
HIPAA Privacy The Morning After Panel

HIPAA Privacy The Morning After Panel. What do we do now? William R. Braithwaite, MD, PhD (moderator), Washington, DC; Ross Hallberg, Corporate Compliance Officer, John Muir/Mt. Diablo Health System, Walnut Creek, CA


Presentation Transcript


  1. HIPAA Privacy The Morning After Panel
     What do we do now?
     • William R. Braithwaite, MD, PhD (moderator), Washington, DC
     • Ross Hallberg, Corporate Compliance Officer, John Muir/Mt. Diablo Health System, Walnut Creek, CA
     • Ronald Margolis, Chief Information Officer, University Hospitals, University of New Mexico, Albuquerque, NM
     • Tina Sernick, Manager, Deloitte & Touche LLP, New York, NY

  2. Principles of Fair Info Practices
     • Notice
         • Existence and purpose of record-keeping systems must be known.
     • Choice – information is:
         • collected only with knowledge and permission of subject.
         • used only in ways relevant to the purpose for which the data was collected.
         • disclosed only with permission or overriding legal authority.
     • Access
         • Individual right to see records and assure quality of information.
             • accurate, complete, and timely.
     • Security
         • Reasonable safeguards for confidentiality, integrity, and availability of information.
     • Enforcement
         • Violations result in reasonable penalties and mitigation.

  3. Individual’s Rights
     • Individuals have the right to:
         • A written notice of information practices from health plans and providers.
         • Inspect and obtain a copy of their PHI (DRS).
         • Obtain an accounting of disclosures.
         • Amend their records.
         • Request restrictions on uses and disclosures.
         • Accommodation of reasonable communication requests.
         • Complain to the covered entity and to HHS.

  4. E-mail
     • Misconception: HIPAA prohibits email between doctor and patient.
     • Fact: HIPAA allows it. Encryption requirement on internet transmissions was reduced to ‘addressable’ so that such interactions could continue.

  5. Drug Reps
     • Misconception: HIPAA prohibits drug reps from coming into the back office.
     • Fact: Given that reasonable efforts have been made to prevent incidental disclosures (to other patients, fax repairman, etc.), HIPAA does not prohibit such activity. HIPAA does, however, prohibit sharing PHI with drug reps (and others) without patient authorization.

  6. Prescriptions
     • Misconception: Friend can’t pick up prescription without written permission (authorization) from patient.
     • Fact: Specifically allowed in HIPAA.

  7. Family
     • Misconception: Doctor can’t talk to family about patient without written permission.
     • Fact: Specifically allowed in HIPAA unless patient objects.

  8. Medical Decisions
     • Misconception: HIPAA sets new rules for who can make medical decisions for patients.
     • Fact: HIPAA defers such decisions 100% to state law.

  9. Medical Records
     • Misconception: Medical Records department can’t send records to MD office for follow-up without patient authorization.
     • Newspapers report “lengthy and complicated legal forms are required.”
     • Fact: Any PHI may be disclosed to any health care provider for treatment purposes without patient permission of any kind.
     • Note: does not conflict with state law which MAY require such permission.

  10. Marketing
     • Misconception: HIPAA prevents any marketing activity without patient permission.
     • Fact: New definition of “marketing” excludes most activity commonly thought of as marketing as long as it has something to do with health.
     • e.g., drug switch letters are not “marketing” under the privacy rules.

  11. Costs
     • Misconception: Complying with HIPAA is extremely costly and will push health care organizations to bankruptcy.
     • Fact: Most requirements of HIPAA privacy are things that should already be in place. The cost of new documentation requirements is more than offset by savings from implementation of transaction standards.

  12. Directory
     • Misconception: HIPAA does not allow a hospital to list patients in their directory without their explicit permission.
     • Fact: Although the patient must be given the opportunity to object, no permission is required.
     • Routinely, when asked for by name, hospital may disclose location and general condition of patient.
     • If patient objects, no information may be disclosed without authorization.

  13. Clergy
     • Misconception: Clergy cannot get a list of patients with their religions.
     • Fact: Unless a patient objects, clergy may receive a list of patients with their location, general condition, and religious preference.
     • If a patient objects, they must be left off such a list.

  14. Mandated Disclosures
     • Misconception: HIPAA mandates new disclosures (including to law enforcement) and removes the right to consent.
     • Fact: HIPAA requires disclosure of PHI in only two cases:
         • Patient access to their own PHI is required.
         • HHS access to PHI when investigating a complaint.
     • All other use and disclosure is permissive -- NOT required.
