HIPAA PRIVACY TRAINING THE UNIVERSITY OF ALABAMA
What is HIPAA?
• The Health Insurance Portability and Accountability Act
• Law passed to ease the movement of healthcare data between providers.
• Places new restrictions on disclosure of “protected health information” (PHI) that will impact the University of Alabama.

UA is a “hybrid entity” – having several health care components under HIPAA.
• HIPAA applies to UA’s “Health Care Components”: Capstone Medical Center, Brewer-Porch, the Speech & Hearing Clinic, Nursing Clinic, and UA’s Group Health Insurance and other health plans.
• It also applies to administrative departments, like the Legal Office and Auditing, Privacy Officer, etc., supporting any of these Health Care Components.

UA will have one common approach to compliance
• One approach to HIPAA compliance, but each health care component will have its own policies and procedures to ensure the privacy of PHI.
HIPAA establishes rules for privacy, security, and electronic transmission of data. This training focuses on privacy.
• For UA’s health care providers, the Privacy Rule:
  • Sets boundaries on the way providers use and release protected health information (PHI);
  • Establishes safeguards that we must achieve to protect the privacy of PHI;
  • Provides for adverse consequences, including fines and jail sentences, for failure to comply.

What is “protected health information” (PHI)?
• PHI is any information, including demographic information, that is TRANSMITTED or MAINTAINED in any MEDIUM (electronic, paper, or spoken word) that is created or received by a health care provider, health plan, or health care clearinghouse and that relates to or describes the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or future payment for the provision of healthcare to the individual.

Some records are not PHI:
• Student records that fall under the Family Educational Rights and Privacy Act (FERPA).
• Medical records, exempt from FERPA, of students 18 or over or attending UA, that are made or maintained by a health care provider and used only to treat the student and disclosed only to individuals providing the treatment.
• The University’s Employment Records.
Possible Criminal Penalties for the Employee:
• Wrongfully accessing or disclosing PHI: fines up to $50,000 and up to 1 year in prison.
• Obtaining PHI under false pretenses: fines up to $100,000 and up to 5 years in prison.
• Wrongfully using PHI for a commercial activity: fines up to $250,000 and up to 10 years in prison.

Possible Civil Penalties for the University:
• Up to $100 per violation.
• Each name in a data set can be a violation.
• Not to exceed $25,000 per year.
• AND – civil monetary damages may be available to patients who win state tort claims, such as breach of privacy.

General Rule for Use & Disclosure of PHI
• A covered entity can always use and disclose PHI for any purpose if it gets the person’s written authorization.
• HIPAA requires certain components to be in the authorization in order for it to be valid.
• There are many exceptions to the requirement for authorization.
Exceptions:
• No authorization is needed for Treatment, Payment and Healthcare Operations (TPO).
• PHI (except psychotherapy notes) may be used/disclosed for the covered entity’s own TPO.
• PHI may be disclosed to other covered entities or a health care provider for the payment activities of the entity that receives the information, such as an ambulance company.
• PHI may be disclosed to another covered entity or health care provider for its health care operations, under limited circumstances.

No authorization is required to disclose to Business Associates
• PHI may be disclosed to a Business Associate if the Covered Entity has executed a Business Associate Agreement with the Business Associate.
• Each UA Health Care Provider identifies who its Business Associates are.
No authorization is needed to disclose PHI:
• When required (not merely permitted) by law;
• To Public Health/Legal Authorities charged with preventing and controlling disease, disability or injury;
• To the FDA to ensure quality, safety, or effectiveness of FDA-regulated products;

And:
• To persons who may have been exposed to a communicable disease or may be at risk of contracting or spreading a disease;
• To entities charged with overseeing victims of abuse, neglect or domestic violence, consistent with reporting obligations;
• To a health oversight agency for activities authorized by law (gov’t. licensing or accreditation agencies);

And:
• In response to a Court order;
• In response to a subpoena that meets certain requirements (always check with the Legal Office);
• To law enforcement officials seeking to identify a suspect, witness, or victim of a crime;
• To coroners/medical examiners/funeral directors to identify a deceased person or determine a cause of death;
• To organizations handling organ, eye or tissue donation;

And:
• To prevent/lessen a serious and imminent threat to the health and safety of patients or others;
• To military command authorities and federal officials for intelligence and national security activities;
• To comply with workers’ compensation laws;
• For facility directories, if the patient is asked for by name;
• To individuals involved in the patient’s care or payment;
• To persons involved in disaster relief.
HIPAA requires UA’s health care providers to:
• Provide Notice to individuals of information practices.
• Use Authorization Forms.
• Control access.
• Account for uses and disclosures.
• Manage complaints.
• Have a privacy officer.
• Conduct training.
• Provide sanctions.
• Develop Business Associate Agreements.
• Have policies and procedures.

Under HIPAA, patients have the right to:
• Receive Notice of Health Information Practices.
• Authorize use of their data.
• Request access to their data.
• Request an accounting of the uses and disclosures of their data.
• Request amendments and corrections to their data.
• Request restrictions on use of data.
• File a complaint.
UA must meet the minimum necessary standard
• Providers should disclose or use only the minimum necessary amount of PHI in order to do their jobs.
• Minimum necessary does not apply to:
  1. Disclosures used for treatment;
  2. Disclosures to the individual who is the subject of the disclosure;
  3. Uses and disclosures when a valid HIPAA authorization is signed;
  4. Uses and disclosures required by law;
  5. Disclosures to HHS.

Incidental disclosures are permitted if:
• They cannot be reasonably prevented;
• They are limited in nature;
• They are a by-product of otherwise permitted use; and
• The Covered Entity has established “reasonable safeguards” to ensure only necessary information is disclosed.

Incidental Uses and Disclosures Include:
• Waiting room sign-in sheets
• Patient charts at bedside
• Physician conversations with patients in a semi-private room
• Physicians conferring at nurses’ stations
What HIPAA did not change:
• Family and friends can still pick up prescriptions for sick people.
• Physicians and Nurses do not have to whisper.
• State laws still govern the disclosure of minors’ health information to parents. (A minor is under the age of 19 in Alabama.)

UA’s covered health care providers are required to have and use:
1. Notice of Privacy Practices
2. Authorization Forms
3. Accounting for Disclosures
4. Business Associate Agreements
UA has developed template forms and policies for health care components.
1. Notice of Privacy Practices
• Notice of the patient’s rights with respect to PHI and UA’s privacy practices.
• Providers must make a good faith effort to obtain the patient’s written acknowledgement at the time of receipt of the Notice of Privacy Practices, except in emergency circumstances.
• Each patient must receive a Notice of Privacy Practices no later than the date of first service delivery.

The Notice of Privacy Practices:
• Must list each type of disclosure that may be made by the covered entity and distinguish between those that are made pursuant to law and those that are not.

2. The Authorization Form
• An Authorization Form is required for the use and disclosure of PHI for business-related purposes other than Treatment, Payment, and Operations and other than the permitted exceptions.
• Authorizations are always required to disclose psychotherapy notes, in order to give psychotherapy notes stronger protections.

Psychotherapy Notes
• Must be kept separately from the patient’s medical record.
• Consist of the “process notes” that the therapist makes about counseling sessions.
• Do not include summary information used for treatment, such as symptoms, summary notes, diagnosis, and medications.
Authorization Required for Marketing
• UA is prohibited from using or disclosing PHI for marketing purposes without the patient’s express authorization.
• UA is prohibited from selling patient lists to third parties.
• UA CAN talk with patients about our treatment options, and have common health care communication about wellness, prescription refill reminders, therapies, and appointment notifications without an authorization.

Authorization for Marketing:
• Must disclose if UA is receiving benefits or payment from any third party receiving the patient’s information.

3. Accounting For Disclosures
• Individuals have the right to receive an accounting of disclosures of PHI made by UA, except for:
  - Disclosures made to carry out Treatment, Payment, and health care Operations;
  - PHI provided to the patient about themselves;
  - PHI disclosed to family members or friends involved in a patient’s care;
  - Disclosures made pursuant to an authorization.
• UA has designed forms for tracking disclosures.

4. Business Associate Agreements
• Business Associates perform specific tasks involving the use/disclosure of PHI on our behalf, such as billing, legal services, and accreditation.
• UA must have a written agreement with Business Associates specifying the purpose for which PHI will be used or disclosed.
• UA must be able to account for these disclosures to BAs, and the BA must be able to track disclosures.
• UA has a BAA Template. If we are the BA, use our BA form, or one similar.
HIPAA will put new requirements on research:
• If you work for a Health Care Provider under HIPAA, do not release PHI for research unless:
  - The patient has signed a valid HIPAA authorization; or
  - The IRB at UA has approved a waiver of authorization; or
  - The IRB agrees that an exception applies.
• Separate training on HIPAA & Research is available through the Privacy Office.

Security Requirements
• Must have appropriate administrative, technical and physical safeguards to protect the privacy of PHI.
• Must control access to information.
• Do not leave printed documents where unauthorized persons can see them.
• Position computer screens so they cannot be seen by unauthorized persons.
• Do not share your password.
• Report suspected or known breaches of confidentiality to your Privacy Officer.
• New Security Regulations have been issued. Compliance is required by 2005.

Where can I find out more about HIPAA?
• The Privacy Officer in each health care component.
• The UA Privacy Officer: Dr. John Dew, 348-9831, jdew@aalan.ua.edu
• www.hipaa.ua.edu