Transcript Document

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996.
45 C.F.R. Subtitle A, Subchapter C, Parts 160-164
7/21/2015
1

45 C.F.R. Parts 160 & 164, the “HIPAA Privacy Rule”
ADMINISTRATIVE REQUIREMENTS: STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION

Who Has To Comply with the HIPAA Privacy Rule?
COVERED ENTITIES

What is the PURPOSE of the HIPAA Privacy Rule?
Public Policy:
• To improve efficiency and effectiveness of healthcare delivery
• To protect the rights of patients by providing them with:
  • access to their PHI (protected health information)
  • assurance of confidentiality by providing:
    • information and
    • control over the use & disclosure of their PHI
• To restore public trust in the health care system

WHAT IF A COVERED ENTITY DOES NOT COMPLY WITH THE HIPAA PRIVACY RULE?
The Covered Entity faces:
• Possible civil penalties of up to $25,000 annually and/or
• Possible criminal penalties of up to $250,000 and/or 10 years imprisonment

What or who is a “Covered Entity”?
Covered Entities:
• Ambulance services that bill electronically
Non-Covered:
• Fire Department is not specifically covered, as fire departments in NYS cannot bill for services.
• There are, however, privacy laws that do apply to fire departments.

NOTE: Page 3 of the New York State Department of Health Bureau of Emergency Medical Services, POLICY STATEMENT: No. 02-05, Date: 10/29/02 (Supersedes/Updates: 85-01, 96-01), RE: Prehospital Care Reports (PCRs), states the following:
Confidentiality & Disclosure Of PCRs/Personal Healthcare Information:
• Maintaining confidentiality is an essential part of all medical care, including prehospital care. The confidentiality of personal health information (PHI) is covered by numerous state and federal statutes, policies, rules and regulations, including the Health Insurance Portability & Accountability Act of 1996 (HIPAA) and 10 NYCRR.

Policy Statement No. 02-05 quotes 10 NYCRR Part 800.21, which states in relevant part that:
Every person certified at any level pursuant to these regulations shall:
(a) At all times maintain the confidentiality of information about the names, treatment, and conditions of patients treated except:
(1) A prehospital care report shall be completed for each patient treated when acting as part of an organized prehospital emergency medical service, and a copy shall be provided to the hospital receiving the patient and to the authorized agent of the department for use in the State's quality assurance program;

Policy Statement No. 02-05 has interpreted the Health Insurance Portability & Accountability Act of 1996 (HIPAA) as requiring all healthcare providers to have a written policy on protecting Personal Health Information (PHI), including PCRs.
Such a policy should include (but not be limited to):
• Indicating that requests from patients for PCR copies be in writing;
• That the agency will maintain a copy of the written request with the original PCR;
• Maintaining the confidentiality of the information contained on a PCR as well as the actual PCRs;
• Conducting security training for all employees/members in proper security procedures to protect personal health information; and
• Documenting security training of employees/members.
(Page 4 of Policy Statement No. 02-05)

OKAY, SO I AM A COVERED ENTITY, NOW WHAT DO I DO?
A covered entity must provide a measure of privacy protections to all patients, may only share “protected health information” (PHI) to the “minimum necessary” to accomplish the intended purpose… and must comply by April 14, 2003.

WHAT MUST BE PROTECTED?
PROTECTED HEALTH INFORMATION (“PHI”)

What is PHI?
PHI IS individually identifiable health information that is:
• Transmitted by electronic media;
• Maintained in any medium described in the definition of electronic media; or
• Transmitted or maintained in any other form or medium.
Although individually identifiable health information is contained in:
• Education records
• Employment records held by a covered entity in its role as employer
those records are NOT included in the definition of Protected Health Information!

WHAT IS: Individually Identifiable Health Information (“IIHI”)?
IT IS: health information, including demographic information collected from a patient, that:
• is created or received by a covered entity; and
• relates to:
  • the past, present, or future physical or mental health or condition of a patient;
  • the provision of health care to a patient; or
  • the past, present, or future payment for the provision of health care to a patient; and
• identifies the patient, or there is a reasonable basis to believe that the information can be used to identify the patient.

Individually Identifiable Health Information (“IIHI”) is information that could be used directly or indirectly to identify the patient and must be protected. IIHI includes:
• Names;
• Geographic subdivisions smaller than a State, including street address, city, county, precinct, zip codes;
• All elements of dates (except year) for dates directly related to a patient, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
• Telephone numbers;
• Fax numbers;
• Electronic mail addresses;
• Social security numbers;
• Medical record numbers;
• Health plan beneficiary numbers;
• Account numbers;
• Certificate/license numbers;
• Vehicle identifiers and serial numbers, including license plate numbers;
• Device identifiers and serial numbers;
• Web Universal Resource Locators (URLs);
• Internet Protocol (IP) address numbers;
• Biometric identifiers, including finger and voice prints;
• Full face photographic images and any comparable images; and
• Any other unique identifying number, characteristic, or code.

AS A COVERED ENTITY, HOW CAN I USE & DISCLOSE PHI?
• As a direct treatment provider, a covered entity may use or disclose a patient’s PHI for purposes of treatment, payment or healthcare operations (“TPO”) without obtaining advance written consent from the patient.
• However, a covered entity must obtain a patient’s authorization to use and disclose information for purposes other than treatment, payment and health care operations.

Treatment means the:
• provision,
• coordination, or
• management of health care & related services, including the:
  • coordination/management of health care by a health care provider with a third party;
  • consultation between health care providers relating to a patient; or
  • referral of a patient for health care from one health care provider to another.
For example, you can transmit information to a hospital or ALS

Payment means:
The activities undertaken by:
• A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or
• A covered health care provider or health plan to obtain or provide reimbursement for the provision of health care; and
Activities related to payment such as:
• Determinations of insurance eligibility or coverage;
• Risk adjusting amounts due;
• Billing, claims management, collection activities and related health care data processing;
• Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
• Utilization review activities; and
• Disclosure to consumer reporting agencies of any of the following PHI relating to reimbursement:
  • Name and address;
  • Date of birth;
  • Social security number;
  • Payment history;
  • Account number; and
  • Name and address of the health care provider and/or health plan.

Health Care Operations include:
• Conducting quality assessment/improvement activities (i.e., CQI);
• Reviewing competence/qualifications of health care professionals;
• Underwriting, premium rating, and other activities relating to health insurance or health benefits;
• Conducting or arranging for medical review, legal services, and auditing functions;
• Business planning & development;
• Business management/general administrative activities of the entity;
• Resolution of internal grievances;
• Due diligence in connection with sale/transfer of assets to a covered entity;
• Creating de-identified health information; and
• Training.

Accordingly,
• Providing PCR copies to the receiving hospital, other providers giving care in a tiered system and to the EMS program agency for QI does not constitute a violation of the HIPAA regulations.
…Page 5 of the New York State Department of Health Bureau of Emergency Medical Services, POLICY STATEMENT: No. 02-05 (10/29/02) RE: Prehospital Care Reports (PCRs)

Okay, I can use and disclose PHI for purposes of treatment, payment and health care operations without getting the patient’s prior consent, but … Are there limits on what I may USE and DISCLOSE?
YES! ... Based on the “minimum necessary” standard

THE “MINIMUM NECESSARY” STANDARD
The "minimum necessary" standard requires covered entities:
• to make reasonable efforts
• to limit the use and disclosure of and request for PHI
• to the minimum necessary
• to accomplish the intended purpose.

The “MINIMUM NECESSARY” STANDARD
The Covered Entity must determine those classes within their workforce who may routinely have access to and use of the minimum necessary PHI, noting that such access and use is only permitted while on duty or during actual work shifts, based on:
• the nature of job functions and responsibilities
• the nature of the information required to fulfill those functions and responsibilities

The “MINIMUM NECESSARY” STANDARD to accomplish the intended purpose
• EMTs and Paramedics: directly involved in the treatment of a patient, need access to:
  • as much PHI as is necessary to provide patient treatment, transport and post-event patient activities, including but not limited to intake forms from the dispatch center, from family and caretakers, and the PCRs (Prehospital Care Reports).

The “MINIMUM NECESSARY” STANDARD to accomplish the intended purpose
• Dispatchers: may use and access PHI necessary to:
  • effectively dispatch the EMS provider and
  • complete intake forms in the course of pre- and post-patient event activities.

The “MINIMUM NECESSARY” STANDARD to accomplish the intended purpose
• Billing Clerks and other office support personnel: may have access to:
  • intake forms,
  • PCRs,
  • billing claims forms,
  • insurance information and other relevant records obtained from other facilities, such as hospitals and nursing homes, such as patient face sheets, discharge summaries, physician certification statements, mobility assessments and statements of medical necessity
  as part of their duties in order to:
  • determine medical necessity for the services provided,
  • complete patient billing forms for internal use or to submit to third-party billing companies, and
  • carry out reimbursement or collection activities.

The “MINIMUM NECESSARY” STANDARD to accomplish the intended purpose
• Training Coordinators: may have access to and use of:
  • intake forms from the dispatch center and PCRs
  but only to the extent necessary to carry out:
  • training,
  • re-training and
  • quality assurance activities.
Since, in most cases, the individually identifiable patient information contained in such documents is not necessary for the intended use, such identifying information should be blackened out before the documents are used for such activities.

The “MINIMUM NECESSARY” STANDARD to accomplish the intended purpose
• Field Supervisors: may access and use intake forms from the dispatch center and PCRs:
  • in overseeing the pre- and post-patient event and
  • in fulfilling their overall supervisory, quality assurance review, counseling, disciplinary and training functions.

The “MINIMUM NECESSARY” STANDARD to accomplish the intended purpose
• Department Managers: may access and use all PHI necessary to appropriately supervise and manage “Emergency Medical Services Entity” and its Personnel.

The “MINIMUM NECESSARY” STANDARD to accomplish the intended purpose
• Privacy Officer: must have access to and use of all PHI maintained by “Emergency Medical Services Entity” in order to properly monitor compliance pursuant to his/her job.
(See, Privacy Officer Job Description for further detail.)

The “Minimum Necessary” standard does NOT apply, so do not hold back, when the:
• disclosures to or requests by a health care provider are for treatment;
• uses or disclosures are made to the patient;
• specific uses and disclosures are pursuant to a valid authorization;
• certain disclosures are made to the U.S. Secretary of Health & Human Services for oversight/enforcement purposes;
• uses or disclosures are required by law (i.e. court order);
• uses or disclosures are required for HIPAA compliance.

WHAT ELSE MUST A COVERED ENTITY DO?
A covered entity must take steps to protect and safeguard a patient’s PHI by establishing and implementing policies and procedures that:
• will protect against intentional and unintentional improper uses and disclosures of PHI and
• which limit the disclosure of PHI to the amount reasonably necessary to achieve the purpose of the disclosure.

WHAT ELSE MUST A COVERED ENTITY DO?
A covered entity must inform patients of its privacy policy and procedures through the use of a Notice of Privacy Practices.

A Notice of Privacy Practices is:
• A document created by you and given to patients to inform them of your uses and disclosures of PHI and their rights with respect to such disclosures.

When must a Notice of Privacy Practices be given to a patient?
On the date of first service EXCEPT: in the event of an emergency, in which case the Notice must be provided as soon as reasonably practical after the emergency.
As a practical matter, the Notice may:
• be left at the hospital with direction that it be given to the patient as soon as the emergency subsides
• be sent by mail

Does a covered entity need to document that it has given a patient the Notice?
• Yes, except in emergency situations

Does the Covered Entity have to document the provision of the Notice?
• A covered entity must make a good faith effort to obtain a patient's written acknowledgment of receipt of the covered entity’s Notice of Privacy Practices (“Acknowledgment”).
• However, this requirement is waived
  • in emergency situations where obtaining a patient's acknowledgment is not feasible or practicable.

HOWEVER, where extenuating, emergency circumstances do not exist, such as non-emergency transportation by ambulance providers:
• of the elderly, who may be suffering from an incapacitating or stressful condition whereby they require transport by ambulance, but are not in a crisis situation;
• patient assist (MVA w/o injury); or
• in those cases where a patient executes a patient refusal.
In these types of situations, the EMS Provider:
• is expected to provide patients with the Notice at the time of service and
• make a good faith effort to obtain their acknowledgment of receipt.

What Information Must Be in a Notice of Privacy Practices?
• A Notice of Privacy Practices must be written in plain language and contain the following header, or have it otherwise prominently located:
“THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
AND….

What Information Must Be in a Notice of Privacy Practices?
• a detailed description, including at least one example, for each applicable purpose (treatment, payment, and health care operations);
• a description of each of the other purposes for which the covered entity is permitted or required to use or disclose PHI without the patient’s written authorization;
• a statement that other uses and disclosures will be made only with the patient's written authorization and that the patient may revoke such authorization
… AND

What Information Must Be in a Notice of Privacy Practices?
Separate statements for certain uses or disclosures, in sufficient detail, stating that:
• the covered entity may contact the patient to provide appointment reminders (for non-emergency transport), treatment alternatives or other health-related benefits and services that may be of interest to the patient; or
• the covered entity may contact the patient to raise funds for the covered entity (but not for the benefit of a third party).
A statement of the patient’s rights and a brief description of how the patient may exercise these rights, including the right to:
• request restrictions on certain uses and disclosures of PHI, including a statement that the covered entity is not required to agree to a requested restriction;
• receive confidential communications of PHI;
• inspect and copy PHI;
• amend PHI;
• receive an accounting of disclosures of PHI; and
• obtain a paper copy of the notice from the covered entity upon request even if the patient has previously agreed to receive the notice electronically.
AND…

…And
A Notice of Privacy Practices must contain:
• A statement of the covered entity’s duties stating that the covered entity is required:
  • by law to maintain the privacy of PHI and to provide patients with notice of its legal duties and privacy practices with respect to PHI;
  • to abide by the terms of the notice currently in effect; and
  • to affirmatively reserve the right to change the terms of its notice and to make the new notice provisions effective for all PHI and to give notice of any change in its privacy practice prior to issuing a revised notice. The statement must also describe how it will provide patients with a revised notice.
• A statement that patients may complain to:
  • the covered entity and
  • to The Secretary
  if they believe their privacy rights have been violated, including a brief description of how the patient may file a complaint with the covered entity, and a statement that the patient will not be retaliated against for filing a complaint.
• The name, or title, and telephone number of a person or office to contact for further information concerning privacy practices and the effective date (which may not be earlier than the date on which the notice is printed or otherwise published).

WHEN IS AN AUTHORIZATION REQUIRED?
Covered Entities must obtain a patient’s authorization for:
• the use and disclosure of PHI for purposes OTHER than treatment, payment and health care operations and for various public purposes.
• All such use or disclosure must be consistent with such authorization.
• The covered entity must document and retain all signed authorizations.

To Be Valid, An Authorization Must Be Written in Plain Language and Contain the Following Core Elements:
• A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
• The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
• The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;
• An expiration date or an expiration event that relates to the patient or the purpose of the use or disclosure;
• A statement of the patient's right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the patient may revoke the authorization; and
• A statement that information used or disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and no longer be protected by this rule.
(cont’d)

AND the Authorization must also contain:
• A statement that treatment is not conditioned on the signing of the authorization [except in certain specifically stated circumstances (i.e., research projects)];
• A statement as to whether the use or disclosure of the requested information is to be used for marketing purposes that will result in direct or indirect remuneration to the covered entity from a third party;
and it must be signed and dated by the patient; or
  • if signed by a personal representative of the patient, a description of such representative’s authority to act for the patient must be provided.
A covered entity must provide the patient with a copy of the signed authorization.

An Authorization is NOT valid if:
• the expiration date has passed or the expiration event is known by the covered entity to have occurred;
• the authorization has not been filled out completely with respect to the required elements;
• the authorization is known by the covered entity to have been revoked;
• any material information in the authorization is known by the covered entity to be false.
An authorization for use or disclosure of PHI may not be combined with any other document to create a compound authorization, except in limited circumstances.

To Be Valid, An Authorization MAY NOT:
• Condition the provision of treatment on the provision of an authorization (except that a covered health care provider may condition the provision of research-related treatment on provision of an authorization).
And a patient may revoke an authorization provided under this section at any time, provided that the revocation is in writing, except to the extent that:
• the covered entity has taken action in reliance thereon; or
• if the authorization was obtained as a condition of obtaining insurance coverage, other law provides the insurer with the right to contest a claim under the policy.
BEST ADVICE: Upon receipt and before any disclosure, all authorizations should be reviewed carefully by the Privacy Officer and, if in any doubt about compliance, consult your attorney!

CAN I SHARE PHI, without getting a patient’s authorization, with any of the following?
• Independent Dispatch Centers
• Billing service/agency
• Collection agency
• Accountants
• Attorneys
• Consultants or Administrative/Management Services Companies
• Answering services
• Lockbox services
• Transcription services
• Practice management software vendors
• Electronic medical records software vendors
• Hardware maintenance services
• Off-site record storage
AND
• ANY other independent contractor who provides any functions requiring the use or disclosure of PHI for or on behalf of the “Emergency Medical Services Entity”

YES, if they are… “business associates”
• providing certain functions, activities, or services to you or on your behalf
and
• they agree to be subject to certain conditions.

UNDER WHAT CONDITIONS MAY A COVERED ENTITY SHARE PHI WITH A BUSINESS ASSOCIATE?
A covered entity may share PHI with its “business associate” as long as the covered entity obtains satisfactory assurances from its business associate, through a written contract, that the “business associate” will, among other things:
• use the information only for the purposes for which it was engaged,
• safeguard the information from misuse,
• help the covered entity comply with its duties to provide patients with access to health information about them and a history of disclosures,
• not use or further disclose the PHI except as permitted under such written contract, the HIPAA Privacy Rule and applicable State law, as each may be amended from time to time;
AND
• under NO circumstances, disclose PHI for any independent use of its own.

What Must Be Done under HIPAA
• CONDUCT CURRENT STATUS ASSESSMENT (GAP ANALYSIS): take steps to assess their current status with respect to patient privacy.
• APPOINT A PRIVACY OFFICER who will be responsible for the development and implementation of the covered entity’s privacy policies. A contact person must also be designated who will be responsible for receiving complaints.
• For routine and recurring uses and disclosures:
  • Current practices and procedures must be reviewed with the intent to revise existing policies and procedures or create new policies and procedures that will protect against intentional and unintentional uses and disclosures that violate HIPAA and limit the disclosure of PHI to the amount reasonably necessary to achieve the purpose of the disclosure.
• For all other disclosures:
  • Covered entities must establish criteria that will limit the disclosure of PHI to the amount reasonably necessary to achieve the purpose of the disclosure and review all requests for disclosure according to such criteria.

• DRAFT WRITTEN POLICIES & PROCEDURES dealing with:
  • Uses and Disclosures of PHI, including those that require authorization and those that do not
  • Revocation of Authorization
  • Disclosures to personal representatives
  • Disclosures to Business Associates
  • Compliance with the rules regarding the release of minimum necessary PHI
  • Implementation of the right to request restrictions on the release of information
  • Creation of De-Identified information
  • Complaints
  • Accountings
  • Access to PHI
  • Sanctions for personnel who fail to comply with policies and procedures
  • Changes to Policies and Procedures
  • Retention of copies of policies and procedures for at least 6 years after creation (even if amended in the interim)

• DRAFT NOTICE of PRIVACY PRACTICES
• DRAFT CONFORMING FORMS
• TRAINING: Covered Entity must train all personnel about its PHI policies and procedures, as necessary and appropriate to carry out their function within the entity:
  • For current personnel, by April 14, 2003
  • For new personnel, within a reasonable period after joining the entity
  • For all personnel, within a reasonable time after any material policy and/or procedure change
• REVIEW ALL CONTRACTS and ENTER INTO BUSINESS ASSOCIATE CONTRACTS AS NECESSARY
• HAVE EMPLOYEES, VOLUNTEERS, TRAINEES and OTHERS SIGN CONFIDENTIALITY AGREEMENTS