HIPAA and Disaster Situations
By LYNDA M. JOHNSON, Friday, Eldredge & Clark

Post on 13-Jan-2016


HIPAA - “The Health Insurance Portability and Accountability Act of 1996.”

Protects “individually identifiable health information” held by “covered entities”

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

i. That identifies the individual; or

ii. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Covered Entities are:

Health Care Providers

Health Plans

Health Care Clearinghouses

Information Protected by HIPAA is called “Protected Health Information” or “PHI”

WHAT INFORMATION IS COVERED?

ANY HEALTH INFORMATION RELATING TO:

Past, present or future physical or mental health or condition

Provision of healthcare or

Past, present or future payment for healthcare

Created/received by provider, plan, or clearinghouse

Individually identifiable or presents reasonable basis to believe the information can be used to identify the individual

Includes demographic information

In any medium:

Written, Verbal, Electronic

“Protected Health Information” (PHI)

Covered Entities may use and disclose PHI for purposes of treatment, payment, and healthcare operations.

“TREATMENT” generally means the provision, coordination or management of healthcare and related services among healthcare providers or by a healthcare provider with a third party, consultation between healthcare providers regarding a patient, or the referral of a patient from one healthcare provider to another.

TREATMENT

“PAYMENT” encompasses the various activities of healthcare providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of healthcare.

PAYMENT

“HEALTHCARE OPERATIONS” are defined to include the business, management and operational activities of a healthcare entity.

HEALTHCARE OPERATIONS

AUTHORIZATION

Written permission from patient to “use” or “disclose” PHI for a purpose OTHER THAN treatment, payment or healthcare operations.

Privacy Regulations allow Covered Entities to disclose PHI for a variety of purposes including:

Treating patients

Identifying, locating and notifying family members, guardians or those responsible for an individual's care

Obtaining the services of disaster relief agencies

Conducting public health activities

Preventing or lessening serious and imminent threats to health or safety

A “covered entity” may use or disclose PHI to a public or private entity authorized by law or by its charter to assist in disaster relief efforts.

Covered Entity may exercise its “professional judgment” in making disclosures to disaster relief agencies.

After Hurricane Katrina, OCR issued a special bulletin addressing HIPAA Privacy and Disclosures in Emergency Situations. This bulletin clarified the definition of treatment in an Emergency Situation to include:

Sharing information with other providers

Referring patients for treatment (including linking patients with available providers in areas where patients had relocated)

Coordinating patient care with others (such as emergency relief workers or others) that can help patients find appropriate health services

This Bulletin also clarified that when a provider is sharing PHI with a disaster relief organization, it is not necessary to obtain the patient’s permission (or authorization) to share PHI if doing so would interfere with the organization’s ability to respond to the emergency.

The President and HHS Secretary also have the authority to temporarily waive HIPAA requirements in an emergency. This was done with Hurricane Sandy.

This “waiver” waives the imposition of sanctions and penalties for noncompliance with the following HIPAA requirements:

The requirements to obtain a patient’s agreement to speak with family members or friends or to honor a patient’s request to “opt out” of the facility directory

The requirement to distribute a notice of privacy practices

The patient’s right to request privacy restrictions or to request confidential communications.

(Only if President AND Secretary declare a public health emergency.)

If only HHS Secretary issues the waiver, it only applies:

To the area designated and for the period specified in the waiver

To hospitals that have instituted a disaster protocol

For up to 72 hours after hospital has implemented its disaster protocol

Penalties for violating HIPAA Regulations

Prior to 2009, fines ranged from $100-$25,000 per violation and were capped at $25,000 for any calendar year.

Beginning in February of 2009, new tiered structure for penalties went into effect.

New maximum penalty for violation of the same HIPAA provision is $1.5 million per year. Prior to HITECH, the maximum was $25,000 per year.

Violation Category | Each Violation | Total CMP for Violations of an Identical Provision in a Calendar Year
Unknowing | $100 - $50,000 | $1,500,000
Reasonable Cause | $1,000 - $50,000 | $1,500,000
Willful Neglect – Corrected | $10,000 - $50,000 | $1,500,000
Willful Neglect – Not Corrected | At least $50,000 | $1,500,000

There are also criminal penalties that can be imposed. In Arkansas, we have more criminal indictments for HIPAA violations than any other state!

QUESTIONS

Lynda M. Johnson
Friday, Eldredge & Clark, LLP

Ljohnson@fridayfirm.com

501-370-1553