Privacy Rule
HIPAA
Week 2
Privacy Rule
PHI/Authorizations
NPP
Disclosure of PHI
◦ Permitted
◦ Authorization required
Minimum necessary
Patient Rights
Updates to rule
Topics covered
Regulates the use and disclosure of Protected Health Information (PHI)
Established national standards for protecting the privacy of health information.
◦ Imposed new restrictions on the use and disclosure of protected health information.
◦ Gives patients greater access to and protection of their medical records and more control over how they are used (patient rights)
What does the Privacy Rule do?
Individually identifiable health information
Transmitted or maintained in any electronic, written, or spoken format.
For example, e-mail, fax, on-line databases, voice mail, video/audio recordings, or conversations.
Protected Health Information (PHI)
Examples of identifiers:
Names
Addresses
Dates directly related to an individual such as birth date, admission date, discharge date, and date of death
Telephone numbers
Fax numbers
Electronic mail addresses
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Biometric identifiers, including fingerprints and voice prints
Full face photographic images
1. Right to receive Notice of Privacy Practices.
2. Right to request restrictions on use and disclosure of PHI.
3. Right to receive Confidential Communication.
4. Right to Access, Inspect and Copy PHI.
5. Right to Amend PHI.
6. Right to receive an accounting of disclosures of PHI.
Patient Rights under HIPAA
Notice of Privacy Practices
A. An individual receiving services from a covered entity on or after April 14, 2003 is entitled to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, the individual’s rights and the covered entity’s legal obligations.
Notice of Privacy Practice
B. The NPP must contain specific language and descriptions of allowable uses and disclosures regarding an individual’s medical information and how they may access their information.
C. Each covered entity must distribute its own specific NPP to an individual seeking treatment and must make a good faith effort to document that distribution
Notice of Privacy Practice
To permit patients to become informed about the uses and disclosures of their Protected Health Information (PHI)
Describes the permitted and/or required uses and disclosures of PHI by the healthcare provider for Treatment, Payment and healthcare Operations (TPO)
Purpose of Notice of Privacy Practice (NPP)
A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.
Limit who has access to protected health information. Specify the conditions under which this information can be accessed.
Minimum Necessary Standard
The Privacy Rule prohibits use or disclosure of protected health information unless:
It is used to provide treatment, payment, or health care operations, or
Its use is authorized by the client, or
Not sharing the information would present a risk to public health or safety. (example: Disease Reporting as required by statute, bioterrorism activities).
Protected Health Information (PHI) Use and Disclosure
May use protected health information without the client’s written authorization for the following reasons:
◦ For treatment
◦ To obtain payment
◦ For department operation
Allowable uses of protected health information
Incidental uses and disclosures occur as a result of an initial use or disclosure that is permitted.
These are allowable as long as reasonable safeguards are taken and the sharing of protected health information is limited to the minimum necessary to do the job.
An incidental use is a re-disclosure of health information
Incidental Uses and Disclosures
Can use or disclose protected health information without written authorization for the following reasons:
◦ The law requires disclosure
◦ For public health activities
◦ For health oversight activities
◦ To avert threats to health or safety
◦ For research purposes with IRB approval
Exceptions to the written authorization rule
Law enforcement
Relating to decedents
Investigation of a crime
Medical examiners / funeral directors
Suspected child abuse
Suspected neglect, suspected domestic violence
Exceptions to the written authorization rule
Public health activities - requirements to collect information about disease or other public health events
Health oversight activities - audits or inspections, regulatory related functions
To avert threats to health or safety
Other activities that occur for which written authorization is NOT required include
Reasonable Safeguards are the actions the Department takes to ensure that protected health information remains private.
When there is incidental use or disclosure of health information, use these reasonable safeguards:
◦ Access is limited
◦ Authorization is obtained prior to sharing (when applicable)
◦ Client information is physically secure
Use Reasonable Safeguards
A. A Covered Entity (CE) must permit an individual to request restrictions on the use and disclosure of PHI:
◦ To carry out Treatment, Payment and Operations
◦ To use in a facility directory
◦ To relatives and friends
◦ For disaster relief purposes
Right to Request Restrictions on Use and Disclosure of PHI
B. A covered entity (CE) is not required to agree to a restriction.
C. A covered entity may “override” its agreement to a restriction if the individual is in need of emergency treatment and the PHI is needed for that treatment. This PHI must not be disclosed to anyone other than those providing the emergency treatment
Right to Request Restrictions on Use and Disclosure of PHI
D. A covered entity may terminate a restriction:
◦ if the individual agrees to the termination.
◦ without an individual’s agreement. In this case the termination of restriction applies only to PHI created or received after the termination date. PHI created or received prior to the termination date must continue to be restricted.
Right to Request Restrictions on Use and Disclosure of PHI
A. The CE must accommodate reasonable requests from individuals to receive communications of PHI by alternative means or at alternative locations.
B. The CE must accommodate all requests where the individual states that the disclosure could endanger the individual
C. The CE may require this request in writing.
Right to Receive Confidential Communication
A. Individuals have the right to access, inspect and receive copies of their own PHI except for:
◦ Psychotherapy notes
◦ PHI compiled for civil, criminal or administrative action or proceeding
Right to Access, Inspect and Copy PHI
A. An individual may request an amendment to PHI maintained by the CE.
B. The CE may deny the request if the PHI:
◦ Was not created by the CE.
◦ Is not part of the individual’s designated record set.
◦ Would not be available for inspection (Right #4 above).
◦ Is accurate and complete
Right to Amend
C. The CE:
◦ May require requests in writing
◦ May require a reason to support the request
◦ Must act on the request within 60 days (with 30 day extension in certain circumstances)
Right to amend
D. If denying the amendment the CE must:
◦ Provide a timely denial in plain language
◦ Include the basis for the denial
◦ Allow for a statement of disagreement from the individual
◦ Allow for a statement reflecting the request with subsequent disclosures of the PHI
◦ Identify the complaint process
Right to amend
A. In general, an individual may request a listing of the disclosures of the PHI made within the previous six years.
B. Disclosures not requiring accounting include disclosures made:
◦ For Treatment, Payment or Operations
◦ To the individual subjects of the PHI
◦ Incident to an otherwise permitted disclosure
◦ Based on the individual’s signed authorization
◦ For a facility directory
Right to Receive an Accounting of Disclosures of PHI
Disclosures requiring accounting include:
◦ Required by law
◦ For public health activities
◦ Victims of abuse, neglect, violence.
◦ Health oversight activities
◦ Judicial/Admin proceedings
◦ Law enforcement purposes
◦ About decedents
◦ Organ/eye/tissue donations
◦ Research Purposes
◦ To avert threat to health and safety
◦ For specialized government functions
◦ Workers’ compensation
Breach Notification Rule (9-23-09)
◦ Concerns the UNAUTHORIZED acquisition, access, use or disclosure of unsecured PHI as a result of a security breach.
◦ Brought about by American Recovery and Reinvestment Act of 2009
Updates to rule