Learn about HIPAA rules, penalties, client rights, amendments, and disclosures. Ensure privacy practices are compliant for protecting health information.
HIPAA • Limits sharing of Protected Health Information • Restricts employers from using Protected Health Information in employment decisions • Requires employers & employees to adopt & apply certain procedures to safeguard Protected Health Information
Three HIPAA Rules • Privacy Rule protects individuals from discriminatory or wrongful use of their Protected Health Information. • Security Rule safeguards PHI through security officers & security measures. • Electronic Transactions & Code Set Rule sets standard codes for electronic transactions.
Penalties for Non-Compliance • For knowing misuse of PHI: up to 1 year imprisonment, or $50,000 fine, or both • For obtaining PHI under false pretenses: up to 5 years imprisonment, or $100,000 fine, or both • For using PHI for commercial advantage, personal gain, or malicious harm: up to 10 years imprisonment, or $250,000 fine, or both • Civil Penalties: min. $100 per client, max. $25,000 per year per client
Client Rights • To have their Protected Health Information protected • To inspect & copy their records • To request that their PHI records be corrected/changed • To request limits on how their PHI is used/shared • To request the manner in which they are contacted (e.g., at home and not at work) • To get a list of disclosures made of their PHI
Client’s Right to Access • Clients may be charged for the costs of copying, including personnel time, supplies required, & mailing, but not for the cost of retrieving information. • Copies for individuals other than the client may be charged at whatever rate the covered entity desires. • Access may be denied if a licensed provider has determined that access may be dangerous to the client or another person. • If access is denied, the covered entity must notify the individual in writing of the reason for the denial & provide the individual with access to all information that is not subject to the denial. • Some denials are subject to review at the client’s request.
Client Cannot Amend • If the covered entity did not create the information (unless the client can show that the originator is unavailable) • If the information is complete & accurate “as is” • If the information is of a type that would not be available for the client to access
Amendment IS Granted • Make the amendment to the client’s records. • Notify anyone who has received the information of the amendment. Amendment is NOT Granted • Notify the client in writing. • Upon the client’s request, include a copy of the request for amendment in all future disclosures. • If the client and/or covered entity adds a rebuttal statement, include that statement in all future disclosures & provide the client with a copy.
Accounting of Disclosures • The first accounting in a 12-month period must be free of charge to the client. • Account for all disclosures made in the previous 6 years (but after the HIPAA compliance date, 04/14/03). • Not required to account for TPO disclosures, disclosures to the client, disclosures for national security or intelligence purposes, disclosures to correctional institutions, incidental disclosures, or disclosures made pursuant to the client’s written authorization.
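The 6-year window, the 04/14/03 floor, the exempt purposes and the free-first-accounting rule above, implemented as an added example (not part of the original training deck) over a constructed disclosure log. The purpose codes, the log fields and the sample records are assumptions made for this illustration.

```python
from collections import namedtuple
from datetime import date
# Purposes the deck says need NOT be listed in an accounting of disclosures.
# The purpose codes are assumed labels for this example, not HIPAA terms.
EXEMPT_PURPOSES = {
    "treatment", "payment", "operations",       # TPO
    "to_client", "national_security",           # to the client; national security/intelligence
    "correctional_institution", "incidental",
    "client_authorization",                     # made under the client's written authorization
}
# Privacy Rule compliance date: disclosures before it are never accounted for.
HIPAA_PRIVACY_DATE = date(2003, 4, 14)
# One log entry; dates are ISO strings (YYYY-MM-DD) as an audit log would store them.
Disclosure = namedtuple("Disclosure", "client_id disclosed_on recipient purpose description")

def years_before(d, n):
    """Same calendar day n years earlier (Feb 29 falls back to Feb 28)."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)

def accounting_window(as_of):
    """ISO start date of the period to account for: 6 years back, but never before 04/14/03."""
    return max(years_before(date.fromisoformat(as_of), 6), HIPAA_PRIVACY_DATE).isoformat()

def accountable_disclosures(log, client_id, as_of):
    """Entries about client_id that must appear in an accounting requested on as_of, newest first."""
    start = accounting_window(as_of)        # ISO date strings compare correctly as text
    hits = [d for d in log
            if d.client_id == client_id
            and start <= d.disclosed_on <= as_of
            and d.purpose not in EXEMPT_PURPOSES]
    return sorted(hits, key=lambda d: d.disclosed_on, reverse=True)

def accounting_is_free(prior_request_dates, as_of):
    """First accounting in any 12-month period is free: no prior request in the year ending on as_of."""
    cutoff = years_before(date.fromisoformat(as_of), 1).isoformat()
    return not any(cutoff < r <= as_of for r in prior_request_dates)

# Constructed sample disclosure log (not real data).
SAMPLE_LOG = [
    Disclosure("C-100", "2024-03-02", "Acme Billing", "payment", "claim for blood test"),
    Disclosure("C-100", "2023-11-09", "State Health Dept", "public_health", "reportable condition"),
    Disclosure("C-100", "2022-08-20", "Client", "to_client", "copy of own records"),
    Disclosure("C-100", "2020-05-14", "Study Sponsor", "client_authorization", "research enrollment"),
    Disclosure("C-100", "2019-02-10", "Sheriff's Office", "law_enforcement", "identification request"),
    Disclosure("C-100", "2017-01-05", "County Court", "court_order", "records per subpoena"),
    Disclosure("C-200", "2023-06-01", "State Health Dept", "public_health", "reportable condition"),
]
```

Run against the sample log for client C-100 as of 2024-06-01, the TPO, to-client and authorized disclosures drop out, the 2017 court disclosure falls outside the 6-year window, and only the public-health and law-enforcement entries remain.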
Written Notice of Privacy Practices Providers are required to give a written Notice of Privacy Practices that explains how they use & share PHI, clients’ rights & the entity’s responsibilities regarding PHI, & who to contact for more information.
Written Notice of Privacy Practices • Provided at the time of first delivery of services, or, in an emergency, as soon as practicable after the emergency passes • Posted at each physical site of service • Posted on the website (if one exists) • Available upon request by anyone at the physical site of service • Covered entity must document failed efforts to obtain a written acknowledgement of receipt
Sample Privacy Notice We may use and disclose your PHI to a family member, friend or other person to the extent necessary to help with your healthcare or with payment for your healthcare, but only if you agree that we may do so. If you are present, then prior to use or disclosure of your health information, we will provide you with an opportunity to object to such uses or disclosures. In the event of your incapacity or emergency circumstances, we will disclose health information based on a determination using our professional judgment, disclosing only health information that is directly relevant to the person's involvement in your healthcare. We will also use our professional judgment and our experience with common practice to make reasonable inferences of your best interest in allowing a person to pick up filled prescriptions, medical supplies, x-rays, or other similar forms of health information.
NOT Protected Health Information • Pre-employment physicals or substance abuse screenings • Family Medical Leave Act Request • Americans with Disabilities Act Request • Disability retirement or retirement savings plan withdrawals for health
Protected Health Information: identifiers • Names • Addresses • All dates • Telephone/FAX numbers • Email addresses • Social Security Numbers • Photographs • Account numbers • Medical record numbers • Health plan numbers • License & Vehicle Identification Numbers • Diagnosis & medications • Any other unique identifying number, characteristic, or code
Protected Health Information • Use generally refers to how PHI is handled internally by the provider. • Disclosure generally refers to how PHI is shared externally.
Protected Health Information • Electronic: Internet, fax, disks, back-up tapes • Paper: written or photo • X-Rays: film or electronic • Audio or Video • Oral Communications: in person, by telephone, or by voice mail
Protected Health Information • Sent or stored in any form • Identifies the client or can be used to identify the client • Created or received by a covered entity • Concerns a client’s past, present or future treatment or payment for services
Minimum Necessary • The amount of PHI used, shared, accessed, or requested must be limited to only what is needed. • When a billing company bills for a blood test, it does not need the client’s complete medical record.
Minimum Necessary • Workers should have ONLY such PHI as their job responsibility requires. • Someone who delivers food trays may need PHI about the client’s diet but does not need to know the reason the client is in the hospital.
Covered Entities • Healthcare Plans • Organized Health Care Arrangements • Healthcare Providers including doctors, nurses, therapists, & people who transmit information electronically • Healthcare clearinghouses (DENIS, WebMD) • Hospitals & clinics
Other Entities • Affiliated Entities must be under common ownership or control & must prepare & retain a written designation. • Hybrid Entities may have some covered portions & some non-covered. Firewalls are required to prevent unauthorized disclosure by the covered portion to the non-covered portion.
Business Associates • Any non-employed vendor providing a service for the covered entity where access to PHI is needed must sign a Business Associate Agreement promising to keep PHI confidential. • Example: a company developing entry software must see actual PHI. • Employees, volunteers, & trainees are NOT considered business associates.
Information Exchange • Insurance Companies • Laboratories • Provider Offices • Pharmacies • Banks • Employers • Hospitals • Government
Mandated Transaction Standards • Healthcare Claims or Encounters • Healthcare Claims Status • Healthcare Claims Payments & Remittance Advice • Healthcare Enrollments & Disenrollments • Health Plan Eligibility • Health Plan Premium Payments • Health Plan Claims Attachments • Referral Certification & Authorization • First Report of Injury (Workers’ Compensation)
Treatment, Payment, & Operations • Treatment: activities related to client care • Payment: activities related to paying for or getting paid for healthcare services • Healthcare Operations: day-to-day activities of a covered entity such as planning, management, training, improving quality, providing service and education, but NOT research
KEY TERMS • Consent: A general document that gives covered entities which have a direct patient relationship permission to use and disclose all protected health information (PHI) for treatment, payment & operations (TPO) purposes (e.g., a physician using and disclosing medical records and lab results) • Authorization: A more customized document that gives covered entities permission to use PHI for purposes other than TPO, or for disclosure to a third party (e.g., follow-up for diabetes counseling once diagnosed)
KEY TERMS • Covered Entities: Health Plans, Healthcare Clearinghouses, Health Care Providers & extensions of provider service (financial & administrative functions) • Business Associates: A person or entity who provides certain functions & services for or to a covered entity involving protected health information (e.g., a medical waste vendor)
Prior Written Authorization • DO NOT use or disclose PHI for any non-routine purposes without prior written authorization signed by the client. • The Prior Written Authorization form must include: • The name of the person or persons authorized to make & receive the disclosure • A description of the information to be disclosed • The expiration date & a statement that the authorization can be revoked at any time • The client’s or legal agent’s signature & date
Prior Written Permission NOT Required • To treat a client, to get paid for treatment, or to evaluate the person who provided treatment • To share PHI with that client • To report births & deaths (public health purposes) • For disclosure to vendors for TPO under a written contract
Prior Written Permission NOT Required • To report abuse, neglect, or domestic violence • For certain law enforcement purposes • For organ, eye, or tissue donation • To avoid serious threats to health or safety • For coroners, medical examiners, or funeral directors
Prior Written Permission REQUIRED For Marketing & Fundraising • A doctor cannot give a diaper company the names of pregnant clients without the clients’ prior written authorization, including how the PHI will be used, for how long, & by whom.
Prior Written Permission REQUIRED For Use & Disclosure of Psychotherapy Notes • Psychotherapy notes are notes recorded by mental health professionals about private, group, joint, or family counseling sessions that are kept separate from the rest of the client’s medical records.
Exceptions (Psychotherapy Notes) • For a covered entity to train students • For the covered entity to defend itself in a legal action brought by the individual who is the subject of the psychotherapy notes • For coroners and medical examiners • As necessary to prevent a serious and imminent threat to health or safety • For health oversight activities • Uses and disclosures required by law
Prior Written Permission REQUIRED For Use and Disclosure for Research • A researcher cannot enroll a client in a study without prior written authorization that includes how the PHI will be used, by whom, & for how long.
Prior Opportunity to Reject Required • Facility directories • Friends & family members involved in client care or payment • Clergy • Disaster relief organizations
Incidental Disclosure • Allowed if reasonable steps or safeguards are taken to secure & protect PHI • Visitors may hear a client’s name called in a waiting room or over speakers, or overhear a clinical discussion while walking down a hallway.
Incidental Disclosure • Sign-in sheets may be used but should NOT ask the reason for the visit. • Charts at bedside or outside exam rooms are allowed but should face backwards. • Client care signs are allowed, such as for diet needs.
Alternative Communications • You must comply with all reasonable requests about how & where to contact clients. • Messages can be left on answering machines or with those who answer the phone, but the message should be limited to the minimum necessary. • Do NOT disclose sensitive information.
Incidental Disclosure • Prescriptions can be discussed with the client over a drugstore counter, or by telephone between the healthcare provider and the client. • PHI can be shared in group therapy settings for treatment. • Clients’ conditions may be discussed in the entity’s educational programs.
Incidental Disclosure • You may speak to other providers or clients even if you may be overheard. • You may orally arrange services at nursing stations. • You may discuss a client’s condition with that client, other providers, or family members over the telephone or in a client’s semi-private room with the client’s oral permission.
Reasonable Safeguards • Speak in soft tones when discussing PHI. • DO NOT discuss PHI in public hallways or elevators. • Use but DO NOT share computer passwords. • Always lock cabinets that store PHI.
Administrative Requirements • Privacy Official is responsible for developing & overseeing privacy for the covered entity. • Contact Officer distributes information & receives complaints about privacy practices. (May be performed by the Privacy Official in smaller organizations.) • Both roles must be designated in writing. • Training is required for ALL members of the workforce, must be job-specific, and requires retraining when a change in the law affects a workforce member’s handling of Protected Health Information.
Documentation • Covered entities must ADOPT & APPLY policies & document them in written or electronic form. • Must provide a process for receiving & addressing complaints, & complaints must be documented. • Retention is required for 6 years from the date the document was created or the date the document was last in effect, whichever is later. • The Department of Health & Human Services Office for Civil Rights oversees compliance.
FAQ Q: Is PHI the same as the medical record? A: No, HIPAA protects more than the official medical record. A great deal of other information is also considered PHI, such as billing and demographic data. Even the fact that a person is a client is Protected Health Information.
Q: What if I’m accidentally overheard discussing a client’s PHI? A: It is not a violation as long as you were taking reasonable precautions & were discussing the protected health information for a legitimate purpose. The HIPAA privacy rule is not meant to prevent care providers from communicating with each other & their clients during the course of treatment. These "incidental disclosures" are allowed under HIPAA.
Q: If I overhear patient care information in the elevator or in the hallway, how should I handle it? A: If appropriate, remind the speakers of the policy in private. If the conversation clearly violates policies or regulations, report it to the Privacy Officer.
Q: I work in the hospital and don't need to access PHI for my job, but every now & then a client’s family member asks me about a client. What should I do? A: Explain that you do not have access to that information, & refer the individual to the client’s healthcare provider.
Q: What should I do if a government agency or law enforcement person requests information about a client? A: If working with law enforcement is not part of your responsibility, contact your supervisor. If it is your responsibility, provide only the minimum amount necessary to support the investigation, after verifying the authority of the individual or organization making the request. Always consult your supervisor or the Privacy Officer if you are unsure what to do. The privacy rules are very specific in this area.
Q: Do I need to record the fact that I’ve made these disclosures? A: For the most part, yes. You need to document most disclosures made without prior authorization, except disclosures made for TPO purposes. Contact the Privacy Officer for details about which disclosures do not require documentation.