Slide 1
HIPAA Core Privacy Training
Presented By:
NC DHHS HIPAA Program Management Office Staff
Sarah Brooks, MPA, RHIA, CPM
Julie Burton, BS (HIM), CPM
April-May 2002
Page 1
NC DHHS HIPAA PMO
Slide 2
Welcome / Announcements
Introduction of Speakers
Facilities
Lunch Possibilities
Handouts
Slides on Website
– http://dirm.state.nc.us/hipaa/
Questions
Use of Term “Client”
Slide 3
PART ONE
Slide 4
Training Objectives
Comprehensive understanding of HIPAA Privacy
Regulations
Review NC DHHS Compliance Process
Relate HIPAA Privacy Regulations to NC DHHS
operations
NOTE: Presentation geared to state agencies
Prerequisite
Basic understanding of privacy and confidentiality
practices in health care
Slide 5
HIPAA Core Privacy Training Agenda
TOPIC | PRESENTER
Welcome/Announcements | Sarah Brooks
HIPAA Overview | Sarah Brooks
Privacy Introduction | Julie Burton
Consents and Authorizations | Sarah Brooks
BREAK (15 Minutes)
Consents and Authorizations (continued) | Sarah Brooks
Client Rights | Julie Burton
Use and Disclosure | Sarah Brooks
LUNCH (1 Hour, 15 Minutes)
Use and Disclosure | Sarah Brooks
Minimum Necessary/Accounting of Disclosures | Julie Burton
BREAK (15 Minutes)
Business Associates | Julie Burton
Administrative Requirements | Sarah Brooks
Compliance and Enforcement | Julie Burton
Guidance, NPRM and Anticipated Modifications | Julie Burton
Implementation | Sarah Brooks
Please Turn in Evaluation Form
Slide 6
Introduction to HIPAA
(Health Insurance Portability and
Accountability Act)
Slide 7
Purpose of HIPAA
Improve portability and continuity of health
insurance coverage in the group and individual
markets;
To combat waste, fraud, and abuse in health
insurance and health care delivery;
To promote the use of medical savings accounts;
To improve access to long-term care services and
coverage; and
To simplify the administration of health insurance
Slide 8
How the Law is Structured
HIPAA is divided into five titles - each
addresses a unique aspect of health
insurance reform.
Title II is also known as Administrative
Simplification
If Congress did not adopt legislation to
enact Administrative Simplification,
HHS was charged with promulgating
rules
HHS was limited to enacting rules
based on statutory language
Slide 9
Standards for Compliance
Electronic Transactions
– Compliance required 10/16/02
– With a plan filed, compliance extended
to 10/16/03
Claims Attachments
– Not drafted
Unique Health Identifiers
– Employer, Health Plan, Provider, and Individual Identifiers
– Compliance Deadline 24 months after publication
Slide 10
Standards for Compliance (cont'd)
Privacy
– Compliance required 4/14/03
– Proposed Amendments 3/27/02
– NOTE: Extension of Transaction compliance DOES NOT
extend Privacy Compliance
Security and Electronic Signatures
– Proposed regs issued August 12, 1998
– Security final regs not yet published
Enforcement
– Not yet drafted
Slide 11
Impact of Not Complying
Possible litigation
Potential withholding of
federal Medicaid and
Medicare funds
Penalties
Civil Monetary for
violations of each standard
Wrongful disclosure of
protected health
information
Slide 12
Terms You Should Know
To understand HIPAA, there are some important
terms you must know
They are:
Covered Entity
Hybrid Entity
Health Care Component
Slide 13
Covered Entity
Limited to Covered Entities:
– Health care providers who electronically transmit health
information in connection with a standard transaction
• Physicians, Hospitals, Labs, Public Health Departments
• Excludes providers who submit transactions on paper
– Health plans (provides or pays the cost of medical care)
• Medicaid, Medicare, Blue Cross
• Excludes Workers’ Comp, Disability, WIC, Government-funded
programs like Willie M (Income replacement & Public safety net
programs, ….)
– Health care clearinghouses (narrowly defined to those
that translate data from non-standard to standard
format)
Slide 14
Hybrid Entity
A Hybrid Entity is:
– A single legal entity that is a covered entity and whose
covered functions are not its primary functions
The hybrid entity is the covered entity
DHHS is a hybrid entity
The hybrid entity is responsible for ensuring that its
health care components comply with the rules
Slide 15
Health Care Component
DHHS is made up of “health care components”
(often called “covered health care components”)
A health care component is a component of a
covered entity that performs covered functions
that qualify the component as a Health Care
Provider, Health Plan, or Health Care
Clearinghouse
Slide 16
Hybrid Entity
[Diagram: DHHS “Hybrid Entity”; boxes labeled Health Care Component, Non-Health Care Component, Covered Function, Non-Covered Function]
Slide 17
Who Is Covered in DHHS
Division of Mental Health, Developmental
Disabilities and Substance Abuse Services
– Substance Abuse Section, Adult Services
– Substance Abuse Section, Adolescent Services
– 12 state operated institutions (each institution and center
is covered in its entirety)
• 4 Psychiatric Hospitals
• 5 Mental Retardation Centers
• 2 Alcohol and Drug Abuse
Treatment Centers
• NC Special Care Center
Slide 18
Who Is Covered (cont'd)
Division of Medical Assistance
– Entire Division is Covered Health Care Component
Division of Public Health
– State Laboratory
– 13 state operated DECs (each center is covered in its
entirety)
Office of Education
– Governor Morehead School, Medical Services Unit
Slide 19
Health Care Component
Another component of the covered entity is part of
the entity’s health care component to the extent
that:
– (i) It performs, with respect to a health care component,
activities that would make such other component a
business associate of the health care component if the
two components were separate legal entities; and
– (ii) The activities involve the use or disclosure of
protected health information.
Slide 20
Others Who Are Impacted
DHHS areas which provide business services
that require the use or disclosure of health
information owned by a covered health care
component
– DIRM
– Office of the Controller
– Others - not yet identified
Slide 21
DHHS Responsibilities
To ensure covered health care components
within the hybrid entity (DHHS) comply with the
HIPAA regulations
Ensure that transactions between DHHS health
care components and local agencies (e.g.,
MH/DD/SA area programs, local public health
departments, county DSS) comply with HIPAA
regulations
Slide 22
QUESTIONS?
Next: Introduction to the
Privacy Rule
Slide 23
Introduction to the Privacy Rule
Slide 24
HIPAA Privacy Regulations Milestones
HIPAA Act required privacy rules by 6-21-99
Congress did not act--HHS drafted privacy rules
Draft rules published in Federal Register 11-3-99
Over 52,000 comments
Final Rule: Published 12/28/00
2nd Comment period 2/28/01, plus >11,000
Privacy Rules effective 4-14-01
Privacy Rules implementation by 4-14-03
Guidance in July, 2001
Notice of Proposed Rule Making (NPRM) 3-27-02
Slide 25
Why Do We Need Privacy
Regulations?
The Privacy Regulations establish a federal
floor of safeguards to protect the confidentiality
of health information.
With information broadly held and transmitted
electronically, the old system of paper records in
locked filing cabinets is not enough.
The general public has had to rely on a
patchwork of state and federal laws to protect
health information.
Slide 26
What Do The Privacy Regulations
Cover?
Preempts state law unless state laws are more
stringent
Requires a Notice of Privacy Practices
Requires consent to use or disclose information
for TPO
Limits the amount of information to be used or
disclosed to what is minimally necessary
Establishes requirements for use of protected
health information in a Facility Directory
Identifies use and disclosure for which an
authorization is or is not required
Slide 27
What Do The Privacy Regulations
Cover? (cont)
Establishes client right to access his health
information and limits situations wherein access
can be denied
Establishes client right to request amendment to
his health information
Establishes requirement for de-identification of
health information that can be disclosed with or
without consent or authorization
Provides special protections for psychotherapy
notes
Establishes a protocol for using protected health
information for marketing and fundraising
Slide 28
What Do The Privacy Regulations
Cover? (cont)
Establishes client right to an accounting of
disclosures
Specifies who may consent or authorize
disclosure of information on behalf of the client
Requires designation of a privacy officer and a
contact person for complaints
Requires identification of members of the
workforce who need access to PHI and
categories of information to which access is
needed
Requires training of all staff members
Slide 29
What Do The Privacy Regulations
Cover? (cont)
Requires appropriate administrative, technical
and physical safeguards to protect health
information
Requires new policies and procedures
Establishes content or documentation
requirements for policies, procedures, notices,
consents, authorizations, amendments,
accounting of disclosures, complaints and
compliance
Addresses fees that may be charged for
unauthorized disclosures
Requires compliance by April 14, 2003
Slide 30
Purpose of Privacy
Regulations
Gives clients more control over their health
information.
Sets boundaries on the use and disclosure of
health records.
Establishes appropriate safeguards health care
providers and others must achieve to protect
privacy of client information.
Holds health care providers accountable with civil
and criminal penalties if they violate clients’ privacy
rights.
Slide 31
Objectives of Privacy
Regulations
To ensure each covered health care component
protects the health information it maintains.
To ensure a client’s health information is not used
inappropriately.
To ensure the minimum amount of information is
used or disclosed whenever possible.
– Does not apply to treatment
To ensure clients have more control over when and
how their personal health information is used.
Slide 32
Scope of Privacy Regulations
Includes all medical records and other protected
health information maintained by a health care
provider or a health plan.
Covers information in any format
– Paper
– Electronic
– Oral
Affects use and disclosure of all
client health information
Slide 33
What Does HIPAA Privacy Mean to
You Personally?
You have a right to privacy mandated through
federal regulations
You have a right to knowledge and education on
privacy protections
You have a right to more control over your health
information
You have a right to access your health information
You have a right to know “who else” is looking at
your health information
Slide 34
What Does HIPAA Privacy Mean
To You Professionally?
HIPAA impacts the majority of health care
operations of a health care provider
– More than just a medical records issue
– Privacy training required for all staff
HIPAA requires modifications in how health
information is handled and maintained
– More client involvement in use and disclosure
– More accountability about use and disclosures
HIPAA requires training and education of workforce
that ensures knowledge of requirements.
Slide 35
Name That Rule
The privacy regulation is broken down into rules:
– Part 160 General Admin Requirements for Admin Simplification
– Part 164 Privacy
• 164.501 Definitions
• 164.502 Use & Disclosure-General Rules
• 164.504 Use & Disclosure-Organizational Requirements
• 164.506 Consent for Use & Disclosure-TPO
• 164.508 Use & Disclosure-Authorization Required
• 164.510 Use & Disclosure-Opportunity to Agree/Object
• 164.512 Use & Disclosure-Agree/Object Not Required
• 164.514 Use & Disclosure-Other Requirements
• 164.520 Notice of Privacy Practices
• 164.522 Right to Request Restrictions
• 164.524 Right of Access to information
• 164.526 Amendment of information
• 164.528 Accounting of Disclosures
• 164.530 Administrative Requirements
• 164.532 Transition Provisions
• 164.534 Compliance Dates
Slide 36
Sections of the Privacy
Regulations
Section I: Background and Purpose
– Basic information about need for rule
Section II: Preamble
– General information about each rule
Section III: Comments
– Comments to questions about rules
Section IV: Impact Cost Analysis
Section V: Privacy Standards
– Only 31 pages are the Regulation!!
Slide 37
Administrative Simplification??
Attempting to get through all the rules, questions,
comments, preamble, helpful hints, etc. is definitely
not simple.
Just understanding how the
Privacy Regulation is put
together helps the reader
know where to go to find
answers.
Slide 38
Putting It All Together
Assemble all pertinent information:
– Part 160 and Part 164
– Preamble
– Comments
– Guidance/NPRM
Get familiar with definitions
Organize materials by rule (Notebook in PMO)
– Electronic version on web (section by section)
– http://www.bricker.com/hipaa/hipaaindex.asp
Read one rule at a time
Read the Preamble about that rule; then
Read the comments about that rule
Slide 39
It Helps To Know
That in the privacy regulation, a “Rule” and a
“Standard” are the same thing.
That HHS intends for the privacy regulations to be
flexible and fit the needs of the health care provider,
taking into account the provider’s size and
resources.
– HIPAA calls this “SCALABILITY”
That individually identifiable health information
(IIHI) in Part 160 is called protected health
information (PHI) in Part 164
Slide 40
Individually Identifiable Health
Information (IIHI)
Any information, including demographic
information collected from an individual, that:
– a) Is created or received by a health care provider,
health plan, employer, or health care clearinghouse;
and
– b) Relates to the past, present, or future physical or
mental health or condition of an individual, the
provision of health care to an individual, or the past,
present, or future payment for the provision of health
care to an individual; and
• (i) Identifies the individual, or
• (ii) With respect to which there is a reasonable basis to believe
that the information can be used to identify the individual
Slide 41
Protected Health Information
(PHI)
Individually identifiable health information (IIHI) that
becomes protected health information (PHI) in Part
164.
– Maintained on Paper
– Oral
– Electronic
Slide 42
It’s Good to Know
Privacy and Security go hand-in-hand
Privacy - What
– Individually Identifiable Health Information (IIHI)
defined in Part 160 becomes protected health
information (PHI) in Part 164
Security - How
– Protect information from accidental or intentional
disclosure and from alteration, destruction or loss
Slide 43
What Can I Learn From The
Privacy Regulations?
No one regulation stands alone. They intertwine
with each other.
The central theme in each regulation is PRIVACY.
How and when Protected Health Information can be
used and disclosed.
How “consent” and “authorization” are different.
When you have to obtain consent.
When you also have an authorization.
Slide 44
What Can I Learn From The
Privacy Regulations? (cont)
How HIPAA client rights differ from the existing
mental health laws regarding client rights.
How to determine who is a Business Associate.
What it means to release only minimally necessary
information.
Just to name a few……...
Slide 45
What Constitutes A “Covered”
Component?
Being a health care provider
– person or entity that furnishes, bills, or is paid for health
care in the normal course of business
Being a health care plan
– individual or group plan that provides or pays for medical
care
Using and maintaining protected health information
Transmitting certain financial and/or administrative
transactions electronically
Slide 46
Who Must Comply With HIPAA
Privacy in DHHS
Health Care Providers
– DMH/DD/SAS (12 Institutions and two workgroups in the
Central Office)
– DPH (State Laboratory)
– Office of Education (One workgroup at the Governor
Morehead School for the Blind)
The 13 state operated DECs are health care providers that
are covered under the Family Educational Rights and
Privacy Act (FERPA) which HIPAA exempts
Health Care Plan
– DMA
Slide 47
What is Covered?
HEALTH INFORMATION
HEALTH INFORMATION that is individually
identifiable
HEALTH INFORMATION that is created or received
by a covered health care component
HEALTH INFORMATION in a Designated Record
Set
Slide 48
Designated Record Set
The Privacy Regulations address protected
health information that is maintained in a
designated record set.
Slide 49
Define “Record”
Record
– any item, collection, or grouping of
information
– includes PHI
– maintained, collected, used or
disseminated by or for a covered
health care component
Slide 50
Define “Designated Record
Set”
Designated Record Set
– Group of records about a client that is maintained by or
for a covered health care component that includes
• Records maintained by health care providers
• Records maintained by or for a health plan
• Records that are used whole or in part to make
decisions about a client.
Slide 51
Examples of Designated
Record Set
Financial Records
– Enrollment/Payment/Claims
adjudication
– Patient Accounts folder
Medical Records
– Case Management Records
– Hearts and HSIS Systems
Slide 52
When Is It Covered?
Let me count the ways……………………………
– When you use it
– When you disclose it
– When you store it
– When you see it on your computer
– When it is lying on your desk
– When you share it with another health care provider
– When you share it with a contracted service provider
– When you are talking about it face to face
– When you are talking about it over the phone
ARE YOU GETTING THE PICTURE?????
Slide 53
What is Not Covered?
When it is NOT protected health information!
De-identified Health Information
– Information that is de-identified is no longer considered to
be protected health information, and is thus exempt from
the other provisions of the regulation.
– Means of De-Identifying:
• Removing
• Coding
• Encrypting
• Otherwise eliminating or concealing
Slide 54
De-identifying Health
Information
Name
Geographic subdivisions smaller than a state including:
– Street address
– City
– County
Zip codes & their equivalent geocodes, except for the initial three
digits of a zip code if:
– The geographic unit formed by all zip codes with the
same 3 digits contains more than 20,000 people and,
– The initial three digits of a zip code for all geographic units
containing 20,000 or fewer people is changed to 000
Slide 55
De-identifying Health
Information
All elements of dates (except year) for all dates
directly related to an individual, including:
– Birth date
– Admission date
– Discharge date
– All ages over 89 & all elements of dates (including
year) indicative of such age, can aggregate into a single
age category of 90 or older
Telephone numbers
Fax Numbers
Electronic mail addresses
Social Security Numbers
Medical Record Numbers
Health plan beneficiary number
Slide 56
De-identifying Health
Information
Account numbers
Certificate/license numbers
Vehicle identifiers
Device identifiers and numbers
Web Universal Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers
Full face photographic images & comparable images
Any other unique identifier, code, etc.
Slide 57
De-identification of PHI
Covered health care components will need to
review reports currently used and disclosed
– If reports contain identifying information
• Determine if report can be changed to be de-identified
• If de-identification not possible, determine purpose of
report and areas that receive report
• Verify report recipients need all information contained on
report
– Best Practice for reports distributed outside of
component - de-identification
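The removal and generalization rules from the de-identification slides above, written out as an added Python example (it is not part of the original training material). The field names, the pass-through allowlist and the ZIP population table are assumptions constructed for illustration; fields the code does not recognize are dropped, on the assumption that they may be "any other unique identifier".

```python
from datetime import date

# Fields removed outright (hypothetical field names for the listed identifiers).
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric_id", "photo",
})
# Dates directly related to the individual: only the year may remain.
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date"})
# Assumed allowlist of non-identifying fields; anything else is dropped.
PASS_THROUGH = frozenset({"state", "sex", "diagnosis_code"})

AGE_CAP = 89                   # ages over 89 collapse into one category
ZIP_POPULATION_FLOOR = 20_000  # 3-digit ZIP area must exceed this to be kept

# Constructed population counts per 3-digit ZIP prefix (not real census data).
ZIP3_POPULATION = {"276": 1_100_000, "036": 12_500}


def generalize_zip(zip_code, zip3_population):
    """Keep the first three digits only if that area holds > 20,000 people."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    prefix = digits[:3]
    if len(prefix) == 3 and zip3_population.get(prefix, 0) > ZIP_POPULATION_FLOOR:
        return prefix
    return "000"


def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def deidentify(record, zip3_population, as_of):
    """Return (clean_record, dropped_field_names) for one record."""
    clean, dropped = {}, []
    over_cap = False
    if record.get("age") is not None and record["age"] > AGE_CAP:
        over_cap = True
    if record.get("birth_date"):
        if age_on(date.fromisoformat(record["birth_date"]), as_of) > AGE_CAP:
            over_cap = True

    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            dropped.append(key)
        elif key == "zip":
            clean["zip3"] = generalize_zip(value, zip3_population)
        elif key == "age":
            if not over_cap:
                clean["age"] = value
        elif key in DATE_FIELDS:
            if key == "birth_date" and over_cap:
                # The birth year itself would indicate an age over 89.
                dropped.append(key)
            else:
                year = date.fromisoformat(value).year
                clean[key.replace("_date", "_year")] = year
        elif key in PASS_THROUGH:
            clean[key] = value
        else:
            # Unrecognized field: treat as a possible unique identifier.
            dropped.append(key)

    if over_cap:
        clean["age"] = "90 or older"
    return clean, sorted(dropped)


# Constructed sample records (no real person or data).
SAMPLE_ELDERLY = {
    "name": "Jane Example", "ssn": "000-00-0000", "zip": "27603",
    "birth_date": "1910-05-02", "admission_date": "2002-03-14",
    "discharge_date": "2002-03-20", "state": "NC",
    "diagnosis_code": "296.20", "case_note_id": "CN-1",
}
SAMPLE_SMALL_ZIP = {
    "name": "John Example", "zip": "03601", "birth_date": "1980-06-15",
    "state": "NH",
}

if __name__ == "__main__":
    for rec in (SAMPLE_ELDERLY, SAMPLE_SMALL_ZIP):
        print(deidentify(rec, ZIP3_POPULATION, date(2002, 4, 1)))
```

Reviewing the returned list of dropped fields is a quick way to check whether a report still depends on identifying information before it is distributed outside the component.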
Slide 58
HIPAA Regulations in Electronic
Form
HIPAA Regulations may be located on the website
of the US Dept of HHS
http://aspe.hhs.gov/adminsimp/Index.htm
Two versions
– Text version - Easier to download/revise/search/find
– PDF version - Must have Adobe Acrobat
– Text version does not retain the same page numbers as
the Federal Regulation. PDF version does retain same
page numbers.
Slide 59
QUESTIONS?
Next: Consents and
Authorizations
Slide 60
LET’S GET DOWN TO THE
NITTY GRITTY OF HIPAA
PRIVACY!!
Slide 61
Patient records
“You can't just walk in and ask to access patient
records. HIPAA would call that fantasizing.”
Cartoon by Dave Harbaugh
Slide 62
Consents and Authorizations
Slide 63
Prerequisite Concepts
Treatment, Payment, and Health Care
Operations (TPO)
Direct and Indirect Treatment Relationships
Use and Disclosure
Slide 64
TPO - Treatment
Slide 65
Treatment
Provision, coordination or management of
health care and related services
Coordination and management of health care
by a health care provider with a third party
(e.g., HMOs)
Consultations among health care providers
Referrals of patients from one health care
provider to another (e.g., institution to area
program)
Slide 66
TPO - Payment
Slide 67
Payment
Activities by a health plan to obtain premiums
(not applicable to Medicaid) or fulfill obligations
for coverage and the provision of benefits (e.g.,
Medicaid eligibility)
Activities by either a provider or a health plan
to obtain or provide reimbursement (e.g.,
Medicaid payment of claims; provider filing of
claims)
Slide 68
Examples of Payment
Billing and Claims Management (e.g., filing
claims, remittance advices, adjudication of claims)
Determinations of eligibility or coverage
(including Coordination of Benefits [COB] and
determination of cost sharing amounts)
Risk adjusting amounts due (e.g., Monthly
Medicaid Liability, Ability to Pay)
Utilization Review Activities (e.g., pre-certification,
prior approval, concurrent and retrospective reviews)
Slide 69
Examples of Payment
Debt Collections
– Includes release of PHI by a health care provider to
an insurer that is not a “health plan” to obtain
payment (e.g., PHI may be disclosed to obtain
reimbursement from a disability insurance carrier)
– Obtaining information about the location of the
client is a routine activity to facilitate the collection
of amounts owed and the management of accounts
receivable
Slide 70
Release of Payment Information
A covered health care component may release
only the PHI about the client for its payment
activities (e.g., can’t use PHI of a family member)
One covered health care component may not
disclose PHI for payment activities of a second
covered health care component (e.g., Dix can’t
disclose PHI to Wake Medical Center for a client
they did not refer)
Slide 71
Release of Payment Information
Covered health care components may release
PHI for payment purposes to non-covered
components
– For example, Western Carolina Center may
disclose protected health information to a
financial institution in order to deposit a check
into a client’s account
Slide 72
Release of Payment Information
May release the following PHI to consumer
credit reporting agencies (e.g., Equifax) in order
to collect premiums or reimbursement
– Name and address
– Date of birth
– Social Security Number
– Payment history
– Account number
– Name and address of health care provider and/or
health plan
Slide 73
TPO - Health Care Operations
Slide 74
Health Care Operations
Quality assessment and improvement activities
– Outcomes evaluation and development of clinical guidelines
– Case management and care coordination
– Contacting health care providers and clients with information about
treatment alternatives
Competency and performance reviews
– Reviewing competence/qualifications of health care professionals
– Evaluating practitioner and provider performance
– Health plan performance
Conducting training programs
– Students, trainees, or practitioners in areas of health care learn
under supervision to practice or improve their skills as health care
providers
– Training of non-health care professionals
Slide 75
Health Care Operations
Accreditation, Certification, Licensing
Credentialing
Underwriting and other insurance related
activities
Medical review
Legal services
Auditing functions (including fraud and abuse
detection and compliance programs)
Business planning and development
Slide 76
Health Care Operations
Business management and general administrative
activities
– Activities relating to implementation of and compliance
with the HIPAA regulations
– Customer service
– Resolution of internal grievances
– Due diligence in connection with the sale or transfer of
assets
– Creating de-identified health information
– Some fund-raising and marketing
Slide 77
Direct vs. Indirect Treatment Relationship
Direct Treatment Relationship
– Treatment relationship between an individual and a
health care provider that is not an indirect treatment
relationship (hands on, face to face)
Indirect Treatment Relationship
– Relationship between an individual and a health care
provider in which:
• The health care provider delivers health care to the
individual based on the orders of another health
care provider; and
• The health care provider typically provides services or
products, or reports the diagnosis or results associated
with the health care, directly to another health care
provider, who provides the services or products or
reports to the individual
Slide 78
Use vs. Disclosure
Use
– The sharing, employment, application, utilization,
examination, or analysis of Protected Health
Information (PHI) within the covered health care
component that maintains the PHI.
Disclosure
– The release, transfer, provision of access to, or
divulging in any other manner of PHI outside
the covered health care component holding the
information.
Slide 79
Consent vs. Authorization
Consent
– Written consent required before direct treatment provider
may use PHI for TPO (with some specific exceptions covered later)
– If client refuses to sign consent
• health care provider can deny treatment
• health plan may condition enrollment on provision of
consent (if health plan chooses to obtain consent)
– Expiration date not required
– General language
Authorization
– Required for all non-TPO uses/disclosures not otherwise
permitted by law
– Customized document that gives permission to use specified PHI
for specified purposes or disclose to specified third party
– If client refuses to sign authorization, health care provider
cannot deny treatment
– Expiration date required
– Precise language
Slide 80
Consent for Use and Disclosure of
PHI for Treatment, Payment and
Health Care Operations
Slide 81
Consent Required
In most cases, Health Care Providers in a direct
treatment relationship must obtain consent
To access PHI for treatment, payment or health care
operations
To use PHI for treatment, payment or health care
operations
To disclose PHI for treatment, payment or health
care operations
Slide 82
Consent - Not Required
Consent for Use and Disclosure of PHI for
Treatment, Payment and Health Care Operations is
not required when:
– Health Care Provider has indirect treatment relationship
with client (e.g., Lab, Xray)
• Direct care provider consent covers indirect treatment providers
• When health care providers with direct treatment relationship
consult with another health care provider, the provider being
consulted does not need to obtain consent
– Client is an inmate as defined under 164.501 (may apply
to Pre-Trial clients at Dix; House Bill 95 clients; NGRI awaiting final determination by AG)
Slide 83
Consent - Not Required
Consent for Use and Disclosure of PHI for
Treatment, Payment and Health Care Operations
is not required when: (cont’d)
– In the following situations, health care providers must
document attempt to obtain consent and reason why
not obtained:
• Emergency treatment situation
• Unable to obtain consent due to substantial
communication barriers and consent to receive
treatment is inferred by client
• When required by law to treat and unable to obtain
consent (e.g., involuntary commitment)
Slide 84
Consent - Not Required
If a covered health care
component not required to
obtain consent chooses to
obtain consent, the consent
must meet the Privacy
regulatory requirements for
Consent
– Indirect Treatment Provider
(e.g., State Lab)
– Health Plan (e.g., Medicaid)
Slide 85
Consent - Content Requirements
May be brief and written in general terms
Plain language
Inform client that information may be used and
disclosed for treatment, payment and health care
operations (TPO)
State client’s right to review the provider’s Notice
of Privacy Practices, request restrictions and to
revoke consent
Inform client that notice may change and how to
obtain revised notice
Slide 86
Consent - Content Requirements
Client may revoke consent in writing
– except to extent covered health care component has taken
action in reliance on the consent
– (Implementation Note)
• Consent revocation after service provided does not prevent billing
• Covered health care component does not have to retrieve PHI used
or disclosed prior to revocation
Client may request restrictions on uses or
disclosures of health information for TPO
– Covered health care component does not have to agree to
the requested restriction(s)
– Covered health care component is bound by any restrictions
to which they agree
Slide 87
Consent - Content Requirements
Dated and signed by client (or
personal representative / legally
responsible person)
(Implementation Note)
– Do not need to verify Signature
– Electronic consent is acceptable
– Electronic signature on consents
is acceptable if component
adopts electronic signature
standards
Slide 88
Combining Consents
Can combine with other legal consent forms
– Example: Consent to Treatment; Benefits Assigned
– Consent for TPO must be:
• visually and organizationally distinct from other consents
• must be separately signed and dated by client
Cannot combine with Notice of Privacy Practices
Cannot combine with most authorizations
– Exception in research
Slide 89
Consent - Administrative Issues
Client must be given covered health care
component’s Notice of Privacy Practices and may
review the notice prior to signing the consent
If consent not obtained due to emergency or
communication barriers, must obtain consent as soon
as feasible
Consent only needed one time (even for treatment of
unrelated conditions)
– Providers may want to obtain consent each admission since
it may be easier than locating prior consents
Slide 90
Consent - Administrative Issues
Certain integrated covered health care
components may obtain one joint consent
– DHHS as a single legal entity does not qualify
– May need to consider in relation to local public health
departments and area programs
If Health plans (e.g., Medicaid) choose to obtain
consent, must obtain at time of enrollment
– Local DSS agencies may be required to obtain the
consent
Consent does not apply to psychotherapy notes (must
have authorization)
Slide 91
Personal Representatives
Slide 92
Personal Representatives
Parent, guardian or other person acting in loco
parentis usually has
– authority to make health care decisions about minors
– right to obtain access to health information about
minor child
Exceptions
– State or other law does not require consent of parent
or other person before minor can obtain particular
health care service
– Personal Representative agrees to confidentiality
between minor and provider
Slide 93
Personal Representatives
Step 1
– Determine if minor is emancipated
Step 2
– If minor not emancipated, determine if minor has
authority to act on his/her own behalf with respect to PHI
• Minor consents to his/her own health care (e.g., mental health)
• Minor can obtain service without consent of personal
representative (e.g., court ordered)
• Personal representative agrees to confidentiality between minor
and provider
• Provider believes child may be victim of abuse or neglect
Slide 94
Personal Representatives
Step 3
– If steps 1 and 2 do not apply, confirm that parent,
guardian, or person standing in loco parentis has
authority to act on minor’s behalf
• Request copies of guardianship papers
• If parent name is different from child, determine relationship to
child
HHS Secretary Tommy Thompson
– “parents will have access about the health and well-being of their
children, including information about mental health, substance abuse
and abortion”
Slide 95
QUESTIONS?
BREAK - 15 Minutes
Next: Consents and
Authorizations (cont’d)