HIPAA
The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)
Impact on Pathologist
Trina Shanks
University Pathology Services, Inc. & The OSU Department of Pathology
Objectives
HIPAA Historical Background
Privacy Rule
Purposes of the Privacy Rule
Privacy Rule effects on Pathologists
Privacy assessment gaps
Research Provisions
HIPAA Historical Background
Enacted in August 1996, HIPAA included a wide array of provisions designed to make health insurance more affordable and accessible. With support from health plans, hospitals and other health care businesses, Congress included provisions in HIPAA to require HHS to adopt national standards for certain health care transactions, codes, identifiers and security. HIPAA also set a three-year deadline for Congress to enact comprehensive legislation to protect medical records and other personal health information. When Congress did not enact such legislation by August 1999, HIPAA required HHS to issue health privacy regulations.
Title I Portability
Protects Americans with pre-existing conditions from losing health insurance when changing jobs.
Prevents discrimination in health care coverage.
Title II Administrative Simplification
Standardization of electronic patient health, administrative and financial data
Unique health identifiers for individuals, employers, health plans and health care providers
Security standards protecting the confidentiality and integrity of “individually identifiable health information (PHI-Protected Health Information),” past, present or future
HIPAA Administrative Simplification Rules
Each rule is being approved individually. Once each rule is approved, there is a 2 month comment period and a 24 month implementation window = 26 months to live.
HIPAA Rule | Approved Date | Required Compliance Date
Privacy | December 28, 2000 (last changes in March 2002) | April 14, 2003
EDI Transaction & Code Sets | August 17, 2000 | October 16, 2002 (1 year extension)
National Employer ID | May 31, 2002 | July 30, 2004
Security | February 20, 2003 | April 21, 2005
National Provider ID | Comment period ended July 6, 1998 | ???
National Health Plan ID | Under Development | ???
Who is affected?
All healthcare organizations. This includes all health care providers, even 1-doctor physician offices, health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and medical universities.
Privacy Rule Provisions
Limit the non-consensual use and release of private health information
Give patients new rights to access their medical records and to know who else has accessed them
Restrict most disclosure of health information to the minimum needed for the intended purpose
Establish new criminal and civil sanctions for improper use or disclosure
Establish new requirements for access to records by researchers and others
Purpose of the Privacy Rule
Protect and enhance rights of consumers to their health information and control the inappropriate use of the information.
Improve the quality of health care in the U.S. by restoring trust in the health care system.
As Modified, Privacy Rule is:
Flexible and Scalable
Workable
Balanced
The Privacy Rule “strikes a common sense balance by providing consumers with personal privacy protections and access to high quality health care.”
HHS Secretary Thompson
Treatment, Payment & Health Care Operations (TPO)
Covered Entities may use/disclose Protected Health Information (PHI) to carry out essential health care functions.
Treatment
Treatment: the provision, coordination, or management of health care by one or more health care providers.
Payment
Payment: activities of health care providers to obtain payment or reimbursement for their services, and of health plans to obtain premiums, fulfill coverage responsibilities, or provide reimbursement for the provision of health care.
Health Care Operations
Health Care Operations: administrative, financial, legal and quality improvement activities necessary to run the business and to support the core functions of treatment and payment.
-Quality assessment and improvement activities
-Training, accreditation, certification, credentialing, licensing, reviewing competence, evaluating performance
-Fraud and abuse detection
-Underwriting, rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or benefits
-Conducting or arranging for medical review, legal services, or auditing
-Business planning and development
-Business management and general administrative activities
The HIPAA privacy regulations affect pathologists in three ways.
1. HIPAA requires that a pathologist or laboratory develop and implement policies and procedures to govern their use and disclosure practices with respect to PHI.
2. Must establish and implement policies and procedures to provide for certain rights that must be afforded to patients.
3. Must establish and implement policies and procedures to document certain administrative steps that the pathologist must take to ensure that PHI is properly protected.
Privacy Assessment Gaps
Submitted self-assessments
Direct observation
Reports from staff
Medical Information Access
Finding: PCs, printers, faxes in areas accessed by the public
Concern: Personal information accessible by unauthorized individuals
Action: Review your environment. Do not place equipment that collects/receives PHI in areas where the information can be seen by visitors or other patients
Medical Information Disposal
Finding: Printouts are not properly discarded
Concern: Paper reports disposed of in the trash can resurface
Action: Instruct staff never to place legible patient identifiable reports in the trash. Use bins for shredding, or shred before disposing.
Medical Information Storage
Finding: Medical records are not secured
Concern: Patient records are not to be accessed by anyone who is not involved in the treatment, payment or hospital operations related to the patient except as authorized by the patient.
Recommendation: Records are to be kept in secure medical record storage areas, with limited access. Sign off of the system before leaving the area.
Conversations
Finding: Healthcare conversations are overheard
Concern: Patient information is to be discussed in private
Action: Remind staff of the need to use a conference room, step away from public settings, and be discreet when speaking on the telephone
Patient Communications
Finding: Patient care areas have various practices related to contacting patients
Concern: Patients have the right to control release of information
Recommendation: Do not leave messages or speak to a family member or friend without giving notice to the patient or obtaining consent.
Note: When the patient is not present or is incapacitated, uses and disclosures are permissible using professional judgment to determine if they are in the best interest of the individual. Consider minimum necessary.
Need More Info?
http://www.cms.gov/hipaa/hipaa2/
http://www.hhs.gov/ocr/hipaa
OSUMC Newsline, Progressline, Connections, Med Staff News & Webster
OSUMC posters with monthly tips
Medical Center Privacy Office via email at “Privacy Office” or 293-4477
Questions?
Research
Research Provisions- Covered entities may use and disclose PHI for research:
-with individual authorization, or
-without individual authorization under limited circumstances
What Research is Affected?
Records research that uses existing PHI, such as: Research databases and repositories
Research that includes treatment of research participants, such as: Clinical trials
Relationship to Other Research Rules
The Privacy Rule does not override the Common Rule or FDA’s human subject protection regulations
Common Rule vs. Privacy Rule
Research WITH patient permission
Common Rule/FDA Regulated
IRB review of research and informed consent
Privacy Rule
Valid authorization
Privacy Authorization
Research participant authorization to use or disclose PHI is required for most clinical trials and some records research
-May be no expiration date or event or may continue until “end of research study”
-May be combined with informed consent to participate in research
Common Rule vs. Privacy Rule
Research WITHOUT patient permission
Common Rule
-IRB Review: 4 waiver criteria
Privacy Rule
-IRB/Privacy Board Review: 3 waiver criteria
-Preparatory research;
-Research on decedents; or
-Limited data set
Use and Disclosure of PHI of Research WITHOUT Individual Authorization
Four Options:
Option 1: Obtain documentation that an IRB or Privacy Board has approved an alteration to or waiver of authorization based on the following 3 waiver criteria:
3 Waiver Criteria
1. The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
Minimal Risk Elements
a. An adequate plan to protect the identifiers from improper use/disclosure
b. An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining identifiers or such retention is otherwise required by law; and
c. Adequate written assurances that PHI will not be reused/disclosed to any other person or entity, with certain exceptions.
Waiver criteria…
2. The research could not practicably be conducted without the alteration or waiver
3. The research could not practicably be conducted without access to and use of the PHI
Use and Disclosure of PHI of Research WITHOUT Individual Authorization
Option 2: Obtain representation that the use or disclosure is necessary to prepare a research protocol or for similar purposes preparatory to research
-No PHI removed from Covered Entity
Use and Disclosure of PHI of Research WITHOUT Individual Authorization
Option 3: Obtain representation that the use or disclosure is solely for research on decedents' protected health information
Use and Disclosure of PHI of Research WITHOUT Individual Authorization
Option 4: Only use or disclose limited data set/“indirect identifiers” (e.g. zip codes, dates of service, age, death)
-Requires a data use agreement
Accounting for Research Disclosures
Upon request, must provide accounting for research disclosures made without individual authorization (except for disclosures of the limited data set).
For 50+ records:
-List of protocols for which PHI may have been disclosed, and
-Researcher contact information
Ongoing Research at Time of Compliance Date (4/14/03)
Grandfathers in use or disclosure of PHI as permitted by the following if obtained prior to the compliance date:
-Legal permission for the use or disclosure of PHI;
-Informed consent for the research; or
-An IRB waiver of informed consent under the Common Rule.
Questions?