260 likes | 415 Views
HIPAA PRIVACY RULE: AN OVERVIEW GUIDE FOR BUSINESSES. Written by PRIYAL PARMAR 7557 Rambler Road, Suite 1465 Dallas, Texas 75231 (214) 891-5960 (214) 891-5966 – Facsimile pparmar@owenfazio.com. INTRODUCTION.
E N D
HIPAA PRIVACY RULE: AN OVERVIEW GUIDE FOR BUSINESSES Written by PRIYAL PARMAR 7557 Rambler Road, Suite 1465 Dallas, Texas 75231 (214) 891-5960 (214) 891-5966 – Facsimile pparmar@owenfazio.com
INTRODUCTION HIPAA was enacted on August 21, 1996 as a set of basic national privacy standards and fair information practices to protect the privacy of the health information of consumers, and to protect an individual’s right to access and control the use of personal health information (PHI) This presentation provides a summary of the HIPAA Privacy rule. The goal of this presentation is to provide a guideline that businesses can use to ensure compliance with HIPAA. This information is not exhaustive and the attorneys at Owen & Fazio, P.C. can provide more detailed guidance upon request.
WHO HAS TO COMPLY WITH HIPAA? • Covered entities – This includes: • All health plans – individual or group health plan that provides, or pays the cost of, medical care (includes health insurers) • A health plan that has >50 participants is automatically a covered entity • An entity is not considered to be a health plan for Hipaa purposes if: • It falls under the Public Health Service Act • It provides incidental health care services • All health care clearing houses – any public or private entity that processes (or facilitates the processing) of health information received from another entity in a non standard format • Health care providers – provide medical and health services and any person or organization that furnishes, bills, or is paid for health care services or supplies in the normal course of business • Those health care providers that transmit health information in electronic form in connection with a standard transaction • Examples of standard transactions: eligibility request, claim submission, claim status inquiry, claim payment, referral request, medical services authorization
WHAT IS COVERED? Protected Health Information (PHI) – Information that: • Relates to the past, present, or future physical or mental health or condition of an individual, OR • Relates to the provision of health care to an individual, OR • Relates to the past, present, or future payment for health care, AND • Is individually identifiable, AND • Is transmitted by electronic media, maintained in any medium described in the definition of electronic media or transmitted or maintained in any other form or medium. What is excluded from PHI? • PHI in education records covered by Family Educational Right and Privacy Act - FERPA • Employment records held by the covered entity in its role as an employer • De-identified information. This can be accomplished by using two methods: • MIT method – qualified people use statistics and scientific methods to show that there is a very small risk that the information could be used by others to identify a subject of the information. • Safe-harbor method – remove all of the 18 enumerated identifiers
USES AND DISCLOSURES • Those that require no patient permission • Treatment • Payment • Health care operations • Public policy activities • Those that require patient’s oral agreement • Directory information – name, location, general condition, religious affiliation • Disclosures to persons involved in the individual’s care or payment of care • Disclosure to family members of the patient’s general condition and death for the purpose of notification • Those that require patient’s written authorization • Disclosure of psychotherapy notes • Disclosure for marketing purposes
REQUIRED ELEMENTS OF A WRITTEN AUTHORIZATION • Specific description of the information to be disclosed • Specific identification of the covered entity authorized to make the use or disclosure • Specific identification of the person(s) to whom the covered entity may make disclosure • Specific description of each purpose • Expiration date or event • Signature of the individual • Date • Information regarding right to revoke the authorization and the exceptions to it • Ability or inability of the covered entity to condition treatment, payment, enrollment in the health plan, or eligibility for benefits, on the authorization • Potential for the information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient • NOTE: • The authorization must be written in plain language • Covered entity must provide the individual with a copy of the signed authorization • Covered entity must retain a copy of the signed authorization for itself • The authorization is considered defective if: • Expiration date has passed • It is not filled out completely • It is known to be revoked • It contains false material
REQUIRED DISCLOSURES • Must be disclosed: • When individual requests his/her own PHI • When the Department of Health and Human Services (DHHS) requests the PHI to investigate a covered entity’s compliance with HIPAA
MINIMUM NECESSARY RULE • Covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request • If it is a routine disclosure, the covered entity is required to implement policies and procedures to restrict such disclosures to the minimum necessary standard
INDIVIDUAL RIGHTSRight to Receive Notice • Purpose – to notify individual about protections of health information by the covered entity • Must post notice in a conspicuous place where patients are likely to look. Ex: payment window • Must also keep copies for patients to take • If the covered entity has a website, the notice must be posted on the website as well • Note: The next 5 slides explore the Right to Receive Notice in more detail
What are the components of the notice? • It must contain a statement that additional uses and disclosures require written authorization • It must clearly outline the covered entities legal duties with respect to the information • It must give instructions on how to file a complaint with the Department of Health and Human Services if the individual feels that his/her privacy rights have been violated
Who must give notice? • Any health care provider with a direct treatment (not indirect) relationship with the individual must give notice • Indirect treatment relationship – when a health care provider delivers health care to the individual based on the orders of another health care provider and the health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual • Ex: radiologists, pathologists, clinical laboratories • Health care clearing houses, correctional institutions, and group health plans that provide benefits through health maintenance organization (HMO) contracts are not required to give notice, but must provide one upon request by an individual • Affiliated covered entities under common ownership or control may designate themselves as one single entity and produce a single notice
When must notice be given? • At the time of enrollment of new client or time of first service delivery • Within 60 days of making a material revision to the notice • Any time patient requests a notice • A health plan should remind enrollees about how to obtain a copy of the notice at least once every 3 years.
Who must the notice be given to? • EACH ENROLLEE, NOT each covered spouse or dependent
Acknowledgment • Once notice is given, a covered entity should obtain a written acknowledgement by either: • Signature on the notice • Initials on the notice cover sheet • Signature on a separate list • If covered entity is unable to obtain acknowledgement, it must document its good faith attempts to obtain it and reason(s) why it was not obtained
Patients have right to inspect and copy their PHI in a designated record set (group of records maintained by or for a covered entity that are medical records, billing records, enrollment, payment, claims adjudication, case management record systems or records used by covered entities to make decisions about individuals) Exceptions Psychotherapy notes Information in anticipation of legal proceedings PHI that is subject to Clinical Laboratory Improvement Amendments (CLIA) to the extent the provision of access to the individual would be prohibited by law or exempt from CLIA Covered entity must comply in a timely manner, usually 30 days For records not maintained on site, covered entity has 60 days to comply A one time extension of 30 days is allowed, but covered entity must give individual the need and the reason(s) for the extension. Covered entity must have a procedure in place to challenge denial of access Two situations when access can be denied and no appeal is available: Inmates of a correctional institution Research participants, but only until research is completed. If access is denied, individual must receive a written explanation of the basis for denial. It should be easy to understand and inform of any existing appeal rights. It must also alert the individual of the availability of the right to complain to the covered entity or the DHHS. RIGHT TO ACCESS PHI
RIGHT TO AMEND PHI • Individuals have the right to amend incorrect or incomplete PHI • A covered entity must respond timely to the request for amendment within 30 to 60 days
RIGHT TO AN ACCOUNTING OF DISCLOSURES OF PHI • Individuals have the right to receive an accounting of disclosures of PHI made by a covered entity in the 6 years prior to the date on which the accounting is requested. • Accounting must include: • Date of disclosure • Name of the entity or person who received the PHI and address if known • Brief description of PHI disclosed • Brief statement of the purpose of the disclosure • Exceptions to the right to receive an accounting: • To individuals or their personal representatives for treatment, payment, or healthcare operations • For national security or intelligence reasons • For a facility’s directory • PHI made prior to the April 14, 2003 compliance deadline • Pursuant to an authorization • To correctional institutions or law enforcement officials • Incident to a use or disclosure otherwise permitted or required by this subpart • Covered entity must act on the request within 60 days • The first accounting in a 12 month period is free but subsequent requests may be charged a reasonable cost-based fee
APPOINTMENT OF PRIVACY OFFICER • A covered entity must appoint a privacy officer who is in charge of developing and implementing policies and procedures • It must also designate a person/office for receiving complaints
WORKFORCE TRAINING • All members of the workforce must be trained by the compliance date • New members must be trained within a reasonable time • If material changes are made, all workforce members affected by the change must be trained within a reasonable time.
PENALTIES AND ENFORCEMENT • Individuals can lodge complaints with the attorney general, state insurance commissioner, state medical board or the United States Department of Health and Human Services (DHHS) Office for Civil Rights • DHHS can impose civil penalties between $100,000 to $250,000 • Civil penalties can only be imposed for willful violations • If a reasonable cause is found, no penalties are given as long as the covered entity corrects the non-compliance within 30 days • Civil penalties cannot be imposed if criminal penalties have already been imposed • Criminal penalties • Knowing violations of HIPAA = $50,000 or less and/or 1 year or less in prison • Using false pretenses to violate HIPAA = $100,000 or less and/or 5 years or less in prison • Intent to gain personally or commercially or with intent to cause malicious harm by the misuse of IIHI = $250,000 or less and/or 10 years or less in prison.
COMPLIANCE DATES • Health care providers, health care clearinghouses, and health plans must comply by April 14, 2003 • Small health plans must comply by April 14, 2004
BUSINESS ASSOCIATES • A person or organization outside the covered entity that performs, or assists in the performance of, function and activities of HIPAA. Ex: legal, actuarial, accounting, etc. • HIPAA does not apply directly to a business associate, but may apply to them indirectly if there is a business associate agreement • A business associate agreement is a contract between a covered entity and a business associate and must contain the following required elements: • Establish permitted uses and disclosures • State that the business associate will not use information for further uses and disclosures not in the agreement • State that the business associate will use appropriate safeguards to prevent the use or disclosure of information other than as provided by the contract • The business associate will report to the covered entity regarding any use or disclosure not in the agreement • Business associate must agree to get all of its subcontractors to comply with the business associate agreement • Business associate must make PHI available for inspection and copying • Business associate must make PHI available for amendment • Business associate must make its records available to the Secretary of DHHS to check the covered entity’s compliance with HIPAA • Business associate must agree to return or destroy all information at the end of the contract if feasible to do so • Agreement must establish that the covered entity can terminate the contract with the business associate for any violations
STATE PREEMPTION • HIPAA preempts any state law unless the state law is more stringent.
HIPAA WEB SITES • Association of American Medical Colleges, www.aamc.org • American Health Information Management Association, www.ahima.org/journal • Department of Health and Human Services, www.aspe.dhhs.gov • Health Privacy Project, www.healthprivacy.org • United States Department of Health and Human Services, www.hhs.gov/news/facts/privacy.html • Phoenix Health Systems HIPAAdvisory, www.hipaadvisory.com
REFERENCES • Alex Bednar, HIPAA Implications for Attorney-Client Privilege, St. Mary’s University Law Journal, 35 St. Mary’s L. J. 871 (2004) • Texas Administrative Agencies Tackle Compliance with the Health Insurance Portability and Accountability Act’s Privacy Rule, Texas Tech Journal of Texas Administrative Law, 5 Tex. Tech J. Tex. Admin. L. 87 (2004) • Nancy A. Lawson, Jennifer M. Orr and Doedy Sheehan Klar, The HIPAA Privacy Rule: An Overview of Compliance Initiatives and Requirements, Defense Counsel Journal, 70 Def. Couns. J. 127 (2003) • Department of Health and Human Services, www.aspe.dhhs.gov • Health Privacy Project, www.healthprivacy.org • United States Department of Health and Human Services, www.hhs.gov/news/facts/privacy.html • 45 C.F.R. 160 and 164