Learn about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its history, regulations, fraud cases, and administrative simplification rules. Understand the purpose, compliance, and impact of HIPAA on healthcare data security.
HIPAA: How to HIPAA
Health Insurance Portability & Accountability Act of 1996
Presented by: Jeniece Poole, U of A Privacy Officer

HIPAA Privacy & Research
Understanding YOUR responsibilities
Why Was HIPAA Created?
• To establish minimum federal standards for safeguarding the privacy of individually identifiable health information

The History of HIPAA
• The regulation has 3 areas of focus:
• Portability of and access to health benefits
• Preventing fraud and abuse
• Administrative simplification
OIG Sanctions: Teaching Hospital Physicians’ Fraud
• A four-year investigation into billing practices in the University of Washington Medical System ended with the University's physician practice plans agreeing to pay $35 million in restitution, damages and penalties to the state and federal governments for overbilling Medicare and Medicaid. This FCA settlement is the largest ever paid by a practice group related to a teaching hospital for failing to comply with federal billing regulations. As a result of the investigation, two University physicians were convicted of criminal charges in connection with the fraud, and a former University neurosurgeon pleaded guilty to obstruction of a federal criminal health care investigation. In addition, a University-affiliated nephrologist pleaded guilty to health care billing fraud and admitted engaging in fraudulent conduct spanning approximately 11 years, during which the defendant wrote notes in patients’ dialysis records indicating that he was present when he was not.

Clinical Laboratory Fraud
• The owner of a medical testing laboratory, extradited from the Philippines, pleaded guilty to defrauding the Medicare program by submitting bills for blood testing that was never performed. The owner admitted the lab submitted fraudulent bills to the Medicare and Medicaid programs for tests for RBC Protoporphyrin (a test that detects iron deficiency and lead poisoning), Thin Layer Chromatography (a test used to detect drug metabolites), and several more specialty blood tests. The laboratory did not have the ability to perform these tests. In the course of seventeen months, the lab submitted approximately $2.2 million in fraudulent bills. Medicare paid approximately $1.3 million of those claims.
HIPAA, aka the Administrative Simplification Rule
• Includes:
• EDI (Electronic Data Interchange)
• Privacy
• Security
• Unique Identifiers

PURPOSE OF ADMINISTRATIVE SIMPLIFICATION
• Protect the privacy and security of health information
• Define standards for electronic submissions
• Improve efficiency and effectiveness of the healthcare system

PURPOSE
• Compliance with the rule involves implementation by a covered entity of policies and procedures to ensure the confidential use and disclosure of protected health information by all staff

PURPOSE
• Protect the confidentiality and security of health information as it is used, disclosed and electronically transmitted
• Create a framework, using standardized formats, for transmitting electronic health information more efficiently
What Happened before HIPAA
• Various state laws applied
• No consistent rules
• Most states had privacy regulations
• Few states had financial resources to enforce strict compliance with regulations
• Arizona law for privacy and medical record safekeeping is over 150 years old

Regulatory Agencies
• Health and Human Services (HHS)
• Office of Civil Rights (OCR)
• Office for Human Research Protections (OHRP)
• Agency for Healthcare Research and Quality (AHRQ)
• Centers for Disease Control and Prevention (CDC)
• National Institutes of Health (NIH)
• Food and Drug Administration (FDA)
THE PRIVACY RULE
• Assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote quality health care and to protect the public’s health and well-being
• The rule attempts to balance the important uses of information with the protection of the privacy of people who seek care and treatment

Privacy (effective 04/14/03)
• Requires Covered Entities to safeguard patient health care information
• Covered Entities are defined as:
• Health Care Providers
• Health Care Plans
• Health Care Clearinghouses

EDI (effective 10/16/03)
• Electronic transmission of healthcare data transferred or received
• Most commonly used for claims processing and payment
• Reduction in paper transactions
• Reduces risk of lost paper documents

Security Regulations (effective 04/21/05)
• Electronic data integrity and confidentiality
• Access only to authorized individuals
• Availability of information

Security and Privacy Rule Distinctions
• Inextricably linked
• Protection of the privacy of the information depends on the security measures that protect the information
• The Security Rule applies to information in electronic form
• The Privacy Rule applies to information in any form

Who Must Comply with HIPAA?
• Health Plans
• Health Care Clearinghouses
• Health Care Providers that transmit information electronically in connection with a HIPAA “standard transaction”
• Researchers are not covered entities unless they are covered health care providers or are employed by covered entities
What is patient health care information?
• Individually Identifiable Health Information (IIHI)
• Protected Health Information (PHI)
• Relates to the past, present or future physical or mental health condition of an individual

Personal Identifiers
• This information can be in various forms and must be protected:
• Electronic
• Paper
• Oral

What are Personal Identifiers?
• names
• geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial five digits of a zip code to 000
• all elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89
• telephone numbers
• fax numbers
• electronic mail addresses
• social security numbers
• medical record numbers

More Personal Identifiers
• health plan beneficiary numbers
• account numbers
• certificate/license numbers
• vehicle identifiers and serial numbers, including license plate numbers
• device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• biometric identifiers, including finger or voice prints
• full face photographic images and any comparable images
• internet protocol (IP) address numbers
• any other unique identifying number, characteristic or code
What is Research?
• Research is defined as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge”
• Distinguish from quality assurance
• Distinguish from public health activities

Impact of HIPAA on Research
• Confusion!!
• Potential reduction in health care providers willing to share PHI for research
• Places additional burden on IRBs

Research and HIPAA
• This rule applies to health care providers, including researchers when they provide health care (e.g., in a clinical trial)
• Even if researchers do not provide health care, they must abide by the rule
• The definition of “protected health information” includes information relevant to the provision of health care as well as information generated in the context of clinical research
• Although some research information may not have proven clinical validity, the Privacy Rule considers it identifiable

Research and HIPAA
• The regulation covers information, not tissue, except to the extent any identifiable medical information is attached to the tissue sample
• Genetic information is not provided a higher standard of privacy coverage under this federal regulation
• The regulation covers individually identifiable information in any form, including written, electronic or oral
HIPAA vs. the Common Rule
• Focus
• Common Rule: safety and welfare of human subjects
• HIPAA: privacy of the health information of subjects

Research Privacy Regulations
Common Rule:
• Federally funded or regulated research
• Protects rights and welfare
• Human subject (living) subject to research
• Board reviews all research protocols
• Annual and continuing reviews
• Informed consent to participate in research
HIPAA:
• All research where a CE uses or discloses PHI
• Protects privacy and welfare
• Individual (living or deceased) subject information
• Establishes Privacy Board; IRB may act as Privacy Board; Board reviews authorizations for waivers
• No continuing review requirement
• Authorization & consent to PHI

IIHI and Other Regulations
• HIPAA: PHI is individually identifiable information that is transmitted or maintained in any form or medium by a CE or its business associate, excluding school or employment records
• FDA, Title 21 CFR 50 & 56: Do not define Individually Identifiable Health Information
• HHS Human Subjects Protection, Title 45 CFR part 46: Private information must be individually identifiable in order for obtaining the information to constitute research involving human subjects. Individually identifiable means the identity of the subject may be ascertained by the investigator or associated with the information
HOW CAN INFORMATION BE USED OR SHARED?
De-Identify PHI
• Remove the listed identifiers, determine statistically that there is a very small risk that the information could be used to identify an individual, or code the identifiers
• Tissue and blood are not PHI unless correlated with identifiers

How Can Information Be Used Or Shared?
• Limited Data Set or partially de-identified: may use data related to the individual, address (except street level) and other identifiers not listed
• Must have a “data use agreement” in place
• Obtain subject authorization
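The two sharing paths above (remove the listed identifiers, or build a limited data set) as working code. This is an added example, not part of the slides or the University's materials. It applies the Safe Harbor method to a constructed patient record: the listed identifier fields and sub-state geography are dropped, dates keep only the year, the zip code keeps its initial three digits (changed to 000 for the sparsely populated prefixes HHS lists, per 45 CFR 164.514(b)), identifiers that leak into free-text notes are redacted by pattern, and an age over 89 collapses to "90+" with the birth year removed so it cannot be inferred. The limited-data-set path drops only the direct identifiers and street address, keeping dates, city, state and full zip, as the slide describes. The field names, the MRN format, the regexes, the reference date and the sample record are all assumptions made for this demo.

```python
"""Safe Harbor de-identification and limited data set construction (added example)."""
import re
from datetime import date

# Fields assumed to hold the direct identifiers on the Safe Harbor list.
DIRECT_IDENTIFIERS = {"name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_no",
                      "account_no", "license_no", "vehicle_id", "device_id", "url",
                      "ip", "biometric", "photo"}
# Geographic units smaller than a state: removed under Safe Harbor; a limited
# data set may keep city/county/zip but never the street-level address.
GEO_SMALLER_THAN_STATE = {"street", "city", "county", "precinct"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# 3-digit zip prefixes covering 20,000 people or fewer, as listed in HHS Safe Harbor
# guidance (2000 Census figures); verify against current Census data before use.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}
REFERENCE_DATE = date(2024, 1, 1)   # constructed "as of" date so ages are reproducible

# Identifiers that tend to leak into free text such as clinical notes.
TEXT_PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("URL",   re.compile(r"https?://\S+")),
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("MRN",   re.compile(r"\bMRN-?\d+\b")),            # assumed local MRN format
    ("DATE",  re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
    ("DATE",  re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
]

SAMPLE_RECORD = {   # constructed, entirely fictitious
    "name": "Jane Q. Sample", "dob": "1980-06-15", "admit_date": "2023-03-02",
    "street": "123 Example St", "city": "Tucson", "state": "AZ", "zip": "85701-1234",
    "phone": "520-555-0100", "email": "jane.sample@example.com",
    "ssn": "123-45-6789", "mrn": "MRN-00012345", "ip": "192.0.2.10",
    "diagnosis": "Type 2 diabetes",
    "notes": "Call 520-555-0100 or jane.sample@example.com re MRN-00012345, "
             "seen 03/02/2023 from 192.0.2.10.",
}
ELDERLY_RECORD = {**SAMPLE_RECORD, "dob": "1931-06-15"}   # constructed, age over 89


def scrub_text(text, keep_dates=False):
    """Replace identifier patterns in free text with a bracketed label."""
    for label, pattern in TEXT_PATTERNS:
        if keep_dates and label == "DATE":
            continue
        text = pattern.sub(f"[{label}]", text)
    return text


def generalize_zip(zip_code):
    """Keep the first three digits, or 000 for a restricted prefix."""
    digits = re.sub(r"\D", "", str(zip_code))[:3]
    return "000" if digits in RESTRICTED_ZIP3 else digits


def age_on(dob_iso, reference):
    dob = date.fromisoformat(dob_iso)
    return reference.year - dob.year - ((reference.month, reference.day) < (dob.month, dob.day))


def safe_harbor(record, reference_date=REFERENCE_DATE):
    """Safe Harbor de-identification of one record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in GEO_SMALLER_THAN_STATE:
            continue                                   # drop the identifier entirely
        if field in DATE_FIELDS:
            out[field] = str(value)[:4]                # year only
        elif field == "zip":
            out[field] = generalize_zip(value)
        else:
            out[field] = scrub_text(value) if isinstance(value, str) else value
    if "dob" in record:
        age = age_on(record["dob"], reference_date)
        if age > 89:
            out.pop("dob", None)   # even the birth year would reveal an age over 89
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


def limited_data_set(record):
    """Limited data set: direct identifiers and street address removed, dates kept.
    Such a set may only be shared under a data use agreement."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field == "street":
            continue
        out[field] = scrub_text(value, keep_dates=True) if isinstance(value, str) else value
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(safe_harbor(SAMPLE_RECORD), indent=2))
    print(json.dumps(limited_data_set(SAMPLE_RECORD), indent=2))
```

The free-text scrub is the part most often forgotten: a record can have every structured identifier stripped and still carry a phone number or MRN in the notes column, so run the patterns over every string field, not just the ones you expect to be clean.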
How Can Information Be Used Or Shared?
• HIPAA requires numerous elements (refer to checklist)
• HIPAA authorization requires IRB approval
• IRB or Privacy Board may waive the need for an authorization
• If PHI is solely to prepare for research and will not be removed from the premises

Waiver of Authorization
• Minimum risk to PRIVACY
• Plan to protect identifiers
• Plan to destroy identifiers, ASAP
• Written assurance not to reuse/redisclose
• Research cannot be done without Waiver
• Research cannot be done without PHI
• PHI is the minimum necessary
• Disclosures are tracked

HIPAA and Research
• Under HIPAA, individual authorization is required to use or disclose PHI for research
• HIPAA specifies required elements or statements, which are far more detailed than the information traditionally provided in the Common Rule consent
USE AND DISCLOSURE OF PHI
• USE = Sharing of PHI within an entity or component
• DISCLOSURE = Sharing of PHI outside an entity or component
• Under HIPAA, patients have the right to request a complete listing of ALL disclosures of PHI for 6 years

Use and Disclosure of PHI
• HIPAA applies to USE & DISCLOSURE of certain health information that:
• Identifies the individual
• Relates to the individual’s past, present or future health, healthcare treatment, or health care payment
• Is maintained or disclosed electronically, on paper or orally

HIPAA’s Individual Rights
• The primary purpose of HIPAA is to assure that individuals:
• Are informed as to the uses or disclosures of PHI (Notice of Privacy Practices)
• Give appropriate permission for use or disclosure
• Benefit from safeguards in place to protect privacy

What if I don’t want to share my health information?
• Each Notice of Privacy Practices contains information on who will be able to view your PHI, how it is shared and how it is maintained
• It is assumed that you agree with the provisions of the NOPP
• If you do not want to share your information, you may exercise the opt-out option

Protecting My PHI
• Opt-outs must be in writing
• Opt-outs must be dated
• An address will be provided in the NOPP
• You may specify the provisions you do not want to have
• You may revoke your opt-out at any time

HIPAA Authorization Form for Research
• Specific description of PHI to be used or disclosed in the research
• Name of persons or class of persons authorized to make disclosure
• Name of persons or class of persons to whom disclosure will be made
• Description of the specific research protocol or study
• Expiration date or event, or a statement that the authorization has no expiration

HIPAA Authorization Form for Research
• Statement of the participant’s right to revoke the authorization in writing and a description of how the person may revoke authorization
• Statement that a participant may not revoke the authorization as to PHI already disclosed in research, or description of other exceptions where the participant may not revoke the authorization
• Statement that the organization disclosing the PHI may not condition treatment, payment, enrollment or eligibility

HIPAA Authorization Form for Research
• Statement that PHI disclosed for research may be subject to redisclosure by the recipient and no longer protected by the rule
• Must have the participant’s signature and date
• If the authorization is executed by a personal representative of the participant, a description of the person’s authority to act for the participant
HIPAA Security
• Security Standards effective 4/21/05
• Adopts standards for the security of electronic protected health information (ePHI)
• 18 standards supported by specifications

Security Standards
• FDA’s latest guidance and HHS’s HIPAA Security Rule focus on:
• Risk Assessment
• Documentation
• Supporting Training
• Role-based access

Prevent Inadvertent Disclosure
• Computer display screens should not be visible to passers-by
• Paper documentation should never be left unattended. Always lock paper records in a desk or file drawer.
• Do not send personal identifiers in an e-mail or attachment without appropriate security (e.g., encryption/password protection of the attached file)
• Curtail hallway/elevator discussions
• Shred documents containing PHI; turn folders inward or turn them upside down
• Fax procedures (e.g., cover sheet, secure location, verification of number)

Disposal
• Documentation should only be destroyed when the information is no longer needed and when it is not required to be maintained by law or as public record
• Paper records: Shredding/Recycling in appropriate containers (not the office receptacle)
• Digital records: Overwriting
• Deleting files is NOT sufficient
• Some storage systems may require physical destruction
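The "overwriting, not just deleting" point for digital records, shown as an added example that is not from the slides. A plain delete only unlinks the directory entry; the bytes stay on disk until something reuses them. This Python script overwrites a file's existing blocks in place with random data, forces the write to disk, and only then removes the file; the demo writes a constructed PHI-like string to a temporary file and reports whether the plaintext survived the overwrite. The path, contents and pass count are assumptions for the demo.

```python
"""Overwrite-then-delete for digital records (added example, not from the slides)."""
import os
import secrets
import tempfile


def overwrite_file(path, passes=1, chunk=1 << 16):
    """Overwrite every byte of the file in place with random data and flush to disk.

    Opening with 'r+b' (not 'w') matters: 'w' truncates the file, and the filesystem
    may then hand out fresh blocks while the old blocks still hold the plaintext.
    Returns the number of bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())   # make sure the overwrite reached the device
    return size


def secure_delete(path, passes=1):
    """Overwrite the file, then unlink it. Returns bytes overwritten."""
    written = overwrite_file(path, passes)
    os.remove(path)
    return written


def demo(phi_text=b"MRN-00012345 Jane Q. Sample, DOB 1980-06-15, Type 2 diabetes"):
    """Write constructed PHI-like text, overwrite it, and report what survived."""
    tmp = tempfile.NamedTemporaryFile(delete=False)
    tmp.write(phi_text)
    tmp.close()
    overwrite_file(tmp.name)
    with open(tmp.name, "rb") as fh:
        after = fh.read()
    result = {
        "bytes_overwritten": len(phi_text),
        "plaintext_still_present": phi_text in after,
        "size_unchanged": len(after) == len(phi_text),
    }
    secure_delete(tmp.name)      # second overwrite, then unlink
    result["exists_after_delete"] = os.path.exists(tmp.name)
    return result


# Caveat, as the slide says: some storage needs physical destruction. On SSDs
# (wear levelling), copy-on-write or snapshotting filesystems, journaled volumes,
# and anything with backups or shadow copies, an in-place overwrite does not
# guarantee the old blocks are gone. Treat this as the minimum for ordinary
# magnetic disks, and follow the storage system's own sanitization guidance.

if __name__ == "__main__":
    print(demo())
```

Run it on a workstation to see the three checks: the file keeps its size, the original text is no longer readable from it, and after `secure_delete` the path is gone. The comment block at the end is the part to remember when deciding whether overwriting is enough for a given device.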
Protect your data
• Password protect your computer and screensaver
• Password protect your storage devices and removable media
• Use appropriate passwords
• Keep anti-virus software current
• NEVER share passwords
• Never leave the computer when you are logged on
• Manually initiate the screensaver when not sitting at your desk
• Lock your office door when you leave
• Don’t leave written passwords where others can find them

Violations of Privacy
• HIPAA specifies the penalties for misuse of personal identifiers
• PERSONAL as well as INSTITUTIONAL liability
• If you are not following University policies/procedures, you will be personally liable
• Civil Penalties: $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated