University Pathology Services, Inc


HIPAA
The Health Insurance Portability and Accountability Act of 1996
(Public Law 104-191)
Impact on Pathologist
Trina Shanks
University Pathology Services, Inc. & The OSU Department of Pathology
Objectives
- HIPAA Historical Background
- Privacy Rule
- Purposes of the Privacy Rule
- Privacy Rule effects on Pathologists
- Privacy assessment gaps
- Research Provisions

HIPAA Historical Background

Enacted in August 1996, HIPAA included a wide array of
provisions designed to make health insurance more
affordable and accessible. With support from health plans,
hospitals and other health care businesses, Congress
included provisions in HIPAA to require HHS to adopt
national standards for certain health care transactions,
codes, identifiers and security. HIPAA also set a three-year
deadline for Congress to enact comprehensive legislation
to protect medical records and other personal health
information. When Congress did not enact such legislation
by August 1999, HIPAA required HHS to issue health
privacy regulations.
Title I: Portability
- Protects Americans with pre-existing conditions from losing health insurance when changing jobs.
- Prevents discrimination in health care coverage.

Title II: Administrative Simplification
- Standardization of electronic patient health, administrative and financial data
- Unique health identifiers for individuals, employers, health plans and health care providers
- Security standards protecting the confidentiality and integrity of “individually identifiable health information” (PHI, Protected Health Information), past, present or future

HIPAA Administrative Simplification Rules
Each rule is approved individually. Once a rule is approved, there is a 2-month comment period and a 24-month implementation window, i.e. 26 months to go live.

HIPAA Rule                    Approved Date                                    Required Compliance Date
Privacy                       December 28, 2000 (last changes in March 2002)   April 14, 2003
EDI Transaction & Code Sets   August 17, 2000                                  October 16, 2002 (1 year extension)
National Employer ID          May 31, 2002                                     July 30, 2004
Security                      February 20, 2003                                April 21, 2005
National Provider ID          Comment period ended July 6, 1998                ???
National Health Plan ID       Under development                                ???
Who is affected?
All healthcare organizations. This includes all health care providers, even 1-doctor physician offices, health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and medical universities.

Privacy Rule Provisions
- Limit the non-consensual use and release of private health information
- Give patients new rights to access their medical records and to know who else has accessed them
- Restrict most disclosure of health information to the minimum needed for the intended purpose
- Establish new criminal and civil sanctions for improper use or disclosure
- Establish new requirements for access to records by researchers and others
Purpose of the Privacy Rule
- Protect and enhance the rights of consumers to their health information and control the inappropriate use of the information.
- Improve the quality of health care in the U.S. by restoring trust in the health care system.

As Modified, the Privacy Rule is:
- Flexible and Scalable
- Workable
- Balanced

The Privacy Rule “strikes a common sense balance by providing consumers with personal privacy protections and access to high quality health care.”
HHS Secretary Thompson
Treatment, Payment & Health Care Operations (TPO)
Covered Entities may use/disclose Protected Health Information (PHI) to carry out essential health care functions.

Treatment
- Treatment: the provision, coordination, or management of health care by one or more health care providers.

Payment
- Payment: activities of health care providers to obtain payment or reimbursement for their services, and of health plans to obtain premiums, fulfill coverage responsibilities, or provide reimbursement for the provision of health care.

Health Care Operations
- Health Care Operations: administrative, financial, legal and quality improvement activities necessary to run the business and to support the core functions of treatment and payment. These include:
  - Quality assessment and improvement activities
  - Training, accreditation, certification, credentialing, licensing, reviewing competence, evaluating performance
  - Fraud and abuse detection
  - Underwriting, rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or benefits
  - Conducting or arranging for medical review, legal services, or auditing
  - Business planning and development
  - Business management and general administrative activities
The HIPAA privacy regulations affect pathologists in three ways.
1. HIPAA requires that a pathologist or laboratory develop and implement policies and procedures to govern their use and disclosure practices with respect to PHI.
2. They must establish and implement policies and procedures to provide for certain rights that must be afforded to patients.
3. They must establish and implement policies and procedures to document certain administrative steps that the pathologist must take to ensure that PHI is properly protected.
Privacy Assessment Gaps
- Submitted self-assessments
- Direct observation
- Reports from staff
Medical Information Access
- Finding: PCs, printers, faxes in areas accessed by the public
- Concern: Personal information accessible by unauthorized individuals
- Action: Review your environment. Do not place equipment that collects/receives PHI in areas where the information can be seen by visitors or other patients

Medical Information Disposal
- Finding: Printouts are not properly discarded
- Concern: Paper reports disposed of in the trash can resurface
- Action: Instruct staff never to place legible patient-identifiable reports in the trash. Use bins for shredding, or shred before disposing.

Medical Information Storage
- Finding: Medical records are not secured
- Concern: Patient records are not to be accessed by anyone who is not involved in the treatment, payment or hospital operations related to the patient, except as authorized by the patient.
- Recommendation: Records are to be kept in secure medical record storage areas, with limited access. Sign off of the system before leaving the area.

Conversations
- Finding: Healthcare conversations are overheard
- Concern: Patient information is to be discussed in private
- Action: Remind staff of the need to use a conference room, step away from public settings, and be discreet when speaking on the telephone

Patient Communications
- Finding: Patient care areas have various practices related to contacting patients
- Concern: Patients have the right to control release of information
- Recommendation: Do not leave messages or speak to a family member or friend without giving notice to the patient or obtaining consent.
- Note: When the patient is not present or is incapacitated, uses and disclosures are permissible using professional judgment to determine whether they are in the best interest of the individual. Consider the minimum necessary.
Need More Info?
- http://www.cms.gov/hipaa/hipaa2/
- http://www.hhs.gov/ocr/hipaa
- OSUMC Newsline, Progressline, Connections, Med Staff News & Webster
- OSUMC posters with monthly tips
- Medical Center Privacy Office via email at “Privacy Office” or 293-4477
Questions?
Research

Research Provisions: Covered entities may use and disclose PHI for research:
- with individual authorization, or
- without individual authorization under limited circumstances

What Research is Affected?
- Records research that uses existing PHI, such as research databases and repositories
- Research that includes treatment of research participants, such as clinical trials
Relationship to Other Research Rules

The Privacy Rule does not override the
Common Rule or FDA’s human subject
protection regulations
Common Rule vs. Privacy Rule
Research WITH patient permission

Common Rule/FDA Regulated: IRB review of research and informed consent
Privacy Rule: Valid authorization
Privacy Authorization
Research participant authorization to use or disclose PHI is required for most clinical trials and some records research.
- May have no expiration date or event, or may continue until “end of research study”
- May be combined with informed consent to participate in research
Common Rule vs. Privacy Rule
Research WITHOUT patient permission

Common Rule: IRB review, 4 waiver criteria
Privacy Rule:
- IRB/Privacy Board review, 3 waiver criteria;
- Preparatory research;
- Research on decedents; or
- Limited data set
Use and Disclosure of PHI for Research WITHOUT Individual Authorization
Four Options:
Option 1: Obtain documentation that an IRB or Privacy Board has approved an alteration to or waiver of authorization based on the following 3 waiver criteria:
3 Waiver Criteria
1. The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
Minimal Risk Elements
a. An adequate plan to protect the identifiers from improper use/disclosure;
b. An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining identifiers or such retention is otherwise required by law; and
c. Adequate written assurances that PHI will not be reused/disclosed to any other person or entity, with certain exceptions.
Waiver criteria (continued)
2. The research could not practicably be conducted without the alteration or waiver
3. The research could not practicably be conducted without access to and use of the PHI
Use and Disclosure of PHI for Research WITHOUT Individual Authorization
Option 2: Obtain representation that the use or disclosure is necessary to prepare a research protocol or for similar purposes preparatory to research
- No PHI removed from the Covered Entity

Option 3: Obtain representation that the use or disclosure is solely for research on decedents’ protected health information

Option 4: Only use or disclose a limited data set/“indirect identifiers” (e.g. zip codes, dates of service, age, death)
- Requires a data use agreement
Accounting for Research Disclosures
Upon request, must provide an accounting for research disclosures made without individual authorization (except for disclosures of the limited data set).
- For 50+ records:
  - List of protocols for which PHI may have been disclosed, and
  - Researcher contact information

Ongoing Research at Time of Compliance Date (4/14/03)

Grandfathers in use or disclosure of PHI as permitted by the following if obtained prior to the compliance date:
- Legal permission for the use or disclosure of PHI;
- Informed consent for the research; or
- An IRB waiver of informed consent under the Common Rule.
Questions?