Health Insurance Portability and Accountability Act of 1996
September 23, 2004, Seattle, WA
A matter of perspective: the Pythagorean Theorem (A² + B² = C², where C is the hypotenuse and A and B are the sides of a right triangle) takes 21 words, and Archimedes' Principle (a body immersed in a fluid is buoyed up by a force equal to the weight of the displaced fluid) takes 20 words.
1. HIPAA Aaron K. Owada
Northcraft, Bigby & Owada PC
720 Olive Way, Suite 1905
Seattle, WA 98101
2. Health Insurance Portability and Accountability Act of 1996
5. Archimedes’ Principle 20 words
6. The Ten Commandments 179 words
7. Lincoln’s Gettysburg Address 286 words
8. US Declaration of Independence 1,300 words
9. HIPAA Privacy 401,034 words
10. Overview “The Privacy Rule establishes, for the first time, a foundation of Federal protections for the privacy of protected health information. The Rule does not replace Federal, State, or other law that grants individuals even greater protections...”
OCR Guidance, December 3, 2002
11. Overview HIPAA Privacy Standards became enforceable on April 14, 2003
12. Overview Established standards to ensure privacy and established rules for:
When patient permission is required
What type of permission is required
13. Overview Rights that patients have to:
Access their own information
Control the flow of their information
Find out who else has seen their information
14. Who is a Covered Entity (CE)? HIPAA Standards apply to:
Health care providers who transmit any health care information in connection with certain kinds of transactions electronically
Health plans
Health care clearinghouses
15. Are All Health Care Providers Covered? YES, but only if they transmit health information electronically in connection with a transaction covered by the HIPAA Transaction Rule
16. What is “electronically”? Electronic modes include, but are not limited to:
Creating a file and submitting it by way of disks, tapes, or data lines
Using a clearinghouse or billing service to transmit data
17. What is NOT “electronically”?
Mailing a paper form
Faxing a paper from a dedicated fax machine (but not a computer desktop fax system)
Calling to obtain information
18. Are you a Covered Entity? Go to: www.hhs.gov/ocr/hipaa
Click on “What’s New?”
Scroll down page to:
“10/25/02 Am I a Covered Entity”
19. Are there any “loopholes” to being a Covered Entity?
NO.
Covered entities must comply with national standards when conducting the named transactions electronically with a covered health plan
20. For purposes of HIPAA Privacy
A covered entity must protect all individually identifiable health information, regardless of the medium in which the data is maintained or transmitted (paper, electronic, or oral)
21. Should you comply even if you are not a Covered Entity? YES.
At some point, if you have protected health information, it is likely that someone will argue that HIPAA applies to you.
See, US ex rel. Stewart v. The Louisiana Clinic (E.D. La., December 2002)
Even before HIPAA was in force, the court applied it anyway, holding that HIPAA “demonstrates a strong federal policy of protection for patient medical records.”
22. Pre-emption: State or Federal Law? The more stringent law controls, i.e., the one that provides the greatest privacy protection or the greatest patient access to their own information.
45 CFR 160.202(1)
23. Copying Costs HIPAA allows a “reasonable cost-based fee” for the cost of actual copying, postage, and preparing a summary explanation. Handling fees, chart-pulling fees, and per-page fees in excess of the direct cost of materials are specifically not allowed.
WAC 246-08-400 allows a provider to charge $.83 per page for the first 30 pages, and $.63 per page thereafter. This now serves as a cap under HIPAA.
24. Copying Costs… WAC allows a charge of up to $19.00 for chart pulling or as a clerical/labor charge, but this is preempted by HIPAA, which does not allow this kind of charge.
25. PHI: Protected Health Information Privacy and security rules address the confidentiality and security of PHI.
PHI can be in any form (paper, electronic, or oral)
Created or received by a covered entity
26. PHI: Protected Health Information Anything that relates to an individual’s mental or physical condition, treatment, or payment for services and that identifies the individual or could reasonably be used to identify the individual
27. Not PHI
Employment records of the Covered Entity
School records under FERPA (Family Educational Rights and Privacy Act)
28. Not PHI Information that does not identify the individual. However, the following information must be removed:
*Geographic subdivisions or references that are less than at the State level
*All elements of dates
*SSNs or other identifiers
*Anything else that could identify the individual
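As an added illustration of the four removal rules on this slide (not part of the original presentation), the following Python filter applies them to a constructed patient record: sub-state geography, every date element (as the slide states, not just day and month), SSNs and other direct identifiers are dropped, and free text is scrubbed for embedded SSN and date patterns. The field names, the allowlist, and the two SSN/date formats recognised are assumptions for the example.

```python
import re
from datetime import date

# Fields allowed to survive. State is the finest geography permitted; street,
# city, county and ZIP are deliberately absent (sub-state geography is removed).
ALLOWED_FIELDS = {"state", "diagnosis", "treatment", "notes"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DATE_RE = re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")


def deidentify(record: dict) -> dict:
    """Return a copy of record with the four identifier classes removed.
    Allowlist: a new identifying column added upstream is dropped by default."""
    out = {}
    for key, value in record.items():
        if key not in ALLOWED_FIELDS:   # names, SSN, MRN, sub-state geography
            continue
        if isinstance(value, date):     # all elements of dates, per the slide
            continue
        if isinstance(value, str):
            # Free text (e.g. clinical notes) carries the same identifiers.
            value = SSN_RE.sub("[SSN]", value)
            value = DATE_RE.sub("[DATE]", value)
        out[key] = value
    return out


def residual_identifiers(record: dict) -> list:
    """Audit check: keys whose values still carry a date or an SSN pattern."""
    return [k for k, v in record.items()
            if isinstance(v, date)
            or (isinstance(v, str) and bool(SSN_RE.search(v) or DATE_RE.search(v)))]


# Constructed sample record for a fictional patient (assumed field layout).
SAMPLE = {
    "name": "Jane Q. Sample", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "street": "1 Example St", "city": "Seattle", "county": "King", "zip": "98101",
    "state": "WA", "dob": date(1970, 1, 2), "visit_date": date(2004, 9, 23),
    "diagnosis": "Hypertension",
    "notes": "Seen 9/23/2004; prior SSN on file 123-45-6789; BP elevated.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE)
    print(clean)                                  # state, diagnosis, notes only
    print("residual:", residual_identifiers(clean))
```

The audit function is the useful half in practice: run it over the output of any de-identification step before release, since a scrubber that misses one free-text field silently re-identifies the record.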
29. Authorization to Release PHI Authorization is the patient giving permission to use PHI
Authorization to release is still governed by the Washington Uniform Health Care Information Act (“WHCIA”) RCW 70.02.020
30. Consent for Treatment is not Affected by HIPAA Consent for treatment is still governed by state law regarding informed consent
Consent addresses the concept of a patient giving permission to treat
Authorization addresses the concept of a patient giving permission to use their PHI
31. Authorization to Disclose Health Care Information A health care provider (or anyone who assists a health care provider) may not disclose health care information without written permission from the patient, EXCEPT as authorized by RCW 70.02.050
32. Washington Health Care Information Act (WHCIA) Statute provides 12 situations where authorization is NOT required
1. Ongoing health care
2. Health care education/operations
3. Prior health care provider
4. Safety of patients or others
33. WHCIA cont… 5. Family members/Close relationships
Provider knows of the immediate family relationship or close relationship, unless directed in writing by the patient not to make the disclosure.
34. WHCIA cont… 6. Successor in Interest
7. Research
8. Performance of an “audit”
9. Correctional Institutions
10. Directory Information
35. WHCIA cont… 11. Media
Impacted by HIPAA. State law allows name, age, sex, residence, occupation, condition, and diagnosis to be reported if the patient is brought to a health care provider by police, fire, sheriff, etc. HIPAA only allows this information to be released if the media inquires about the patient by name.
36. WHCIA cont… 12. Federal or State enforcement monitoring or legal authorities
37. Requirements to Validly Authorize Disclosure 1. Be in writing, dated, and signed by the patient
2. Identify the nature of the information that may be disclosed
3. Identify the name, address and institutional affiliation of the person to whom the information is to be disclosed
38. Requirements to Validly Authorize Disclosure 4. Except for third party payors, identify the provider who is to make the disclosure; and,
5. Identify the patient
RCW 70.02.030(3)
39. Treatment Medical services provided by a health care provider
Very broad, all encompassing definition
40. Payment Payment encompasses the various activities associated with health care providers obtaining payment or reimbursement for their professional services.
41. Privacy Rule Examples Determining eligibility or coverage
Risk adjustment
Billing and collection activities
Reviewing health care services for medical necessity, coverage, justification for charges, etc.
Utilization Review
42. Business Associate Agreement With limited exceptions, a Covered Entity may NOT disclose PHI to a Business Associate without first obtaining “satisfactory assurances” that the PHI will be appropriately safeguarded from disclosure.
A business associate is a person who performs a function or activity involving the use or disclosure of PHI on behalf of the Covered Entity.
43. Business Associate
Certain specified services are automatically considered business associates if they are not part of the Covered Entity’s workforce and they handle or process PHI for the Covered Entity:
44. Business Associate Claims Processing (45 CFR Sec. 160.103)
Financial consultants
Auditors
Clearinghouses
Accountants
Lawyers who must review PHI
45. Business Associate Written Contractual Provisions
Satisfactory Assurance that PHI will be safeguarded
Provisions for violations of HIPAA: reasonable steps to cure the breach, terminate the contract, or report the conduct to HHS
46. 12 Elements for Business Associate Agreement 1. Identify permitted use and disclosure of PHI
2. Prohibit use or disclosure that would violate the Privacy Rules
3. Limit use and disclosure
4. Safeguard PHI
5. Report unauthorized use or disclosure
6. Ensure that agents have the same restrictions
47. Business Associate Agreement 7. Make PHI available to individuals to inspect/copy
8. Make PHI available for amendment
9. Provide an accounting of disclosures
10. Make internal practice, books, and records available
11. Return or destroy PHI at end of contract
12. Authorize termination for material breach
48. Other Considerations Hold harmless clause
Indemnification
Using the Business Associate Agreement to change the underlying agreement
49. Complaints and Grievances Final rule at Sec. 160.306(a) provides that any person, not just an individual, may file a complaint with the Secretary
Complaints must be filed within 180 days of the date the complainant became aware of the possible violation. Time to file the complaint may be extended for good cause by the Secretary.
50. Complaints and Grievances Provider has a duty to document both the complaint and the response, resolution or disposition of the complaint.
Complaint must identify the person that will address and respond to the complaint.
51. Reply must be in writing… A monetary penalty may not be imposed where the failure to comply is due to reasonable cause, is corrected within 30 days, and there is no willful neglect.
$100 for each violation
Maximum of $25,000 per month
52. Criminal Penalties $25,000 fine
Up to one year in prison
53. Governmental Agencies Auditors and Enforcers
HHS Office for Civil Rights (Privacy)
CMS (Center for Medicare and Medicaid Services) for transaction compliance
HHS OIG for audits and investigations
54. Governmental Agencies DOJ (by referral from OIG, or under its own independent authority to investigate and indict for civil or criminal violations)
FTC for Internet privacy policy violations
FBI for criminal enforcement in multi state cases
55. OCR Investigations You will be contacted in writing if OCR determines that you have violated HIPAA.
You may be notified that a response is required
Under the enforcement rule, OCR is supposed to try to resolve the complaint informally “whenever possible.”
If no resolution is obtained, DHHS has the authority to issue a written noncompliance finding
56. If No Violations are found… OCR is not required to notify you in writing that no violation has been found.
Confirm the “no violation” assessment yourself in writing.
57. Employee Discipline If you find that one of your employees has violated HIPAA, you must discipline that employee.
Update your Employee Handbook and personnel policies to reflect HIPAA