HIPAA and YOU

HIPAA and YOU:
Compliance Doesn’t Have to Hurt
By Michael Sommerkamp
Legal Counsel for
Indiana State Emergency
Management Agency
About This Presentation

This presentation is not intended as legal advice and all EMS providers are strongly encouraged to consult with their attorneys and medical directors when drafting and implementing policies regarding HIPAA compliance, disclosures of PHI, and disclosure of PHI to law enforcement officers.

This PowerPoint presentation, FAQs, and a hypertext version of its content are available at:
http://www.in.gov/sema/ems/hipaa_present.html
So What is HIPAA And What Does it Do?
Background and Vocabulary [Slide 1 of 3]

The Office of Health and Human Services (“HHS”) created the Health Insurance Portability and Accountability Act (“HIPAA”), which affects the handling of Private Health Information (“PHI”) by Covered Entities (“CE”)
HIPAA has 4 primary components, but this presentation will only address the Privacy Rule, which became enforceable on April 14, 2003
The Privacy Rule creates a national floor for privacy standards and supersedes less stringent state laws
So What is HIPAA And What Does it Do?
Background and Vocabulary [Slide 2 of 3]

HHS’ Office of Civil Rights (“OCR”) is in charge of enforcement actions
The intent of the Privacy Rule is to give individuals basic rights regarding the use of PHI, which should NEVER compromise patient care
So What is HIPAA And What Does it Do?
Background and Vocabulary [Slide 3 of 3]

Penalties for violations of HIPAA include:
– Civil Penalty: $100 per violation, maximum per year of $25,000
– Criminal Penalties:
  • Wrongful Disclosure: Fine of not more than $50,000 and not more than 1 year imprisonment
  • Disclosure under False Pretenses: Fine of not more than $100,000 and not more than 5 years imprisonment
  • Commercial Advantage, Personal Gain, or Malicious Harm: fine of not more than $250,000 and 10 years imprisonment
The Privacy Rule’s Golden Rule
For EMS Providers

HIPAA should NEVER adversely affect the quality of patient care rendered or impede the ability of a health care provider to care for a patient
But Why Me?!?
(Or am I a Covered Entity)

45 CFR § 160.103
A covered entity is a health plan, a health clearinghouse, or a health care provider;
Who electronically transmits health information;
For a transaction covered under HIPAA.
Common transactions include: eligibility inquiries, health claims and other billing matters done by you or for your benefit (Use of a 3rd party billing company does NOT exempt you from HIPAA)
Sending data to SEMA or NFIRS is NOT a covered transaction
Hybrid Entities
45 CFR 164.504

Hybrid entities are usually governmental entities or large corporations whose primary business is NOT providing health care
These entities segregate their components that perform health care functions from the components not related to performing health care functions.
By doing this, only those components that perform health care functions must comply with HIPAA.
And If I’m Not a Covered Entity?
Don’t Start to Celebrate Yet...

Medicare will NOT pay claims that are NOT submitted electronically after October 16, 2003 (unless a 1 year waiver is sought and granted)
OCR is currently offering an educational “grace period”
HIPAA privacy standards have become the popular standard of care--Maybe expected by YOUR potential jury pool in a State Law privacy case...
But We Can Barely Afford Band-Aids
(Or Scalability of Requirements)

HHS expects that small providers will develop less expensive and less complex privacy measures than larger providers
Limitations on small providers are to be considered when reviewing safeguards
Small providers “will not be required to change their business practices dramatically” [Is this a sample of HIPAA Humor?!?]
Well, If I Gotta’ Do This:
Implementation Strategies
Requirements of Covered Entities
(Slide 1 of 3)

The Privacy Rule requires CEs to “Protect PHI, which includes all individually identifiable health information regardless of whether it is in electronic form, paper, or oral communications.”
Designate a Privacy Official
Look for Leaks in your Privacy Policy
Conduct and document privacy training for your ENTIRE workforce
Develop an Authorization Form for the release of PHI
Develop a Notice of Privacy Practices
Understand the interaction of HIPAA and State Laws
Requirements of Covered Entities
(Slide 2 of 3)

Understand Patient Rights and associated requirements
– Notice of Privacy Practices (45 CFR 164.520)
– Access to Records (45 CFR 164.524)
– Right to ASK to Amend Records (45 CFR 164.526)
– Restrictions on Use or Disclosure (45 CFR 164.522)
– Alternative Communications (45 CFR 164.522)
– Accounting of Disclosures (45 CFR 164.528)
– How to File a Complaint (45 CFR 164.530)
When disclosure is allowed, ALWAYS disclose the MINIMUM NECESSARY PHI
Requirements of Covered Entities
(Slide 3 of 3)

Update employee policies & procedures
Identify Business Associates and adopt a form contract
Put in place reasonable administrative, technical, and physical safeguards
The Standard for Protecting PHI
42 USC § 1320d-2(d) [Slide 1 of 4]

• Covered entities shall maintain reasonable & appropriate administrative, technical, and physical safeguards:
  • To ensure the integrity and confidentiality of the information (electronic, written, or spoken)
  • To protect against any reasonably anticipated:
    • Threats or hazards to the security or integrity of the information; and
    • Unauthorized uses or disclosures of the information; and
  • Otherwise to ensure compliance by officers & employees.
The Standard for Safeguarding PHI
42 USC § 1320d-2(d) [Slide 2 of 4]

• HHS has stated that the use of encoded radio or electronic transmissions is NOT REQUIRED
• Prudence dictates that you:
  • Maintain run sheets in a secured area and limit access
  • Add passwords to computers and networks that contain PHI
  • Add confidentiality statements to e-mails and faxes that contain PHI
  • Maintain the fax that receives PHI in a secure location and limit access
The Standard for Safeguarding PHI
42 USC § 1320d-2(d) [Slide 3 of 4]

Incidental Disclosures can be made for treatment, but the care provider must use discretion and the most secure manner available
– If a patient name must be used when contacting the hospital, then use a cell phone if possible and available
– If others not involved in treatment are near, then whisper
– Common sense and a team approach towards compliance can go a long way
The Standard for Safeguarding PHI
42 USC § 1320d-2(d) [Slide 4 of 4]

Beware any use or discussion of PHI NOT specifically permitted, such as:
– discussing a run as you walk from ER to ambulance
– discussing a run at the station/ Pizza Hut/ gym/ bar/ or anyplace other than audit & review
– discussing “interesting” runs, famous patients, or even relatives or neighbors.
– Interesting run: if discussing the run could embarrass someone (think foreign object and orifice…)
These standards cover medics and billing agents, and anyone else with access to PHI
When Unsure Whether You Can Discuss A Run...

Ask yourself if Judge Hang’em High would agree that the disclosure was for the benefit of the patient AND that it was done with the utmost discretion...
Designate a Privacy Official

All CEs must appoint a Privacy Officer
The Privacy Officer should develop a Privacy Program and procedures with the assistance of both the medical director and the attorney who would defend the provider in a HIPAA action
The Privacy Officer can have other duties, but should have the time and resources needed to fulfill required HIPAA duties (and just maybe a large stick to assist in enforcing Privacy Standards…)
Duties of a Privacy Officer

Policies must comply with HIPAA and State Law
Privacy Policies must be documented, disseminated to, and followed by all employees through a privacy training program
All employees MUST complete this program and sign a statement that they have completed the program and will comply with the policies
Who Is An Employee

For the purpose of the Privacy Rule, employees are volunteers, students, trainees, independent contractors, and anyone else under your control.
Look for Leaks in Your Privacy Policy

What “Leaks” can PHI seep through? Find and patch them NOW
Guarding PHI HAS to be an ongoing task for everyone: Students, EMTs, Billing Agents, the Privacy Officer, and Management
Only those who need access to PHI should have access; and then only the minimum necessary
Remember, HIPAA covers electronic, written and oral disclosures of PHI
Develop An Authorization Form for the Release of PHI
45 CFR 164.508

Most EMS disclosures fall under the Treatment, Payment, and Health Care Operations (TPO) exemption
Authorization is required for disclosures NOT otherwise authorized under the Privacy Rule
Authorization is required for marketing NOT conducted by the Covered Entity
Notice of Privacy Practices (NPP)
45 CFR 164.520 [Slide 1 of 2]

You must develop a compliant NPP
The NPP must be in plain language, which might require a Spanish NPP if you serve a Spanish-speaking community
You must make a Good Faith attempt to give a NPP to each Pt or Pt’s representative AND to get a signed Acknowledgement of Receipt in non-emergency situations by each Pt or a Pt’s representative
In Emergency Treatment Situations, the NPP must be given as soon as practical--maybe leave a copy at hospital, mail w/ the bill…
Notice of Privacy Practices (NPP)
45 CFR 164.520 [Slide 2 of 2]

If a patient refuses a run she should still be given a NPP, and her Acknowledgement of Receipt could be added to the refusal form
Services who maintain a web site MUST post their NPP on the site (**Look for these FREE examples**)
The NPP has many technical requirements: check the requirements in the Rule as you look at examples
NPPS & Unemancipated Minors
[Slide 1 of 2]

The Privacy Rule does NOT address consent to treatment, so Indiana law regarding the ability of minors to consent (or sign) is unchanged
Just as a minor in Indiana is not deemed competent to refuse treatment, a minor is likely not deemed competent to accept a NPP or to sign for its acceptance
NPPS & Unemancipated Minors
[Slide 2 of 2]

In descending order the following may give consent for medical treatment for an unemancipated minor (or are able to accept or to sign to accept a NPP):
– A court-appointed guardian; (if unavailable) then
– A parent or person acting in loco parentis [acting as a parent]; (if unavailable) then
– An adult sibling; (if unavailable) then
– A law enforcement officer who believes the minor’s condition is “seriously impaired or endangered”
Patient Rights
[Slide 1 of 2]

Patient Rights requirements are detailed and MUST be precisely followed: See slide #18 for citations
Most patient rights MUST be listed on the NPP
If patient is not legally competent, then patient representative can exercise patient’s rights
Patients must be allowed to access & copy their PHI within 30 days of their request to access & copy
Patient Rights
[Slide 2 of 2]

Patient must be given a NPP as soon as practical and a good faith effort must be made to get a Signature of Receipt
Patient has the right to REQUEST to amend records
Patients can request an accounting of unauthorized and non-routine disclosures of their PHI for up to 6 yrs, but only for dates after April 14, 2003
Patients must be told how to file a complaint
Business Associates
45 CFR § 160.103

Entities who perform services on your behalf AND have access to your PHI are Business Associates
Your employees & other care providers are NOT BAs
Some potential BAs: 3rd party billing companies, outside claims consultants, outside medical directors, software vendors, computer consultants, computer repair personnel
Sample Business Associate contract available at:
http://www.hhs.gov/ocr/hipaa/contractprov.html
HIPAA & State Laws
(Slide 1 of 2)

HIPAA preempts less stringent state privacy laws
In addition to HIPAA requirements, all Indiana EMS certificate holders, even the few who work for entities NOT covered by HIPAA, risk being subject to fines and suspension or revocation of their Indiana Certification for the “Unauthorized disclosure of medical records or other confidential patient information.” See 836 IAC 11-2(a)(8).
HIPAA & State Laws
(Slide 2 of 2)

EMS services provided by or under a contract with a public agency must make the following information available:
– The date and time of the request for ambulance services
– The reason for the request for assistance
– The time and nature of the response
– The time of arrival at the scene
– The time of departure from the scene
– The name of the facility, if any, to which the patient was delivered
See IC 16-31-2-11
Permitted Unauthorized Disclosures
(Slide 1 of 2)

Exemptions are found in 45 CFR § 164.512
Privacy Rule ALLOWS the disclosure of PHI for:
– Treatment, Payment, and Operations
– When Required by Law
– Public Health Activities (sending run report data to SEMA or NFIRS)
– Victims of Abuse, Neglect, or Domestic Violence
– Health Oversight Activities (SEMA hearings)
[List continued on next slide]
Permitted Unauthorized Disclosures
(Slide 2 of 2)

(Exemptions continued from previous slide)
– Judicial & Administrative Proceedings
– Law Enforcement
– Births and Deaths
– Organ and Tissue Donation
– Research Purposes
– Protect Public Safety
– Specialized Government Functions
Your New Best Friend:
Treatment, Payment, and Health Care Operations

Treatment, Payment, and Operations (TPO) disclosures are allowed without authorization
Treatment: giving PHI to other providers involved in treating the patient, such as a hospital
Payment: receiving PHI from other providers (such as a hospital) needed for billing for treatment (filing claims, coordinating benefits, eligibility inquiries, collections,…)
Operations: audit & review, quality assessment, medical or legal auditing…
Remember the EMS GOLDEN RULE: When disclosure permitted, disclose the MINIMUM NECESSARY PHI
Disclosures Required by Law
[Slide 1 of 2]

The Privacy Rule allows most disclosures of PHI statutorily required by Indiana law.
Only the minimum necessary PHI may be disclosed and only to the recipient specified in the Indiana law (See the following example)
Disclosures Required by Law
[Slide 2 of 2]

Example: Indiana Law requires a practitioner* who initially treats an injury from fireworks or pyrotechnics to submit a report to the State Dept. of Health. As HIPAA exempts this and Indiana Law requires it, the State Dept. of Health MUST be given this report. Yet, the unauthorized release of the same information to local law enforcement, which is not required by either HIPAA or Indiana Law, would violate HIPAA.

*(A practitioner holds an unlimited, limited, probationary, or temporary license, certificate, or registration.) IC 35-47-7-6
Public Health Activities

Disclosures to public health authorities authorized by State Law to receive that PHI
This SPECIFICALLY ALLOWS sending run report data to SEMA or NFIRS
This also ALLOWS an EMS provider who was exposed to blood or bodily fluids to request notification if the patient has a communicable disease. See IC 16-41-10.
Victims of Abuse, Neglect, & Domestic Violence

HIPAA allows and Indiana Law requires:
– A person who believes an “endangered adult” is a victim of battery, neglect, or exploitation to report this to Adult Protective Services or to law enforcement. IC 12-10-3 & IC 35-46-1-13.
– A person who believes that a child is a victim of abuse or neglect to immediately notify their boss and to immediately notify either local child protective services or local law enforcement. IC 31-33-5.
Health Oversight Activities

This SPECIFICALLY ALLOWS disclosing PHI for SEMA investigations
It also allows disclosures to other supervising health entities:
– Audits & Investigations by supervising hospitals and/or physicians
– Medicare audits and investigations
Judicial & Administrative Proceedings

This also SPECIFICALLY ALLOWS disclosing PHI for SEMA investigations
Disclosure must be made when a Judge, an Administrative Law Judge, or a Grand Jury orders the disclosure through a subpoena or a warrant
– But NOT when an attorney or party to the litigation signs a subpoena
Disclosures To Law Enforcement

When Disclosure to Law Enforcement is Allowed
[Slide 1 of 5]

A CE may disclose PHI to Law Enforcement when:
– Required by State Law (please see the note titled “Mandatory Disclosures of PHI Required by Indiana Law,” near the end of your informational packet)
– Ordered by a court (warrant or subpoena signed by Judge, Administrative Law Judge, or Grand Jury--NOT attorney)
– Ordered by Administrative subpoena from authorized agency
When Disclosure to Law Enforcement is Allowed
[Slide 2 of 5]

Needed to identify or locate a suspect, fugitive, missing person, or witness a provider may release:
– name & address
– date & place of birth
– social security number
– blood type
– type of injury
– date & time of treatment (or death, if applicable)
– distinguishing characteristics: height, weight, gender, race, hair & eye color, scars, tattoos, & presence of facial hair
When Disclosure to Law Enforcement is Allowed
[Slide 3 of 5]

If care recipient is a victim of crime AND:
– unable to consent; AND
– Officer states PHI needed to determine whether violation of law occurred by someone other than victim; AND
– PHI is NOT intended to be used against the victim; AND
– Immediate Law Enforcement activity will be affected by waiting until victim can give consent; AND
– In your professional judgement you deem the disclosure is in the best interest of the victim.
When Disclosure to Law Enforcement is Allowed
[Slide 4 of 5]

Under IC 9-26-2-2, Indiana law enforcement officers are statutorily required to gather the following information:
– Name and address of the owner and operator of each vehicle involved in the accident
– License number and description of each vehicle
– Time and place the accident occurred
– Name and address of each person injured or killed
– Name and address of each witness to the accident.
(Continued on next slide)
When Disclosure to Law Enforcement is Allowed
[Slide 5 of 5]

As State Law requires a law enforcement officer to collect the preceding information, disclosing the minimum necessary information should not violate the Privacy Rule. However, EMS providers are, by their nature, patient advocates and should always encourage law enforcement officers to gather information directly from the patient when possible, as opposed to from the EMS provider.
Develop a policy with the assistance of your attorney, CEO, provider hospital, and local law enforcement.
Specialized Government Function

If any of these arise, consult with your attorney
– Military & Veteran Affairs
– Department of Defense Activities
– Required for national security
– Required to Protect the President or other national dignitaries
– Security clearances
– Inmates in governmental custody and others
Other Allowed Disclosures

Organ & Tissue Donation
For specific research purposes
To avert threats to safety: requires good faith belief that the disclosure will:
– prevent or lessen a serious & imminent threat to public or a person’s health; or
– assist law enforcement AFTER an individual admits to involvement in a violent crime; or
– it appears the individual is a fugitive from the law
HIPAA Resources
(Slide 1 of 2)

Your starting points should be OCR’s HIPAA web site:
http://www.hhs.gov/ocr/hipaa/ AND
OCR’s FAQs (Get this FREE Resource!!):
http://www.hhs.gov/ocr/hipaa/guidelines/guidanceallsections.pdf

The full text of the final regulation is available at:
http://www.hhs.gov/ocr/hipaa/privrulepd.pdf
Centers for Medicare and Medicaid Services (“CMS”):
http://www.cms.hhs.gov/hipaa/
CMS’ Compliance Checklist: http://www.hipaa.org/
SEMA’s HIPAA site: http://www.in.gov/sema/ems/hipaa.html
HIPAA Resources
(Slide 2 of 2)

CMS’ Ambulance Services Web Page:
http://www.cms.hhs.gov/suppliers/ambulance/default.asp
Phoenix Health Systems HIPAA page:
http://www.hipaadvisory.com
NEDARC’s HIPAA Web Site:
http://www.nedarc.org/HIPAA/HIPAA_info.htm