The HIPAA Privacy & Security
Brian Martin, Privacy Program Manager, Navy Medicine Support Command
(904) 542-7200 ext. 8139, Brian.K.Martin@med.navy.mil
Learning Objectives • Know Future CONOPS for Office of Privacy Program Management • Know the purpose for Privacy Act and HIPAA • Know key provisions or features of each law • Know training requirements • Understand disclosures and accounting of disclosures • Understand TMA and DoN incident reporting requirements • Know basic MTF requirements for HIPAA Privacy and Security compliance
References • Public Law 104-191 • Privacy Act of 1974 as Amended • DoD 6025.18R Health Information Privacy • DoD 8580.02R Health Information Security • DoD 5400.11 Privacy Regulation • DoN 5211.5E Privacy Regulation • DoD 8500.2 Information Assurance Implementation • TRICARE Management Activity – training materials
Command Organization
Echelon 1: Chief of Naval Operations (CNO)
Echelon 2: Bureau of Medicine and Surgery (BUMED)
Echelon 3: Navy Medicine Support Command (NMSC), Navy Medicine East (NME), Navy Medicine West (NMW), Navy Medicine National Capital Area (NMNCA)
Echelon 4: NMRC, NAVMED MPT&E, NMCPHC, NMLC, NMIMC
Navy Medicine Support Command Office of Privacy Program Management Concept of Operations: • Create an Office of Program Management at NMSC and appoint a full-time Director to standardize and integrate HIPAA Privacy and Security execution throughout the enterprise. • Execute all BUMED policies and procedures pertaining to the DoD Health Information Privacy and Security regulations. • Ensure risk analyses are conducted that include an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI created, received, stored, or transmitted by the organization, as directed by and in coordination with NAVMISA. • Provide technical support to Regional Commands and coordinate activities to improve compliance with privacy and security requirements.
HIPAA, Title I - V
• Title I: Health insurance portability and renewal (Certificate of Creditable Coverage)
• Title II: Administrative Simplification (Privacy - Apr 03, TCS - Oct 03, Security - Apr 05, Identifiers - May 05)
• Title III: Tax provision for medical savings account
• Title IV: Group health plan provision enforcement
• Title V: Revenue offset provisions
HIPAA Privacy Rule Key Provisions • Applies to the protection of information whether it be in oral, written or electronic form • Provisions: • More consumer control = Individual patient rights • Specifies “what” health information must be protected • Boundaries on use and release • Accountability and penalties • Preserving strong state laws • Balancing public responsibility with protections
Who is Covered under HIPAA Privacy Rule? • Directly applies to: • Health Plans (e.g. TRICARE) • Healthcare Clearinghouses (e.g. process claims or perform electronic billing) • Healthcare providers who transmit information in electronic form for specified financial & administrative transactions • These groups/organizations are referred to as “Covered Entities” (CE)
What is Covered under HIPAA Privacy? • Health Information ….oral, paper, or electronic media and related to……. • past, present, or future physical or mental health condition of an individual • provision of health care to individual or • payment for health care • Individually identifiable - includes demographics • Held by CE or their business associates
Features of Privacy Act and HIPAA
Privacy Act: • Requires Fed agencies to comply • Restricts disclosure • Allows individual access to records about themselves • Applies to contractors hired to operate a system of records • Provides judicial remedies for PA violations
HIPAA: • Requires “covered entities” to comply, not just Fed agencies • Restricts use and disclosure with key exceptions • Expands patient rights: Notice of privacy practices, access, inspect, copy, amend, accounting of disclosures, request restrictions, file complaints, alternate communications requests • Applies to all members of the workforce
Pillars of Privacy - Key Areas
Privacy Act: • Consent • Disclosures • “Need to Know”
HIPAA Privacy Rule: • Notice of Privacy Practices • Use and Disclosure • Authorization • Minimum Necessary • Military Exemption
HIPAA Notice of Privacy Practices Includes: • Use and Disclosure of PHI for TPO • Individual’s rights to access, control and request restrictions on use • Covered entities’ duties • Complaint procedures • Contact information • Effective date
Notice of Privacy Practices • Obtain written acknowledgment of receipt of the Notice of Privacy Practices. • “Good faith effort” • Exception--Emergency situations--delay having to provide Notice until reasonably practicable and exempt providers from good faith effort to obtain acknowledgment
Use & Disclosure - Privacy Act vs. HIPAA
Privacy Act: • No record disclosed without consent of individual to whom record pertains • Exceptions, e.g.: Need to know, released under FOIA, routine use, criminal law enforcement activity • Disclosures not required if to DoD or DON personnel having a “need to know” in performance of official duties
HIPAA: • CE can use & disclose PHI for TPO of self plus other CE w/out authorization of individual - No “consent” required • For Non-TPO uses, need authorization but there are exceptions • Must provide accounting of disclosures for up to 6 years - only if non-TPO
Exceptions under Privacy Act & HIPAA
Privacy Act: • Need to know • Released under FOIA • Routine use • Criminal/law enforcement activity • Health or safety • Committee of Congress • Bureau of Census • Statistical research • National Archives • Comptroller General for GAO • Order of court of competent jurisdiction • Consumer reporting agency
HIPAA: • Required by law • Avert serious threat to health or safety • Specialized govt. functions • Judicial/administrative proceedings • Cadaver, organ, eye or tissue donation purposes • Law enforcement purposes • Victims of abuse, neglect or domestic violence • Inmates in correctional institutions/custody • Worker’s compensation • Research involving minimal risk • Public health activities • Health oversight activities • About decedents
HIPAA Privacy Authorization • Covered entities must obtain an individual’s authorization (signed written permission) before using or disclosing PHI for purposes other than treatment, payment or healthcare operations • Cannot condition provision of treatment, payment, enrollment or eligibility upon an authorization • Individuals have the right to use an authorization to request a restriction on the use of their PHI
HIPAA Privacy Authorization Examples • Authorization required : • For research • To send marketing materials • Authorization NOT required: • To fill prescriptions • For referrals to specialists • To communicate treatment options
HIPAA Privacy Minimum Necessary • All Uses and Disclosures subject to this standard • Balancing act between protecting privacy against “reasonable ability” to limit information that is disclosed and still deliver quality care • Exceptions: • Disclosure to or request by provider for treatment • Disclosure to the individual • Under authorization - unless requested by CE • Required by HIPAA standard transaction • Required by law • Required for law enforcement
HIPAA Privacy Military Exemptions • Covered entities may disclose PHI of service members to Military Command Authorities if: • For determination of member’s fitness for duty • Necessary to assure proper execution of the military mission
Training Requirements - Privacy Act and HIPAA Privacy Rule • Orientation • Specialized training for specialized areas of job performance • Management Training • Provided shortly after assuming duties associated w/ level of involvement • All members of workforce must receive basic HIPAA privacy training • Focused specialty training • New employees • When material change in policy - annual training
Civil Remedies/Criminal Penalties under Privacy Act and HIPAA
Privacy Act: • Civil: denial of amendment request; denial of access; failure to meet record keeping standards (against a naval activity) • Criminal: wrongful disclosure, unauthorized records, wrongful request or obtaining records
HIPAA: • Civil: $100 for each violation for failure to comply with requirements of law/privacy regulations • Criminal: fines up to $50,000, imprisonment up to 1 year for wrongful disclosure by any person • Requires CE to apply sanctions against members of its workforce who fail to comply with privacy policies and procedures
MTF HIPAA Compliance Requirements • Must have and introduce written Notice of privacy practices • Must designate privacy/security officer in writing • Must develop consent and authorization process for uses and disclosures • Must provide privacy training to all staff • Must maintain documentation regarding compliance with the regulation • Must establish safeguards to protect health information • Must conduct privacy assessment and modify policies and procedures to be in compliance with the Privacy rule • Must develop and apply sanctions for violations
Disclosures Training Objectives - • Accounting of Disclosures of Protected Health Information (PHI) • Review of Disclosures • Uses & Disclosures – General Information • Suspension of Individual Rights • Reporting of Disclosures • Responding to a Request for Disclosures • PHI Management Tool (PHIMT) • Rights of Individuals
What is the HIPAA Privacy Rule? • The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ personal health information in any form: paper, electronic, oral • It sets boundaries on the use and release of health information • It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made • It generally gives patients the right to gain access and obtain a copy of their own health records and request amendments and restrictions
§164.528 Accounting of Disclosures of Protected Health Information • An individual has a right to receive an Accounting of Disclosures of Protected Health Information (PHI) made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures • To carry out treatment, payment and health care operations • For the facility’s directory or to persons involved in the individual’s care or other notification purposes • For national security or intelligence purposes • To correctional institutions or law enforcement officials • That occurred prior to the compliance date of April 14, 2003
What is a Disclosure? • A “disclosure" is generally defined as the sharing of health information with someone outside of the Military Health System • Example: A disclosure of health information to a public health official to assist in tracking exposure of individuals to a contagious disease • Example: Disclosures for family advocacy program offices and the Exceptional Family Member Program (EFMP)
Uses & Disclosures - General HIPAA allows the use and disclosure of PHI for treatment, payment & healthcare operations (TPO) without the patient’s permission
Suspension of Individual Rights Communicated in Writing • An oversight agency or law enforcement official has the authority to request a suspension of an individual’s right to receive an accounting of disclosures if • Such agency or official provides the covered entity with a written statement that such an accounting to the individual would be reasonably likely to undermine the agency's investigation activities • The agency must specify the time period for which the requested suspension is required • Example: A law enforcement investigation of criminal activity when the knowledge of the individual might alter the nature of the investigation
Suspension of Individual Rights Communicated Orally • If the request for suspension is made orally by an authorized agency, the covered entity must • Document the request, including the identity of the agency or official making the statement • Temporarily suspend the individual’s right to an accounting of disclosures subject to the request • Limit the temporary suspension to a period of no longer than 30 days from the date of the oral statement, unless a written request is submitted during that time
Reporting the Disclosure • For each disclosure, the account must include: • The date of the disclosure • The name of the entity or person who received the PHI and, if known, the address of such entity or person • A brief description of the PHI disclosed • A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or, in lieu of such statement, a copy of a written request for a disclosure
Reporting Multiple Disclosures • If the covered entity has made multiple disclosures of PHI during the period covered by the accounting to the same person or entity for a single purpose, the accounting may provide • The information requested for the first disclosure during the accounting period • The frequency, periodicity, or number of the disclosures made during the accounting period • The date of the last such disclosure during the accounting period • The PHIMT will separately track disclosures made for one record
Responsibility for Responding to a Request • The covered entity must act on the individual’s request for an accounting, no later than 60 days after receipt of such a request • If the covered entity is unable to provide the accounting within the 60-day timeframe, the covered entity may extend the time to provide the accounting by no more than 30 days and must • Provide the individual with a written statement of the reasons for the delay, and • The date by which the covered entity will provide the accounting • The covered entity may have only one such extension on a request for an accounting
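As an added example (not part of the original training deck), the accounting rules above as a small Python routine: the six-year window bounded by the April 14, 2003 compliance date, the excluded purposes, the four fields recorded per disclosure, the summary form for repeated disclosures to one recipient for one purpose, and the 60-day response with a single 30-day extension. The disclosure-log layout, purpose labels and sample records are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

COMPLIANCE_DATE = date(2003, 4, 14)   # disclosures before this date are not accounted
# Purposes that 164.528 leaves out of the accounting (TPO, directory, etc.); labels assumed
EXCLUDED = {"treatment", "payment", "operations", "directory", "involved_in_care",
            "national_security", "correctional", "law_enforcement"}

@dataclass(frozen=True)
class Disclosure:          # one row of a hypothetical disclosure log
    patient_id: str
    when: date
    recipient: str
    address: str           # recipient address, if known
    description: str       # brief description of the PHI disclosed
    purpose: str

def years_before(d, years):
    try:
        return d.replace(year=d.year - years)
    except ValueError:     # 29 Feb in a non-leap year
        return d.replace(year=d.year - years, day=28)

def accounting(log, patient_id, requested, years=6):
    """Entries owed to one individual: window, exclusions, summarised repeats."""
    start = max(years_before(requested, min(years, 6)), COMPLIANCE_DATE)
    groups = defaultdict(list)
    for d in log:
        if (d.patient_id == patient_id and d.purpose not in EXCLUDED
                and start <= d.when <= requested):
            groups[(d.recipient, d.purpose)].append(d)
    entries = []
    for (recipient, purpose), ds in sorted(groups.items()):
        ds.sort(key=lambda x: x.when)
        first = ds[0]
        entry = {"date": first.when, "recipient": recipient, "address": first.address,
                 "phi": first.description, "purpose": purpose, "count": len(ds)}
        if len(ds) > 1:    # multiple disclosures: first one in full, then count and last date
            entry["last_date"] = ds[-1].when
        entries.append(entry)
    return entries

def response_deadline(received, extended=False):
    # act within 60 days of receipt; at most one 30-day extension, with written reasons
    return received + timedelta(days=90 if extended else 60)

# Constructed sample log (not real records)
LOG = [
    Disclosure("P1", date(2012, 3, 1), "County Public Health", "1 Main St", "TB test result", "public_health"),
    Disclosure("P1", date(2012, 6, 1), "County Public Health", "1 Main St", "TB test result", "public_health"),
    Disclosure("P1", date(2012, 9, 1), "County Public Health", "1 Main St", "TB test result", "public_health"),
    Disclosure("P1", date(2013, 1, 5), "Referral Clinic", "", "Referral notes", "treatment"),
    Disclosure("P1", date(2005, 1, 5), "County Public Health", "1 Main St", "Immunization record", "public_health"),
]
```

Running `accounting(LOG, "P1", date(2014, 1, 1))` yields one summarised entry for the three 2012 public-health disclosures; the treatment disclosure is excluded and the 2005 record falls outside the six-year window.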
Accounting of Disclosures – PHI Management Tool (PHIMT) • TRICARE will use the PHIMT to process the Accounting of Disclosures • In addition to Accounting of Disclosures, the PHIMT is utilized to process complaints, requests for amendments, requests for restrictions to PHI and suspensions of an individual’s right to an accounting of disclosures • Overall Navy Medicine has a low utilization rate
Rights of Individuals Right to an Accounting of Disclosures • An individual has a right to receive an Accounting of Disclosures of PHI made by a covered entity in the six years (or a shorter time period at the request of the individual) prior to the date on which the accounting is requested • Including disclosures to or by business associates of the covered entity • Only applies to disclosures made after April 14, 2003
Rights of Individuals Amendments • Individuals have the right to request that a Covered Entity (CE) amend PHI • Amending PHI usually does not involve actually removing information, but adding an amendment with the accurate data if appropriate • A CE may deny an individual’s request for an amendment, if it determines that the PHI • was not created by the CE • is not part of the designated record set • is not available for inspection within the CE • is accurate and complete
Rights of Individuals Right to Restrictions • Individuals have the right to request that certain uses related to TPO and disclosures of PHI be restricted • Exception to Right to Restrictions - Individuals do not have a right to request that a covered entity restrict a disclosure of PHI about them for • workers’ compensation purposes or • when that disclosure is required by law
Summary of Disclosure Tracking • The following subjects have been reviewed • HIPAA Privacy Rule • Accounting of Disclosures of PHI • What a Disclosure is • Uses & Disclosures – General Information • Suspension of Individual Rights • Reporting of Disclosures • Responding to a Request for Disclosures • Charge for an Accounting of Disclosure • TRICARE’s Disclosure Tracking Tool - PHI Management Tool (PHIMT) • Rights of Individuals
Resources • DoD 6025.18-R, “DoD Health Information Privacy Regulation”, January 2003 • DoD 8580.02-R, “DoD Health Information Security Regulation” • www.tricare.osd.mil/hipaa - TMA Privacy website • hipaamail@tma.osd.mil for subject matter questions • hipaasupport@tma.osd.mil for tool related questions • Service HIPAA Privacy Representatives
HIPAA Security
This document contains proprietary information and should be handled in accordance with U.S. Navy Regulations. It is intended solely for official purposes.
Agenda • HIPAA Security Background • Key Concepts and Terms • Security Rule Organization • Specifics • Impact • Compliance
Training Objectives • Describe the organization and context of the HIPAA Security Rule • Understand HIPAA security standards and implementation specifications • Identify tools and other resources that support HIPAA security implementation
HIPAA Security Background - Where Does This Fit In?
HIPAA: Health Insurance Portability and Accountability Act of 1996
• Title I: Health Care Access, Portability, and Renewability
• Title II: Preventing Health Care Fraud and Abuse; Medical Liability Reform; Administrative Simplification
• Title III: Tax-Related Health Provision
• Title IV: Group Health Plan Requirements
• Title V: Revenue Offsets
Administrative Simplification (Title II) covers: • Security (Administrative Safeguards, Physical Safeguards, Technical Safeguards) • Privacy • Code sets for Health Care Plans • Unique Identifiers for Providers and Employers • Electronic Data Exchange
Source: National Institute of Standards and Technology (NIST)
HIPAA Security Background - Purpose of the HIPAA Security Rule • To adopt national standards for safeguards to protect the confidentiality, integrity, and availability of Electronic Protected Health Information (EPHI)
HIPAA Security Background - Privacy vs Security
Privacy: HIPAA 1996 | Covered entities | April 14, 2003 | PHI | Uses and Disclosures | Confidentiality | OCR
Security: HIPAA 1996 | Covered entities | April 21, 2005 | EPHI | Safeguards | Confidentiality, Integrity, and Availability | CMS
HIPAA Security Background Summary • You should now be able to: • Describe the purpose and applicability of the HIPAA Security Rule • Identify how HIPAA Security fits into the HIPAA Law • Explain the differences between HIPAA Privacy and HIPAA Security
Key Concepts and Terms - The Universe of Health Information
• HI: health information
• IIHI: individually identifiable health information
• PHI: protected health information
• EPHI: electronic protected health information
(Diagram of the nested sets HI, IIHI, PHI and E-PHI; examples shown: John Doe, Paper Files, Education Records, CDs, Biomed Devices)