Disclosures – Authorization Not Required  Disclosing PHI about Decedent  Disclosing PHI about Victims of Abuse, Neglect, or Domestic Violence  Disclosing PHI as Required by Law  Disclosing PHI for Cadaveric Organ, Eye, or Tissue Donation  Disclosing PHI for Health Oversight Release  Disclosing PHI for Judicial and Administrative Release

99. 99 Uses and Disclosures – Authorization Not Required  Disclosing PHI for Law Enforcement Release  Disclosing PHI for Public Health Release  Disclosing PHI for Research Release  Disclosing PHI for Specialized Government Functions  Disclosing PHI for Worker's Compensation  Disclosing PHI to Avert Serious Threat to Health and Safety

100. 100 Uses & Disclosures – Specific Applications  Notice of Privacy Practices - Content of Notice  Authorization for the Use or Disclosure of Psychotherapy Notes  Disclosing PHI for Fundraising Purposes  Using and Disclosing PHI for Marketing  Using and Disclosing PHI for Underwriting or Rate Setting  Using PHI for Facility Directories  Using PHI for Involvement In and Notification of the Individual's Care

101. 101 Policies & Procedures Problem  Information about HIPAA is nearly infinite.  Approaches to a HIPAA project are infinite.  Solutions to a HIPAA project are infinite. But:  Finances are severely limited.  Time is severely limited.  HIPAA is a cost center, with no profit potential.  There is no reason to spend more time than necessary.

102. 102 Policies & Procedures Shortcut  Goal of HIPAA Project: –The measure of HIPAA compliance is the identification, adoption and implementation of HIPAA compliant Policies and Procedures.  Conclusion: Buy them. –Do not waste time reinventing the wheel. –Take advantage of commercially available draft Policies and Procedures. –Devote 100% of time to tailoring them, not writing them (that, alone, is a huge job)

103. 103 Advantages of Commercial PP  Turn liability/burden into a asset/resource.  Speed HIPAA project completion –Commercial P&P fill 3” binder. –Percentage can be adopted “out of the box” –Jumpstart your project.  Focus HIPAA project –Can select the applicable P&P from universe –They create a checklist to be completed.

104. 104 Advantages of Commercial PP  Quality –If start with good set, someone with time and expertise assembled them. –More time and expertise than most providers.  Cost – Reduce cost of project. –Cannot be replicated for the price. –If use set lawyer is familiar with from use with other clients, get de facto legal fee cost sharing on the analysis needed for scalability decisions.

105. 105 Using Commercial P&P - Steps  Find a set of Commercial Policies and Procedures to use. –Available on CD in document form so can be revised. –Ideally, select a set which has been reviewed by someone. –Available for $600+ ($300 with other subscriptions.)

106. 106 Using Commercial P&P - Steps  Select the P&P applicable to the provider. –Clinic will not have to have procedure regarding patient directory, as would a hospital.  Determine and address compatibility with the entity’s existing policies and procedures. –Some new P&P will not be covered by existing P&P –Some new P&P will be contrary to existing P&P. –The entity will need to determine how to “marry” the two, while arriving at HIPAA Policies and Procedures which meet the Privacy Regulation.

107. 107 Using Commercial P&P – Steps  Determine issues of practicality, reasonableness and scalability. –In small practices, practicality will have to rule. –This is contemplated by the “scalability” philosophy of the Privacy Rule. –Practical solutions which meet the letter of the HIPAA statute will have to be created.  Maintain copy with counsel, for analysis.

108. 108 Shortcuts to Project Completion  The Policy and Procedures Shortcut  Business Associate Shortcut

109. 109 Business Associates  Business Associates are third parties defined under 45 CFR 160.103 to whom covered entities disclose PHI.  HIPAA only regulates covered entities.  Third parties not bound by HIPAA, creating “hole” in the the patient privacy protection.

110. 110 Business Associates  HIPAA Regulations plug this hole, by requiring Covered Entities to: –Identify their business associates (160.103) –Not disclose PHI to business associates unless and until business associates agree to enter into contracts (“Business Associate Agreements”) –Business Associate Agreements contractually impose many HIPAA requirements on Business Associates. (§§164.502(e) & 164.504 (e))

111. 111 Business Associates Shortcut  Use HHS sample contract language –Utilize Business Associate Sample Contract Language from HHA preamble to August 14, 2002 Final Regulations. 67 FR 53264  Advantages –Acceptable to HHS –Most of the work is done. –Business Associates hard pressed to argue.

112. 112 Business Associates Shortcut  But: Provisos – HHS says: –“The proposal is not a model contract, but was rather sample language that could be included in a contract.” –“Each entity should carefully analyze each of the sample Provisions to ensure that it is appropriate given the specific Business Associate relationship.” –The contract must be “completed”.

113. 113 HIPAA Shortcuts – Overview  Shortcuts to HIPAA project Completion –Policies and Procedures –Business Associates  HHS sanctioned shortcuts for small providers. –Scalability –Reasonableness  Shortcuts to information about HIPAA.

114. 114 Shortcuts for Small Providers  Scalability  Reasonableness –Enforcement Discretion –HHS assistance

115. 115 Goal of HIPAA Project  The measure of HIPAA compliance, and goal of the HIPAA Project is the: –identification of, –adoption of, and –implementation of –HIPAA compliant Policies and Procedures. –But, “one size does not fit all”.

116. 116 HIPAA “Scalability”  Same privacy regulations for Mayo Clinic as a sole practitioner in Butte MT. –How can the same rules apply? –“Scalability”  What is Scalability? –Not defined. –“Scalability” not appear in the Regulations.

117. 117 Scalability  Defined by example in commentary  HHA has “expectation that small entities will develop –less expensive and –less complex privacy measures –that comply with the rule –than large entities.”

118. 118 Scalability – Entities should:  Weigh the costs and benefits of alternative approaches and  Scale their compliance activities to their –structure, –functions, and –capabilities  Within the requirements of the rule

119. 119 Purpose #1 of P & P  Comply with HIPAA Regulations (164.530(I)(1) –(i)(1) Standard: policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart. –The policies and procedures must be reasonably designed, taking into account the size of and the type of activities that relate to protected health information undertaken by the covered entity, to ensure such compliance. –This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart.

120. 120 Scalability  “We intend this to be a common sense, scalable, standard.”  “We do not require covered entities to guarantee the safety of protected health information against all assaults.”

121. 121 Scalability Examples  Privacy official –at a small physician practice may be the office manager, who will have other non-privacy related duties; –at a large health plan may be a full-time position, and may have the regular support and advice of a privacy staff or board.

122. 122 Scalability Examples  Training requirement –satisfied by a small physician practice's providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies; –a large health plan may provide training through live instruction, video presentations, or interactive software programs.

123. 123 Scalability Examples  Policies and procedures  Small providers policies and procedures may be more limited under the rule than those of a large hospital or health plan –This is the reason policies and procedures must be “tailored” to the entities situation. –The question always remains: Is the tailored, “scalable” policy still compliant?

124. 124 Scalability Conclusion  Small providers cannot skip any HIPAA rules.  However, there is strong support for reasonable shortcuts and good-faith efforts appropriate to the circumstances.  Demonstrate and document a good faith effort to create a scalable solution to avoid enforcement difficulties.

125. 125 HIPAA “Reasonableness”  Regulations often call for: –“reasonable efforts” –“reasonable judgment”  Document the rationale for a close decision with a memo to the file, setting forth the justifications for the course taken, where decisions are discretionary and “reasonableness” is required.

126. 126 Enforcement Discretion  HIPAA is not discretionary.  HIPAA has teeth. –Civil penalties. –Criminal penalties.

127. 127 Enforcement Discretion  No penalties if : –the person liable for the penalty did not know, and by exercising reasonable diligence, would not have known, that such person violated the provision.

128. 128 Enforcement Discretion  No penalties if : –the failure to comply was due to reasonable cause and not to willful neglect; and –the failure to comply is corrected during the 30- day period beginning on the first date the person liable for the penalty knew.

129. 129 HHS Assistance  HHS can provide technical assistance: –If due to reasonable cause, Secretary may provide technical assistance to the person. –If due to reasonable cause Secretary may waive the penalty  Conclusion: So long as good faith efforts are made and documented a provider might expect assistance rather than enforcement.

130. 130 HIPAA Shortcuts – Overview  Shortcuts to HIPAA project Completion –Policies and Procedures –Business Associates  HHS sanctioned shortcuts for small providers. –Scalability –Reasonableness  Shortcuts to information about HIPAA.

131. 131 Shortcuts to HIPAA Information  WEDI – www.wedi.org  NCHICA – www.nchica.org  Federal Government  Associations

132. 132 WEDI  Workgroup for Electronic Data Interchange –Industry work group involved in forming HIPAA regulations.  WEDI work product available free on website.  Small Practice Implementation White Paper –Excellent resource. –http://snip.wedi.org/public/articles/index.cfm?C at=17

133. 133 WEDI  Other WEDI work product-Whitepapers on: –Awareness Training and Education –Access and Amendment –Minimum Necessary Rule –Notice and Consent –Authorization –Policies and Procedures –Preemption, among others.

134. 134 NCHICA  North Carolina Healthcare Information and Communication Alliance, Inc. "NCHICA")  The NICHICA web site contains a broad array of free HIPAA white papers, sample documents, checklists, and references to other HIPAA resources, free.  Collaborative documents.  Membership reasonable.  Sponsors “EarlyView” software.

135. 135 Federal Government  HIPAA targeted government websites –Office of Civil Rights- www.hhs.gov/ocr/hipaa/ –HHS- www.cms.gov/hipaa/hipaa2/default.asp  Should be surveyed.  Excellent free resources.

136. 136 Associations  American Dental Association  Pharmacy Associations, etc.  “HIPAA Summit” - National conference of the agency officials, HIPAA consultants, and attorneys –Streaming video of lectures and PowerPoint presentations on-line. –www.hipaasummit.com/

137. 137 Conclusion  HIPAA compliance is a daunting task  Do not recreate the wheel. Utilize shortcuts. –Focus and speed up the HIPAA project by buying Policies and Procedures for the first draft. –Use them to guide the project. –Plenty of work remains in tailoring them to the real world of the entity.  HHS expects only “scalable” good-faith efforts from small providers.  It’s a community effort. Work together.

138. 138 Best Practices Panel Discussion Best Practices Challenges & Solutions Good Resources

139. 139 Trisha Robertson  Systems Security Officer & Privacy Manager  Noridian (Blue Cross Blue Shield of ND)

140. 140 Kris Vollmer  Assistant Administrator  Heart and Lung Clinic

141. 141 Joan Bachman  RN, NHA, RHIT Administrator  Tri-County Nursing Home, Hatton

142. 142 Laurie Peters  Network HIM Director  Northland Healthcare Alliance

143. 143 Pam Crawford  RHIA, HR Officer  ND Dept. of Human Services

144. 144 Galen Jordre  Executive Vice President  ND Pharmaceutical Association

145. 145 Sparb Collins  Executive Director  ND Public Employees Retirement System (employer group health plan)

146. 146 Q & A

147. 147 Thank You!  Check out the North Dakota HIPAA web site in early December 2002 for a recorded version of this event and other great resources: www.discovernd.com/hipaa

148. 148 Disclaimer  This Privacy Workshop has been provided for educational purposes and may not be relied upon as legal advice.