Introduction - Owen & Fazio, P.C.


HIPAA PRIVACY RULE: AN OVERVIEW
GUIDE FOR BUSINESSES
Written by PRIYAL PARMAR
7557 Rambler Road, Suite 1465
Dallas, Texas 75231
(214) 891-5960
(214) 891-5966 – Facsimile
INTRODUCTION
HIPAA was enacted on August 21, 1996 as a set of basic national privacy standards and fair information practices to protect the privacy of the health information of consumers, and to protect an individual’s right to access and control the use of personal health information (PHI).
This presentation provides a summary of the HIPAA Privacy Rule. The goal of this presentation is to provide a guideline that businesses can use to ensure compliance with HIPAA. This information is not exhaustive, and the attorneys at Owen & Fazio, P.C. can provide more detailed guidance upon request.
WHO HAS TO COMPLY WITH HIPAA?
Covered entities – This includes:
 All health plans – any individual or group health plan that provides, or pays the cost of, medical care (includes health insurers)
   A health plan that has >50 participants is automatically a covered entity
   An entity is not considered to be a health plan for HIPAA purposes if:
     It falls under the Public Health Service Act
     It provides incidental health care services
 All health care clearinghouses – any public or private entity that processes (or facilitates the processing of) health information received from another entity in a non-standard format
 Health care providers – those that provide medical and health services, and any person or organization that furnishes, bills, or is paid for health care services or supplies in the normal course of business
   Only those health care providers that transmit health information in electronic form in connection with a standard transaction
   Examples of standard transactions: eligibility request, claim submission, claim status inquiry, claim payment, referral request, medical services authorization
WHAT IS COVERED?
Protected Health Information (PHI) – Information that:
 Relates to the past, present, or future physical or mental health or condition of an individual, OR
 Relates to the provision of health care to an individual, OR
 Relates to the past, present, or future payment for health care, AND
 Is individually identifiable, AND
 Is transmitted by electronic media, maintained in any medium described in the definition of electronic media, or transmitted or maintained in any other form or medium.
What is excluded from PHI?
 PHI in education records covered by the Family Educational Rights and Privacy Act (FERPA)
 Employment records held by the covered entity in its role as an employer
 De-identified information. De-identification can be accomplished by using one of two methods:
   MIT method – qualified people use statistics and scientific methods to show that there is a very small risk that the information could be used by others to identify a subject of the information
   Safe-harbor method – remove all of the 18 enumerated identifiers
USES AND DISCLOSURES
 Those that require no patient permission
   Treatment
   Payment
   Health care operations
   Public policy activities
 Those that require the patient’s oral agreement
   Directory information – name, location, general condition, religious affiliation
   Disclosures to persons involved in the individual’s care or payment of care
   Disclosure to family members of the patient’s general condition and death for the purpose of notification
 Those that require the patient’s written authorization
   Disclosure of psychotherapy notes
   Disclosure for marketing purposes
REQUIRED ELEMENTS OF A WRITTEN AUTHORIZATION
1. Specific description of the information to be disclosed
2. Specific identification of the covered entity authorized to make the use or disclosure
3. Specific identification of the person(s) to whom the covered entity may make disclosure
4. Specific description of each purpose
5. Expiration date or event
6. Signature of the individual
7. Date
8. Information regarding the right to revoke the authorization and the exceptions to it
9. Ability or inability of the covered entity to condition treatment, payment, enrollment in the health plan, or eligibility for benefits, on the authorization
10. Potential for the information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient

NOTE:
 The authorization must be written in plain language
 Covered entity must provide the individual with a copy of the signed authorization
 Covered entity must retain a copy of the signed authorization for itself
 The authorization is considered defective if:
   Expiration date has passed
   It is not filled out completely
   It is known to be revoked
   It contains false material
REQUIRED DISCLOSURES
Must be disclosed:
 When the individual requests his/her own PHI
 When the Department of Health and Human Services (DHHS) requests the PHI to investigate a covered entity’s compliance with HIPAA
MINIMUM NECESSARY RULE
 Covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request
 If it is a routine disclosure, the covered entity is required to implement policies and procedures to restrict such disclosures to the minimum necessary standard
INDIVIDUAL RIGHTS
Right to Receive Notice
 Purpose – to notify the individual about the protections of health information by the covered entity
 Must post the notice in a conspicuous place where patients are likely to look. Ex: payment window
 Must also keep copies for patients to take
 If the covered entity has a website, the notice must be posted on the website as well

Note: The next 5 slides explore the Right to Receive Notice in more detail
What are the components of the notice?
 It must contain a statement that additional uses and disclosures require written authorization
 It must clearly outline the covered entity’s legal duties with respect to the information
 It must give instructions on how to file a complaint with the Department of Health and Human Services if the individual feels that his/her privacy rights have been violated
Who must give notice?
 Any health care provider with a direct treatment (not indirect) relationship with the individual must give notice
   Indirect treatment relationship – when a health care provider delivers health care to the individual based on the orders of another health care provider, and the health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual
   Ex: radiologists, pathologists, clinical laboratories
 Health care clearinghouses, correctional institutions, and group health plans that provide benefits through health maintenance organization (HMO) contracts are not required to give notice, but must provide one upon request by an individual
 Affiliated covered entities under common ownership or control may designate themselves as one single entity and produce a single notice
When must notice be given?
 At the time of enrollment of a new client or the time of first service delivery
 Within 60 days of making a material revision to the notice
 Any time the patient requests a notice
 A health plan should remind enrollees about how to obtain a copy of the notice at least once every 3 years
Who must the notice be given to?
 EACH ENROLLEE, NOT each covered spouse or dependent
Acknowledgment
 Once notice is given, a covered entity should obtain a written acknowledgement by either:
   Signature on the notice
   Initials on the notice cover sheet
   Signature on a separate list
 If the covered entity is unable to obtain acknowledgement, it must document its good faith attempts to obtain it and the reason(s) why it was not obtained
RIGHT TO ACCESS PHI
 Patients have the right to inspect and copy their PHI in a designated record set (a group of records maintained by or for a covered entity that are medical records, billing records, enrollment, payment, claims adjudication, case management record systems, or records used by covered entities to make decisions about individuals)
 Exceptions
   Psychotherapy notes
   Information compiled in anticipation of legal proceedings
   PHI that is subject to the Clinical Laboratory Improvement Amendments (CLIA) to the extent the provision of access to the individual would be prohibited by law or exempt from CLIA
 Covered entity must comply in a timely manner, usually 30 days
   For records not maintained on site, the covered entity has 60 days to comply
   A one-time extension of 30 days is allowed, but the covered entity must give the individual the need and the reason(s) for the extension
 Covered entity must have a procedure in place to challenge denial of access
 Two situations when access can be denied and no appeal is available:
   Inmates of a correctional institution
   Research participants, but only until the research is completed
 If access is denied, the individual must receive a written explanation of the basis for denial. It should be easy to understand and inform the individual of any existing appeal rights. It must also alert the individual of the availability of the right to complain to the covered entity or the DHHS.
RIGHT TO AMEND PHI
 Individuals have the right to amend incorrect or incomplete PHI
 A covered entity must respond to the request for amendment in a timely manner, within 30 to 60 days
RIGHT TO AN ACCOUNTING OF DISCLOSURES OF PHI
 Individuals have the right to receive an accounting of disclosures of PHI made by a covered entity in the 6 years prior to the date on which the accounting is requested
 Accounting must include:
   Date of disclosure
   Name of the entity or person who received the PHI, and address if known
   Brief description of the PHI disclosed
   Brief statement of the purpose of the disclosure
 Exceptions to the right to receive an accounting (disclosures that need not be accounted for):
   To individuals or their personal representatives for treatment, payment, or health care operations
   For national security or intelligence reasons
   For a facility’s directory
   PHI disclosed prior to the April 14, 2003 compliance deadline
   Pursuant to an authorization
   To correctional institutions or law enforcement officials
   Incident to a use or disclosure otherwise permitted or required by this subpart
 Covered entity must act on the request within 60 days
 The first accounting in a 12-month period is free, but subsequent requests may be charged a reasonable cost-based fee
APPOINTMENT OF PRIVACY OFFICER
 A covered entity must appoint a privacy officer who is in charge of developing and implementing policies and procedures
 It must also designate a person/office for receiving complaints
WORKFORCE TRAINING
 All members of the workforce must be trained by the compliance date
 New members must be trained within a reasonable time
 If material changes are made, all workforce members affected by the change must be trained within a reasonable time
PENALTIES AND ENFORCEMENT
 Individuals can lodge complaints with the attorney general, state insurance commissioner, state medical board, or the United States Department of Health and Human Services (DHHS) Office for Civil Rights
 DHHS can impose civil penalties between $100,000 and $250,000
 Civil penalties can only be imposed for willful violations
 If reasonable cause is found, no penalties are given as long as the covered entity corrects the non-compliance within 30 days
 Civil penalties cannot be imposed if criminal penalties have already been imposed
 Criminal penalties
   Knowing violations of HIPAA = $50,000 or less and/or 1 year or less in prison
   Using false pretenses to violate HIPAA = $100,000 or less and/or 5 years or less in prison
   Intent to gain personally or commercially, or with intent to cause malicious harm, by the misuse of IIHI = $250,000 or less and/or 10 years or less in prison
COMPLIANCE DATES
 Health care providers, health care clearinghouses, and health plans must comply by April 14, 2003
 Small health plans must comply by April 14, 2004
BUSINESS ASSOCIATES
 A person or organization outside the covered entity that performs, or assists in the performance of, functions and activities covered by HIPAA. Ex: legal, actuarial, accounting, etc.
 HIPAA does not apply directly to a business associate, but may apply to them indirectly if there is a business associate agreement
 A business associate agreement is a contract between a covered entity and a business associate and must contain the following required elements:
   Establish permitted uses and disclosures
   State that the business associate will not use information for further uses and disclosures not in the agreement
   State that the business associate will use appropriate safeguards to prevent the use or disclosure of information other than as provided by the contract
   The business associate will report to the covered entity regarding any use or disclosure not in the agreement
   Business associate must agree to get all of its subcontractors to comply with the business associate agreement
   Business associate must make PHI available for inspection and copying
   Business associate must make PHI available for amendment
   Business associate must make its records available to the Secretary of DHHS to check the covered entity’s compliance with HIPAA
   Business associate must agree to return or destroy all information at the end of the contract, if feasible to do so
   Agreement must establish that the covered entity can terminate the contract with the business associate for any violations
STATE PREEMPTION
 HIPAA preempts any state law unless the state law is more stringent.
HIPAA WEB SITES
 Association of American Medical Colleges, www.aamc.org
 American Health Information Management Association, www.ahima.org/journal
 Department of Health and Human Services, www.aspe.dhhs.gov
 Health Privacy Project, www.healthprivacy.org
 United States Department of Health and Human Services, www.hhs.gov/news/facts/privacy.html
 Phoenix Health Systems HIPAAdvisory, www.hipaadvisory.com