Administrative Simplification Provisions of HIPAA

Primer on HIPAA:
A Presentation to the Tort Section of the Alaska Bar Association
Joan M. Wilson
DAVIS WRIGHT TREMAINE
Anchorage, Alaska
[email protected]
(907) 257-5337
Overview of Presentation
• HIPAA Lay of the Land
• Covered Entities
• HIPAA Privacy Requirements
  • Authorizations
  • Law Enforcement
  • Court Orders/Subpoenas
• HIPAA Security Requirements
• Enforcement
HIPAA — The Big Picture
Not Just One Issue
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Title I: Portability
• Title II: Administrative Simplification
  • Transaction Standards
  • Health Identifiers
  • Electronic Signature
  • Security
  • Privacy
• Titles III, IV, V
Privacy and Security
Privacy — protects all individually identifiable health information:
• Paper
• Electronic
• Oral
Security — ensures:
• Privacy
• Accessibility
• Integrity
of electronic health information
Where the two overlap: privacy of electronic health information
Covered Entities
• Health Plans (including many employee benefit plans)
  • Plans that provide or pay for medical care, including Medicare and Medicaid
• Health Care Clearinghouses
  • Entities that process or facilitate processing nonstandard data elements into standard data elements, or vice versa
• Providers who electronically transmit any health information in a HIPAA covered transaction
  • Furnishes, bills or is paid for health care in the normal course of business
Standard Transactions
• Claims or encounter information
• Enrollment and disenrollment
• Health plan eligibility
• Payment and remittance advice
• Referral certification and authorization
• Health care claim status
• Premium payments
• Coordination of benefits
Standard Transactions
Requirements for Covered Entities
• Providers don’t have to conduct electronic transactions, but they must use the standards if they do
• Health plans must —
  • Use the standards for electronic transactions
  • Accept standard transactions from providers, and process them promptly
  • Use the standards if requested of others
• Providers and plans may use clearinghouses to comply
• CEs are not permitted to vary the standards
Standard Transactions
AHA, Provider Groups Urge Action to Prevent HIPAA Transactions ‘Train Wreck’
“Rejection of non-standard transactions and resulting reversion to paper transactions by significant number of providers will lead to a major disruption of payments” – Fault Payers
• American Clinical Laboratory Assoc.
• American Health Care Association
• American Hospital Association
• American Medical Association
• Premier, Inc.
• VHA, Inc.
Standard Transactions
Not a One-Sided Issue
• OCR Survey – 94% of Medicare Part B Providers Expect Compliance, but Do Worry about Trading Partners (Payers)
• Y2K Comparisons
• Commercial Reasonableness Guard Against Excessive Policing
• Month to Two Month Learning Process
• Advise
  • Other Reserves
  • Line of Credit
  • Testing
Privacy Overview
The Privacy Rule covers —
• Permitted uses and disclosures of protected information
• Individual rights
• Administrative requirements
Privacy
Protected Health Information
Information relating to —
• Past, present or future physical or mental health or condition of an individual,
• Provision of health care to an individual, or
• Past, present or future payment for health care
Created/received by provider, plan, employer or clearinghouse, and
Individually identifiable or reasonably likely to be identifiable
In any medium:
• Written
• Verbal
• Electronic
Use and Disclosure
General rule: A covered entity and its workforce may not use or disclose protected health information, except —
• For treatment, payment and operations
• With individual permission
  • After opportunity to agree or object
  • With an authorization
• To the individual
• As otherwise permitted or required by HIPAA
Preemption of State Law
General Rule: HIPAA preempts or supersedes all “contrary” State laws
Exceptions:
• HHS determination
• State law that is “more stringent”
• Public health reporting
• Insurance oversight
HIPAA — floor for privacy requirements
Alaska law still will apply in many cases
Required Disclosures
• To the individual, pursuant to access right
• To the Secretary of DHHS, to determine compliance
Permitted Use and Disclosure — Treatment
Treatment includes —
• Provision of health care
• Coordination of health care
• Referral for health care
May disclose to other providers for treatment
Permitted Use and Disclosure — Payment
Payment includes —
• Health plan activities to determine payment responsibilities and make payment
• Provider activities to obtain reimbursement
  • Coverage determinations
  • Billing and claims management
  • Medical review, medical data processing
  • Review of services for medical necessity, coverage, appropriateness; utilization review
Permitted Use and Disclosure — Payment
Covered entities also may disclose health information to other providers to assist them in obtaining payment and limited operations
Permitted Use and Disclosure — Health Care Operations
Health care operations include —
• Quality assessment and improvement
• Peer review, education, accreditation, certification, licensing and credentialing
• Insurance-related activities
• Auditing and compliance programs
• Business planning and development
• Business management and general administration
• Sale, transfer, merger or consolidation of a covered entity with another entity that is or will become covered, including due diligence
Disclosures Requiring an Opportunity to Object
Individuals must have opportunity to agree or object to certain uses or disclosures of PHI:
• Directory (name, location, general condition & religious affiliation)
• Disclosure to family/friends involved in patient’s treatment of PHI directly related to their involvement
• Notification to responsible person about location, general condition or death
Individual Authorization
If a use or disclosure is not otherwise permitted, a covered entity may not use or disclose PHI without a valid authorization in place
Core elements:
• Meaningful and specific description of information
• Name or other specific identification of persons or class of persons authorized to make and receive the requested use or disclosure
• Each purpose (“at the request of the individual” is sufficient when the individual initiates the authorization)
• Expiration date/event
• Signature/date/representation of authority
Individual Authorization
Required statements (in plain language):
• Right to revoke in writing (with exceptions/limitation) and explanation of how to revoke or reference to Privacy Notice
• Whether authorization is a condition of treatment
• Potential for redisclosure and no further HIPAA protection
Obtain appropriate signature – copy to individual
Individual Authorization
• Give a copy of authorization
• Make sure authorization is:
  • Completely filled in
  • Signed by appropriate person
• Defective authorization is not valid
• Covered entity not required to disclose PHI pursuant to authorization -- disclosure permissible
• Duty of additional inquiry for excessive authorizations?
• Address policies/procedures
Permitted Disclosures Absent Authorization
Government and Other Purposes
• As required by other laws
• Organ procurement
• Public health activities
• Research purposes, under limited circumstances
• Victims of abuse, etc.
• Health oversight activities
• Workers’ compensation
• Law enforcement purposes
• Decedents - coroners and medical examiners
• Imminent threat to health or safety (to the individual or the public)
• Specialized government function
• Judicial and administrative proceedings
Disclosures to Law Enforcement
• Required by Law
• Victims of Abuse
• Law Enforcement Purposes
• Victims, Suspects, Detainees
• Imminent Threat to Health or Safety
• Judicial and Administrative Proceedings
• Subpoena vs. Court Order
Disclosures to Law Enforcement
Required by Law
• Suspected Child Abuse
• Suspected Elderly or Vulnerable Adult Abuse
• Certain Injuries
  • Burns
  • Bullet wound
  • Stabbing
  • Injuries likely to cause death
  unless clearly accidental
Disclosures to Law Enforcement
Conditions of Disclosure of Abuse
• If the disclosure is required by law
• If the individual agrees, or
• If the disclosure is authorized by statute and regulation and provider believes the disclosure is necessary
  • to prevent serious harm to the individual or other potential victims
  • Or the individual is unable to agree because of incapacity, a law enforcement officer represents that the PHI is not intended to be used against the individual and an immediate enforcement activity would be materially and adversely affected by waiting for the individual to be able to agree
Disclosures to Law Enforcement
Limited Information for Identification and Location Purposes
If no subpoena, etc., a provider may disclose PHI in response to a law enforcement official’s request for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person
Disclosures to Law Enforcement
Limited Information for Identification and Location Purposes
Subject to that request, Provider may disclose only the following:
• Name and address
• Date and place of birth
• Social Security Number
• ABO blood type and Rh factor
• Type of injury
• Date and time of treatment
• Date and time of death
• Description of distinguishing physical characteristics
Disclosures to Law Enforcement
Limited Information for Identification and Location Purposes
Excluded unless other court process or other requirement:
• DNA
• Dental records
• Typing
• Samples or analysis of body fluids or tissue
Judicial or Administrative Proceedings
A provider may disclose PHI in the course of a judicial or administrative proceeding, if
• Court or administrative tribunal order (some providers require this)
• Subpoena or discovery request absent court order if
  • Satisfactory assurance of notice to patient, or
  • Reasonable efforts to secure a protective order
Judicial or Administrative Proceedings
Satisfactory assurance of notice to patient: a writing by requestor and accompanying documentation that evidences:
• Good faith attempt to provide written notice to patient
• Notice contained sufficient information about the litigation or proceeding to permit patient to raise an objection
• Time to raise objection lapsed and
  • No objections filed, or
  • Objections filed and resolved by court and disclosure is consistent with resolution
Judicial or Administrative Proceedings
Reasonable efforts to secure a protective order: a writing and accompanying documentation that evidences
• Parties have agreed to a qualified protective order and presented it to the court
• Party requesting information has sought the protective order
Judicial or Administrative Proceedings
Qualified Protective Order
• Court or tribunal order or stipulation by the parties
• Prohibits use of PHI outside litigation or proceeding
• Requires return or destruction of PHI (original and copies) at end of litigation or proceeding
Judicial or Administrative Proceedings
Absent protective order from the parties, provider may still disclose in response to lawful process if
• It makes reasonable effort to provide notice to the patient (as above), or
• Seeks a qualified protective order on its own
Minors
General rule: Parents accorded rights to children’s PHI
Except
• Where state or other law expressly identifies the parent’s or child’s rights
• Agreement to the contrary
Minors
Where the law is silent and parent is personal representative for child
• Parent has access/control of PHI
• Personal Representative – state law question
Where the law is silent and parent is not personal representative
• May deny access if permitted under state law and decision made by a licensed health care provider
• If law silent, no right to demand PHI
Minors
Exception
• Disclosure permitted or denied where necessary to avert serious or imminent threat to the safety or health of the child
Use and Disclosure — Minimum Amount Necessary
Amount of information to be restricted to minimum necessary
Covered entities must make reasonable efforts
• Not to use, disclose or receive
• More than minimum amount necessary
• To accomplish the intended purpose
Use and Disclosure — Minimum Amount Necessary
Exceptions:
• Disclosure to a provider for treatment
  • Not payment and operations
• Release authorized by individual or for individual’s own review
• Disclosure to HHS
• Compliance with HIPAA requirements
• Required by law
Minimum Necessary Information
CE may rely on scope of information requested by —
• A public official
• Another covered entity
• A “professional” providing services to the CE
• Researchers (as long as the research requirements are satisfied)
A CE may not disclose the entire record, unless it is justified
• But this does not apply to disclosure to providers for treatment
Incidental Uses and Disclosures
Allows “incidental” uses and disclosures
• Secondary use or disclosure
• Limited in nature
• Cannot be reasonably prevented
• By-product of otherwise permissible use or disclosure
Examples include:
• Sign-in sheets; calling names in waiting rooms
• Discussions in nursing station; rounds
• Joint treatment areas
Use and Disclosure — Who is a Business Associate?
A person who, on behalf of a covered entity —
• Performs or assists with a function or activity involving individually identifiable information, or otherwise covered by HIPAA
• Performs certain identified services
[Diagram: the Covered Entity surrounded by examples of business associates — Billing Firms, Clearinghouses, Management Firms, Auditors, Lawyers, Actuaries, Consultants, Vendors, Other Covered Entities, TPAs, Accreditation Organizations]
Business Associate Contracts — Required Terms
A covered entity may disclose protected health information to business associates if it:
• Obtains “satisfactory assurance” that business associates will appropriately safeguard the information
• Business associate contract required
Business Associate Contracts — Required Terms
Specific contract content requirements include:
• Use and disclose information only as authorized
• Implement privacy and security safeguards
• Report unauthorized disclosures
• Assist with individual rights
• Make available its records to HHS
• Ensure subcontractors comply
Need to identify all possible business associates of your organization
Business Associates
• Covered entity may be liable for a BA’s breach if it knew of a “pattern of activity or practice” in violation of the agreement and
• Failed to take reasonable steps to cure the breach or terminate the contract, or report to the Secretary
• Otherwise, no affirmative duty to monitor BAs
Business Associate Contracts — Extension
Covered Entities May Operate Under Existing Contracts for up to one year beyond April 14, 2003
• Transition period available for existing written contracts so long as the contract is not renewed or modified between April 14, 2003 and April 14, 2004
• Agreement deemed in compliance until the sooner of modification or April 14, 2004
Caveat: CE still is held to compliance with privacy regulations
Group Health Plan/Plan Sponsor
Plan may not disclose PHI to plan sponsor, without following plan sponsor rules, except
• Summary health information to obtain premium bids or modifying/terminating the group health plan
• Enrollment and disenrollment information
Group Health Plan/Plan Sponsor
Plan sponsor may receive plan PHI
• Amend plan documents
• Firewalls between employer and plan functions
• Train personnel
Remember, Plan is a covered entity
Individual Rights
Individual Rights — Right to Notice of Privacy Practices
Individuals have a right to receive Notice of Privacy Practices
What is the notice?
• Document in sufficient detail to put the patient on notice of CE’s practices
• HHS recommends layered notice (summary + long form)
• Written in plain language
• Specific content requirements including:
  • Individual rights and legal duties of covered entity
  • Complaints and contacts
Individual Rights — Right to Notice of Privacy Practices
• Provide notice to individuals by the first date of service
• Posted in prominent location
• Available upon request
• On website
• Acknowledgment
Individual Rights — Acknowledgement
Written acknowledgement of receipt of notice of privacy practices replaces consent
Direct treatment providers
• Make good faith effort
• To obtain acknowledgment of receipt of notice
• Attempt at date of first service delivery, including service delivered electronically
• Document reasons if unable to obtain signed acknowledgment
Individual Rights — Right to Access to PHI
Individuals are entitled to access (inspection and copying) of their own PHI held by health plan or health care provider, including their business associates
Exceptions —
• Access likely to endanger life or physical safety
• Information is about another, and access likely to cause substantial harm to him or her
• Information obtained under promise of confidentiality
• Information compiled for legal proceedings
• Psychotherapy notes
• Prohibited by CLIA
Individual Rights — Right to Access
Right to request access to own protected health information
• Reviewable and unreviewable grounds for denial
• Explanation of reasons for denial
• Allow review of denial if appropriate
Individual Rights — Right to Request Amendment
Individual may request amendment of his/her records
In response, covered entity may —
• Accept amendment
• Deny amendment
  • Grounds include: not created by entity; information is accurate and complete; information is not subject to access
  • Statement of disagreement (by individual)
  • Rebuttal statement (by covered entity)
  • Record-keeping/linking
Individual Rights — Accounting of Disclosures
Right to receive an accounting of disclosures
Accounting includes:
• Date of disclosure
• Recipient name and address
• Description of information disclosed
• Purpose of disclosure
Individual Rights — Accounting of Disclosures
Exceptions include:
• Treatment, payment and health care operations
• Individual access
• Directories, persons involved in care
• Pursuant to authorizations
• National security or intelligence
• Incidental disclosures
• Limited data set
• Prior to April 14, 2003
Individual Rights — Right to Request Additional Protections
Right to request additional privacy protections
• Covered entity may refuse
• If it agrees, it is bound (except in emergency)
• Be careful in granting requests
Right to request to receive communications in alternative fashion
• Must accommodate reasonable requests
Administrative Requirements
• Documented policies, procedures and systems
• Designate privacy official and contact person
• Implement safeguards to protect information from intentional or accidental misuse
• Mitigation for improper use or disclosure
• Complaint mechanism
• No intimidation/retaliation for exercising rights
• No requirement to waive rights
Administrative Requirements — Workforce Training and Sanctions
Privacy and security awareness training to
• Entire workforce by compliance date
• New employees following hire
• Affected employees after material changes in policies
Training to be documented
Systems of sanctions — consistent enforcement
Security
Security Rule – Status
• Proposed standards published August, 1998
• Final standards published February 20, 2003
• Statute and portions of privacy rule touching upon security apply
Security
What Information Is Protected?
All health information pertaining to an individual that is electronically maintained or transmitted
Compare: the privacy standards protect all individually identifiable health information, in whatever form
There Are Threats
• Hackers & Crackers
• Trusted Insiders
  • Employees
  • Consultants
Security
Key to Security Rules
Covered entities must:
• Ensure the confidentiality, integrity and availability of all electronic PHI created, received, maintained or transmitted by CE
• Protect against reasonably anticipated —
  • Threats or hazards to security or integrity
  • Unauthorized uses or disclosures
• Ensure workforce compliance with security rule
Security Approach
• Standards
• Implementation specifications
  • Required
  • Addressable
    • Assess reasonableness
    • Implement if reasonable
    • If not reasonable, document reason, implement equivalent alternative
• Technology neutral
Security Overview
• Administrative safeguards
• Physical safeguards
• Technical safeguards
• Other requirements
  • Organizational requirements
  • Policies, procedures and documentation
Security
Administrative Requirements
• Security management process
  • Risk analysis
  • Risk management
  • Sanction policy
  • Information system activity review
• Security official
• Evaluation
Security
Administrative Requirements
• Workforce security — authorization, clearance, termination
• Information access management
• Security awareness and training
  • Reminders
  • Log-in monitoring
  • Malicious software
  • Password
Security
Administrative Requirements
Policies and Procedures
• Contingency plan
  • Data back-up plan
  • Disaster recovery plan
  • Emergency mode of operation plan
• Security incident procedures
• Business Associate Contracts
Security
Physical Safeguards
• Device and media controls
  • Disposal
  • Media re-use
  • Accountability
  • Data back-up and storage
• Facility access controls
  • Contingency operations
  • Facility security plan
• Workstation use
• Workstation security
Security
Technical Safeguards
• Access control
  • Unique user identification
  • Emergency access
  • Encryption and automatic logoff are optional
• Audit controls
• Integrity
• Entity/person authentication
• Transmission security
Security
Organizational Requirements
• Business associate contracts
  • Consistent with privacy BAC
  • Content requirements
    • Administrative, physical and technical safeguards to reasonably and appropriately protect confidentiality, integrity and availability of electronic PHI
    • Agents use appropriate safeguards
    • Report security incident
    • Termination
Security
Organizational Requirements
• Group health plans
  • Consistent with privacy rule
  • Amend plan
  • Implement safeguards
  • Agents use appropriate safeguards
  • Report security incident
Security
Policies and Documentation
• Implement reasonable policies and procedures
• Documentation
HIPAA Penalties and Enforcement
Civil penalties
• $100 per violation
• $25,000 annual cap for violations of “identical” requirement
Criminal penalties
• Wrongful disclosure: up to $5,000 and/or 1 year jail time
• False pretenses: $100,000 and/or 5 yrs imprisonment
• For profit/with malice: up to $250,000 and/or 10 yrs in jail
Other “penalties” or liability
• Standard of care
• Reputation
Potential Civil Liability — Ratcheting Duty of Care
• Tort – Negligence
• Tort – Invasion of Privacy
• Tort – Breach of Confidence (Physician-Patient)
• Tort – Defamation
• Tort – Fraud
• Statutory – Consumer Fraud
• Contract – Breach of Confidentiality Clauses/Policies
• Contract – Breach of Express or Implied Warranty
• Contract – Suits by Business Associates
• Employment-related suits (HIPAA sanctions issues)
HIPAA Myths
• A patient cannot be listed in a hospital’s directory without the patient’s consent
• A patient’s family member may no longer pick up prescriptions for the patient
• Public health and law enforcement officials have new rights to access patient records without consent
• Providers may call law enforcement and let them know when certain patients are discharged
• If a patient refuses to sign an acknowledgment of receipt of a Privacy Practice Notice, the government can prevent the doctor from treating her
HIPAA Myths
• HIPAA eliminates the use of sign-in sheets in medical offices – in fact, providers must issue patients vibrating pagers to alert the patient to enter the treatment room
• HIPAA eliminates the ability to provide telephone reminders of appointments
• HIPAA requires an accounting of all uses of PHI
• Because an authorization must state the purpose of disclosure, the minimum necessary rule applies to patient-authorized disclosures
HIPAA Myths
• Children must sign release forms before their parents can see their medical records
• Providers may not disclose medical records to the family of the deceased until an executor has been appointed
• Patients may receive a copy of their medical records, but providers may charge $5 to $300 per page to copy the records
• Covered entities must remove their names from the outside of buildings so that people driving by will not see that patients are entering
Questions?