
Version 1.0, July 8, 2002. Copyright © 2002, NCHICA, All Rights Reserved. Health Insurance...

Date post: 27-Dec-2015
Upload: cameron-barber

Version 1.0, July 8, 2002

Copyright © 2002, NCHICA, All Rights Reserved

Health Insurance Portability & Accountability Act (HIPAA)

PRIVACY AWARENESS EDUCATION AND TRAINING

45 CFR §164.500 et seq.

HOW IT ALL BEGAN

Kennedy-Kassebaum Bill - Amended Social Security Act to allow for portability of health insurance (immediate qualification for comparable coverage upon change of employment)

Congress desired to promote Electronic Data Interchange to facilitate this portable health insurance and to reduce administrative costs of health care.

HIPPA Basics: 2002 Washington and Lee University

INTRODUCTION

The privacy rule establishes federal safeguards to protect the confidentiality of patient health information. HIPAA will apply over and above Illinois state law.

Exception:

State laws regarding privacy protections with more stringent privacy requirements, or state laws designed for public health or state regulation.

INTRODUCTION

The Act was passed in 1996 to establish uniformity in the electronic exchange of health information.

• Privacy
• Security
• Confidentiality

Second category of regulations is the Privacy rules. The privacy rules call for providing:

• Patient notification of their privacy rights
• Patient access to their medical records
• Patient consent before releasing information

INTRODUCTION

Administration Simplification rules provided for implementation as follows:

• Privacy - Implemented April 2003 (April 2004 Small health plans)
• Transactions Standards and Code sets - Implemented October 2003
• Security - Implemented April 2005 (April 2006 for small health plans)
• Identifiers - for Providers, Implemented May 200; for Employers, Implemented July 2004
• Standards of Enforcement - Effective March 16, 2006

INTRODUCTION

The rules include standards to protect the use, transfer, and disclosure of health information.

The rules protect patient information in all forms -- electronic, paper and oral information.

Why Protect Privacy of Information?

Privacy is a right that confidentiality protects.

Individuals are likely to be more open with healthcare providers if they are assured that their sensitive health information will be kept confidential.

Why Confidentiality Needs To Be Protected?

Individuals should know that their sensitive health information will not be released to unauthorized entities.

Individuals should not worry that they will be discriminated against because of their health information.

Privacy Rule Principles

Accountability

Persons who misuse patient information will be subject to civil and/or criminal penalties

• Civil Penalties - $100 fine capped at $25,000 per year, per violation (noncompliance)
• Civil - No right to individual cause of action
• Criminal Penalties - Wrongful disclosure - up to $50,000 and/or imprisonment up to one year
• False pretenses - $100,000 and imprisonment up to 5 years
• Intent to sell, transfer or use PHI for commercial or personal advantage or for malicious harm - $250,000 and/or imprisonment up to 10 years

Potential loss of accreditation and business partners

The Medical Practice in Illinois §36:17 3rd ed. 2007

Privacy Rule Principles

Boundaries

• Patient health care information should be used for health care purposes only
• Limit disclosure to “minimum necessary” to accomplish purpose of use

Patient control

• Patients have the ability to control the release of their medical information

Types of Covered Entities

Covered entities include health plans, health care providers, clearinghouses, and providers who transmit data electronically

• Hospitals, HMO’s, physician practices, dentists, pharmacies, nursing homes, etc.
• The SIU Dental School is included in its capacity as a healthcare provider

Requirements extend to business associates through contracts with covered entities

Is This Example a Health Plan?

University has a private psychiatrist on retainer to evaluate students on a one-time referral from University physician/counselors when behavioral concerns arise. University pays psychiatrist directly for these sessions out of student health and counseling budget. Is this practice a “health plan” under HIPAA?

Endorsed vs. Sponsored Plans

Question: A university endorses one student health insurance policy and allows that insurer to market the policy as the College Sponsored Student Health Plan. There is no contractual relationship between the college and the insurer and the students apply, pay premiums and file claims on their own. Is the college a Plan Sponsor for HIPAA?

Is This Example a Healthcare Provider?

Patients at University Medical School are involved in a clinical trial study. Routine costs that are associated with the clinical trial study are billed electronically to the participating health plan. Is this a “healthcare provider” transaction under HIPAA?

Business Associate

A person or company that performs functions on behalf of a covered entity

The function involves the creation or receipt of protected health information

A written contract between the covered entity and the business associate is necessary

Business Associate Examples

• Transcription companies
• Billing software vendor
• Medical record copying service
• Collection agencies
• Malpractice attorneys

Note: Individuals operating under the direct control of the covered entity, such as contract staff, students, or volunteers are not BAs

Covered Entity Personnel Requirements

Privacy Officer is responsible for development and implementation of privacy rule policies and procedures

Should include a contact person to receive complaints and provide further information

Protected Health Information (PHI)

To be considered protected health information, must:

• Relate to a person’s physical or mental health or the provision of or payment of health care
• Identify or could be used to identify the subject of the information (i.e. the patient)
• Be created or received by a covered entity

Examples of Protected Health Information

• Information in a patient’s file, chart or medical record considered confidential or personal in nature
• Billing or health care claims data
• Research or reporting data with individually identifiable health information
• PHI subject to the Clinical Laboratory Improvement Amendments of 1988

Safeguards

Attempt to:

• Protect PHI from accidental or intentional use or disclosure
• Protect against inadvertent disclosure of PHI

May vary based upon the size of the covered entity or type of activities undertaken

The Medical Practice of Law in Illinois §36:17 3rd ed. 2007

Safeguards

Access to information

• Who needs access
• Limit access to type needed

Storage of information

• Laptops
• Blackberries and hand held devices
• Remote site transmissions

Transmission of information

• Where is the information going and to whom
• Facsimile
• E-mail

Requirements

In order to comply, covered entities will have to:

• Provide patients with a written explanation of how the organization may use and disclose their health information
• Provide patients with the ability to get copies of their medical information and request amendments
• Obtain patient authorization before sharing medical information except as required by law

Uses and Disclosures of PHI

• To the individual
• Uses authorized under the Act
• Pursuant to a valid authorization
• To investigate or determine the covered entity’s compliance under the Act
• Compliance with minimum necessary standard, except:
  • As pertains to disclosures for health care provider treatment, to the individual, pursuant to an authorization, or as required by law.

Uses and Disclosures of Protected Health Information

Treatment, Payment, and Health Care Operations (TPO)

• Does not require patient authorization to release PHI
• Broad scope of activities supporting the provision of care
• Includes not only direct care but also most supporting activities
• The Rule supports a broad definition of this activity

Treatment, Payment, and Healthcare Operations (TPO)

• Includes direct care of a patient
• Includes coordination of care with other health care staff, including laboratory, nursing staff, technicians, etc.
• Includes Quality Assurance and Risk Management activities, including peer review and legal counsel

Treatment, Payment, and Health Care Operations (TPO)

• Includes activities associated with direct payment, to include work verification, credit history, and address validation
• Also includes communications with third party payers, collection agencies, and legal staff in the event of non-payment
• Includes communications through clearinghouses

Treatment, Payment, and Health Care Operations (TPO)

• QA events, including outcome evaluations
• Competence evaluations of healthcare professionals
• Underwriting, premium rating
• Medical and legal reviews, including fraud and abuse detection
• Business management activities
• Customer service
• Fund raising

Treatment, Payment, and Health Care Operations (TPO)

Consent:

• A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment or health care operations.
• Consent of the individual does not permit use or disclosure of PHI where the Act requires authorization.

Consent

• Individual’s general written permission for a covered entity to use or disclose PHI for purposes of treatment, payment or healthcare operations.
• Must be obtained prior to use or disclosure.
• Covered entity may condition treatment on individual’s provision of a signed consent.

Authorization

Grants permission to disclose PHI

• Must be written in plain language
• Should have an expiration date
• Must be filled out completely and accurately

Examples of defective authorization:

• Expiration date has passed or is known by the covered entity to have passed
• Authorization not properly completed
• Authorization known to have been revoked
• Material information known to be false

Authorization

An authorization may not be combined with any other document to create a compound authorization

• Exceptions:
  • PHI for research study may be combined with other written permission for the same study.
  • Permission for psychotherapy notes may be combined with another authorization for psychotherapy notes

Authorization

An individual may revoke an authorization at any time provided that it is in writing

• Exception:
  • The covered entity has taken action in reliance on the authorization or
  • The authorization was obtained as a condition of obtaining insurance coverage

45 CFR §164.508(6)(5)

Authorization

A covered entity must document and retain any signed authorization under the Act.

If an authorization is sought from an individual for a use or disclosure of PHI, the covered entity must provide the individual with a copy of the signed authorization.

45 CFR §164.508(c)(4)

Authorization Required

Examples:

• If PHI to be used for Marketing purposes
• Participation in research study

Authorization also required:

To Disclose Psychotherapy Notes

Exception:

• To carry out treatment, payment or health care operations (TPO)
• Use by the originator of the psychotherapy notes
• Use by entity for training of students, trainees or practitioners in mental health learning under supervision to practice or improve their skills in group, joint, family or individual counseling or,
• Use by covered entity to defend in a legal action or other proceeding brought by the individual.

45 CFR §164.508(a)(2)

Authorization

Must be signed before releasing PHI for any purpose outside of TPO, except for:

• Public health
• Law enforcement (abuse, neglect, domestic violence)
• And other permitted releases

45 CFR 164.512

Minimum Necessary Requirement

A covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request

Does NOT apply:

• To disclosures to the patient
• To disclosures for treatment
• When required by law
• When permitted by an Authorization

What are an Individual’s Rights Under HIPAA?

• Right to privacy protection
• Right to access and copy PHI about them
• Right to request an amendment to PHI about them
• Right to an accounting of disclosures

Rights to Privacy Protection

An individual may request restriction of the use or disclosure of PHI needed to carry out treatment, payment, or health care operations (TPO)

A covered entity is not required to agree to the restriction and it may be difficult to guarantee compliance with the request

Exemptions to Privacy Protection

Consent is not required for disclosure:

• For reporting abuse, neglect, or domestic violence
• Public Health for activities as authorized by law (vital statistics, CDC)
• Adverse Drug Events (ADE)
• Workplace related injury (OSHA)

Individual’s Access to PHI

An individual has a right to inspect and obtain a copy of PHI about themselves (individual) in a designated record set with some exceptions. . .

• psychotherapy notes
• information compiled for use in a civil, criminal or administrative action
• PHI subject to the CLIA – Clinical Laboratory Improvements Amendments of 1988 – 42 U.S.C 263a

Exceptions to an Individual’s Access to PHI

Covered entities are not required to provide access if:

Covered entity is a correctional institution

If restrictions were agreed to in the course of treatment during on-going research (ex. Blind clinical trial)

Amendment of PHI

An individual has a right to have a covered entity amend protected health information or a record about the individual in a designated record set for as long as the PHI is maintained

45 CFR §164.526 (a)(i)

Denial to Amend

A covered entity can deny a request for amendment in the following situations where PHI:

Was not created by the covered entity

Is not part of the designated record set

Would not be available for inspection (such as psychotherapy notes)

Is accurate and complete

45 CFR §164.526 (a)(2)

Accounting of Disclosures of PHI

An individual has a right to receive an accounting of disclosures of PHI made by a covered entity in the 6 years prior to the date on which the accounting is requested

45 CFR §164.528 et seq.

Exceptions to Disclosure Accounting

Include the following:

To carry out treatment, payment and health care operations

For national security or intelligence purposes

To correctional institutions or law enforcement officials

That occurred prior to the compliance date for the covered entity

45 CFR §164.528 et seq.

Process

Handing out Privacy notices to patients

New Signature on File (SOF) form

Registration face sheet

Names excluded from most reports

Standard fax cover sheets

Increased general awareness of patient confidentiality

Update Research Consent and Authorization forms

Incidental Disclosures

Use that cannot reasonably be prevented

Occurs in relation to a permitted use or disclosure

Covered entity has implemented reasonable safeguards and applies minimum necessary standard

Determining factors depend on whether or not covered entity had reasonable policies to protect against disclosure

Procedures in place to manage against potential for disclosure and loss

Incidental Disclosures

Examples:

OK to leave messages on answering machines

OK to have patient sign-in sheet

OK to call names in waiting rooms

OK to keep charts on doors

OK to discuss patient's condition during training round

In all instances, only the minimum necessary information should be disclosed

Security Rule

Purpose

Set standards

Implement specifications and requirements with respect to electronic protected health information.

45 C.F.R. §164.302 et seq.

Security Rule

Requires:

1. Administrative safeguards

2. Technical safeguards

3. Physical safeguards

42 CFR §164.302 et seq.

Security Rule

Types of access control to PHI

User based

Context based

Role based

Encryption

45 CFR §302 et seq.

Security Rule

Requires:

1. Contingency plan for protection of PHI in a disaster

2. Audits of systems to ensure that information is being used properly

3. Policies regarding alteration and destruction of PHI

4. Formal process for employee termination for inappropriate access to PHI

42 CFR §164.302 et seq.

Security Rule

5. Media control to ensure protection from unauthorized use or disclosure of PHI

6. Policies related to physical access to PHI

7. Workstation logistics

8. Control over system changes to prevent inappropriate use or disclosure

9. Response procedures for security incidents

10. Protection of PHI sent across the Internet

42 CFR §164.302 et seq.

Illinois Statutory Law: Medical Patient Rights Act

Every patient has a right to privacy and confidentiality in health care

Physicians may not disclose the nature or details of services provided to patients without a written waiver signed by the patient or the patient’s guardian.

• Examples: Diagnosis and treatment information, photographs taken during treatment process

The Law of Medical Practice in Illinois 3d ed. 2007

Medical Patient Rights Act

Exceptions:

Disclosure to patient

Disclosure to patient’s authorized designee

Persons directly involved in patient’s treatment, payment processing for treatment or quality assurance, peer review or utilization review

The Law of Medical Practice in Illinois 3d ed. 2007

Medical Patient Rights Act

Other disclosures pursuant to law:

Sexually transmitted disease information

Information reporting criminally inflicted injuries

Suspected child abuse

Public Health registry information

Vital Statistics

Compelling social considerations, e.g. threats of bodily harm to self or others

The Law of Medical Practice in Illinois 3d ed. 2007

Medical Patient Rights Act

Possible causes of action associated with disclosure:

Invasion of Privacy issue

• Must be identifiable to the patient

• Unreasonable intrusion

• Public disclosure of private facts about an individual

• Appropriation of the name or likeness

• Publication of information that places one in a false light.

The Law of Medical Practice in Illinois 3d ed. 2007

HIV/AIDS Confidentiality & Testing Code

Information can only be revealed to:

Subject of the testing

Legally authorized individual

Spouse under specific circumstances (not required)

Parents of child under 18 years under specific circumstances (not required)

Workforce authorized to have information

HIV/AIDS Confidentiality & Testing Code

Examples:

Direct patient care

Accidental exposure

Department of Public Health Registry

Procurement/Processing of donor organs and seminal fluid for artificial insemination

Agencies authorized to monitor and evaluate programs and provide service reviews

EMT, firefighters and law enforcement in direct contact with blood or bodily fluids

Temporary caretakers of children in protective services

The Law of Medical Practice in Illinois 3d ed. 2007

Questions

