
HIPAA 202: Privacy


Presentation Transcript


  1. HIPAA 202: Privacy
  An Introduction to the HIPAA Privacy Regulations

  2. Today’s Agenda
  • HIPAA Overview
  • Privacy Introduction
  • Privacy Standards
  • Usage and Disclosure
  • Notice of Privacy Practices
  • Patient Rights
  • Administrative Requirements
  • Summary

  3. Presentation Objectives
  At the end of this presentation, you should:
  • Understand the intent of the Privacy standards and their impact on the organization
  • Understand the “reasonable” application of them in your organization
  • Be able to determine your own organizational strategies and next steps for tackling HIPAA Privacy

  4. Privacy Introduction
  Key Definitions
  Applicability of Privacy Rule
  Intent of Privacy Rule
  Approach to Privacy Rule
  Key Elements of Privacy Rule

  5. Key Definitions - Protected Health Information
  Individually Identifiable Health Information (IIHI) is that information which:
  • Is created or received by a health care provider, health plan, employer or health care clearinghouse
  • Relates to the past, present or future health of an individual, or the past, present or future payment for the provision of health care to an individual
  • Identifies an individual either outright, or could be used to identify an individual

  6. Key Definitions - Protected Health Information (cont.)
  Protected Health Information (PHI) is IIHI which:
  • Is transmitted or is maintained electronically or in any other form or medium
  • Explicitly includes Internet, leased line, dial-up line and private network transmission
  • Includes person-to-person telephone calls, video conferencing and voicemail
  • Includes information which is stored on paper, read from a computer screen or discussed orally
  • Under the Proposed Rule, employment records held by an entity in its role of employer of the individual would not be PHI

  7. Key Definitions
  • Business Associate – a person, other than a member of the covered entity’s workforce, or organization who performs or assists in the performance of a function or activity on behalf of a covered entity that involves the use or disclosure of individually identifiable health information
  • Trading Partner – a party with whom standard transactions are exchanged electronically (plans, clearinghouses, banks, employers)

  8. Key Definitions (cont.)
  • Workforce – employees, volunteers, trainees, and other persons under the direct control of a covered entity, including persons providing labor on an unpaid basis
  • Transaction – the transmission of information between two parties to perform financial or administrative activities related to health care

  9. Applicability - Covered Entities
  • The standards in the regulation apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions referred to in section 1173 (a)(1) of the Act

  10. Intent of Privacy Rule
  The Privacy Rule seeks to:
  • Protect and enhance the rights of consumers by providing them access to their health information and controlling inappropriate use of that information
  • Improve the quality of health care in the U.S. by restoring trust in the health care system
  • Improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy

  11. Approach to Privacy Rule
  In developing the Privacy Rule, DHHS:
  • Sought to balance the interests of multiple industry constituents – including those of patients
  • Created a mandatory floor that organizations may exceed
  • Left state laws in force that are more stringent
  • Delegated responsibility to the DHHS’s Office for Civil Rights (OCR) for enforcement
  • Projected that the extensive costs for implementing the privacy requirements would be offset by the savings anticipated in implementing the transaction standards

  12. Key Elements of Privacy Rule
  The Privacy Rule:
  • Gives consumers greater access to, and control over, their health information
  • Allows health information to be used and shared for treatment, payment and health care operations (TPO) without patient consent (proposed rule)
  • Requires patient authorization for use and disclosure of health information for purposes other than TPO, with specific exceptions
  • Requires organizations to maintain safeguards for protecting the confidentiality and integrity of health information and protect against unauthorized access of this information (security standards)

  13. Guidance on Government Access
  • The only new authority the Privacy Rule provides for government is in its enforcement of the rule itself
  • The OCR has the right to receive enough information to investigate complaints and ensure compliance
  • The Guidance also confirms that the Rule does not require covered entities to send medical information to the government for a database or similar reason
  • Police and other law enforcement access to PHI is not expanded by the Privacy Rule. Access will be more limited than is currently provided; for example, DNA will not be given to law enforcement without a warrant, and entities must get permission from victims of domestic abuse before disclosing their information

  14. Privacy Standards
  Use and Disclosure (164.502 - 164.514)
  Notice of Privacy Rights (164.520)
  Patient Rights (164.522 - 164.528)
  Administrative Requirements (164.530)

  15. Organizational Issues

  16. Organizational Requirements
  164.504 (a) Affiliated covered entities
  • Legally separate covered entities who are affiliated may designate themselves as a single covered entity if all of the covered entities designated are under common ownership or control
  164.504 (b) Business associate contracts
  • A covered entity may use a business associate to provide services on its behalf

  17. Organizational Requirements
  164.504 (b) Business associate contracts
  • A contract between the covered entity and a business associate must:
    • Establish the permitted and required uses and disclosures of PHI by the business associate
  • The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity
  • The contract may permit the business associate to use and disclose PHI for the proper management and administration of the business associate’s functions

  18. Guidance on Business Associates
  • PHI may be disclosed to business associates only to help providers and plans complete their health care functions
  • Members of a provider, health plan, or other covered entity’s workforce are not considered business associates
  • Covered entities who exchange PHI for treatment purposes are not considered business associates, such as physicians who disclose information to hospitals where they have admitting privileges
  • The Privacy Rule doesn’t “pass through” its requirements to business associates; it has no authority to do so
  • Covered entities are not liable for privacy violations of business associates, but if they become aware of a “pattern or practice” that is a material breach of the business associate’s contract, they must take “reasonable steps” to correct the problem

  19. Use and Disclosure of PHI

  20. Authorization Required: Authorizations
  164.508 (a) Authorization for Uses and Disclosures
  • Authorization general rule: a covered entity may not use or disclose PHI without a valid authorization except:
    • to the patient himself/herself
    • for purposes of treatment, payment or health care operations (TPO); OR
    • for other purposes specifically addressed in the Privacy Rule
  • The Privacy Rule allows “payment” to include disclosures to consumer reporting agencies
    • These are limited to basic non-health information, such as name, SSN, date of birth, and payment history
  • Covered entities may use collection agencies through a business associate agreement

  21. Authorization Required: Valid Authorizations
  164.508 (b) General Requirements
  • Valid authorizations
    • A valid authorization is a document that contains specified core elements
    • A valid authorization may contain elements or information in addition to the core, provided that such additional elements or information are not inconsistent with the core elements

  22. Authorization Required: Invalid Authorizations
  164.508 (b) General Requirements
  • Invalid authorizations: an authorization is not valid if the document submitted has any of the following defects:
    • The expiration date has passed, or the expiration event is known by the covered entity to have occurred
    • The authorization has not been filled out completely
    • The authorization is known by the covered entity to have been revoked
    • The authorization lacks a required core element
    • Any material information in the authorization is known by the covered entity to be false

  23. Authorization Required: General Requirements
  164.508 (b) General Requirements
  • Compound authorizations: an authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization
  • Prohibition on conditioning of authorization: a covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization
  • Revocation of authorizations: an individual may revoke an authorization at any time, provided the revocation is in writing
  • Documentation: a covered entity must document and retain any signed authorization

  24. Authorization Required: Core Elements and Requirements
  164.508 (c) Core Elements and Requirements
  • A valid authorization must contain the following core elements:
    • A description of the information to be used or disclosed
    • The name of the requesting person(s)
    • The name of the person(s) to whom the covered entity may make the requested use or disclosure available
    • An expiration date
    • A statement of the individual's right to revoke the authorization

  25. Authorization Required: Core Elements and Requirements (cont.)
  164.508 (c) Core Elements and Requirements
  • A valid authorization must also contain the following core elements:
    • A statement that information used or disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and no longer be protected by this rule
    • Signature of the individual and date
    • If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual
  • The authorization must be written in plain language

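The validity rules of slides 21 to 25 (core elements, the five defects that invalidate a document, the compound-authorization ban, and the representative's authority) fit naturally into one check that a release-of-information workflow can run before it relies on a signed form. The code below is an added example, not part of the presentation; the field names, the Authorization/CoveredEntityKnowledge structures and the sample form are assumptions constructed for it.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Core elements of 164.508(c) as listed on slides 24-25; the key names are assumed for this example.
CORE_ELEMENTS = (
    "description_of_information",
    "requesting_persons",
    "recipients",
    "expiration",               # an expiration date, or a named expiration event
    "right_to_revoke_statement",
    "redisclosure_statement",
    "signature",
    "signature_date",
)

@dataclass
class Authorization:
    fields: dict                              # element name -> value; None or "" means left blank
    combined_with_other_document: bool = False
    signed_by_representative: bool = False
    representative_authority: Optional[str] = None

@dataclass
class CoveredEntityKnowledge:
    """What the covered entity actually knows when it reviews the document (slide 22)."""
    today: date
    revoked: bool = False
    expiration_event_occurred: bool = False
    known_false_fields: frozenset = frozenset()

def validate_authorization(auth, known):
    """Return the list of defects found; an empty list means the form may be relied on."""
    defects = []
    f = auth.fields
    missing = [k for k in CORE_ELEMENTS if not f.get(k)]
    if missing:
        defects.append("lacks required core element(s): " + ", ".join(missing))
    blank = [k for k, v in f.items() if v in (None, "") and k not in missing]
    if blank:
        defects.append("not filled out completely: " + ", ".join(blank))
    exp = f.get("expiration")
    if isinstance(exp, date) and exp < known.today:
        defects.append("expiration date has passed")
    elif isinstance(exp, str) and known.expiration_event_occurred:
        defects.append("expiration event is known to have occurred")
    if known.revoked:
        defects.append("known to have been revoked")
    if known.known_false_fields:
        defects.append("material information known to be false: " + ", ".join(sorted(known.known_false_fields)))
    if auth.signed_by_representative and not auth.representative_authority:
        defects.append("representative's authority to act for the individual is not described")
    if auth.combined_with_other_document:
        defects.append("compound authorization (combined with another document)")
    return defects

# Constructed sample authorization, not a real document.
SAMPLE_FIELDS = {
    "description_of_information": "Discharge summary for the admission of 2002-03-14",
    "requesting_persons": "Example Life Insurance Co. (constructed)",
    "recipients": "Example Life Insurance Co., underwriting department",
    "expiration": date(2002, 12, 31),
    "right_to_revoke_statement": "You may revoke this authorization in writing at any time.",
    "redisclosure_statement": "Information disclosed may be re-disclosed by the recipient and no longer protected.",
    "signature": "Jane Doe",
    "signature_date": date(2002, 6, 1),
}

if __name__ == "__main__":
    found = validate_authorization(Authorization(SAMPLE_FIELDS), CoveredEntityKnowledge(today=date(2002, 7, 1)))
    print("valid" if not found else found)
```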
  26. Authorization Required: Internal Use by Covered Entity
  164.508 (d) Authorization Requested by a Covered Entity for its Own Uses and Disclosures
  • If an authorization is requested by a covered entity for its own use or disclosure of PHI that it maintains, the authorization must contain the following elements:
    • A statement that the covered entity will not condition treatment, payment, enrollment in the health plan, or eligibility for benefits on the individual's providing authorization for the requested use or disclosure
    • A description of each purpose of the requested use or disclosure

  27. Authorization Required: Internal Use by Covered Entity (cont.)
  164.508 (d) Authorization Requested by a Covered Entity for its Own Uses and Disclosures
  • The authorization must also contain a statement that the individual may:
    • Inspect or copy the PHI to be used or disclosed
    • Refuse to sign the authorization
  • The covered entity must provide the individual with:
    • A copy of the signed authorization
    • Disclosure of whether or not use or disclosure of the PHI to a third party may result in direct or indirect remuneration to the covered entity

  28. Authorization Required: Disclosure to Others
  164.508 (e) Authorizations Requested by a Covered Entity for Disclosures by Others
  • If an authorization is requested by a covered entity for another covered entity to disclose PHI, the authorization must contain the following elements:
    • A description of each purpose of the requested disclosure
    • A statement that the covered entity will not condition treatment, payment, enrollment in the health plan, or eligibility for benefits on the individual's providing authorization for the requested use or disclosure
    • A statement that the individual may refuse to sign the authorization
  • A covered entity must provide the individual with a copy of the signed authorization

  29. Agree or Object Opportunity Required: Facility Directories
  164.510 (a) Facility directories
  • A covered entity may use or disclose PHI without the written consent or authorization of the individual to maintain a directory of patients in its facility
    • Provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to, prohibit or restrict the disclosure
  • The covered entity may inform the individual orally and obtain the individual's oral agreement

  30. Agree or Object Required: Exceptions
  164.512 (a) Required by law
  164.512 (b) Public health activities
  164.512 (c) Disclosures about victims of abuse, neglect or domestic violence
  164.512 (d) Health oversight activities
  164.512 (e) Judicial and administrative proceedings
  164.512 (f) Law enforcement purposes
  164.512 (g) Decedents
  164.512 (h) Cadaveric organ, eye or tissue donation purposes
  164.512 (i) Research purposes
  164.512 (j) Averting a serious threat to health or safety
  164.512 (k) Specialized government functions
  164.512 (l) Workers' compensation

  31. Agree or Object Required: Exceptions (cont.)
  164.510 (b) Involvement in the Individual’s Care and Notification Purposes
  • Disclosure of PHI by a covered entity to persons involved with the individual's care or payment is permitted in certain circumstances
  • When the individual is present:
    • Agreement must be obtained, or an opportunity to object must be offered
    • Professional judgment that is in the best interest of the patient should be exercised
  • When the individual is not present:
    • Emergency situations, including disaster relief efforts
    • Professional judgment that is in the best interest of the patient should be exercised

  32. Guidance on Parents and Minors
  • A parent or guardian of a minor is considered the “personal representative” of his or her minor child, and has the right to see the child’s PHI except in the following cases:
    • If a minor consents to services where parental consent is not required by state or other law
    • When a parent agrees to a confidential relationship between the child and the physician
    • If a covered entity believes the child is an abuse or neglect victim, or may be endangered by the parent or guardian
  • The Proposed Rule modifies the Current Rule by clarifying that state law governs disclosures in which a provider has discretion to determine whether a disclosure should be made to a parent

  33. De-identification of PHI
  164.514 (a) De-identified health information
  • Health information for which there is no reasonable basis to believe that the information can be used to identify an individual
  • The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information
  164.514 (b) Re-identification
  • A covered entity may assign a code or other means of record identification to allow de-identified information to be re-identified by the covered entity

  34. De-identification of PHI
  • Records can be de-identified by removing 19 elements outlined in the Rule, such as name, address, phone number, social security number, etc.
  • The proposed rule requests comments on a possible alternative approach to de-identification that would allow the use and disclosure of a limited data set, which would include certain identifiers, for research, public health and health care operations

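Slides 33 and 34 describe two things that are easy to get wrong in practice: stripping the listed identifiers from a record, and keeping a re-identification code that only the covered entity can resolve. The code below is an added example, not part of the presentation; the field names and the sample record are constructed, and beyond the four identifiers the slide names it applies the safe-harbor conventions of the final rule (dates reduced to year, ZIP code reduced to three digits, ages over 89 aggregated), which the presentation does not itself cover.

```python
import secrets
from datetime import date

# Direct identifiers removed outright. The slide names name, address, phone and SSN;
# the remaining keys are assumed field names for this example, not the Rule's full list.
REMOVE_FIELDS = frozenset({
    "name", "street_address", "phone", "ssn", "email", "mrn",
    "account_number", "fax", "device_id", "ip_address",
})

def _generalize(record):
    """Drop direct identifiers and coarsen the fields that may be kept in part:
    dates keep only the year, ZIP keeps its first three digits, ages over 89 become '90+'."""
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue
        if isinstance(value, date):
            out[key + "_year"] = value.year
        elif key == "zip":
            out["zip3"] = str(value)[:3]
        elif key == "age":
            out["age"] = "90+" if value > 89 else value
        else:
            out[key] = value
    return out

class DeidentificationService:
    """Lives on the covered entity's side: it is the only holder of the table that links
    a record code back to the patient (164.514(b))."""

    def __init__(self):
        self._code_to_mrn = {}

    def deidentify(self, record):
        # The code is random, so it is neither derived from nor related to the patient's data.
        code = secrets.token_hex(16)
        while code in self._code_to_mrn:
            code = secrets.token_hex(16)
        self._code_to_mrn[code] = record["mrn"]
        clean = _generalize(record)
        clean["record_code"] = code
        return clean

    def reidentify(self, code):
        """Only the covered entity can do this; unknown codes resolve to None."""
        return self._code_to_mrn.get(code)

def leaked_identifiers(record):
    """Pre-release check: returns any direct identifier fields still present in a record."""
    return sorted(k for k in record if k in REMOVE_FIELDS)

# Constructed sample record, not real patient data.
SAMPLE = {
    "mrn": "MRN-0001", "name": "Jane Doe", "street_address": "1 Main St",
    "zip": "02139", "phone": "555-0100", "ssn": "000-00-0000",
    "date_of_birth": date(1910, 5, 4), "age": 92, "admission_date": date(2002, 3, 14),
    "diagnosis_code": "I10",
}

if __name__ == "__main__":
    svc = DeidentificationService()
    released = svc.deidentify(SAMPLE)
    print(released)
    print(svc.reidentify(released["record_code"]))
```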
  35. Verification Requirements
  164.514 (h) Verification requirements
  • Prior to any disclosure, a covered entity must verify the identity and authority of any person requesting PHI, if the identity and/or authority are unknown

  36. Minimum Necessary
  • Covered entities must make all reasonable efforts to limit a use or disclosure to the “minimum (amount of PHI) necessary to accomplish the intended purpose of the use, disclosure or request”
  • Exceptions to the standard:
    • Disclosures to or requests by a provider for treatment
    • Disclosures made to the individual
    • Disclosures authorized by the individual
    • Required disclosures to DHHS and disclosures required by law
    • Disclosures to comply with the Privacy Rule

  37. Minimum Necessary (cont.)
  • Must identify persons in the workforce who need access to PHI to carry out their duties, and for each such person or class:
    • Identify the category or categories of PHI to which access is needed
    • Identify any conditions appropriate to such access
  • The covered entity may rely on a requested disclosure as the minimum necessary when the request comes from another covered entity, a professional member of its workforce, or a business associate

  38. Minimum Necessary (cont.)
  • Policies and procedures are needed to define minimum necessary for routine disclosures
  • Criteria must be developed to limit non-routine disclosure of PHI to the information reasonably necessary to accomplish the purpose for which it is sought, and requests for disclosure must be reviewed on an individual basis in accordance with such criteria
  • The Guidance clarifies that the standard is a “reasonableness” standard, not a strict one – which enables a best-practices approach consistent with existing professional standards

  39. Proposed Rule: Minimum Necessary
  • The scope of permitted uses and disclosures would be amended to include incidental disclosures, with certain conditions
  • The term “reasonably ensure” will be deleted from the language of the implementation guidelines to clarify that DHHS desires the minimum necessary standard to be flexible and not imply that an “absolute strict standard” applies
  • Uses and disclosures made pursuant to any authorization would be added to the list of uses and disclosures excepted from the minimum necessary standard

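Slides 36 to 38 amount to an access-decision procedure: check whether the purpose is excepted, otherwise limit the request to the PHI categories identified for the requester's workforce class, attach any conditions on that access, and route non-routine requests to individual review. The code below is an added example, not part of the presentation; the workforce classes, PHI categories, conditions and purpose labels are constructed for it.

```python
from dataclasses import dataclass

# Workforce classes, the PHI categories each needs, and any condition on that access (slide 37).
# Class, category and condition names are constructed for this example.
ACCESS_MATRIX = {
    "billing_clerk": {"demographics": None, "claims": None},
    "attending_physician": {"demographics": None, "clinical": None, "claims": None},
    "quality_analyst": {"clinical": "de-identified extract only"},
}

# Uses and disclosures excepted from the minimum-necessary standard (slide 36); labels are assumed.
EXCEPTED_PURPOSES = frozenset({
    "treatment_by_provider", "disclosure_to_individual", "authorized_by_individual",
    "required_by_law_or_dhhs", "privacy_rule_compliance",
})

@dataclass(frozen=True)
class Request:
    requester_class: str
    purpose: str
    categories: frozenset                   # PHI categories asked for
    routine: bool = True                    # non-routine requests get individual review (slide 38)
    from_covered_entity_or_ba: bool = False  # slide 37: may rely on the requester's own determination

@dataclass(frozen=True)
class Decision:
    granted: frozenset
    conditions: tuple
    needs_individual_review: bool
    reason: str

def evaluate(request):
    """Apply the minimum-necessary standard to one access or disclosure request."""
    if request.purpose in EXCEPTED_PURPOSES:
        return Decision(request.categories, (), False, "excepted purpose: " + request.purpose)
    if request.from_covered_entity_or_ba:
        return Decision(request.categories, (), False,
                        "relying on the requester's own minimum-necessary determination")
    allowed = ACCESS_MATRIX.get(request.requester_class, {})
    granted = frozenset(c for c in request.categories if c in allowed)
    conditions = tuple(sorted(f"{c}: {allowed[c]}" for c in granted if allowed[c]))
    denied = sorted(request.categories - granted)
    reason = "limited to categories identified for class " + request.requester_class
    if denied:
        reason += "; dropped: " + ", ".join(denied)
    return Decision(granted, conditions, not request.routine, reason)

if __name__ == "__main__":
    print(evaluate(Request("billing_clerk", "payment", frozenset({"demographics", "clinical"}))))
```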
  40. Marketing
  • Marketing is defined as a communication about a product or service, a purpose of which is to encourage recipients of the communication to purchase or use the product or service. This definition does not limit the type or means of communication that are considered marketing
  • Exceptions to this definition include:
    • Describing participating providers or plans in a network or the services or benefits they provide
    • Using the communication to provide, manage, or further patient treatment

  41. Marketing (cont.)
  • If a communication is considered marketing, PHI may be used or disclosed only in these cases:
    • During a face-to-face encounter
    • Concerning products or services of nominal value
    • Concerning the health-related products and services of the covered entity
    • When individuals have been told why they are being targeted
    • Marketing-related disclosures made to business associates only to support the covered entity’s marketing activities
  • The exceptions above do not apply if the covered entity is compensated by a third party
  • In all other instances, a covered entity may not use or disclose PHI without an authorization

  42. Proposed Rule: Marketing
  • Under the current rule, individuals must “opt-out” in order not to receive marketing communications
  • Under the Proposed Rule, individuals must “opt-in” to receive further communications about health products or services
  • If the covered entity expects to be remunerated for marketing, the authorization must disclose that fact
  • The definition of marketing would be revised so that a determination of whether a communication is marketing would turn on the effect of the communication rather than the intent of the person making the communication
  • Health care communications such as disease management, prescription refill reminders and appointment notifications are exempt from the definition of marketing

  43. Fundraising
  • Fundraising on behalf of a covered entity is a health care operation
  • A covered entity may use or disclose certain PHI (name, address, phone number, date of episode) to a business associate or to an institutionally related foundation for the purpose of raising funds for its own benefit, without an authorization
  • Fundraising materials must explain how the individual may opt out of any further fundraising communications, and covered entities must honor those requests

  44. Notice of Privacy Practices

  45. Notice of Privacy Practices
  164.520 (a) Notice of Privacy Practices
  • Right to Notice
    • An individual has the right to have adequate notice of uses and disclosures of PHI and of the covered entity’s legal duties with respect to protected health information
  • Exception for Inmates
    • The requirements of this section do not apply to correctional institutions
    • An inmate does not have the right to notice under this section

  46. Notice of Privacy Practices
  164.520 (b) Content of Notice
  • Must provide written notice in plain language that contains:
    • Header: “This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.”
    • Uses and disclosures (e.g., treatment, third-party audits and special studies)
    • Separate statements for certain uses or disclosures
    • Individual’s rights
    • Covered entity’s duties

  47. Notice of Privacy Practices (cont.)
  164.520 (b) Content of Notice
  • Optional election to limit uses or disclosures
    • The covered entity may describe its more limited uses or disclosures in its notice
  • Revisions to the notice
    • Must promptly revise and distribute the notice whenever there is a material change to the uses and disclosures

  48. Notice of Privacy Practices
  • The notice must be made available upon request
  • Covered entities must:
    • Provide notice no later than the date of the first service delivery
    • Provide notice as soon as reasonably practical in an emergency
    • Have notice available at the physical delivery site
    • Post notice in a clear and prominent location
    • Make notice available upon revision
  • Electronic Notice:
    • E-mail notification is probably acceptable
    • If the covered entity knows the e-mail failed, a paper copy of the notice must be provided

  49. Proposed Rule
  • Covered entities must make a “good faith effort to obtain a written acknowledgement of receipt”
  • If an acknowledgment is not obtained, the covered entity must document its good faith effort and the reason why the acknowledgment was not obtained
  • The covered entity must document compliance with the Notice requirement by maintaining any written acknowledgments of receipt of notice and any documentation regarding unsuccessful good faith efforts to obtain acknowledgment

  50. Joint Notices of Privacy Practices
  • Covered entities who participate in an organized health care arrangement may comply with the provision of notice by a joint notice, provided they:
    • Abide by the terms of the notice with respect to PHI created or received by the covered entity
    • Provide notice of revisions
    • Describe the covered entities to which the joint notice applies
