HIPAA PRIVACY: A PRACTICAL APPROACH. April 14, 2003 is the deadline for health care providers to develop formal privacy procedures and to notify patients of their privacy rights. The following presentation outlines an approach for the smaller practice to access reasonable compliance solutions.
HIPAA COMPLIANCE: WHAT IT MEANS FOR YOUR OFFICE
PAUL A. GILMAN, ESQ.
ANDREW S. WILLIAMS, ESQ.
ARONBERG GOLDGEHN DAVIS & GARMISA
ONE IBM PLAZA, SUITE 3000
CHICAGO, ILLINOIS 60611
(312) 828-9600
WHAT IS HIPAA?
• Health Insurance Portability and Accountability Act of 1996
• Sets standards and requirements for the maintenance and electronic transmission of patient health information
• Covers 4 areas:
  • Privacy of information
  • Security of data
  • Transactions and code set standards for electronic transactions
  • Identifiers for providers, employers, and payers
TO WHOM DOES HIPAA APPLY?
• Covered Entities
  • Health Plans
  • Health care clearinghouses
  • Health care providers who transmit any health information (including billing) in electronic form
• Who is a health care provider?
  • A provider of medical or health services and any other person or organization who furnishes, bills or is paid for health care in the normal course of business
  • Includes: physicians, dentists, chiropractors, podiatrists, etc.
• Others dealing with Covered Entities, such as Business Associates, will be impacted by HIPAA
WHAT INFORMATION IS COVERED?
• HIPAA regulates “Protected Health Information” (“PHI”)
• PHI is information, oral or recorded, in any form or medium, that:
  • Is created or received by a provider, plan, etc.; and
  • Relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care
WHAT IS THE PRIVACY RULE?
• A Covered Entity may only use or disclose PHI:
  • With notice to the individual and acknowledgement of how that information will be used (“Notice of Privacy Practices”), but only for treatment, payment or health care operations (“TPO”)
  • Without a Notice of Privacy Practices under certain circumstances, such as per subpoena, or to avert a serious threat to health or safety
  • With a specific written authorization for a disclosure or use permitted for purposes other than TPO
• Even with a Notice of Privacy Practices, the Covered Entity must make reasonable efforts to limit the use or disclosure of PHI to the “minimum necessary” amount to accomplish the intended purpose of the use or disclosure
WHAT IS THE SECURITY RULE?
• Applies to physical, technical and administrative requirements to protect the maintenance, availability and confidentiality of PHI
• Closely intertwined with the Privacy Rule
• Requires appropriate technological measures and physical security safeguards to maintain the security of PHI
• Final rules expected in October, 2002
• Compliance mandated 26 months after publication of the final rules
• Will require Policies and Procedures and training for:
  • Password maintenance
  • Access controls
  • Physical controls
  • Logging off computers
  • Screensavers
  • Locking doors and file cabinets
  • E-mail risks
  • Other
WHAT IS THE TRANSACTIONS AND CODE SET RULE?
• Covers 8 EDI transactions between or within Covered Entities (or their Business Associates):
  • Claims
  • Remittances
  • COB
  • Eligibility
  • Referral Certification
  • Claim Status
  • Enrollment
  • Premiums
• Providers conducting electronic transactions must conduct “standard transactions”:
  • Standard codes
  • Minimum data sets
KEY COMPLIANCE DATES
Rule                        Compliance Date
Transactions and Code Set   October 16, 2002 (October 16, 2003 if extension requested by October 15, 2002)
Identifiers                 Summer/Fall, 2004 (est.)
Privacy                     April 14, 2003
Security                    Summer/Fall 2004 (est.)
SANCTIONS: WHY DO WE CARE ABOUT HIPAA?
• $100 per violation, up to $25,000 per year for each offense
• Wrongful disclosure may result in a fine of $50,000 or jail
• Enforcement by the Office of Civil Rights (OCR)
• May be the next hotbed of consumer litigation
OTHERS IMPACTED BY HIPAA: BUSINESS ASSOCIATES
• Disclosure to Business Associates (“BA”) is generally permitted
• A Business Associate is a person or organization that performs a function or activity on behalf of a Covered Entity and has access to PHI in the course of performing the function or activity, but is not part of the Covered Entity’s workforce
• Examples of Business Associates:
  • Accountants
  • Accreditation Services
  • Non-owned Providers
  • Attorneys
  • On Call Locum Tenens
  • Billing Service Companies
  • Coding Providers
  • Collection Agencies
  • Consultants
  • Copy Services
  • DME
  • Document Shredding Services
  • Laboratories
  • Lawyers
  • Management Services
  • Marketing Services
  • Medical Record Storage
  • Transcription Services
  • Vendors (software, hardware, etc.)
BUSINESS ASSOCIATE CONTRACTS
• Required by HIPAA
• Specify permitted uses and disclosures of PHI
• Require Business Associates to report improper use and disclosure to the Covered Entity
• Authorize contract termination for material breach
• Require subcontractor compliance
• Allow patient access, amendment and disclosure accounting
• Allow the Department of Health and Human Services to access the BA’s books and records
• Return or destroy PHI, if feasible, and otherwise ensure no disclosure or improper use when the contract ends
• A written contract existing with a BA before 10/13/02 and not modified or concluded before 4/13/03 will be compliant until the earlier of:
  • Modification or conclusion before 4/14/04, or
  • 4/14/04
KEY PRIVACY COMPLIANCE POINTS
• Requires a cultural change
• PRIVACY IS ABOUT CONSCIOUSNESS-RAISING: THINK PRIVACY BEFORE USE OR DISCLOSURE
• If it’s not documented, it didn’t happen
• HIPAA does not require a complete overhaul of the business
STEPS TO COMPLIANCE
• Appoint a Privacy Officer and Contact Person (can be the same person)
  • Required
  • Responsible for development and implementation of privacy-related programs, policies and procedures
• Identify all categories of persons whose duties require access to PHI (by job function)
• Conduct a “GAP Analysis”
  • Gather baseline information:
    • Hardware
    • Software
    • Networks
    • Data location, access, flow
    • Current policies and procedures
  • Identify and document GAPs in actual uses and disclosures of PHI against HIPAA’s requirements
  • Assess the GAP: what is needed to close the GAP
• Identify Business Associates
  • Draft Business Associate Agreements
  • Communicate with and enter into agreements with Business Associates
• Develop required Forms, Policies and Procedures
  • Forms (examples):
    • Notice of Privacy Practices
    • Consents
    • Authorization
    • Request for Restriction on Use or Disclosure
    • Request to inspect and copy PHI
    • Request to amend or correct PHI
    • Request to receive an accounting of uses and disclosures
    • Accounting of uses and disclosures of PHI
    • Complaint forms
  • Policies:
    • Notice of privacy practices
    • Minimum necessary use and disclosures
    • De-identification of health information
  • Other Policies:
    • Workforce training
    • Patient privacy compliance
    • Marketing
    • Release of information
    • Patient requests
    • Information access control
    • Disciplinary action
    • Media controls; access levels
    • Disaster recovery plan
    • Facility security plan
• Develop and implement a privacy training program
  • For existing employees, training must occur by April 14, 2003
  • For new employees, within a reasonable period after hire
• Monitor compliance on an on-going basis
HIPAA TRAINING
• Assess your own culture for the best learning opportunities.
• Key Questions:
  • Who gets trained on which aspects of HIPAA? Does everyone get trained on all of HIPAA or just parts?
  • When do we begin?
  • How will we conduct on-going training?
  • What form will training take?
  • How do we track who got what training?
WHAT DO I TRAIN?
• The Privacy Rule requires that a Covered Entity train all members of its workforce on its policies and procedures with respect to PHI, as necessary and appropriate to carry out their function with the Covered Entity
• Training must be scaled to the size of the office and workforce
  • No “one size fits all” solution
• All employees must understand the requirements of the Privacy Rule:
  • Rights of individuals
  • Duties and responsibilities of the BA
  • Impact of requirements on their day-to-day work
  • Policies and Procedures
  • Sanctions for violations
• Security Rule Training (train in conjunction with Privacy Training):
  • Password management
  • Physical access
  • Virus protection
  • Backup and disaster recovery procedure
  • Locking drawers, bins and files
  • Clean desk awareness
  • Faxes, printouts and reports
  • Visitor access to records area
PRIVACY TRAINING DEADLINES
• Existing Employees – before 4/14/03 – Policies and Procedures must be developed before training can begin
• New Hires – within a reasonable period of time after hire date
• On-Going Training – as changes to the law or to policies and procedures affect job function
HOW DO I TRAIN?
• Determine the best way to reach employees:
  • Classroom style
  • Audio conference
  • Web-based
  • Self-directed learning – manuals, videos, etc.
• Simple approach – distribute a manual, including Policies and Procedures, and distribute tips & FAQs, etc.
CONCLUSION
• Don’t Panic
• Resources are available:
  • Web sites
  • Seminars
  • Guide books (ADA, etc.)
  • Trade associations
• Remember: what is necessary for a large office may not apply to a smaller office