HIPAA (Health Insurance Portability & Accountability Act)

Transcript

Columbia University
Health Sciences
Health Insurance Portability and
Accountability Act of 1996
(“HIPAA”)
HIPAA OVERVIEW
[Diagram: structure of the Health Insurance Portability and Accountability Act (HIPAA)]
- Insurance Reform [Portability]
- Administrative Simplification [Accountability]
  - Transactions, Code Sets, & Identifiers (Compliance Date: 10/16/2002 and 10/16/03)
  - Privacy (Compliance Date: 4/14/2003)
  - Security (Compliance Date: TBD)
- Fraud and Abuse (Accountability)
What is Covered
Individually identifiable health information:
- Created by Columbia University
- Relates to a physical or mental health condition at any time
- Identifies the individual or could reasonably be used to identify the individual
Known as PHI
Who is covered
Covered Entities = A Health Plan, Healthcare
Clearinghouse, or a Health Care Provider who
transmits any health information in electronic
form in connection with a transaction covered
under HIPAA
Covered entities are required to contractually
bind other entities with whom they share
Protected Health Information (“Business
Associates”)
Basic HIPAA Requirement
“[Columbia University] may not use or
disclose an individual’s protected health
information except as otherwise permitted or
required.”
Permitted Uses/Disclosures of PHI
- Individual access
- TPO
- Specialists
- Labs
- Other doctors
- Other covered entities
- Directories
Notice of Privacy Practices
Privacy rule looks at uses of PHI as
permissible within Treatment, Payment and
Healthcare Operations – once we give the
patient a Notice of Privacy Practices (NPP)
at the first treatment encounter, we can use
their PHI for any TPO purpose
NPP is a once-in-a-lifetime requirement
(argues for good record keeping!)
Required Notice of Privacy Practices
Post NPP prominently at premises and on
websites
The patient will sign a separate
acknowledgement document that contains the
privacy officer contact information for that
facility
Give the patient a copy of NPP and
acknowledgement sheet
Required Notices of Privacy Practices
Describe Patient Rights to:
- Restrict
- Access
- Amend
- Accounting
- Alternative Communication Methods
- Complain
Columbia University Policy
Minors (under 18) in NYS have a right to confidential
treatment with respect to the following without a parent's
consent or notice:
- Abortion
- Birth control
- STD testing
- HIV/AIDS testing
- Mental health counseling
Outside of these areas, a physician can always decide
not to inform parents or to keep a minor's record
confidential if, in the physician's judgment, revealing the
medical information would have a negative impact on the
patient/physician relationship
Permitted by law
Outside of TPO or patient authorization,
the only other permitted uses of PHI are
those required by law:
- Investigations by HHS
- Reporting about victims of abuse, neglect or domestic violence
- Adverse Event Reporting
- Reporting to Public Health Authorities in general
Minimum Information Necessary
Privacy Rule requires Columbia University to
make reasonable efforts to limit the use or
disclosure of, and requests for PHI to the
minimum necessary to accomplish the
intended purposes
Minimum Information Necessary
May not disclose entire medical record, except
to providers for treatment
Certain limited types of information cannot be
disclosed—e.g., psychotherapy notes
Minimum necessary does not apply to uses and
disclosures to patients, to those made pursuant to an
authorization, to those made for HIPAA compliance purposes,
or to those that are required by law
Unintended Uses and Disclosures
Privacy Rule explicitly permits incidental uses and disclosures that
occur as a result of an otherwise permitted use or
disclosure under the Privacy Rule.
Incidental use or disclosure:
- is a secondary use or disclosure that cannot reasonably be prevented
- is limited in nature
- occurs as a by-product of an otherwise permitted use or disclosure
Columbia University must implement reasonable
safeguards to limit unintended uses and disclosures and
must implement the minimum necessary standard
requirements
HIPAA and Research
[Diagram: HIPAA Disclosure Universe]
- Authorization signed by patient for all clinical research
- Waiver Criteria applied before records research
- Exceptions Documented
  • Preparatory to research
  • Research on decedents
- De-identified
- Limited data-set
- TPO
- Public Safety and Other exceptions
HIPAA Authorization
Authorization signed
by patient for
all clinical research
Patient authorization elements
- The information
- Who may use or disclose the information
- Who may receive the information
- Purpose of the use or disclosure
- Expiration date or event
- Individual’s signature and date
- Right to revoke authorization
- Right to refuse to sign authorization
- Redisclosure statement
HIPAA Waiver Criteria
Waiver requires IRB/Privacy Board approval
and documentation of three (3) waiver criteria:
1. Use or disclosure involves no more than
minimal risk to privacy of the subject
based on, at least:
a) Adequate plan to protect the information from
improper use and disclosure;
b) Adequate plan to destroy identifiers; and
c) Written assurances that the PHI will not be
disclosed further than as set forth in the waiver
HIPAA Waiver Criteria, cont’d
2. The research could not practicably be
conducted without waiver or alteration
3. The research could not practicably be
conducted without access to and use of
the PHI
Note: HHS intends to issue future guidance for IRBs and
Privacy Boards on applying waiver criteria
Research View of PHI
[Diagram: Research Data Flow]
Step 1: Researcher Certification; Protocol Submission; IRB (Rascal)/GCP/HR
Step 2: WEBCIS; Disclosures For TPO
Step 3: Data Warehouse (Radiology, Cancer Center, Cardiology, Surgery, MSPH)
Step 4: Research Request for PHI
Step 5: Automated linkage; Authentication/Authorization; Central Authority; Audit Trail; Monthly report
Step 6: PHI Disclosed to Researcher
Step 7: Compliance Audits; Central HIPAA Compliance
Questions & Answers
Jeffrey P. Davis, Esq.
Associate Vice President/Privacy Officer
Columbia University Health Sciences
212-305-7315
[email protected]