Director Of Corporate Compliance, Central VA Community
Download
Report
Transcript Director Of Corporate Compliance, Central VA Community
HIPAA Overview
(Health Insurance Portability and
Accountability Act 1996)
PCS HIPAA Privacy Rule Training - 7/18/2015
What is HIPAA?
Health Insurance Portability & Accountability
Act of 1996
Public Law 104-191
Sponsored by - Kennedy & Kassebaum
Five Titles:
Title 1:
Insurability and Portability
Title 2:
Administrative Simplification
Title 3:
Tax Implications
Title 4:
Group Health
Title 5:
Revenue
What is the purpose of
HIPAA ?
Reduce health care costs/fraud/abuse
Control use/disclosure of “protected health
information” (PHI)
Identify provider responsibilities and
accountability
Increase consumer’s rights - PHI
Regulate how PHI is transferred/managed by
technology, individuals, and agencies
Provide consistent standards
Assure privacy and security of confidential
protected healthcare information (PHI)
Administrative Simplification
HIPAA Regulations and Deadlines
Privacy Regulations - Identifies what health care
information is protected. Deadline April 14, 2003
Electronic Transaction/Code Sets - Sets uniform
standards. Deadline: October 2003 with Extension
Security Regulations - Identifies how information is to
be protected. Deadline: April 21, 2005
Identifier Standards - Employer, Payer, National.
Deadline: Employer ID finalized/Others Pending
HIPAA
Definitions
The nuts and bolts!
Healthcare Operations
Includes “general administrative and business
functions” necessary for a covered entity to
remain a viable business (i.e., audits, quality
improvement functions, assessments)
Health Information
Any information recorded in any form or
medium which:
Is created/received by a Covered Entity that
creates, receives, uses, or transmits PHI;
Relates to the past, present, or future
physical/mental health condition of an
individual, their participation in, or payment for
such services, and
Identifies the individual.
Protected Health Information (PHI)
All individually identifiable
health care data or information
collected, maintained, or
transferred by a Covered
Entity
Protected Health Information (PHI)
Examples
Name
Address
Social Security #
Birth Date
Demographic
info. (some)
Email address
Health Plan #
License/Certificate #
Vehicle identifiers
Bio-metric identifiers
Telephone numbers
Place of employment
Account numbers
Privacy Notice
Written document in plain language
Posted & shared with consumers at
intake
Explains how their PHI will be
used/disclosed by agency
Identifies consumer’s rights
Lists agency/provider duties to protect
PHI, abide by the Privacy Notice
Identifies how changes in notice will be
communicated
Designated Record Set
A group of records maintained by
or for a covered entity/agency
Includes any records used, in
whole or in part, to make
decisions, about the consumer’s
treatment (medical record,
billing, etc.)
PCS Clinical Records Policy
Use vs. Disclosure
Use
Sharing, utilization,
examination, &
analysis of PHI
maintained internally
within the agency
Disclosure
Release, transfer,
access to, or sharing
in any manner PHI
outside the agency
maintaining the
information
Minimum Necessary Rule
Rule applies to Uses/Disclosures
Covered Entities must make reasonable efforts to
limit use, disclosure, & requests for PHI to the
“minimum necessary” in order to accomplish the
intended purpose except when an authorization is
obtained
Minimum Necessary Rule
Amount of information needed to achieve the purpose
Applies to all forms of communication
Use - Requires policies & procedures classifying staff by
role/position and the PHI to which they may have access
Disclosure - Requires policies & procedures addressing criteria to
limit disclosure & reviewing of requests
Must limit requests to that which is necessary
Does not apply to consumer requests/authorizations, disclosures
required by law or healthcare provider for treatment purposes
Access to PHI
(Protected Health Information)
Opportunity to approach, inspect, review,
and make use of data or information
Actions by a consumer or healthcare
provider with appropriate
authorization
HIPAA’s
Privacy Rule
Privacy Rule
Applies to all protected healthcare
information (PHI)
Does not prohibit the exchange of PHI
for treatment, payment, or health care
operations (TPO) within the agency
Written Acknowledgement required
Privacy Rule Highlights
Protects privacy of medical records and covers:
Electronic records & printouts of records
Written records
Oral communications
Consumer acknowledgement that PHI may be used
for
routine purposes (TPO)
Privacy Notice - Documents consumer’s rights and the
agency’s responsibilities to protect and manage PHI
Consumers’ Rights under HIPAA
Consumers may:
Inspect/copy their medical record information
Request to amend information if they believe it to
be inaccurate or incomplete
Request must to be in writing
Agency must respond within 15 days (VA law)
If request is denied - consumer may appeal this
decision to the CSB or federal government
Consumer’s Rights under HIPAA
Consumers may:
Request a Disclosure History
Request confidential communications through
alternative addresses/phone numbers
Have access to a designated individual or
Office of Civil Rights at Health & Human
Services to report violations of their rights
Request restriction on use/disclosure of their
PHI
Privacy Regulations
Allow flow of PHI for treatment, payment, & related
health care operations (TPO)
Prohibit flow of PHI unless voluntarily authorized by
the consumer
Allow consumer to know who is accessing their PHI
outside of TPO use
Allow consumers to obtain access to their records &
request amendment of records if the consumer feels
they are inaccurate or incomplete
Provider Responsibilities
Provide formal complaint handling system
Allow use of de-identified data
Follow “minimum necessary” requirements
Establish Business Associate Agreements
Duty to mitigate damage if violations occur
Establish sanctions for HIPAA violations
Privacy Penalties
Wrongful Disclosure Offense: $50,000 fine,
imprisonment of not more than one year,
or both.
Offense Under False Pretenses: $100,000,
imprisonment, or not more than 5 years, or both.
Offense with Intent to Sell Information:
$250,000 fine, imprisonment of not more
than 10 years, or both.
Uses/Disclosures not requiring
Authorization
To the consumer or legally authorized
representative of the consumer
To health oversight agencies
To the Department of Health & Human Services for
investigation and enforcement purposes
By court order (as outlined in CFR 42 - strictest)
Uses/Disclosures not requiring
Authorization
To U.S. Public Health Authorities - to prevent
or control disease, injury, or disability
In following disclosure procedures for
deceased consumers as outlined in VA law
To consumers exposed to communicable
disease or at risk of contracting or spreading
disease - under law & public health
intervention/investigation
Uses/Disclosures not requiring
Authorization
For reports of suspected child abuse or neglect to
the appropriate authority
For reports about an adult victim of abuse, neglect,
or domestic violence
State’s mandatory reporting laws
Inform
the individual of the report
Seek the individual’s agreement when possible
Can report without the individual’s agreement
Uses/Disclosures not requiring
Authorization
Healthcare Oversight Activities
Authorized by Law:
•
•
•
•
•
Audits
Investigations (as permitted by CFR 42)
Inspections (i.e., Health Inspection of facilities)
Civil/criminal/administrative proceeding/action by a
properly executed court order (CFR 42)
Other appropriate oversight actions:
Government
regulatory programs
Government benefit programs - for eligibility
Privacy Preemption
HIPAA
Will preempt
other federal or
state laws relating
to PHI
(Except for those
more stringent
than HIPAA)
HIPAA is not added red tape
but...
Applying BEST PRACTICES to protect
Mr. Hipp’s confidential healthcare
information in a world where
inappropriate sharing of PHI could result
in:
Identity theft
Loss of privacy and control over
healthcare information
Possible discrimination practices
Consumer Rights violations
How does the Privacy Rule
affect Piedmont CSB?
New HIPAA Forms &
Policies
Privacy Notice
Right to Access Policy
Request For Amendment Policy
Minimum Necessary Policy & Procedure
Tele-facsimile Policy
Email Policy
Business Associates Agreement
Authorization to Release Information
Privacy Notice
Replaces the “Your Rights” Form
Describes use and disclosure of health
information.
Special circumstances for disclosure.
Other uses and disclosure only with
authorizations.
Describes revisions to policy.
Lists, Privacy Officer, Regional Advocate and
Office of Health & Human Services contact
numbers.
MUST BE POSTED AT ALL SERVICE SITES
Right to Access PHI
All individuals and/or legally appointed representatives have a right to
inspect and/or obtain a copy of their medical record.
Exceptions
Use in civil, criminal proceeding
Inmate of correctional facility and if could jeopardize health &
safety
Involved in research that includes treatment he/she agreed not to
have access to the information.
The individuals psychiatrist or psychologist has determined that
the information could be injurious to the individuals mental or
physical well-being.
Procedures outlined in policy
Request to Amend Medical Record
All consumer have a right to
request an amendment to his/her
medical record.
Must be requested in writing to the
primary clinician.
PCS has 60 days to respond to the
request. Can request an extension
of 30 days.
Denial of Request to
Amend
a. May deny the request if the information was not
created by the agency;
b. May deny the request if the individual who created
the information that the individual served wants amended
is no longer an employee of the agency;
c. May deny the request if the information in the record
is currently accurate and complete.
Amendment Approved
a. The agency shall make the amendment. The minimum amendment
accepted is identifying the information to be amended then providing a link to
the amended information.
b. Inform the individual served that the amendment(s) is accepted.
c. Obtain from the individual served the names and addresses of individuals
who need to have the amended information.
d. Attempt to reach those individuals who need to have the amended
information.
e. Attempt to contact other persons or business associates regarding the
amended information if the information was detrimental to the client.
Minimum Necessary
Policy
Privacy Rule requires that covered entities take
reasonable steps to limit the use and disclosure
of PHI.
Only the information necessary to meet the
request is to be released.
The medical record in it’s entirety will not
routinely be released.
All release of information must be approved by
the lead clinician.
Fax Policy
All personnel must strictly observe
fax policies.
May be faxed under certain
circumstances
May not be faxed under certain
circumstances
Protocol for faxing PHI.
Security of PHI when faxing.
Email Policy
The e-mail system and all messages generated or handled by
PCS’s equipment is considered part of business operations.
PCS reserves the right to monitor, audit, delete email messages.
It is not the policy of PCS to routinely monitor the contents of email.
Only when a situation warrants such an action.
All emails containing PHI MUST BE encrypted before sending.
Email encryption procedures will be forthcoming. Until then, no PHI
should be sent via email.
Business Associates
Agreement
Business Associates - An entity that does things on
our behalf and with whom we share/give access to
PHI
Business Associate Agreement - Establishes
permitted uses, disclosures, and safeguards for PHI
Examples:
CSB Attorney, CARF, social services, auditors…
Authorization to Release
Info
Changes made to the disclaimer
statement.
Authorizations must be on file before any
information can be released.
All releases of information must be
recorded and made available to
consumers upon request.
Frequently Asked
Questions
Documentation on PCS Intranet.
Other questions, contact Kippy
Cassell
HIPAA is basically instituting best
practices to protect the consumers
privacy and confidentially.