Health Insurance Portability and Accountability Act

HIPAA Privacy Rule: April 14, 2003
HIPAA Security Rule: April 21, 2005
HITECH Act: February 17, 2009
Final Rule: 2011
Accounting of Disclosures NPRM: June 2011
HIPAA - Terms: Covered Entity (CE)

Healthcare organizations that conduct financial and administrative transactions electronically*
• Health Plans (Anthem, Medicare, Medicaid, etc.)
• Healthcare Clearinghouses (claims processing)
• Healthcare Providers (physicians, dentists, optometrists, chiropractors, pharmacies)
• Not pharmaceutical companies
• Not physicians/providers who bill all claims on paper

* Qualified electronic transactions must meet the requirements of the electronic code sets established by HIPAA
HIPAA - Terms: Workforce

HIPAA defines the workforce to include "employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity."
Persons who do not fall in these categories, but nonetheless perform services on behalf of the covered entity, would be considered part of the workforce of a Business Associate.
HIPAA - Terms: Business Associate

A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
• Not a member of the CE's workforce
• Needs a Business Associate Agreement
• Another CE can be a Business Associate to a CE
• Business Associate requirements do not apply to CEs who disclose PHI to providers for treatment purposes
HIPAA - Terms: Protected Health Information (PHI)

Individually identifiable health information, transmitted or maintained in any form or medium, including demographic information, that:
• Is collected from an individual
• Includes demographics such as name, address, insurance
• Is created or received by a covered entity
• Relates to past, present or future physical or mental health conditions
• Relates to past, present or future payment
• Gives a reasonable basis to believe the information can be used to identify an individual
HIPAA - Terms: Minimum Necessary

HIPAA requires you to take reasonable steps to limit the use or disclosure of, or request for, PHI to the "Minimum Necessary" to accomplish the intended purpose.
The Reasonableness Standard calls for best practice.
HIPAA – Indiana University: IU - Hybrid Covered Entity

Covered components include:
• School of Dentistry
• School of Optometry
• IUB Health Center (soon IUPUI Health Center)
• Speech & Hearing Clinics Bloomington
• IU Health Plan (self-administered)
This means these areas conduct "Qualified" electronic transactions such as claims submissions using Indiana University's Tax ID.
HIPAA – Indiana University

HIPAA applies directly to the Covered Components:
• IU School of Dentistry
• IU School of Optometry
• IU Speech & Hearing
• IU Health Center Bloomington
HIPAA applies to:
• Faculty associated with most Health Science Schools*
• Staff associated with most Health Science Schools*
• Researchers involved in Human Subject Research
* Including those in the IU School of Medicine
HIPAA – Major Concepts: Provide Notice of Uses/Disclosures

How the organization might use the PHI: Treatment, Education, Fundraising, Research
Patient's Rights Under HIPAA:
• Inspect & copy PHI
• Request an Accounting of Disclosures
• Notice of Privacy Practices
• Permission to use PHI
• File a complaint
Permission to access and use PHI for Research
HIPAA – Major Concepts: Safeguard PHI during use & disclosure

Safeguards: Administrative, Physical, Technical
HIPAA Awareness Training of Workforce
All forms of PHI: Paper, Electronic, Oral Communication
HIPAA – Allowed Uses

A Covered Entity or Covered Component may use/disclose PHI to carry out certain Healthcare Functions without a written authorization from their patients:
• Treatment
• Payment, and
• Healthcare Operations
aka TPO
HIPAA – Allowed Uses: Healthcare Operations

Tasks necessary to run a business: Quality Assurance/Assessments, Accounting, Consulting Services, Transcription, Auditing, Education
* Research is not part of Healthcare Operations
HIPAA – Allowed Uses: Required Notifications*

• Disclosures required by law
• Disclosures to public health authorities, registries, and public notification requirements
• Disclosures for adverse event reporting to certain persons subject to the jurisdiction of the FDA
* Requires an Accounting of Disclosure
Access to PHI for Research

Since Research is not part of Treatment, Payment or Healthcare Operations, you need:
• HIPAA Authorization (patient's permission) to use health information for research; or
• IRB (Privacy Board) approved Waiver of Authorization
Must comply with the Minimum Necessary standard
HIPAA – Exceptions: De-identified Data

Identifiers that must be removed:
• Names
• Geographic designations smaller than a State
• Dates relating to the individual
• Telephone numbers
• Fax numbers
• E-mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers, including license plates
• Device identifiers/serial numbers
• Universal resource locators (URLs)
• Internet protocol (IP) address numbers
• Biometric identifiers – finger & voice prints
• Full face photographic images & comparable images
• Any other unique identifying number, characteristic, or code
HIPAA – Exceptions: Limited Data Set

Limited types of identifiers can be released for research purposes (a Limited Data Set). Limited Data Sets can only be used and released in accordance with a Data Use Agreement between the covered entity and the recipient.
The Limited Data Set can contain:
• Elements of dates
• City, town, state, and ZIP
• Other unique identifiers, characteristics and codes not previously listed as direct identifiers
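Added illustration of the two preceding slides (De-identified Data and Limited Data Set); this is not code from the IU training deck. The record, its field names and the leak-check regular expressions are assumptions made for the example: one function strips every identifier category the de-identification slide lists, the other keeps dates and city/state/ZIP as the Limited Data Set allows, and a final pass shows why free-text fields need a check of their own after the structured fields are removed.

```python
import re

# Identifier categories the De-identified Data slide lists for removal.
# Field names are assumptions made for this example.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_id", "face_photo",
}
# Dates relating to the individual and geography smaller than a state:
# removed for de-identification, retained in a Limited Data Set.
DATES_AND_GEOGRAPHY = {"city", "zip", "birth_date", "admission_date"}
# Free-text fields can still leak identifiers; checked after stripping.
LEAK_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # SSN-shaped
    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),  # IPv4 address
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),      # e-mail address
    re.compile(r"https?://\S+"),                 # URL
]

def de_identify(record):
    """Drop direct identifiers plus dates and sub-state geography."""
    return {k: v for k, v in record.items()
            if k not in DIRECT_IDENTIFIERS | DATES_AND_GEOGRAPHY}

def limited_data_set(record):
    """Drop direct identifiers only; release still needs a Data Use Agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

def residual_identifiers(record):
    """Names of string fields whose values still match an identifier pattern."""
    return [f for f, v in record.items()
            if isinstance(v, str) and any(p.search(v) for p in LEAK_PATTERNS)]

# Constructed sample record; every value is fictitious.
SAMPLE = {
    "name": "Jane Example", "street_address": "12 Sample St",
    "city": "Bloomington", "state": "IN", "zip": "47405",
    "birth_date": "1970-01-02", "admission_date": "2011-03-04",
    "ssn": "000-00-0000", "medical_record_number": "MRN-0001",
    "email": "jane@example.com", "ip_address": "192.0.2.10",
    "diagnosis": "hypertension",
    "clinician_note": "Patient prefers contact via jane@example.com",
}

if __name__ == "__main__":
    for label, fn in (("de-identified", de_identify), ("limited data set", limited_data_set)):
        out = fn(SAMPLE)
        print(label, sorted(out), "still leaking:", residual_identifiers(out))
```

The clinician note survives both passes and still carries an e-mail address, which is the case the structured field lists alone do not catch.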
HIPAA – Other Exceptions: Reviews Preparatory to Research

Covered entity must obtain representation from the researcher that:
• The use or disclosure of PHI is sought solely to prepare a protocol or for a similar preparatory purpose;
• PHI will not be removed from the covered entity; and
• PHI is necessary for research purposes
HIPAA – Other Exceptions: Decedent Information

Researcher must represent:
• Use or disclosure is solely for research on decedents' information,
• PHI is necessary for research, and
• Individual is a decedent, and provide documentation upon the covered entity's request.
* Even though an authorization is not required, this access requires an Accounting of Disclosure
Accounting

The Privacy Rule grants a patient the right to request and receive an accounting for some "disclosures" of PHI, including disclosures made in connection with certain research projects.
An accounting is a record of each disclosure of each patient's PHI. The right to an accounting only applies to disclosures of PHI, not to uses of PHI.
Definitions: Use & Disclosure

USE: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
DISCLOSURE: The release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.
Accounting

When a Covered Entity discloses PHI without the permission of the individual, the CE must provide the individual with an accounting of disclosures upon request.
Accounting must include:
• Date of the disclosure
• Name of the entity or person who received the PHI
• A brief description of the information disclosed
• A brief purpose of the disclosure (e.g., research study xyz)
Accounting

If more than 50 records are accessed (used/disclosed) for research purposes:
• A form is sent to the appropriate Medical Records Department to notify individuals that their record may have been accessed.
• It must contain all the information listed on the previous page.
If fewer than 50 records are accessed, the appropriate information must be indicated in each individual record.
HIPAA – Research Uses: Recruitment

Under HIPAA, recruitment is research: the special rules for research apply to recruitment.
Authorization: you may need an authorization to recruit, or a Waiver of Authorization.
HIPAA - Authorization

• Must contain "core elements" & "required statements"; a signed copy must be given to the individual.
• May need to obtain Authorization for the use or disclosure of PHI to create/maintain an IRB approved repository or database.
• Must be for a specific research study; authorization for future, unspecified research is not permitted.
• Must have an expiration date; it can be indefinite but must be identified as such.
• Subject must have the ability to "revoke"; include exceptions and process.
• Minimum Necessary Rule applies.
HITECH Act 2009

Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery & Reinvestment Act (ARRA) of 2009.
HITECH creates significant incentives for an expanded use of electronic health records.
• Clarified Criminal & Civil Penalties
• Increased Civil Monetary Penalties
• Expansion of Privacy & Security Provisions & Penalties to Business Associates
• Breach Notification Requirement
HITECH Act 2009: Increased Civil Monetary Penalties

Applies to violations occurring after Feb. 18, 2009.
Tiers are based on the nature of the violation, from Unknowing (least severe) to Willful Neglect (most severe):
• Per violation per person: $100; $1,000; $10,000; $50,000
• Annual maximum: $25,000; $100,000; $250,000; $1.5 million
HITECH Act 2009: Business Associates

• Business Associates must comply with the HIPAA Privacy Rule
• Business Associates must comply with the HIPAA Security Rule: the administrative, physical and technical safeguards of the HIPAA Regulations apply directly to Business Associates
• Imposes additional obligations upon Business Associates & their subcontractors regarding policies, procedures and documentation
HITECH Act 2009: Business Associates

• Will require Business Associate Agreements to be revised
• Criminal and Civil Penalties applied to Covered Entities for violations of security and privacy regulations now apply directly to Business Associates
HITECH Act 2009: Notification of Breach

Required to notify affected individual(s) of a breach of "unsecured" protected health information.
Applies to: Covered Entities, Business Associates, Vendors of Personal Health Records (PHR)
HITECH Act 2009: Definition of Unsecured

Unsecured protected health information is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the guidance.
Secure PHI: PHI which is encrypted will be considered "Secure".
HITECH Act 2009: Requirements of Notification

• Contact affected individuals in writing or electronically (with the individual's permission)
• Posting on website (if 10 or more individuals have outdated contact information and there is not a reasonable way to notify them)
• If more than 500 people are affected: notice shall be provided to prominent media outlets, and notice must be immediately sent to HHS
Notice of Proposed Rule Making

Hybrid Entities: The non-covered components of a Hybrid Entity which provide services to covered components would be considered part of the covered components, and HIPAA would apply directly.
Minimum Necessary: The rule requires the Office for Civil Rights (OCR) to provide guidance to help define minimum necessary (it would no longer be at the discretion of the CE).
Compound Authorization: Allow a single authorization to be used even when part of the research might be conditioned and another part might be unconditioned.
Notice of Proposed Rule Making

Authorization for Future Use: Allowing an authorization for future use.
Decedents: Information would not be covered by HIPAA after an individual has been deceased for 50 years.
Required Restriction: If a patient pays out-of-pocket for a medical service and requests that the covered entity not share this information with their insurer, the CE must accommodate this request (no option).
Copy of Record: For an electronic health record, the entity must be able to provide, at the patient's request, an electronic version of their PHI.
Notice of Proposed Rule Making

• Must account for disclosures related to treatment, payment and operations; and
• Must provide an access report to an individual that lists who accessed their designated record set, even within the covered entity.
Notice of Proposed Rule Making: Accounting of Disclosures Under the HITECH Act (June 30, 2011)

The HITECH Act changed the Accounting Requirement by stating that the exceptions for Treatment, Payment and Healthcare Operations no longer apply to an electronic health record (EHR).
Under section 13405(c), an individual has a right to receive an accounting of such disclosures made during the three (3) years prior to the request.
Must also provide disclosures by Business Associates, or provide the names of the BAs for the individuals to contact.
Notice of Proposed Rule Making

Further indicates that this same requirement applies to the entire Designated Record Set, which will include billing records.