Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health Policy Institute, Georgetown University jlp@georgetown.edu
Background • Health Insurance Portability and Accountability Act of 1996 (HIPAA) • “Administrative simplification” • Encourage electronic health care information infrastructure • Protect security/privacy of health information
Who Is Covered Covered entities • Health plans • Health care clearinghouses • Health care providers who transmit health claims-type information electronically
What Is Covered Protected Health Information Information in any format about a person’s: • Health, health care, or payment of health care; • Which identifies or reasonably could be used to identify the person; and • Was created or received by a covered health care plan or provider
What is NOT Covered De-identified information • Qualified statistician has determined only very small chance of identifying person from information; or • All listed identifiers have been removed • Name • Dates associated with person (other than year) • Social Security Numbers • Etc.
General Structure • Restricts how covered entities can use and disclose protected health information • Grants patients rights (e.g., see, copy, amend own health information) • Imposes “administrative” requirements
Uses & Disclosures: In General Prohibits using and disclosing health information unless • Specifically permitted by regulation or • Authorized by patient
If the disclosure does not fit within one of the specifically enumerated purposes in the regulation, you must get the patient’s authorization.
Business Associates • Person who performs functions on behalf of covered entity involving use/disclosure of identifiable health information • Can disclose to “business associates” if certain conditions are met
Business Associates Contract or other arrangement that • Establishes permitted uses/disclosures • Provides that business associate will use appropriate safeguards to protect info. • Makes health information available to patients pursuant to access rights • Meets other requirements
Minimum Necessary Rule Requires reasonable effort to limit information to minimum amount necessary to accomplish intended purpose 45 C.F.R. § 164.502(b)
Treatment, Payment, and Health Care Operations • Regulatory permission to use and disclose for these purposes • Obtaining patient’s consent is permitted
Treatment, Payment, and Health Care Operations • Patient has right to request restrictions • Provider does not have to agree to request
Treatment, Payment, and Health Care Operations Minimum necessary rule does not apply to disclosures for treatment purposes
“National Priority” Purposes • Required by Law • Public Health • Health Oversight • Law Enforcement • Research • To Avert Serious Threats to Health or Safety • Workers’ compensation • Others
“National Priority Purposes” • No patient authorization required • Additional conditions generally imposed varying with the purpose
Patient Authorization • Required for uses/disclosures not expressly permitted by regulation • Must conform with standard format
Patient Rights • Right to notice of privacy practices • Right to see, copy, and amend record • Right to an accounting of disclosures • Excludes disclosures made for treatment, payment, & health care operations • Right to request restrictions
Administrative Duties • Provide notice of privacy practice • Designate privacy officer & contact person for complaints • Implement safeguards • Develop sanctions for privacy violations • Maintain documentation
Is Anyone on the Network Covered by the HIPAA Privacy and Security Regulations?
Health Plans • HMOs • Fee for service health insurers • Most group health plans • Medicaid programs • State high risk pools • Any individual or group plan that provides or pays for the cost of medical care (45 C.F.R. § 160.103)
Health Plans • Ryan White CARE funded programs generally are not considered to be health plans, but • May meet the definition of health care provider 65 Fed. Reg. 82479
Health Care Clearinghouses • Person/entity that translates health information into/out of standard format • Central database that just stores/transfers information is not a clearinghouse
Covered Health Care Providers Health Care Provider • Practitioners • Facilities • Those who furnish drugs, devices pursuant to prescriptions
Covered Health Care Providers Must engage in: • Standard transactions • Claims submission/encounter reports • Verification of eligibility • Referrals • Others
Covered Health Care Providers (cont’d) • Electronically • Use of computer • Fax excluded
Impact • It is likely that someone on network will be covered by HIPAA. • If someone is covered, some client-level data will be protected by HIPAA.
Impact Every class of disclosure to central data base must either • Come within permitted disclosures of HIPAA or • Be authorized by patient
What Provisions Justify Sharing Health Information With Central Database?
Business Associate • If covered entity enters data for treatment purposes • Business associate provisions permit organization that maintains database to store and share with others for treatment purposes
Business Associate • Does not permit organization to use or disclose for other purposes [Diagram: Provider sends info. for treatment to Business Associate; Business Associate shares info. for treatment with Provider; labelled "Business Associate Use"]
“Required by Law” Covered entity may make any disclosure that is “required by law” without the permission of individual who is the subject of information.
Disclosures “Required by Law” When is a use or disclosure “required by law”? • Mandate is contained in law that compels use or disclosure; and • Is enforceable in court of law
Health Oversight Permission of individual who is subject of information not required to disclose protected health information to a health oversight agency for oversight activities authorized by law (45 C.F.R. § 164.512(d))
Health Oversight Health Oversight Agency includes Federal, state, or regional entity authorized to oversee • Health care system or • Govt. programs for which health information is necessary to determine eligibility or compliance
Health Oversight Overseeing health care system includes • Oversight of health care and health care delivery; • Analysis of trends in health care costs, quality, delivery, and access to care; • Other functions
Public Health May disclose without authorization to public health authority that is authorized by law to collect or receive such information
Some Other Considerations Business associate • Business associate or similar agreements • Patient right of access to information held by business associates
Some Other Considerations Minimum necessary rule applies to disclosures for health oversight and public health
Some Other Considerations State Law • HIPAA does not preempt stronger state law • Most states have laws related to HIV that are in some respects stronger than HIPAA
Some Resources • HHS, (ASPE) http://aspe.hhs.gov/admnsimp/ Admin. Simp. History • HHS, Office of Civil Rights http://www.hhs.gov/ocr Text of Privacy Regs. Guidance • CMS http://www.cms.hhs.gov/hipaa/hipaa2/default.asp Evaluation tool