HIPAA
HIPAA
On August 21, 1996 the federal government passed the Health Insurance Portability and Accountability Act of 1996.
It has been updated repeatedly since, with the newest update (the Final Rule) going into effect on September 23, 2013.
What is HIPAA? (1 of 2)
Sets privacy standards
Limits the use and release of individually identifiable health information
Gives patients the right to access their medical records
Restricts most disclosure of health information to the minimum needed for the intended purpose
What is HIPAA? (2 of 2)
Improper uses or disclosures under the rule are subject to criminal and civil sanctions prescribed in HIPAA.
Who is covered?
It’s a federal law and it covers all patients and all health care providers, including administrative and accounting personnel in all 50 states. It pre-empts state law.
All employees, associates, volunteers, and anyone else who comes in contact with patient records must be trained in HIPAA.
What Does HIPAA Do?
It holds violators accountable, with civil and criminal penalties for violations
Enables patients to find out how their information may be used
Limits release of information to the minimum reasonably needed for the purpose of the disclosure
What does it require?
The law can be summarized as follows:
Sharing of patient health information is on a need-to-know basis.
Reasonable precautions must be taken to prevent the casual disclosure of the patient information in your custody.
HIPAA and State Laws
If State rules are more stringent, the State rules must be followed
HIPAA sets the minimum standards
Texas Medical Records Privacy Act is the Texas law
TDSHS may enforce this rule against EMS providers and individuals
Updates and Revisions
Final Omnibus Rule
Compliance date of September 23, 2013
Includes the HITECH (Health Information Technology for Economic and Clinical Health) Act
Interim rule adopted in 2009
Compliance Date of September 23, 2013
Omnibus Rule (1 of 2)
Creates 4 categories of violations that reflect culpability with 4 tiers of penalty amounts for each violation
Sets a maximum penalty amount of $1.5 million for all violations of an identical provision
Omnibus Rule (2 of 2)
Increased civil monetary penalties ($100-$50K per violation) based on the category of violation (intent)
Allows enforcement by state Attorneys General
Requires breach notification by service or business associates to affected patients, HHS, and the media
Increased Federal Civil Penalties (Categories of Culpability)
Violations after reasonable precautions: minimum of $100, maximum of $25,000
Violations resulting from reasonable cause: minimum of $1,000, maximum of $100,000
Willful neglect, corrected within 30 days: minimum of $10,000, maximum of $250,000
Willful neglect, uncorrected: minimum of $50,000, maximum of $1.5 million
Willful Neglect
Means conscious, intentional failure or reckless indifference to the obligation to comply with the HIPAA provision violated
The disclosure does not have to be intentional; it is enough that the entity shows indifference.
Federal Criminal Penalties
For Fraud and Abuse (ex. Disclosure for money)
$50,000 and 1 year minimum
$250,000 and 10 years maximum
Average sentence for 1st time offender at highest level: $87,000 plus 67 months, according to federal sentencing guide
Texas Medical Records Privacy Act
Provides for a $3,000 fine (per offense) for civil violation
Provides $250,000 fine for criminal violation and up to 10 years in prison
Allows Attorney General to seek injunctive relief
Breach Notification Under the Final Rule
Current Breach Rules
Effective as of September 23, 2009
With a breach, the covered entity must provide notice to all affected individuals, HHS, and the media for breaches involving more than 500 individuals
Business associates must notify the covered entity
Current Breach Rules
Under the current breach rules, a breach only occurs if the breach “poses a significant risk of financial, reputational, or other harm to the individual”
This is known as the “Harm Standard”
The New Standard
Impermissible use or disclosure of PHI is “presumed” to be a breach unless the entity or business associate demonstrates that there is a low probability that the PHI has been compromised
The burden of proof is now on the entity
The New Standard
The federal government has taken a stronger enforcement posture and is investigating more complaints
All breaches must be reported
Big breaches are posted online
Violations Posting Page
Investigation
HHS “will” (not “may”) investigate any complaint filed when a preliminary review of the facts indicates a possible violation due to willful neglect
HHS has discretion to proceed directly to fines in all cases
Business Associates: New Definition
A business associate is a person/entity who, on behalf of a covered entity:
Creates PHI
Receives PHI
Maintains PHI, or
Transmits PHI
Excluding mail, some delivery companies, phone, and internet services
Business Associate Agreement
If an organization transmits data on your behalf and needs access to PHI, there should be a BAA
Billing Companies
ePCR vendors (Zoll and UMC)
Consulting firms
Clearinghouses
Business Associate Agreement
Business associates now include subcontractors:
Collection agencies
Billing company consultants that access PHI
Subcontractors must enter into a BAA with the business associate NOT the covered entity
Business Associate Agreement
Entities may continue to operate under existing BAAs entered into before January 25, 2013 for up to one year beyond the compliance date (until September 23, 2014)
All other BAAs must be updated by September 23, 2013
New Restriction Rule
Gives patients the right to pay out of pocket for a service and require the entity to NOT submit a claim to their insurance for that service
New Access Rule
Grants patients the right to get an electronic copy of their PHI in a form and format requested, if it is readily producible in that form and format
Word, Excel, Text, HTML, PDF
Requires an entity to transmit PHI to a 3rd party if requested by the patient
Notice of Privacy Practices
ALL patients MUST be informed of the Privacy practices for your entity
New rule will require changing of NPP
Must include a statement that patient authorization is required for:
Sale of PHI
Disclosures of psychotherapy notes
Marketing
Notice of Privacy Practices
Must also include:
The patient’s right to pay out of pocket
Breach notice: the entity has a duty to inform the patient following a breach of their PHI
Fundraising opt out. If an entity intends to contact individuals to conduct fundraising activities that fall under HIPAA
Notice of Privacy Practices
All NPPs (HIPAA forms) must be updated by September 23, 2013
It is even more important now to obtain a signature on the HIPAA form for ALL patients
New Deceased Patient Rule
PHI is protected for 50 years after the date of death
The entity may disclose a decedent's information to family members and others who were involved in the patient's care, or in payment for that care, prior to the patient's death, unless doing so is inconsistent with the patient's known preference
Review
HIPAA Disclosure – Okay-to-Release Examples
Anyone in the chain of treatment, who has a medical need for the sharing of the patient information is permitted to receive the information.
Ambulance to hospital to nursing home to specialists – all involved in the direct care of the patient may share the information
HIPAA Disclosure – Okay-to-Release Examples
Billing companies, insurance companies, and anyone the patient directs may receive the patient information (they can get a “Cover Sheet”)
A parent may have a copy of a minor's medical records (refer to the Privacy Officer)
The nursing home asks for a copy of the transport report for a returning patient you are dropping off (OK to give)
The destination hospital asks for patient vital signs over the radio (OK to give)
Disclosures Required by Law
Infectious diseases
Child Abuse
Elder Abuse
MVC
Homicide
Assault
Other violent acts
Other Permitted Disclosures
If Patient is Deceased:
JPs
Coroners
Funeral Directors
Family (unless against patient’s wishes)
Serious Threat to Health or Safety
National security and intelligence activities (CIA, Homeland Security, FBI)
Examples (1 of 5)
A member of the city council asks you what was the matter with his neighbor when the city ambulance responded
-Decline Comment
The EMS billing company contacts you and asks specific questions about care you provided
-OK to discuss
Examples (2 of 5)
A fellow EMT who did not respond to a certain call asks about the patient particulars
-Decline Comment
The nursing home calls you the day after you transported one of their residents to ask if you gave the patient aspirin
-OK to discuss
Examples (3 of 5)
The local newspaper is doing a story on an accident and they request an interview about the patient treatment
-Decline Comment
Another EMT, who did not make the run, calls you at home and asks about the run you just made
-Decline Comment
Examples (4 of 5)
Your EMS Director asks you about a call due to concerns with patient treatment
-OK to discuss
A police officer drops by the station (or scene) and asks for a copy of a transport report
-Decline
Examples (5 of 5)
Your partner calls you 2 hours after an EMS call because she is not feeling good about how the call went
-OK to discuss
During a CE class, the instructor asks for a copy of a run to use for an example
-Decline or remove all patient identifiers
Best Policy
To be safe, do NOT release any information to anyone without contacting the Privacy Officer beforehand!!!
Corrections on Run Reports
It should be the policy of the EMS service that a medical record will not be changed unless it contains a mistake
This covers only mistakes in patient information such as age, DOB, SS#, etc.
It should not cover mistakes or misdiagnoses relating to medical care, regardless of what you find out later
Privacy Rule
What you say here……….
What you see here………..
What you hear here………..
When you leave here…………
Let it STAY here
HIPAA – How to Comply
Appoint a Privacy Officer who oversees the training and compliance of the act
Train all employees, volunteers, anyone who comes in contact with patient medical records
Enforce your Policies and Procedures
Provide Patients with a copy of their privacy rights
Establish Policies and Procedures
Policies Must Cover: (1 of 2)
Notice of Privacy Practices
Privacy Policies
Use of Computer Equipment
Privacy Training
Medical Records of Employees
Policies Must Cover: (2 of 2)
Patient Care Reports Handling
Access, Security and Disclosure
Patient Request for Protected Health Information
ENFORCEMENT
Training, Testing, etc.
Every employee and associate, paid or volunteer, must be trained and tested, and attendance must be certified
Every new hire/affiliate must be trained and tested within 30 days
Yearly, a refresher must be conducted
HIPAA Safeguards (1 of 3)
Keep voices down at the ER or other places where there could be inadvertent disclosure of PHI
Ask the patient's permission before releasing information to family members present
If the patient is unable to give permission, limit the information given
Tell them only where you are transporting to
But get what information you can from them
HIPAA Safeguards (2 of 3)
Do NOT release ANY information to people who do NOT have a need to know
Police officers (except only as required)
Your Family members
“Coffee shop” talk
Business associates
Other EMS personnel not on the call
HIPAA Safeguards (3 of 3)
Protect Documents
Place run reports behind locked doors
Keep run reports inside clipboard while in the Unit
Password or otherwise protect computers
Shred unneeded documentation
Summary
Use common sense
Reasonableness is used throughout the Standard
People treating the patient are entitled to the information
When in doubt in an administrative situation, don't release the information
When in doubt, keep your mouth shut!