Columbia University Health Sciences Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
HIPAA OVERVIEW
Health Insurance Portability and Accountability Act (HIPAA)
• Fraud and Abuse (Accountability)
• Administrative Simplification [Accountability]
  - Transactions, Code Sets, & Identifiers (Compliance Date: 10/16/2002 and 10/16/03)
  - Privacy (Compliance Date: 4/14/2003)
  - Security (Compliance Date: TBD)
• Insurance Reform [Portability]
What is Covered
• Individually identifiable health information:
• Created by a Columbia University
• Relates to a physical or mental health condition at any time
• Identifies the individual or could reasonably be used to identify the individual
• Known as PHI
Who is covered
• Covered Entities = A Health Plan, Healthcare Clearinghouse, or a Health Care Provider who transmits any health information in electronic form in connection with a transaction covered under HIPAA
• Covered entities are required to contractually bind other entities with whom they share Protected Health Information (“Business Associates”)
Basic HIPAA Requirement
“[Columbia University] may not use or disclose an individual’s protected health information except as otherwise permitted or required.”
Permitted Uses/Disclosures of PHI
• Individual access
• TPO
• Specialists
• Labs
• Other doctors
• Other covered entities
• Directories
Notice of Privacy Practices
• Privacy rule looks at uses of PHI as permissible within Treatment, Payment and Healthcare Operations (TPO) – once we give the patient a Notice of Privacy Practices (NPP) at the first treatment encounter, we can use their PHI for any TPO purpose
• NPP is a once-in-a-lifetime requirement (argues for good record keeping!)
Required Notice of Privacy Practices
• Post NPP prominently at premises and on websites
• The patient will sign a separate acknowledgement document that contains the privacy officer contact information for that facility
• Give the patient a copy of NPP and acknowledgement sheet
Required Notices of Privacy Practices
• Describe Patient Rights to:
  - Restrict
  - Access
  - Amend
  - Accounting
  - Alternative Communication Methods
  - Complain
Columbia University Policy
• Minors (under 18) in NYS have a right to confidential treatment with respect to the following without a parent’s consent or notice:
  - Abortion
  - Birth control
  - STD testing
  - HIV/AIDS testing
  - Mental health counseling
• Outside of these areas, a physician can always decide not to inform parents or keep a minor’s record confidential if, in the physician’s judgment, revealing the medical information would have a negative impact on the patient/physician relationship
Permitted by law
• Outside of TPO or patient authorization, the only other permitted uses of PHI are those required by law:
  - Investigations by HHS
  - Reporting about victims of abuse, neglect or domestic violence
  - Adverse Event Reporting
  - Reporting to Public Health Authorities in general
Minimum Information Necessary
• Privacy Rule requires Columbia University to make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purposes
Minimum Information Necessary
• May not disclose entire medical record, except to providers for treatment
• Certain limited types of information cannot be disclosed—e.g., psychotherapy notes
• Minimum necessary does not apply to uses and disclosures to patients, pursuant to an authorization, for HIPAA compliance purposes, or that are required by law
Unintended Uses and Disclosures
• Privacy Rule explicitly permits uses and disclosures that occur as a result of an otherwise permitted use or disclosure under the Privacy Rule.
• Incidental use or disclosure is:
  - a secondary use or disclosure that cannot reasonably be prevented
  - is limited in nature
  - occurs as a by-product of an otherwise permitted use or disclosure
• Columbia University must implement reasonable safeguards to limit unintended uses and disclosures and must implement the minimum necessary standard requirements
HIPAA Authorization
• Patient authorization elements
  - The information
  - Who may use or disclose the information
  - Who may receive the information
  - Purpose of the use or disclosure
  - Expiration date or event
  - Individual’s signature and date
  - Right to revoke authorization
  - Right to refuse to sign authorization
  - Redisclosure statement
Authorization signed by patient for all clinical research
HIPAA Waiver Criteria
Waiver requires IRB/Privacy Board approval and documentation of three (3) waiver criteria:
• Use or disclosure involves no more than minimal risk to privacy of the subject based on, at least:
  - Adequate plan to protect the information from improper use and disclosure;
  - Adequate plan to destroy identifiers; and
  - Written assurances that the PHI will not be disclosed further than as set forth in the waiver
HIPAA Waiver Criteria, cont’d
• The research could not practicably be conducted without waiver or alteration
• The research could not practicably be conducted without access to and use of the PHI
Note: HHS intends to issue future guidance for IRBs and Privacy Boards on applying waiver criteria
Research Data Flow
[Diagram; labels in extraction order: Step 1; Researcher Certification; IRB (Rascal)/GCP/HR; Protocol Submission; Step 3; Disclosures For TPO; Authentication/Authorization; Central Authority; Step 5; Automated linkage; Audit Trail; Monthly report; Central HIPAA Compliance; Step 4; Research Request for PHI; Step 7; Compliance Audits; Step 6; PHI Disclosed to Researcher]
Questions & Answers
Jeffrey P. Davis, Esq.
Associate Vice President/Privacy Officer
Columbia University Health Sciences
212-305-7315
jd2086@columbia.edu