Version 1.0, July 8, 2002
Copyright © 2002, NCHICA, All Rights Reserved
Health Insurance Portability & Accountability Act (HIPAA)
PRIVACY AWARENESS EDUCATION AND TRAINING
45 CFR §164.500 et seq.
HOW IT ALL BEGAN
The Kennedy-Kassebaum Bill amended the Social Security Act to allow for portability of health insurance (immediate qualification for comparable coverage upon change of employment).
Congress desired to promote Electronic Data Interchange to facilitate this portable health insurance and to reduce the administrative costs of health care.
Source: HIPAA Basics, 2002, Washington and Lee University
INTRODUCTION
The Privacy Rule establishes federal safeguards to protect the confidentiality of patient health information. HIPAA applies over and above Illinois state law.
Exception: state laws that impose more stringent privacy requirements, and state laws designed for public health or for state regulation, are not preempted and continue to apply.
INTRODUCTION
The Act was passed in 1996 to establish uniformity in the electronic exchange of health information.
Privacy, Security, Confidentiality
The second category of regulations is the Privacy Rule. The privacy rules call for providing:
• Patient notification of their privacy rights
• Patient access to their medical records
• Patient consent before releasing information
INTRODUCTION
The Administrative Simplification rules provided for implementation as follows:
• Privacy: implemented April 2003 (April 2004 for small health plans)
• Transactions Standards and Code Sets: implemented October 2003
• Security: implemented April 2005 (April 2006 for small health plans)
• Identifiers: for Providers, implemented May 2007; for Employers, implemented July 2004
• Standards of Enforcement: effective March 16, 2006
INTRODUCTION
The rules include standards to protect the use, transfer, and disclosure of health information.
The rules protect patient information in all forms: electronic, paper and oral.
Why Protect Privacy of Information?
Privacy is a right that confidentiality protects.
Individuals are likely to be more open with healthcare providers if they are assured that their sensitive health information will be kept confidential.
Why Does Confidentiality Need To Be Protected?
Individuals should know that their sensitive health information will not be released to unauthorized entities.
Individuals should not have to worry that they will be discriminated against because of their health information.
Privacy Rule Principles: Accountability
Persons who misuse patient information will be subject to civil and/or criminal penalties:
• Civil penalties: $100 per violation, capped at $25,000 per year for violations of an identical requirement (noncompliance)
• Civil: no right to an individual cause of action
• Criminal penalties: wrongful disclosure, up to $50,000 and/or imprisonment up to one year
• False pretenses: up to $100,000 and/or imprisonment up to 5 years
• Intent to sell, transfer or use PHI for commercial or personal advantage or for malicious harm: up to $250,000 and/or imprisonment up to 10 years
Potential loss of accreditation and business partners
Source: The Medical Practice in Illinois §36:17, 3rd ed. 2007
Privacy Rule Principles
Boundaries: Patient health care information should be used for health care purposes only. Limit disclosure to the "minimum necessary" to accomplish the purpose of the use.
Patient control: Patients have the ability to control the release of their medical information.
Types of Covered Entities
Covered entities include health plans, health care clearinghouses, and health care providers who transmit health information electronically: hospitals, HMOs, physician practices, dentists, pharmacies, nursing homes, etc.
The SIU Dental School is included in its capacity as a healthcare provider.
Requirements extend to business associates through contracts with covered entities.
Is This Example a Health Plan?
The University has a private psychiatrist on retainer to evaluate students on a one-time referral from University physicians/counselors when behavioral concerns arise. The University pays the psychiatrist directly for these sessions out of the student health and counseling budget. Is this practice a "health plan" under HIPAA?
Endorsed vs. Sponsored Plans
Question: A university endorses one student health insurance policy and allows that insurer to market the policy as the College Sponsored Student Health Plan. There is no contractual relationship between the college and the insurer, and the students apply, pay premiums and file claims on their own. Is the college a Plan Sponsor for HIPAA?
Is This Example a Healthcare Provider?
Patients at University Medical School are involved in a clinical trial study. Routine costs that are associated with the clinical trial study are billed electronically to the participating health plan. Is this a "healthcare provider" transaction under HIPAA?
Business Associate
• A person or company that performs functions on behalf of a covered entity
• The function involves the creation or receipt of protected health information
• A written contract between the covered entity and the business associate is necessary
Business Associate Examples
• Transcription companies
• Billing software vendors
• Medical record copying services
• Collection agencies
• Malpractice attorneys
Note: Individuals operating under the direct control of the covered entity, such as contract staff, students, or volunteers, are not BAs.
Covered Entity Personnel Requirements
The Privacy Officer is responsible for development and implementation of privacy rule policies and procedures.
Should include a contact person to receive complaints and provide further information.
Protected Health Information (PHI)
To be considered protected health information, the information must:
• Relate to a person's physical or mental health or the provision of or payment for health care
• Identify or could be used to identify the subject of the information (i.e. the patient)
• Be created or received by a covered entity
Examples of Protected Health Information
• Information in a patient's file, chart or medical record considered confidential or personal in nature
• Billing or health care claims data
• Research or reporting data with individually identifiable health information
• PHI subject to the Clinical Laboratory Improvement Amendments of 1988
Safeguards
Attempt to:
• Protect PHI from accidental or intentional use or disclosure
• Protect against inadvertent disclosure of PHI
Safeguards may vary based upon the size of the covered entity or the type of activities undertaken.
Source: The Medical Practice in Illinois §36:17, 3rd ed. 2007
Safeguards
Access to information: who needs access; limit access to the type needed
Storage of information: laptops; Blackberries and hand-held devices; remote site transmissions
Transmission of information: where is the information going and to whom; facsimile; e-mail
Requirements
In order to comply, covered entities will have to:
• Provide patients with a written explanation of how the organization may use and disclose their health information
• Provide patients with the ability to get copies of their medical information and request amendments
• Obtain patient authorization before sharing medical information except as required by law
Uses and Disclosures of PHI
PHI may be used or disclosed:
• To the individual
• For uses authorized under the Act
• Pursuant to a valid authorization
• To investigate or determine the covered entity's compliance under the Act
Uses and disclosures must comply with the minimum necessary standard, except as pertains to disclosures for treatment by a health care provider, to the individual, pursuant to an authorization, or as required by law.
Uses and Disclosures of Protected Health Information
Treatment, Payment, and Health Care Operations (TPO)
• Does not require patient authorization to release PHI
• Broad scope of activities supporting the provision of care
• Includes not only direct care but also most supporting activities
• The Rule supports a broad definition of this activity
Treatment, Payment, and Healthcare Operations (TPO): Treatment
• Includes direct care of a patient
• Includes coordination of care with other health care staff, including laboratory, nursing staff, technicians, etc.
• Includes Quality Assurance and Risk Management activities, including peer review and legal counsel
Treatment, Payment, and Health Care Operations (TPO): Payment
• Includes activities associated with direct payment, including work verification, credit history, and address validation
• Also includes communications with third party payers, collection agencies, and legal staff in the event of non-payment
• Includes communications through clearinghouses
Treatment, Payment, and Health Care Operations (TPO): Health Care Operations
• QA events, including outcome evaluations
• Competence evaluations of healthcare professionals
• Underwriting, premium rating
• Medical and legal reviews, including fraud and abuse detection
• Business management activities
• Customer service
• Fund raising
Treatment, Payment, and Health Care Operations (TPO)
Consent: A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment or health care operations.
Consent of the individual does not permit use or disclosure of PHI where the Act requires an authorization.
Consent
An individual's general written permission for a covered entity to use or disclose PHI for purposes of treatment, payment or healthcare operations.
If obtained, consent must be obtained prior to the use or disclosure. (Under the August 2002 modifications to the Privacy Rule, obtaining consent for TPO is optional for the covered entity; 45 CFR §164.506(b).)
A covered entity may condition treatment on the individual's provision of a signed consent.
Authorization
Grants permission to disclose PHI.
• Must be written in plain language
• Must have an expiration date or expiration event
• Must be filled out completely and accurately
Examples of a defective authorization:
• Expiration date has passed or is known by the covered entity to have passed
• Authorization not properly completed
• Authorization known to have been revoked
• Material information known to be false
Authorization
An authorization may not be combined with any other document to create a compound authorization.
• Exceptions:
An authorization for use of PHI in a research study may be combined with other written permission for the same study.
An authorization for psychotherapy notes may be combined with another authorization for psychotherapy notes.
Authorization
An individual may revoke an authorization at any time, provided that the revocation is in writing.
• Exceptions:
The covered entity has taken action in reliance on the authorization, or
The authorization was obtained as a condition of obtaining insurance coverage, and other law provides the insurer with the right to contest a claim under the policy or the policy itself.
45 CFR §164.508(b)(5)
Authorization
A covered entity must document and retain any signed authorization under the Act.
If an authorization is sought from an individual for a use or disclosure of PHI by the covered entity, the covered entity must provide the individual with a copy of the signed authorization.
45 CFR §164.508(c)(4)
Authorization Required
Examples:
• If PHI is to be used for marketing purposes
• Participation in a research study
Authorization also required: To Disclose Psychotherapy Notes
Exceptions:
• Use by the originator of the psychotherapy notes for treatment (other treatment, payment or health care operations (TPO) uses of the notes still require an authorization)
• Use by the entity for training of students, trainees or practitioners in mental health learning, under supervision, to practice or improve their skills in group, joint, family or individual counseling, or
• Use by the covered entity to defend in a legal action or other proceeding brought by the individual
45 CFR §164.508(a)(2)
Authorization
Must be signed before releasing PHI for any purpose outside of TPO, except for:
• Public health
• Law enforcement (abuse, neglect, domestic violence)
• And other permitted releases
45 CFR §164.512
Minimum Necessary Requirement
A covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
Does NOT apply:
• To disclosures to the patient
• To disclosures for treatment
• When required by law
• When permitted by an authorization
What are an Individual's Rights Under HIPAA?
• Right to privacy protection
• Right to access and copy PHI about them
• Right to request an amendment to PHI about them
• Right to an accounting of disclosures
Rights to Privacy Protection
An individual may request restriction of the use or disclosure of PHI needed to carry out treatment, payment, or health care operations (TPO).
A covered entity is not required to agree to the restriction, and it may be difficult to guarantee compliance with the request.
Exemptions to Privacy Protection
Consent is not required for disclosure:
• For reporting abuse, neglect, or domestic violence
• For public health activities as authorized by law (vital statistics, CDC)
• For Adverse Drug Events (ADE)
• For workplace related injury (OSHA)
Individual's Access to PHI
An individual has a right to inspect and obtain a copy of PHI about themselves in a designated record set, with some exceptions:
• Psychotherapy notes
• Information compiled for use in a civil, criminal or administrative action
• PHI subject to CLIA, the Clinical Laboratory Improvement Amendments of 1988, 42 U.S.C. §263a
Exceptions to an Individual's Access to PHI
Covered entities are not required to provide access if:
• The covered entity is a correctional institution
• Restrictions were agreed to in the course of treatment during on-going research (e.g. a blind clinical trial)
Amendment of PHI

An individual has a right to have a covered entity amend protected health information or a record about the individual in a designated record set for as long as the PHI is maintained.

45 CFR §164.526(a)(1)
Denial to Amend

A covered entity can deny a request for amendment in the following situations, where the PHI:
• Was not created by the covered entity
• Is not part of the designated record set
• Would not be available for inspection (such as psychotherapy notes)
• Is accurate and complete

45 CFR §164.526(a)(2)
Accounting of Disclosures of PHI

An individual has a right to receive an accounting of disclosures of PHI made by a covered entity in the 6 years prior to the date on which the accounting is requested.

45 CFR §164.528 et seq.
Exceptions to Disclosure Accounting

Disclosures that need not be accounted for include the following:
• To carry out treatment, payment and health care operations
• For national security or intelligence purposes
• To correctional institutions or law enforcement officials
• That occurred prior to the compliance date for the covered entity

45 CFR §164.528 et seq.
Process

• Handing out Privacy Notices to patients
• New Signature on File (SOF) form
• Registration face sheet
• Names excluded from most reports
• Standard fax cover sheets
• Increased general awareness of patient confidentiality
• Updated Research Consent and Authorization forms
Incidental Disclosures

• A use or disclosure that cannot reasonably be prevented
• Occurs in relation to a permitted use or disclosure
• The covered entity has implemented reasonable safeguards and applies the minimum necessary standard
• Determining factors depend on whether or not the covered entity had reasonable policies to protect against disclosure
• Procedures in place to manage the potential for disclosure and loss
Incidental Disclosures

Examples:
• OK to leave messages on answering machines
• OK to have a patient sign-in sheet
• OK to call names in waiting rooms
• OK to keep charts on doors
• OK to discuss a patient’s condition during training rounds

In all instances, only the minimum necessary information should be disclosed.
Security Rule

Purpose
• Set standards
• Implement specifications and requirements with respect to electronic protected health information

45 CFR §164.302 et seq.
Security Rule

Requires:
1. Administrative safeguards
2. Technical safeguards
3. Physical safeguards

45 CFR §164.302 et seq.
Security Rule

Types of access control to PHI:
• User based
• Context based
• Role based
• Encryption

45 CFR §164.302 et seq.
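One way to turn the access-control types listed above into working code, as an added example that is not part of the NCHICA slides: a small Python gateway that applies a user-based check (the account must be active), a role-based check (the role decides which record fields may be seen), and a context-based check (the claimed purpose of use and the treatment relationship must fit) to a PHI lookup, releases only the minimum necessary fields for the role, and writes an audit record for every decision, allowed or denied. The roles, field sets, sample patient record, user and request shapes are all constructed assumptions for illustration; encryption, the fourth item on the slide, is not shown.

```python
"""Added example (not from the NCHICA slides): a minimal PHI access gateway.

It combines three of the access-control types from the slide:
  user based    - the individual account must be active
  role based    - the role decides which record fields may be seen
  context based - purpose of use and treatment relationship must fit
and writes an audit record for every decision, allowed or denied.
Roles, field sets, the patient record, and the user/request shapes are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Role -> record fields the role may see (minimum necessary standard).
ROLE_FIELDS: Dict[str, Set[str]] = {
    "physician": {"name", "diagnosis", "medications"},
    "nurse": {"name", "medications"},
    "billing": {"name", "billing_codes"},
}

# Role -> purposes of use the role may claim (context-based check).
ROLE_PURPOSES: Dict[str, Set[str]] = {
    "physician": {"treatment"},
    "nurse": {"treatment"},
    "billing": {"payment"},
}

# Constructed sample record; a real system would read this from the EHR.
PATIENTS: Dict[str, Dict[str, object]] = {
    "p-100": {
        "name": "Sample Patient",
        "diagnosis": "J18.9 pneumonia, unspecified",
        "medications": ["amoxicillin"],
        "billing_codes": ["99213"],
    }
}

# One entry per access decision, denied requests included.
AUDIT_LOG: List[Dict[str, object]] = []


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    active: bool = True
    treating: FrozenSet[str] = frozenset()  # patients in this user's active care


@dataclass(frozen=True)
class Request:
    user: User
    patient_id: str
    purpose: str  # "treatment", "payment", ...


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Each branch is one access-control type."""
    u = req.user
    if not u.active:                                   # user based
        return False, "account inactive"
    if u.role not in ROLE_FIELDS:                      # role based
        return False, "unknown role"
    if req.purpose not in ROLE_PURPOSES[u.role]:       # context based: purpose
        return False, "purpose not permitted for role"
    if req.purpose == "treatment" and req.patient_id not in u.treating:
        return False, "no treatment relationship"      # context based: relationship
    return True, "ok"


def access_phi(req: Request) -> Optional[Dict[str, object]]:
    """Apply the decision, release only minimum-necessary fields, and audit."""
    allowed, reason = decide(req)
    record = PATIENTS.get(req.patient_id)
    released: Dict[str, object] = {}
    if allowed and record is not None:
        released = {k: v for k, v in record.items() if k in ROLE_FIELDS[req.user.role]}
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": req.user.user_id,
        "role": req.user.role,
        "patient": req.patient_id,
        "purpose": req.purpose,
        "allowed": allowed,
        "reason": reason,
        "fields": sorted(released),
    })
    return released if allowed else None


if __name__ == "__main__":
    dr = User("dr-1", "physician", treating=frozenset({"p-100"}))
    print(access_phi(Request(dr, "p-100", "treatment")))     # name, diagnosis, medications
    print(access_phi(Request(dr, "p-200", "treatment")))     # None: no treatment relationship
    clerk = User("clerk-7", "billing")
    print(access_phi(Request(clerk, "p-100", "treatment")))  # None: purpose not permitted
    print(access_phi(Request(clerk, "p-100", "payment")))    # name, billing_codes
    for entry in AUDIT_LOG:
        print(entry["user"], entry["allowed"], entry["reason"], entry["fields"])
```

The point of the design is that the same gateway enforces the minimum necessary standard (a billing clerk never receives the diagnosis even when access is granted) and leaves a record of every denied attempt, which is what a later audit of system use has to work from.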
Security Rule

Requires:
1. Contingency plan for protection of PHI in a disaster
2. Audits of systems to ensure that information is being used properly
3. Policies regarding alteration and destruction of PHI
4. Formal process for employee termination for inappropriate access to PHI

45 CFR §164.302 et seq.
Security Rule

5. Media control to ensure protection from unauthorized use or disclosure of PHI
6. Policies related to physical access to PHI
7. Workstation logistics
8. Control over system changes to prevent inappropriate use or disclosure
9. Response procedures for security incidents
10. Protection of PHI sent across the Internet

45 CFR §164.302 et seq.
Illinois Statutory Law: Medical Patient Rights Act

Every patient has a right to privacy and confidentiality in health care.

Physicians may not disclose the nature or details of services provided to patients without a written waiver signed by the patient or the patient’s guardian.
• Examples: diagnosis and treatment information, photographs taken during the treatment process

The Law of Medical Practice in Illinois 3d ed. 2007
Medical Patient Rights Act

Exceptions:
• Disclosure to the patient
• Disclosure to the patient’s authorized designee
• Persons directly involved in the patient’s treatment, payment processing for treatment, or quality assurance, peer review or utilization review

The Law of Medical Practice in Illinois 3d ed. 2007
Medical Patient Rights Act

Other disclosures pursuant to law:
• Sexually transmitted disease information
• Information reporting criminally inflicted injuries
• Suspected child abuse
• Public health registry information
• Vital statistics
• Compelling social considerations, e.g. threats of bodily harm to self or others

The Law of Medical Practice in Illinois 3d ed. 2007
Medical Patient Rights Act

Possible causes of action associated with disclosure:
• Invasion of privacy
  • Must be identifiable to the patient
  • Unreasonable intrusion
  • Public disclosure of private facts about an individual
  • Appropriation of the name or likeness
  • Publication of information that places one in a false light

The Law of Medical Practice in Illinois 3d ed. 2007
HIV/AIDS Confidentiality & Testing Code

Information can only be revealed to:
• The subject of the testing
• A legally authorized individual
• The spouse under specific circumstances (not required)
• Parents of a child under 18 years under specific circumstances (not required)
• Workforce authorized to have the information
HIV/AIDS Confidentiality & Testing Code

Examples:
• Direct patient care
• Accidental exposure
• Department of Public Health registry
• Procurement/processing of donor organs and seminal fluid for artificial insemination
• Agencies authorized to monitor and evaluate programs and provide service reviews
• EMTs, firefighters and law enforcement in direct contact with blood or bodily fluids
• Temporary caretakers of children in protective services

The Law of Medical Practice in Illinois 3d ed. 2007