HIPAAThe Health Insurance Portability and Accountability Act of 1996

(Public Law 104-191)Impact on Pathologist

Trina ShanksUniversity Pathology Services, Inc. & The OSU Department of Pathology

Objectives

HIPAA Historical Background Privacy Rule Purposes of the Privacy Rule Privacy Rule affects on Pathologists Privacy assessment gaps Research Provisions

HIPAA Historical Background

Enacted in August 1996, HIPAA included a wide array of provisions designed to make health insurance more affordable and accessible. With support from health plans, hospitals and other health care businesses, Congress included provisions in HIPAA to require HHS to adopt national standards for certain health care transactions, codes, identifiers and security. HIPAA also set a three-year deadline for Congress to enact comprehensive legislation to protect medical records and other personal health information. When Congress did not enact such legislation by August 1999, HIPAA required HHS to issue health privacy regulations.

Title I Portability

Protects Americans with pre-existing conditions from losing health insurance when changing jobs.

Prevents discrimination in health care coverage.

Title II Administrative Simplification

Standardization of electronic patient health, administrative and financial data

Unique health identifiers for individuals, employers, health plans and health care providers

Security standards protecting the confidentiality and integrity of “individually identifiable health information (PHI-Protected Health Information),” past, present or future

HIPAA Administration Simplification RulesEach rule is being approved individually. Once each rule is approved,

there is a 2 month comment period and a 24 month implementation window = 26 months to live

HIPAA Rules Approved Date Required Compliance Date

Privacy

December 28, 2000 Last changes in March 2002

April 14, 2003

EDI Transaction & Code Sets

August 17, 2000 October 16, 2002 1 year extension

National Employer ID

May 31, 2002

July 30, 2004

Security

February 20, 2003

April 21, 2005

National Provider ID

Comment period ended July 6, 1998

???

National Health Plan ID

Under Development

???

Who is affected?

All healthcare organizations. This includes all health care providers, even

1 doctor physician offices, health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and medical universities.

Privacy Rule Provisions

Limit the non-consensual use and release of private health information

Give patients new rights to access their medical records and to know who else has accessed them

Restrict most disclosure of health information to the minimum needed for the intended purpose

Establish new criminal and civil sanctions for improper use or disclosure

Establish new requirements for access to records by researchers and others

Purpose of the Privacy Rule

Protect and enhance rights of consumers to their health information and control the inappropriate use of the information.

Improve the quality of health care in the U.S. by restoring trust in the health care system.

As Modified, Privacy Rule is:

Flexible and Scalable Workable Balanced

The Privacy Rule “strikes a common sense balance by providing consumers with personal privacy

protections and access to high quality health care.”

HHS Secretary Thompson

Treatment, Payment & Health Care Operations (TPO)

Covered Entities may use/disclose Protected Health Information (PHI) to carry out essential health care functions.

Treatment

Treatment-the provision, coordination, or management of health care by one or more health care providers.

Payment

Payment-activities of health care providers to obtain payment or reimbursement for their services. Health plans to obtain premiums, fulfill coverage responsibilities, or provide reimbursement for the provision of health care.

Health Care Operations

Health Care Operations-administrative, financial, legal and quality improvement activities. Necessary to run business and to support core functions of treatment and payment. Quality assessment and improvement activities. Training, accreditation, certification, credentialing, licensing, reviewing competence, evaluating performance. Fraud and abuse detection. Underwriting, rating, other activities relating to the creation, renewal or replacement of a contract of health insurance or benefits. Conducting or arranging for medical review, legal services, or auditing. Business planning and development. Business management and general administrative activities.

The HIPAA privacy regulations affect pathologists in three ways. 1. HIPAA requires that a pathologist or laboratory

develop and implement policies and procedures to govern their use and disclosure practices with respect to PHI.

2. Must establish and implement policies and procedures to provide for certain rights that must be afforded to patients.

3. Must establish and implement policies and procedures to document certain administrative steps that the pathologist must take to ensure that PHI is properly protected.

Privacy Assessment Gaps

Submitted self-assessments Direct observation Reports from staff

Medical Information Access

Finding: PCs, printers, faxes in areas accessed by the public

Concern: Personal information accessible by unauthorized individuals

Action: Review your environment. Do not place equipment that collects/receives PHI in areas where the information can be seen by visitors or other patients

Medical Information Disposal

Finding: Printouts are not properly discarded

Concern: Paper reports disposed of in the trash can resurface

Action: Instruct staff never to place legible patient identifiable reports in the trash. Use bins for shredding, or shred before disposing.

Medical Information Storage

Finding: Medical records are not secured Concern: Patient records are not to be accessed by

anyone who is not involved in the treatment, payment or hospital operations related to the patient except as authorized by the patient.

Recommendation: Records are to be kept in secure medical record storage areas, with limited access. Sign off of the system before leaving the area.

Conversations

Finding: Healthcare conversations are overheard

Concern: Patient information is to be discussed in private

Action: Remind staff of the need to use conference room, step away from public settings, be discreet when speaking on the telephone

Patient Communications

Finding: Patient care areas have various practices related to contacting patients

Concern: Patients have the right to control release of information

Recommendation: Do not leave messages or speak to family member or friend without giving notice to the patient or obtaining consent.

Note: When patient is not present or incapacitated-uses and disclosures are permissible using professional judgment to determine if in best interest of individual. Consider minimal necessary.

Need More Info?

http://www.cms.gov/hipaa/hipaa2/ http://www.hhs.gov/ocr/hipaa

OSUMC Newsline, Progressline, Connections, Med Staff News & Webster

OSUMC posters with monthly tips

Medical Center Privacy Office via email at “Privacy Office”

or 293-4477

Questions?

Research

Research Provisions- Covered entities may use and disclose PHI for research:

-with individual authorization, or

-without individual authorization under limited circumstances

What Research is Affected?

Records research that uses existing PHI, such as: Research databases and repositories

Research that includes treatment of research participants, such as: Clinical trials

Relationship to Other Research Rules

The Privacy Rule does not override the Common Rule or FDA’s human subject protection regulations

Common Rule vs. Privacy RuleResearch WITH patient permission

Common Rule/FDA Regulated

IRB review of research and informed consent

Privacy Rule

Valid authorization

Privacy Authorization

Research participant authorization to use or disclose PHI is required for most clinical trials and some records research

-May be no expiration date or event or may continue until “end of research study”

-May be combined with informed consent to participate in research

Common Rule vs. Privacy RuleResearch WITHOUT patient permission

Common Rule

IRB Review-

4 waiver criteria

Privacy Rule

-IRB/Privacy Board Review-3 wavier criteria

-Preparatory research;

-Research on decedents; or

-Limited data set

Use and Disclosure of PHI of Research WITHOUT Individual Authorization

Four Options:

Option 1: Obtain documentation that an IRB or Privacy Board has approved an alteration to or waiver of authorization based on the following 3 wavier criteria;

3 Waiver Criteria

1. The use of disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements

Minimal Risk Elements

a. An adequate plan to protect the identifiers from improper use/disclosureb. An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining identifiers or such retention is otherwise required by law; andc. Adequate written assurances that PHI will not be reused/disclosed to any other person or entity, with certain exceptions.

Wavier criteria…

2. The research could not practicably be conducted without the alteration or waiver

3. The research could not practicably be conducted without access to and use of the PHI

Use and Disclosure of PHI of Research WITHOUT Individual Authorization

Option 2: Obtain representation that the use or disclosure is necessary to prepare a research protocol or for similar purposes preparatory to research

-No PHI removed from Covered Entity

Use and Disclosure of PHI of Research WITHOUT Individual Authorization

Option 3: Obtain representation that the use or disclosure is solely for research on decedents protected health information

Use and Disclosure of PHI of Research WITHOUT Individual Authorization

Option 4: Only use or disclose limited data set/”indirect identifiers” (e.g. zip codes, dates of service, age, death)

-Requires a data use agreement

Accounting for Research Disclosures

Upon request, must provide accounting for research disclosures made without individual authorization (except for disclosures of the limited data set).

For 50+ records:-List of protocols for which PHI may have been disclosed, and -Researcher contact information

Ongoing Research at Time of Compliance Date (4/14/03) Grandfathers in use or disclosure of PHI as

permitted by the following if obtained prior to the compliance date:-Legal permission for the use or disclosure of PHI;-Informed consent for the research; or-An IRB waiver of informed consent under the Common Rule.

Questions?