Transcript Slide 0
HIPAA Executive Office Training
January 2003
Cindy Fillman
Department of Public Welfare
Office of General Counsel
Proprietary and confidential and may not be reproduced or distributed without
the express consent of Cap Gemini Ernst & Young U.S. LLC and Ernst & Young LLP
HIPAA – How did we get here?
Health Insurance Portability and Accountability Act
Required the Secretary of HHS to promulgate standards to implement the Administrative Simplification portion of the law (standard transactions).
Intended to “improve the efficiency and effectiveness of the health care system.”
Requires protection of the security and privacy of Protected Health Information (PHI) maintained electronically and otherwise.
HIPAA – How did we get here?
REGULATIONS
Electronic Transactions and Code Sets
Unique Employer Identifier
National Provider Identifier
Security and Electronic Signature
Privacy
COVERED ENTITIES
• Health care providers who engage in covered transactions
• Health plans
  Includes Medicare and Medicaid and other specified government programs
  Includes government programs that do not fall within the specific exclusion for programs:
    Whose principal purpose is other than providing or paying the cost of health care, OR
    Whose principal activity is the direct provision of health care or the making of grants to fund the direct provision of health care
• Health care clearinghouses
BUSINESS ASSOCIATES
A person or entity who, on behalf of a Covered Entity, uses, accesses, or rediscloses PHI either:
  To provide services to a Covered Entity, OR
  To perform or assist in the performance of a function or activity for, or on behalf of, the Covered Entity
DPW Priorities
How the Department Prioritized
Definitions assigned to DPW (Hybrid Covered Entity, part of an Affiliated Covered Entity) and to Counties, Contractors and other Business Partners (Business Associates)
Master Client Index drove some decision making
What are we doing?
Appointing Privacy Officials for affected Offices/Bureaus.
Training all members of the workforce
Drafting policy and procedures and beginning new business practices
Rewriting Contracts and Quasi-Contracts (Business Associate Language)
Drafting/Revising Consents and Authorizations
Documenting Decisions and Activities
Training
Committee comprised of personnel of impacted bureaus
Basic format created by the committee
Combination training to allow for flexibility
  Kickoff: October-December
  Computer and Blended Training: April
  Stand up (job specific): June
Policy and procedures
High level HIPAA Handbook
Adaptations made by each program office to meet their own needs
Business process changes to be phased in by April, 2002.
Privacy Standards
Purpose: To safeguard the privacy of health information by setting rules on the use and disclosure of individuals’ protected health information (PHI)
Applies to: Covered entities and business associates who use, store, maintain, transmit, or dispose of patient health information in any form (verbal, written, or electronic)
Privacy Standards (PHI)
PHI is health information that is:
  Individually identifiable
  About an individual’s physical or mental health or condition, or about the provision of or payment for health care
  Created or received by a provider, health plan, clearinghouse, or employer
  Transmitted or maintained in any medium (verbal, written, or electronic)
Privacy Standards
Outline individual rights regarding PHI and obligations of providers, health plans, clearinghouses and business associates
Give consumers greater control over use and disclosure of PHI
Restrict certain uses and disclosures of PHI by plans, providers, and clearinghouses, unless authorized by the patient or permitted by law
Privacy Standards
Rules restrict use and sharing of PHI
  Higher security and protection levels
  Greater individual control and access
  Greater accountability
Rules apply to covered entities
Compliance deadline is April 14, 2003
Limit disclosures to the “minimum necessary”
Minimum Disclosure
Except for medical treatment, release of PHI must be kept to the minimum amount necessary to accomplish the purpose of the disclosure
We must determine the minimum amount needed
Privacy Obligations
Plans and providers must create privacy-conscious business practices and disclose only the minimum information required
Department must:
  Ensure internal protection of PHI
  Monitor external disclosures of PHI
  Complete employee training, and
  Establish procedures for addressing clients’ privacy complaints
Privacy Obligations
Plans and providers must inform clients of their business practices (privacy notice)
Providers must obtain written consent from a client to use or disclose PHI, even if just for routine uses for treatment, payment, or operations
A separate, specific authorization is required for non-routine disclosure
Consent vs. Authorization
Consents cover T/P/O (treatment, payment, or operations); authorizations cover most other uses and disclosures
Authorizations are for specific disclosures
A provider may refuse to treat without consent, but cannot refuse to treat a patient who won’t sign an authorization
Use and Disclosure
Covered entities may use or disclose PHI without consent, an authorization, or giving an opportunity to agree or object, including:
• For the payment activities of other CEs or providers who are not CEs, and for certain healthcare operations of other CEs
• When required by law
• For public health activities
• Reporting domestic violence or abuse and neglect
• For health oversight activities
• For judicial and administrative proceedings in response to a court order, or in response to a subpoena or discovery request if certain assurances are obtained
De-Identified Information
De-Identified Information is not subject to HIPAA requirements
A Covered Entity may determine that health information is not individually identifiable by:
  Obtaining an opinion that the information is not identifiable from an entity experienced with generally accepted statistical and scientific principles and methods for de-identifying information
  Removing specified identifiers of the individual or of relatives, employers, or household members
De-Identified Information
Identifiers to be removed:
  Names
  All geographic subdivisions (address, zip code)
  Account number
  Certificate/license number
  VIN/serial number
  All elements of dates (incl. birthdate and date of admission)
  Device identifier/serial #
  Telephone/Fax numbers
  URL
  E-mail addresses
  IP address
  SSN
  Medical record number
  Biometric identifiers (voice/finger prints)
  Health plan number
  Photos
  Other unique characteristics
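As an added example (not part of the training deck), the Python script below applies the slide's identifier list to a constructed client record: it drops fields whose names map to a listed identifier, scrubs identifiers that leak into free-text fields such as case notes, and reports anything that still looks identifying. The field names, regular expressions and sample record are assumptions made for this example.

```python
import re

# Field names are constructed for this example; each maps onto one of the
# identifier categories listed on the slide.
IDENTIFIER_FIELDS = {
    "name", "address", "zip", "birth_date", "admission_date", "phone", "fax",
    "email", "ssn", "medical_record_number", "health_plan_number", "account_number",
    "license_number", "vin", "device_serial", "url", "ip_address", "biometric_id", "photo",
}

# Identifiers that leak through free text. Deliberately broad: over-redacting loses
# a little data, under-redacting discloses PHI. URL runs first so its digits are not
# re-matched as dates or IP addresses.
FREE_TEXT_PATTERNS = {
    "URL": re.compile(r"\bhttps?://\S+"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "DATE": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
}

def scrub_text(text: str) -> str:
    """Replace every free-text identifier match with a labelled placeholder."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label} REMOVED]", text)
    return text

def deidentify(record: dict) -> dict:
    """Drop identifier fields outright, then scrub the remaining string values."""
    return {k: scrub_text(v) if isinstance(v, str) else v
            for k, v in record.items() if k not in IDENTIFIER_FIELDS}

def residual_identifiers(record: dict) -> list:
    """(field, reason) pairs that still look identifying; empty means the record
    passed every check this script knows, not that it is certainly safe."""
    found = []
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            found.append((key, "IDENTIFIER_FIELD"))
        elif isinstance(value, str):
            found += [(key, lbl) for lbl, p in FREE_TEXT_PATTERNS.items() if p.search(value)]
    return found

# Constructed sample record, not real data.
SAMPLE_RECORD = {
    "medical_record_number": "MRN-0042", "name": "Jane Q. Sample",
    "birth_date": "1961-03-14", "ssn": "123-45-6789", "zip": "17120",
    "diagnosis_code": "J45.20", "payer_type": "Medicaid",
    "notes": "Pt called from 717-555-0100 on 01/09/2003; follow-up via j.sample@example.org.",
}
```

Running `residual_identifiers(deidentify(SAMPLE_RECORD))` returns an empty list, while the same check on the raw record flags the named fields and the phone, date and e-mail inside the notes.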
Client Rights
Request restrictions on use and disclosure of PHI
Obtain a disclosure history
Review and copy their own medical records
Request amendments or corrections to the record
Complain to the Department and to the Secretary of DHHS if privacy rights are violated
Business Associate Agreements
Terms and Template
Other Agreements
  Trading Partner
  Chain of Trust
  User Agreements
Enforcement
ENFORCER: Office of Civil Rights, HHS
Complaint Driven Process (but indicates willingness to provide “guidance” first).
PENALTIES:
  For failure to comply: Civil Money Penalties of $100 per violation, not to exceed $25,000 per year
  For knowingly disclosing or obtaining PHI: CRIMINAL PENALTIES
CRIMINAL PENALTIES:
  Knowing only: $50,000, one year in prison, or both
  False pretenses: $100,000, five years, or both
  Use for commercial or personal gain or malicious harm: $250,000, ten years, or both
Practical Steps to Compliance
Shred all PHI to be discarded
Log off terminal when not in use
Do not discuss specific cases in public places
Verify fax locations
Be mindful of sharing only “minimum necessary” information
Practical Steps to Compliance
Be aware of with whom you are sharing PHI
Report breaches to Privacy
Assure adequate safeguards/paperwork are in place
Check with IT staff to be sure dial-in is secure
Read and follow Privacy and Security Policies and Procedures