HIPAA Privacy and Security Requirements
What HIPAA requires staff to do to protect the privacy and safeguard the security of patient information

Program Content
• Overview of Privacy and Security
• A Hypothetical Case History
• Using and Sharing Information
• The Notice of Privacy Practices
• Authorization
• Privacy Accounting
• Patient Access to Health Information
• Information Security
• Wrap-up
HIPAA Privacy & Security – Section 1: Overview of Privacy and Security
How HIPAA views privacy and security … and threats to privacy and security

Privacy & Security Goals
• The goals of privacy:
  • Patient control over sharing of information
  • Disclosure of how information will be used
• The goals of security:
  • Information available to those who need it
  • Information not available to those who don’t

Key Concepts and Terms
• Protected Health Information
• Use and Disclosure
• Notice and Acknowledgement
• Authorization
• Business Associate
• Workforce
• Personal Representative
• Minimum necessary
Key Concepts and Terms: Protected Health Information
• General definition
  • Information that identifies an individual and describes his/her medical condition or treatment
• Specifically includes
  • Clinical information
  • Information on payment
  • Basic demographic information
    • Name, address, and telephone number
• Applies to written and electronic information

Key Concepts and Terms: Use and Disclosure
• Information is used by members of our workforce for
  • Collection of information by clinical staff
  • Review of patient charts by clinical staff
  • Completion of billing forms by clerical staff
  • Accounting and bookkeeping entries
• Information is disclosed when it is shared with others
  • Transmission of information to a health plan
  • Transmission of information to a billing service
  • Transmission of prescriptions to a pharmacy
  • Consultation with an independent provider
  • Reporting to government agencies

Key Concepts and Terms: Notice and Acknowledgement
• Notice of Privacy Practices
  • A statement given to each patient describing how the practice will use and disclose health information and outlining the patient’s rights under HIPAA
• Acknowledgement
  • Written documentation that the notice was provided to a patient, either signed by the patient or completed by a staff member explaining why the patient did not sign it

Key Concepts and Terms: Authorization
• Required for uses and disclosures other than for
  • Treatment
  • Payment
  • Health care operations
  • To comply with legal mandates
• Signed by the patient or the patient’s personal representative

Key Concepts and Terms: Workforce
• Members of the medical practice
• Employees of the medical practice
• Independent contractors we hire

Key Concepts and Terms: Business Associate
• An entity that performs services for the practice
• Examples:
  • Billing services
  • Accreditation agencies
• Must give satisfactory assurances

Key Concepts and Terms: Personal Representative
• A person who can act on behalf of the patient
• Must have legal authority to act on the patient’s behalf
• A personal representative may:
  • Acknowledge the Notice of Privacy Practices
  • Authorize use and disclosure of information
  • Request and receive an accounting of use and disclosure
  • Request amendment of health information
Key Concepts and Terms: Minimum Necessary
• HIPAA limits use and disclosure of protected health information to the ‘minimum necessary’ to accomplish an intended purpose
• Examples:
  • Any information requested for treatment
  • Any information in a standard transaction
  • Information required for an administrative task
  • Information specified in a request from
    • Law enforcement officials
    • Regulatory officials
    • A subpoena or court order
Quiz 1: Key Concepts
• Does protected health information include the patient’s name, address, and basic demographic information?
• Do privacy protections apply to both information recorded on paper and information stored electronically?
• Can a family member or close personal friend act as the representative of the patient?
• Is a business associate contract required only for those business associates who create or process protected health information?
HIPAA Privacy & Security – Section 2: A Hypothetical Case History
The privacy regulation in action: An overview

A Hypothetical Case History
• A patient calls for an appointment
• The patient arrives for first visit
• The patient is called by the nurse
• Care discussed with patient’s spouse
• Claim prepared and submitted to health plan
• Newsletter sent to practice’s patients
• Mailing list requested by local pharmacy
• Patient requests accounting of disclosures
• Patient asks for information from chart
• Patient requests correction of information
A Hypothetical Case History: Making an Appointment
• Collect basic patient information
  • Name
  • Telephone number
  • Health plan
• Information is protected
• Does not violate privacy rules
A Hypothetical Case History: Patient Arrival
• Patient is given the Notice
• Staff seek Acknowledgement of Notice

A Hypothetical Case History: In the Waiting Room
• Disclosure of limited information
  • Patient’s signature on “sign-in” sheet
  • Staff call patient from waiting area
• Does not violate privacy rules
A Hypothetical Case History: Discussion with Patient’s Spouse
• Information shared with family members
• Patient has opportunity to object
• Does not violate privacy rules

A Hypothetical Case History: Claim Submission
• Disclosure of information to health plan
• Does not require patient authorization
• Does not violate privacy rules

A Hypothetical Case History: Patient Newsletter
• Uses protected information
• Does not require authorization
• Does not violate privacy rules

A Hypothetical Case History: Mailing Lists
• Must have patient’s permission to sell or provide mailing lists to other organizations

A Hypothetical Case History: Accounting for Disclosures
• Must provide list of certain disclosures
• When requested by patient

A Hypothetical Case History: Copying Information from Chart
• Must allow patients to inspect charts
• Must provide copies when requested

A Hypothetical Case History: Correction of Information
• Patients may request ‘corrections’
• No obligation to make changes
• Must document request and any changes
HIPAA Privacy & Security – Section 3: Using & Sharing Information
Who can have what information and under what circumstances?

Overview
• Uses and disclosures that…
  • Do not require patient authorization
  • Require specific patient authorization
• Disclosures to family members
• Incidental disclosures
Authorization not needed for…
• Treatment of the patient
• Obtaining payment
• Our day-to-day operations
• Legally mandated reporting or disclosure
Authorization not needed: Use and Disclosure for Treatment
• Definition of treatment
  • Collection of information
  • Review of patient records and test results
  • Consultation with other providers
  • Referral to another provider
  • Transmitting information to other providers
• No restriction on information sharing

Authorization not needed: Use and Disclosure for Payment
• Definition of payment
  • Eligibility inquiries
  • Coverage determinations
  • Submission of claims
  • Claim status inquiries
  • Remittance of payment
  • Credit card and other payment methods
• Standard transaction data elements

Authorization not needed: Use and Disclosure for Operations
• Health Care Operations include:
  • Maintenance of medical records
  • Maintenance of accounting records
  • Quality assurance activities
  • Staff credentialing and performance evaluation
  • Conducting financial and management audits
  • Investigating complaints
  • Supporting legal activities
  • Resolving grievances
  • General business management
• Staff may use and disclose only the minimum necessary information

Authorization not needed: Legally Mandated Disclosures
• Police and Law Enforcement
• Public Health Reporting
  • Reportable infectious diseases
  • Vital events (birth and death)
• Abuse and Neglect Reporting
• Licensing and regulatory oversight
• Legal proceedings
Disclosures to Family Members
• Disclosure is permitted…
  • To spouses
  • To parents and legal guardians
  • To others involved in care
• Obtaining patient’s permission
  • When patient is able to object
  • When patient is not able to object
• Allows sharing of information related to the patient’s care

Incidental Disclosures
• Examples of incidental disclosure
  • An overheard conversation among staff members
  • An overheard discussion between staff and patients
  • An overheard telephone call to a patient
  • Test results being filed in patient records
• Incidental disclosures are permitted … but should be avoided
• Incidental disclosures need not be documented
• Try to minimize incidental disclosures!
  • Conduct discussions in private areas
  • Limit discussion when others are present
Quiz 2: Using & Sharing Information
• Are there any limits on the use or disclosure of patient information for the purpose of treatment?
• Does a patient have to authorize the disclosure of information to a health plan?
• Does a patient have to authorize disclosure of information to law enforcement agencies?
• Does HIPAA prevent us from complying with state-mandated disease reporting, e.g., for infectious diseases?
• Can we use patient information for any purpose without obtaining the patient’s authorization?
HIPAA Privacy & Security – Section 4: Notice of Privacy Practices
Helping patients understand how their information will be used – and how their privacy is protected

What the Notice Tells Patients
• How their information will be used
• With whom their information will be shared
• When an authorization is needed
• How to request an accounting of uses and disclosures
• How to request access to information
• How to request changes in information

Review of the Notice
• Uses and disclosures that don’t require authorization
  • Treatment
  • Payment
  • Health care operations
  • Legally mandated disclosures
• Patient rights
  • Request restrictions on use and disclosure
  • Request confidential communications
  • Obtain an accounting of uses and disclosures
  • Review protected health information
  • Request changes to information

Providing the Notice to Patients
• Responsibility of receptionist
• Provide during first patient visit
• Review key provisions
• Discuss and resolve requests for…
  • Restrictions on use and disclosure
  • Confidential communications

Acknowledgement by Patient
• Staff must try to obtain acknowledgement
  • Documents that notice was given
  • Required on first visit only
  • Obtain prior to treatment
• Use of acknowledgement form
  • Patient signature and date
  • Document attempt if patient can’t acknowledge
  • Emergency treatment exception
• Patient gets a copy of the acknowledgement
• Original filed with patient record

Quiz 3: Notice of Privacy Practices
• Does a patient have to be given a Notice prior to treatment?
• Does a patient have to be given a Notice on each visit?
• Does the patient have to sign the acknowledgement of the Notice?
• Do staff have to document a patient’s inability or refusal to sign an acknowledgement of the Notice?
• Can a patient restrict use and disclosure of protected health information?
HIPAA Privacy & Security – Section 5: Authorization
Using and disclosing information for purposes not covered by the notice

When is authorization needed?
• Medical/clinical research
  • Investigational treatment
  • Research protocols
  • Exception for “de-identified” data
• Marketing
  • Promoting third-party products/services
  • Providing mailing lists to others
• Other uses and disclosures except
  • For treatment, payment, health care operations
  • To comply with legal mandates
Content of Authorization
• Authorization must…
  • Identify the information to be used or disclosed
  • Identify users/persons to whom disclosed
  • Identify purposes of use or disclosure
  • Note the potential for redisclosure
• Conditioning treatment on authorization
  • Treatment available only to research subjects
  • Treatment requested by the patient for disclosure
• Authorization may be signed by…
  • Patient, or
  • Patient representative
Obtaining Authorization
• Review authorization form with patient
  • What information will be used
  • What the information will be used for
  • Who will use the information
  • Note the potential for re-disclosure
• Obtain patient/representative signature
• File authorization form in records

Quiz 4: Authorization
• Is an authorization needed if a patient has signed a consent to participate in a research program?
• Does an authorization have to specify the information to be disclosed and the purpose of the disclosure?
• Does an authorization have to identify who will use or receive the information?
• Does a patient have to authorize disclosure of a camp or school physical?
• Can a patient be denied care if he or she doesn’t authorize use or disclosure of information in a research study?
• Does a patient have to authorize disclosure of information to himself or herself or to a spouse?
HIPAA Privacy & Security – Section 6: Privacy Accounting
Informing patients of certain uses and disclosures of protected health information

Recording Uses/Disclosures
• The goal of the accounting
  • Let patients know who has received their information – and why
  • Facilitate amendment/correction when erroneous information has been disclosed
• Does not require tracking of…
  • Uses and disclosures for purposes of treatment, payment, and health care operations
  • Uses and disclosures covered by an authorization
• Bottom line: only requires tracking and disclosure of…
  • Legally mandated disclosures
  • Unauthorized disclosures
Requesting an Accounting
• Patients submit an accounting request
• Fees for accounting
  • No charge for first accounting
  • May charge for second and subsequent accountings in a 12-month period