HIPAA and Privacy
Health Insurance Portability and Accountability Act (HIPAA)
Sources
Steven C. White, ASHA Director of Health Care Economics and Advocacy
Janet Brown, ASHA, Director, Health Issues Unit
Tim Weise, M.A., Michigan Speech-Language-Hearing Association
HIPAA
The Health Insurance Portability and
Accountability Act of 1996 (P.L. 104-191)
Mandates compliance with patient privacy
rules designed to maintain confidentiality of
medical information
No federal rules to protect privacy of health
information existed until Standards for
Privacy were published 12/28/2000
HIPAA PRIVACY
Provides Americans with a basic level of
protection that is essential to their full
participation in their care
Final regulation takes effect April 14, 2003
“Covered entities” include health care
providers who conduct certain financial and
administrative transactions such as billing
electronically
Protected Health
Information
All medical records and other individually
identifiable health information used by or
disclosed by a covered entity in any form,
whether electronically, on paper, or orally,
are covered by the HIPAA final rule
Patient identifiers - name, SS#, telephone #,
medical health #, zip code
What is protected
health information?
(PHI)
Any information about past, present, or
future illnesses
Physical or mental health of an individual
Provision of health care for an individual
Payment information in cases where the
patient is individually identifiable
What is required by
HIPAA?
Posted privacy regulations
Pts. must be made aware of privacy rights
Pt. must sign a consent to have information
used and disclosed:
– Clearly written
Provider may refuse treatment if patient will
not sign consent
Pt. may revoke consent in writing
And…
Provider must retain consent for six years
Clinician consultation with another clinician
is considered part of treatment and is
covered by consent
Pt. may need to sign Authorization for uses
other than those above (billing, etc.)
The covered entity
(provider, clinic, etc.)
must:
Try to disclose only minimum necessary
information
Adopt clear privacy policies in writing
Inform patients of policies
Train employees (students)
Designate a “privacy officer” to oversee
Secure files (hard copy or electronic)
Research and HIPAA
Is allowed if authorization is obtained
If no authorization, may be allowed if
waiver is approved by the IRB
Research data (NOMS, for example) needs
to be deidentified
What about public and
private schools?
Medical information created by the school
system for the student record (audiology
evaluations completed at school; SLP
evaluations) is part of the EDUCATIONAL
record and is not covered by HIPAA
Contractors with the school who maintain
records must comply with HIPAA standards
Establish Accountability for
Medical Records Use and
Release
Civil penalties - violation of standards subject to
civil liability - $100 per violation, up to $25,000
per person, per year for each requirement or
prohibition violated
Federal criminal penalties - up to $50,000 and one
year in prison for obtaining or disclosing protected
health information; up to $100,000 and up to
5 years in prison for obtaining health info
under false pretenses
Criminal Penalties
continued
Up to $250,000 and up to 10 years in prison
for obtaining or disclosing protected health
information with intent to sell, transfer or
use it for commercial advantage, personal
gain or malicious harm
Balancing Public
Responsibility with
Privacy Protections
Final rule permits covered entities to
continue certain existing disclosures of
health information without individual
authorization for specific public
responsibilities
Includes emergency circumstances, public
health needs, research (generally limited to
when a waiver of authorization is
independently approved)
Useful Web Sites
www.hhs.gov/ocr/hipaa
www.asha.professional.org
www.hcfa.gov/medicaid/hipaa/adminsim/privacy
www.ahima.org/hot.topics (American
Health Information Management
Association web site)
Compliance Dates
Effective Date of Privacy Rule
– April 14, 2003
Effective Date of EDI Rule
– October 16, 2002
Enforcement
– $100/Standard Violation
– Maximum $25,000/Year/Violation
What Are Covered
Entities?
Health Plans - Insurance Companies, ERISA
Health Care Clearinghouses
Health Care Providers
– Who conduct certain electronic financial and
administrative transactions, such as electronic
billing and funds transfers
Business Associates
What is Protected
Health Information
(PHI)?
All Medical Records
Individually Identifiable Health Information
Any Such Information Used or Disclosed by a
covered Entity in Any Form
– Electronic
– Paper
– Oral
De-Identified Information is Excluded
What Are Covered
Transactions?
Requests and Responses to Eligibility
Verification
Claims Submissions
Coordination of Benefits (COB)
Explanation of Benefits (EOB)
Remittance Advices (RA)
Encounter Data Submissions
Paper vs Electronic
Claims
Can Continue to Use Paper Submissions
– Dual Submission Modes - Electronic & Paper
Paper Claims Will be Viewed Disfavorably
by 3rd Party Payers
Payers Can (Probably Will) Require
Standard Transaction
– Must be Stipulated in Contract
Business Associate
Individuals or Organizations Who Contract
with a Covered Entity for a Product or Service
that Requires Disclosure of PHI
Not Another Provider, Health Plan or
Clearinghouse
Contractual Assurance that the PHI is Secure
What Do I Need To Do?
Carefully Assess How All PHI is Currently
Generated, Stored and Transmitted in your
Practice Setting (Private Practice, Hospital,
SNF, School, etc.)
Become Knowledgeable of HIPAA Privacy
and EDI Rules as They Relate to Your
Practice Setting
– ASHA Web Site (www.Professional.asha.org)
ASHA Information
Sources
– www.Professional.asha.org
– Janet Brown ([email protected])
– Steve White ([email protected])
Some Questions To
Assess Your Situation
Does your program collect oral, paper, or
electronic information about clients?
Do you fax records to referral sources?
Do you maintain a fax log?
Do you email patient records in any form
that is identifiable?
Do staff have policies