HIPAA - WordPress.com · 3 What is HIPAA? (1 of 2) Sets privacy standards Limits the use and release of individually identifiable health information Gives patients the right to access

Page 1

HIPAA

Page 2

HIPAA

On August 21, 1996 the federal government passed the Health Information Portability and Accountability Act of 1996.

It has been updated throughout; the newest update (the Final Rule) went into effect on September 23, 2013.

Page 3

What is HIPAA? (1 of 2)

Sets privacy standards

Limits the use and release of individually identifiable health information

Gives patients the right to access their medical records

Restricts most disclosure of health information to the minimum needed for the intended purpose

Page 4

What is HIPAA? (2 of 2)

Improper uses or disclosures under the rule are subject to criminal and civil sanctions prescribed in HIPAA.

Page 5

Who is covered?

It’s a federal law and it covers all patients and all health care providers, including administrative and accounting personnel in all 50 states. It pre-empts state law.

All employees, associates, volunteers, and anyone else who comes in contact with patient records must be trained in HIPAA.

Page 6

What Does HIPAA Do?

It holds violators accountable, with civil and criminal penalties for violations

Enables patients to find out how their information may be used

Limits release of information to the minimum reasonably needed for the purpose of the disclosure

Page 7

What does it require?

The law can be summarized as follows:

Sharing of patient health information is on a need-to-know basis.

Reasonable precautions must be taken to prevent the casual disclosure of the patient information in your custody.

Page 8

HIPAA and State Laws

If State rules are more stringent, the State rules must be followed

HIPAA sets the minimum standards

Texas Medical Records Privacy Act is the Texas law

TDSHS may enforce this rule against EMS providers and individuals

Page 9

Updates and Revisions

Final Omnibus Rule

Compliance date of September 23, 2013

Includes the HITECH (Health Information Technology for Economic and Clinical Health) Act

Interim rule adopted in 2009

Compliance Date of September 23, 2013

Page 10

Omnibus Rule (1 of 2)

Creates 4 categories of violations that reflect culpability with 4 tiers of penalty amounts for each violation

Sets a maximum penalty amount of $1.5 million for all violations of an identical provision

Page 11

Omnibus Rule (2 of 2)

Increased civil monetary penalties ($100-$50K per violation) based on the category of violation (intent)

Allows enforcement by state Attorneys General

Requires breach notification by service or business associates to affected patients, HHS, and the media

Page 12

Increased Federal Civil Penalties (Categories of Culpability)

Violations after reasonable precautions: minimum of $100, maximum of $25,000

Violations resulting from reasonable cause: minimum of $1,000, maximum of $100,000

Willful neglect, corrected within 30 days: minimum of $10,000, maximum of $250,000

Willful neglect, uncorrected: minimum of $50,000, maximum of $1.5 million

Page 13

Willful Neglect

Means conscious, intentional failure or reckless indifference to the obligation to comply with the HIPAA provision violated

The disclosure does not have to be on purpose; it is enough that the entity shows indifference

Page 14

Federal Criminal Penalties

For fraud and abuse (e.g., disclosure for money)

$50,000 and 1 year minimum

$250,000 and 10 years maximum

Average sentence for a first-time offender at the highest level: $87,000 plus 67 months, according to the federal sentencing guidelines

Page 15

Texas Medical Records Privacy Act

Provides for a $3,000 fine (per offense) for a civil violation

Provides a $250,000 fine for a criminal violation and up to 10 years in prison

Allows Attorney General to seek injunctive relief

Page 16

Breach Notification Under the Final Rule

Page 17

Current Breach Rules

Effective as of September 23, 2009

With a breach, the covered entity must provide notice to all affected individuals, HHS, and the media for breaches involving more than 500 individuals

Business associates must notify the covered entity

Page 18

Current Breach Rules

Under the current breach rules, a breach only occurs if the breach “poses a significant risk of financial, reputational, or other harm to the individual”

This is known as the “Harm Standard”

Page 19

The New Standard

Impermissible use or disclosure of PHI is “presumed” to be a breach unless the entity or business associate demonstrates that there is a low probability that the PHI has been compromised

The burden of proof is now on the entity

Page 20

The New Standard

The federal government has taken a stronger enforcement posture and is investigating more complaints

All breaches must be reported

Big breaches are posted online

Violations Posting Page

Page 21

Investigation

HHS “will” (not “may”) investigate any complaint filed when a preliminary review of the facts indicates a possible violation due to willful neglect

HHS has discretion to proceed directly to fines in all cases

Page 22

Business Associates: New Definition

A business associate is a person/entity who, on behalf of a covered entity:

Creates PHI

Receives PHI

Maintains PHI, or

Transmits PHI

Excluding mail, some delivery companies, phone, and internet services

Page 23

Business Associate Agreement

If an organization transmits data on your behalf and needs access to PHI, there should be a BAA

Billing Companies

ePCR vendors (Zoll and UMC)

Consulting firms

Clearinghouses

Page 24

Business Associate Agreement

Business associates now include subcontractors

Collection agencies

Billing company consultants that access PHI

Subcontractors must enter into a BAA with the business associate NOT the covered entity

Page 25

Business Associate Agreement

Parties may continue to operate under existing BAAs entered into before January 25, 2013 for up to one year beyond the compliance date (until September 23, 2014)

All other BAAs must be updated by September 23, 2013

Page 26

New Restriction Rule

Gives patients the right to pay out of pocket for a service and require the entity to NOT submit a claim to their insurance for that service

Page 27

New Access Rule

Grants patients the right to get an electronic copy of their PHI in the form and format requested, if it is readily producible in that form and format

Word, Excel, Text, HTML, PDF

Requires an entity to transmit PHI to a third party if requested by the patient

Page 28

Notice of Privacy Practices

ALL patients MUST be informed of the privacy practices of your entity

The new rule requires changes to the NPP

Must include a statement that patient authorization is required for:

Sale of PHI

Disclosures of psychotherapy notes

Marketing

Page 29

Notice of Privacy Practices

Must also include:

The patient’s right to pay out of pocket

Breach notice: the entity has a duty to inform the patient following a breach of their PHI

Fundraising opt-out, if the entity intends to contact individuals to conduct fundraising activities that fall under HIPAA

Page 30

Notice of Privacy Practices

All NPPs (HIPAA forms) must be updated by September 23, 2013

It is even more important now to obtain a signature on the HIPAA form for ALL patients

Page 31

New Deceased Patient Rule

PHI is protected for 50 years after the date of death

The entity may disclose a decedent’s information to family members and others who were involved in the patient’s care or payment for care prior to the patient’s death, unless doing so is inconsistent with the patient’s preference

Page 32

Review

Page 33

HIPAA Disclosure – okay to release examples

Anyone in the chain of treatment who has a medical need for the sharing of the patient information is permitted to receive the information.

Ambulance to hospital to nursing home to specialists: all involved in the direct care of the patient may share the information

Page 34

HIPAA Disclosure – okay to release examples

Billing companies, insurance companies, and anyone the patient directs may receive the patient information (can get “Cover Sheet”)

A parent may have a copy of a minor’s medical records (refer to Privacy Officer)

The nursing home asks for a copy of the transport for a returning patient you are dropping off: OK to give

The destination hospital asks for patient vital signs over the radio: OK to give

Page 35

Disclosures Required by Law

Infectious diseases

Child Abuse

Elder Abuse

MVC

Homicide

Assault

Other violent acts

Page 36

Other Permitted Disclosures

If Patient is Deceased:

JPs

Coroners

Funeral Directors

Family (unless against patient’s wishes)

Serious Threat to Health or Safety

National security and intelligence activities (CIA, Homeland Security, FBI)

Page 37

Examples (1 of 5)

A member of the city council asks you what was the matter with his neighbor when the city ambulance responded

-Decline Comment

The EMS billing company contacts you and asks specific questions about care you provided

-OK to discuss

Page 38

Examples (2 of 5)

A fellow EMT who did not respond to a certain call asks about the patient particulars

-Decline Comment

The nursing home calls you the day after you transported one of their residents to ask if you gave the patient aspirin

-OK to discuss

Page 39

Examples (3 of 5)

The local newspaper is doing a story on an accident and they request an interview about the patient treatment

-Decline Comment

Another EMT, who did not make the run, calls you at home and asks about the run you just made

-Decline Comment

Page 40

Examples (4 of 5)

Your EMS Director asks you about a call due to concerns with patient treatment

-OK to discuss

A police officer drops by the station (or scene) and asks for a copy of a transport report

-Decline

Page 41

Examples (5 of 5)

Your partner calls you 2 hours after an EMS call because she is not feeling good about how the call went

-OK to discuss

During a CE class, the instructor asks for a copy of a run to use for an example

-Decline or remove all patient identifiers

Page 42

Best Policy

To be safe, do NOT release any information to anyone without contacting the Privacy Officer beforehand!

Page 43

Corrections on Run Reports

It should be the policy of the EMS service that unless there is a mistake on a medical record, it will not be changed

This includes only mistakes in patient information such as age, DOB, SS#, etc.

It should not include mistakes or misdiagnoses relating to medical care, regardless of what you find out later

Page 44

Privacy Rule

What you say here……….

What you see here………..

What you hear here………..

When you leave here…………

Let it STAY here

Page 45

HIPAA – How to Comply

Appoint a Privacy Officer who oversees training and compliance with the act

Train all employees, volunteers, and anyone else who comes in contact with patient medical records

Enforce your Policies and Procedures

Provide Patients with a copy of their privacy rights

Establish Policies and Procedures

Page 46

Policies Must Cover: (1 of 2)

Notice of Privacy Practices

Privacy Policies

Use of Computer Equipment

Privacy Training

Medical Records of Employees

Page 47

Policies Must Cover: (2 of 2)

Patient Care Reports Handling

Access, Security and Disclosure

Patient Request for Protected Health Information

ENFORCEMENT

Page 48

Training, Testing, etc.

Every employee or associate, paid or volunteer, must be trained and tested, and attendance certified

Every new hire/affiliate must be trained and tested within 30 days

Yearly, a refresher must be conducted

Page 49

HIPAA Safeguards (1 of 3)

Keep voices down when at the ER or other places where there could be inadvertent disclosure of PHI

Ask the patient’s permission to release information to family members present.

If the patient is unable to give permission, limit the information given

Tell them only where you are transporting to

But... get what info you can from them

Page 50

HIPAA Safeguards (2 of 3)

Do NOT release ANY information to people who do NOT have a need to know:

Police officers (except only as required)

Your family members

“Coffee shop” talk

Business associates

Other EMS personnel not on the call

Page 51

HIPAA Safeguards (3 of 3)

Protect Documents

Place run reports behind locked doors

Keep run reports inside clipboard while in the Unit

Password or otherwise protect computers

Shred unneeded documentation

Page 52

Summary

Use common sense

Reasonableness is used throughout the Standard

People treating the patient are entitled to the information

When in doubt in an administrative situation, don’t release the information

When in doubt, keep your mouth shut!