
HIPAA Training Workshop #1

HIPAA Training Workshop #1. Council of Community Clinics – San Diego February 7, 2003 by Kaye L. Rankin Rankin Healthcare Consultants, Inc. Today’s Topics. Minimum Necessary – A real challenge! Authorizations or How to make something really complicated!

dawson

Presentation Transcript


  1. HIPAA Training Workshop #1 Council of Community Clinics – San Diego February 7, 2003 by Kaye L. Rankin Rankin Healthcare Consultants, Inc.

  2. Today’s Topics
     • Minimum Necessary – A real challenge!
     • Authorizations or How to make something really complicated!
     • Access to Protected Health Information – The Defense Industry is going to have nothing on us!

  3. Minimum Necessary
     • A Covered Entity must make a reasonable effort to use, disclose or request only the minimum amount of information necessary for its purpose.
     • Policies and procedures identifying persons or classes of persons needing access to PHI and the conditions that would apply
     • Policies and procedures limiting identified persons or classes of persons to needed access

  4. Minimum Necessary
     • Defined routine and non-routine disclosures
     • Disclosures made on a routine basis must have policies and procedures limiting disclosure to minimum necessary (with an exception for treatment).
     • Non-routine disclosures – must have policies and procedures for determining and limiting information to the minimum necessary (case-by-case basis)
     • Business Associates – policies and procedures describing routine disclosures

  5. Minimum Necessary
     • Disclosure of the entire medical record not permitted unless specifically justified in a policy

  6. Who Needs What and Why?
     • How are you going to identify users requiring access?
     • How do you identify what they need access to?
     • What are the conditions under which they need access?
     • How do you inform the gatekeepers about who should have access and who should not have access?

  7. Some Options
     • Option #1: Minimum Necessary Matrix
         • Pros
             • Basis for Access Authorization Log for Security Regulation
             • Easy for gatekeepers to determine if request is appropriate
             • Can be used for electronic systems as well as paper
         • Cons
             • Will probably require an employee survey or review of job descriptions
             • Will require maintenance
     Handout: Minimum Necessary Matrix

  8. Some Options
     • Option #2: Staff training and procedures requiring employees to verify access for any questionable requests
         • Pros
             • Less work to implement
             • Modification of job descriptions is logical
         • Cons
             • Someone must be given the responsibility of fielding calls and responding quickly
             • Changes to job descriptions to document access/level
             • More difficult to audit

  9. Identifying Routine Uses and Disclosures
     • First, minimum necessary does not apply to disclosures:
         • To providers for treatment purposes
         • To the individual
         • Pursuant to an Authorization
         • To the Secretary of DHHS
         • To comply with the transaction standards
     • How do we identify routine disclosures?
     Handout: Minimum Necessary Policy

  10. Some Options
     • Option #1: Survey by job title
         • Pros
             • You find out if job descriptions really reflect what employees are doing.
             • This should help in determining the conditions under which an employee will require access.
         • Cons
             • This is time-consuming to do.

  11. Some Options
     • Option #2: Departments/Programs management documents what should be routine.
         • Pros
             • Easier because not as many people involved
             • Easier to document this limited set of routine disclosures
         • Cons
             • You may miss something and then it will need to be handled on a case-by-case basis until policies are changed.

  12. Non-Routine Uses and Disclosures
     • Managing non-routine uses, disclosures and requests (remember that word reasonable)
     • How do we establish a consistent process for determining the reasonableness of a request?
     • How do we document due diligence?

  13. What’s Reasonable?
     • Criteria for reasonableness
         • Is the request specific with a clear purpose?
         • Could the disclosure potentially harm the patient?
         • Is the disclosure necessary to provide quality care or obtain reimbursement?
         • Could the disclosure impact the organization legally?
         • How many people would be provided access to the information?
         • How much information is being requested?
         • Could de-identified data meet the needs of the requestor?
         • Technology available to limit use/disclosure
         • The cost of limiting the use or disclosure
     Handout: Evaluating Non-Routine Uses and Disclosures

  14. Time for a BREAK!

  15. Authorizations
     • Definitions
         • Informed Consent = consent to receive treatment (retention 7 years)
         • Consent = written permission to use or disclose PHI, with the exception of psychotherapy notes, to carry out treatment, payment or health care operations – general consent (retention 6 years)
         • Authorization = allows the use and disclosure of PHI for purposes other than treatment, payment or health care operations – must be specific and is required to use or disclose psychotherapy notes (retention 6 years)

  16. Authorizations
     • Required elements
         • Everything that California Requires Plus
         • Statement – May Not Condition Treatment on Authorization (some exceptions)
         • Statement “Right to revoke”
         • Termination date
         • Potential for further disclosure – California prohibits
         • New conditions
         • Must provide copy
         • May not combine with other authorizations (again some exceptions)

  17. Now What?
     • Actions
         • Identify forms that meet the definition of a HIPAA Authorization (look at consents and authorizations)
         • Evaluate each form against the Authorization Checklist
         • Make necessary changes
         • To Printer
     Handout: Authorization Checklist

  18. Authorizations just became complicated.
     • Procedures
         • To receive a revocation
         • To notify interested parties within the organization of a revocation
         • To notify business associates of a revocation
         • To retain all documentation related to an authorization for 6 years

  19. Access to Protected Health Information
     • Verification of Identity and Authority or Do I know you?
         • Must verify the identity of a person requesting protected health information and the authority of such person to have access to protected health information, if the identity or any such authority of such person is not known to the covered entity; and
         • Obtain any documentation, statements or representations (oral or written) from the person requesting the protected health information when such documentation is a condition of disclosure

  20. Verification of Identity and Authority
     • Who are we talking about here?
         • Health oversight auditors
         • Public health authorities
         • Law enforcement
         • Personal representatives
         • Next of kin
         • Others

  21. Verification Procedures
     • Require completion of a request form.
     • Identity
         • Check driver's licenses, badges, or other official documentary proof of who they are.
         • If the request is in writing, is it on government letterhead?
     • Authority
         • Documented on government letterhead
         • Court order or other legal document
         • Legal documentation of personal representation
         • Proof of executorship or beneficiary status
     • Obtain copies – retain 6 years
     Handout: Example Request for Access

  22. Accounting of Disclosures
     • An individual has the right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested.
     Note: The disclosure may be oral, written, printed, electronic, etc. but still must be recorded.

  23. Accounting of Disclosures
     • What doesn’t have to be recorded:
         • Disclosures for treatment, payment or health care operations
         • To the individual
         • Incidental disclosures
         • Pursuant to authorization
         • National security or intelligence purposes
         • Correctional institutions or custodial situations
         • If part of a limited data set
     Handout: Accounting of Disclosures

  24. What will we have to do?
     • Keep a disclosure history on each patient
         • Date of disclosure
         • Name of organization or individual who received the information
         • Description of information disclosed
         • Reason for disclosure
         • Copy of an individual’s authorization
     • Be able to provide a copy when requested.
     • All documentation related to the request must be retained for 6 years (including information provided)

  25. The Clock is Ticking!
