
HIPAA Privacy and Media

HIPAA Privacy and Media. Ed Goldman, J.D. Health System Legal office May 12, 2003. It’s HIPAA Not HIPPO! HIPPA (NO, it’s HIPAA!) stands for: Help Impoverished Plaintiff Attorneys Aggrandize? No because there is no private right of action.


Presentation Transcript


  1. HIPAA Privacy and Media Ed Goldman, J.D. Health System Legal office May 12, 2003

  2. It’s HIPAA Not HIPPO! • HIPPA (NO, it’s HIPAA!) stands for: • Help Impoverished Plaintiff Attorneys Aggrandize? No because there is no private right of action. • Help Improve Privacy Across America? Yes because it’s a Federal regulation designed to establish one set of rules for privacy.

  3. Background • HIPAA (Health Insurance Portability and Accountability Act of 1996) • Administrative Simplification Section: Purpose is to standardize electronic transmission of health data. • Includes: Provider/Employer Identifiers (pending); Electronic Transactions (09/16/03); Security (04/21/05); e signature (10/01/00) and Privacy (04/14/03).

  4. Philosophy • “A journey of a thousand miles must begin with a single step.” -Chinese Proverb

  5. New Philosophy • “A journey to protect the privacy and security of protected health information must begin with a single step, a dedicated committee and a lot of money.” • -HIPAA Proverb

  6. Important Dates • HIPAA Privacy regulations were final 04/14/01 and effective 04/14/03. • HIPAA Security regulations are effective 04/21/05. • HHS can modify once per year. Last modification was 08/02.

  7. Overview • Regulations. Apply to Covered Entities (CE): • 1. Health Plans-provide or pay for health care including HMO’s, benefit plans. • 2. Health Care Clearinghouses • 3. Health Care providers who transmit any health information in electronic form.

  8. Overview • Regulations cover: Individually identifiable health/billing information. AKA: Protected Health Information (PHI): • Information kept in any form (oral, written, electronic) created or received by CE relating to a person’s physical/mental health or payment for health care. Covers both living and deceased patients.

  9. Overview • Regulations also include: Business Associates (BA): Non-employees who, on behalf of a CE, perform a service involving PHI. Ex: Claim processing; record copy; malpractice defense; audit; consulting; software development; quality assurance. • Included entities: NCQA; UHC; JCAHO; non-covered portions of UM

  10. Preemption of State Law • State law is preempted except if: • HHS determines it serves to prevent fraud or serve a compelling State interest, • it is “more stringent” (provides more privacy protection), • it is a disease reporting law, • it is a State audit/licensing law.

  11. Enforcement • Patients can file complaints with the HHS Office of Civil Rights (www.hhs.gov/ocr/hipaa) • CE must keep records and allow HHS access to audit • Civil fines: $100/violation • Criminal fines: $250,000/up to 10 years (Disclosure for commercial purposes)

  12. The Privacy Rule • Rule: CE cannot disclose PHI except: • to the patient • with a general consent to the treatment team (Emergency exception) • as specifically authorized by the patient • as required by law • in a directory (if follow the rules) and allow for opt-out

  13. The “Minimum Necessary” Rule • Disclosure must be limited to the “minimum necessary to accomplish the intended purpose” except all PHI can be disclosed to treatment team and to patient and to HHS for audit or as required by law. • NOTE: De-identified information (removal of 19 elements) is not PHI.

  14. Elements of the Regulation • 1. Notice of Privacy Rights • 2. General acknowledgement for treatment, payment, health care operations • 3. Specific authorizations • 4. Exceptions for required reporting • 5. Patient access, amendment and audit rights • 6. Privacy officer and administrative rules

  15. Notice of Privacy Rights • Must be provided to all patients (except emergency). • Must include all the rules with examples of uses of PHI. • Must have person to contact for complaints. • Lots of specific requirements. • Posted at: med.umich.edu/hipaa.

  16. General Acknowledgement • Must be signed prior to rendering treatment, payment, health care operations (TPO). • Health care operations include: • QA • Credentialing • Compliance; business planning • Education of students, trainees, workforce (but not research)

  17. Specific Authorizations • Required for all disclosures for any other purposes (research, disclosure to 3rd party, release of “psychotherapy notes”, etc.) • Care cannot be conditioned on obtaining an authorization (exception for research coupled with treatment or enrollment in health care plan)

  18. Required Reporting • Disclosures required by law (child abuse, FDA, product recalls, communicable diseases) • To employer for workers comp with written notice to employee • In response to a Court order • For law enforcement purposes • To Coroner, funeral directors, organ donation.

  19. Patient 3A’s Rights • Patient may access PHI, obtain copy (for fee) • Patient may request amendments and Facility needs a process to review request • Patient may (for 6 years) request and obtain an accounting of all persons who have seen the patient’s PHI for other than TPO. • Therefore, CE needs a reliable audit system.

  20. Disclosure to Business Associates • Only pursuant to a written agreement with assurances of protection and no re-disclosure. • PHI returned or destroyed at end of contract • Rules have lots of specific requirements for the contract.

  21. Facility Directories • Patient’s name, location, condition in general terms can be provided IF Notice says so and IF patient has opportunity to restrict/prohibit use (opt out) Except: Emergency. • Family, close personal friends, press (if they ask by name), clergy or those identified by the patient can have this information.

  22. What to Tell the Press? • Except if the patient has been notified and has objected the CE can, upon request with patient name, disclose: • 1. Patient name • 2. Location • 3. Condition in general terms that do not communicate specific medical information

  23. Marketing/Fundraising • Marketing: Need Authorization except if: face to face encounter for products of nominal value which may be useful to patient and any financial remuneration to CE is disclosed, or description of UMHS services. • Fundraising: Need Authorization except if fundraising for CE only and use only demographic information or service dates.

  24. Examples • General newsletter OK • General mailing to all patients OK • If CE wants to target all cancer patients then a specific Authorization is needed because CE will need to look at information about the patients’ specific disease. • Fundraising/marketing need opt-out.

  25. Referring Physicians • If part of the treatment team then full PHI can be shared pursuant to the Notice of Privacy. • If referral with no expectation of providing further care to the patient then written authorization from patient required to disclose information.

  26. Administrative Rules • CE must: • designate a Privacy Officer • establish a complaint office • have safeguards for PHI protection • train staff • document complaints • create contracts with BA’s

  27. Administrative Rules 2 • Discipline workforce members who violate the rules • mitigate any harmful effects of disclosure • refrain from intimidation of patients who exercise their rights under the regulations • allow access to HHS for audit • Create amendment/audit system

  28. “How Can PR help?” • UMHS will need editing and website help. See website at med.umich.edu/hipaa • Also need publications/publicity about the new regulation. • And, any other help you can think of will be cheerfully accepted!

  29. Where to Find Out More? • http://aspe.os.dhhs.gov/admnsimp gets you to the administrative simplification page. • www.hhs.gov/ocr/hipaa gets you to the Office of Civil Rights page with lots of current information. • www.epicurious.com gets you to some great food.

  30. Question and Answer • Currently most useful answer is: These regulations are complex and evolving but the institution must comply for the benefit of our patients. For media we must be sure to protect privacy. No use of images without permission. No disclosure of PHI without full compliance with the regulations.
