
HIPAA Executive Office Training, January 2003
Cindy Fillman, Department of Public Welfare, Office of General Counsel


Presentation Transcript


  1. HIPAA Executive Office Training, January 2003
     Cindy Fillman, Department of Public Welfare, Office of General Counsel

  2. HIPAA – How did we get here?
     • Health Insurance Portability and Accountability Act
     • Required the Secretary of HHS to promulgate standards to implement the Administrative Simplification portion of the law (standard transactions).
     • Intended to “improve the efficiency and effectiveness of the health care system.”
     • Requires protection of the security and privacy of Protected Health Information (PHI) maintained electronically and otherwise.

  3. HIPAA – How did we get here? REGULATIONS
     • Electronic Transactions and Code Sets
     • Unique Employer Identifier
     • National Provider Identifier
     • Security and Electronic Signature
     • Privacy

  4. COVERED ENTITIES
     • Health care providers who engage in covered transactions
     • Health plans
       • Includes Medicare and Medicaid and other specified government programs
       • Includes government programs that do not fall within the specific exclusion for programs:
         • Whose principal purpose is other than providing or paying the cost of health care, OR
         • Whose principal activity is the direct provision of health care or the making of grants to fund the direct provision of health care
     • Health care clearinghouses

  5. BUSINESS ASSOCIATES
     • A person or entity who, on behalf of a Covered Entity:
       • Uses
       • Accesses
       • Rediscloses
     • PHI, either:
       • To provide services to a Covered Entity, OR
       • To perform or assist in the performance of a function or activity for, or on behalf of, the Covered Entity

  6. DPW Priorities
     • How the Department prioritized
     • Definitions assigned to DPW (Hybrid Covered Entity, part of an Affiliated Covered Entity) and to Counties, Contractors and other Business Partners (Business Associates)
     • Master Client Index drove some decision making

  7. What are we doing?
     • Appointing Privacy Officials for affected Offices/Bureaus
     • Training all members of the workforce
     • Drafting policy and procedures and beginning new business practices
     • Rewriting Contracts and Quasi-Contracts (Business Associate language)
     • Drafting/Revising Consents and Authorizations
     • Documenting Decisions and Activities

  8. Training
     • Committee comprised of personnel of impacted bureaus
     • Basic format created by the committee
     • Combination training to allow for flexibility
       • Kickoff: October–December
       • Computer and Blended Training: April
       • Stand-up (job specific): June

  9. Policy and procedures
     • High-level HIPAA Handbook
     • Adaptations made by each program office to meet its own needs
     • Business process changes to be phased in by April 2002.

  10. Privacy Standards
     • Purpose: To safeguard the privacy of health information by setting rules on the use and disclosure of individuals’ protected health information (PHI)
     • Applies to: Covered entities and business associates who use, store, maintain, transmit, or dispose of patient health information in any form (verbal, written, or electronic)

  11. Privacy Standards (PHI)
     • Individually identifiable
     • About an individual’s physical or mental health or condition
     • About provision of or payment for health care
     • Created or received by a provider, health plan, clearinghouse, or employer
     • Transmitted or maintained in any medium (verbal, written, or electronic)

  12. Privacy Standards
     • Outline individual rights regarding PHI and obligations of providers, health plans, clearinghouses and business associates
     • Give consumers greater control over use and disclosure of PHI
     • Restrict certain uses and disclosures of PHI by plans, providers, and clearinghouses, unless authorized by the patient or permitted by law

  13. Privacy Standards
     • Rules restrict use and sharing of PHI
     • Higher security and protection levels
     • Greater individual control and access
     • Greater accountability
     • Rules apply to covered entities
     • Compliance deadline is April 14, 2003
     • Limit disclosures to the “minimum necessary”

  14. Minimum Disclosure
     • Except for medical treatment, release of PHI must be kept to the minimum amount necessary to accomplish the purpose of the disclosure
     • We must determine the minimum amount needed

  15. Privacy Obligations
     • Plans and providers must create privacy-conscious business practices and disclose only the minimum information required
     • The Department must:
       • Ensure internal protection of PHI
       • Monitor external disclosures of PHI
       • Complete employee training, and
       • Establish procedures for addressing clients’ privacy complaints

  16. Privacy Obligations
     • Plans and providers must inform clients of their business practices (privacy notice)
     • Providers must obtain written consent from a client to use or disclose PHI, even if just for routine uses for treatment, payment, or operations
     • A separate, specific authorization is required for non-routine disclosure

  17. Consent vs. Authorization
     • Consents cover T/P/O (treatment, payment, operations); authorizations cover most other uses and disclosures
     • Authorizations are for specific disclosures
     • May refuse to treat without consent; cannot refuse to treat a patient who won’t sign an authorization

  18. Use and Disclosure
     • A Covered Entity may use or disclose PHI without consent, an authorization, or giving an opportunity to agree or object, including:
       • For the payment activities of other CEs or providers who are not CEs, and for certain healthcare operations of other CEs
       • When required by law
       • For public health activities
       • Reporting domestic violence or abuse and neglect
       • For health oversight activities
       • For judicial and administrative proceedings in response to a court order, or in response to a subpoena or discovery request if certain assurances are obtained

  19. De-Identified Information
     • De-identified information is not subject to HIPAA requirements
     • A Covered Entity may determine that health information is not individually identifiable by:
       • Obtaining an opinion that the information is not identifiable from an entity experienced with generally accepted statistical and scientific principles and methods for de-identifying information
       • Removing specified identifiers of the individual or of relatives, employers, or household members

  20. De-Identified Information (identifiers to be removed)
     • Names
     • All geographic subdivisions (address, zip code)
     • All elements of dates (incl. birthdate and date of admission)
     • Telephone/Fax numbers
     • E-mail addresses
     • SSN
     • Medical record number
     • Health plan number
     • Account number
     • Certificate/license number
     • VIN/serial number
     • Device identifier/serial #
     • URL
     • IP address
     • Biometric identifiers (voice/finger prints)
     • Photos
     • Other unique characteristics
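The identifier categories on this slide are exactly what a de-identification routine has to strip before a record can be treated as outside HIPAA's reach. The following is an added example, not code from the presentation or from DPW, of a small record scrubber that applies the slide's list: fields holding direct identifiers or dates are dropped outright, identifier patterns that leak into free-text case notes (phone numbers, e-mail addresses, IP addresses, dates, SSNs, URLs) are redacted with labelled markers, and a post-scrub check counts anything recognisable that survived. The field names, regular expressions and sample record are constructed assumptions for illustration; the slide's "all elements of dates" is applied literally, so date fields are removed whole.

```python
from __future__ import annotations

import re
from typing import Any

# Hypothetical record field names (constructed for this example, not taken
# from any DPW system), mapped onto the identifier categories on slide 20.
DIRECT_IDENTIFIER_FIELDS = {
    "name",                                      # names
    "address", "city", "zip_code",               # geographic subdivisions
    "phone", "fax", "email",                     # telephone/fax, e-mail
    "ssn", "medical_record_number",              # SSN, medical record number
    "health_plan_number", "account_number",      # plan and account numbers
    "license_number", "vin", "device_serial",    # certificate/license, VIN, device ids
    "url", "ip_address",                         # URL, IP address
    "fingerprint_template", "photo",             # biometrics, photos
}

# "All elements of dates" on the slide: the whole field is dropped here.
DATE_FIELDS = {"birthdate", "admission_date", "discharge_date"}

# Identifiers that routinely leak into free-text fields such as case notes.
# The patterns are deliberately simple; they are assumptions, not a standard.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def deidentify(record: dict[str, Any], free_text_fields=("case_notes",)):
    """Return (scrubbed_record, removed_fields, redaction_counts).

    Direct-identifier and date fields are dropped; free-text fields are kept
    but identifier patterns are replaced with labelled markers. The removed
    field names and per-pattern counts are returned so the scrub can be
    logged and reviewed, which is the "documenting decisions" the deck asks for.
    """
    scrubbed: dict[str, Any] = {}
    removed: list[str] = []
    redactions: dict[str, int] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in DATE_FIELDS:
            removed.append(key)
            continue
        if key in free_text_fields and isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                value, n = pattern.subn(f"[{label.upper()} REDACTED]", value)
                if n:
                    redactions[label] = redactions.get(label, 0) + n
        scrubbed[key] = value
    return scrubbed, removed, redactions


def residual_identifiers(record: dict[str, Any]) -> dict[str, int]:
    """Post-scrub check: count identifier patterns still present in any
    string value. An empty result is the condition to require before a
    record is released as de-identified."""
    found: dict[str, int] = {}
    for value in record.values():
        if not isinstance(value, str):
            continue
        for label, pattern in FREE_TEXT_PATTERNS.items():
            n = len(pattern.findall(value))
            if n:
                found[label] = found.get(label, 0) + n
    return found


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "address": "123 Example St",
    "zip_code": "17101",
    "birthdate": "03/14/1961",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.com",
    "admission_date": "01/07/2003",
    "diagnosis_code": "E11.9",
    "county_program": "MA",
    "case_notes": "Client called from 717-555-0123 on 01/08/2003; "
                  "caseworker emailed summary to jane.sample@example.com. "
                  "Portal login from 192.0.2.44.",
}

if __name__ == "__main__":
    clean, removed, counts = deidentify(SAMPLE_RECORD)
    print("removed fields:", removed)
    print("free-text redactions:", counts)
    print("residual identifiers:", residual_identifiers(clean))
    print(clean)
```

The free-text pass is the part most often skipped in practice: dropping the named columns is easy, but case notes routinely repeat a phone number or e-mail that the column scrub never sees, which is why the example re-scans the output before reporting it clean. "Other unique characteristics" on the slide cannot be caught by pattern matching at all and still needs human review.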

  21. Client Rights
     • Request restrictions on use and disclosure of PHI
     • Obtain a disclosure history
     • Review and copy their own medical records
     • Request amendments or corrections to the record
     • Complain to the Department and to the Secretary of DHHS if privacy rights are violated

  22. Business Associate Agreements
     • Terms and Template
     • Other Agreements
       • Trading Partner
       • Chain of Trust
       • User Agreements

  23. Enforcement
     • ENFORCER: Office of Civil Rights, HHS
     • Complaint-driven process (but they indicate a willingness to provide “guidance” first).
     • PENALTIES:
       • For failure to comply – Civil Money Penalties of $100 per violation, not to exceed $25,000 per year
       • For knowingly disclosing or obtaining PHI – CRIMINAL PENALTIES:
         • Knowing only: $50,000, one year in prison, or both
         • False pretenses: $100,000, five years, or both
         • Use for commercial or personal gain or malicious harm: $250,000, ten years, or both

  24. Practical Steps to Compliance
     • Shred all PHI to be discarded
     • Log off the terminal when not in use
     • Do not discuss specific cases in public places
     • Verify fax locations
     • Be mindful of sharing only “minimum necessary” information

  25. Practical Steps to Compliance
     • Be aware of with whom you are sharing PHI
     • Report breaches to the Privacy Official
     • Assure adequate safeguards/paperwork are in place
     • Check with IT staff to be sure dial-in is secure
     • Read and follow Privacy and Security Policies and Procedures
