Chapter 7-Privacy Laws and HIPAA

McGraw-Hill © 2010 by The McGraw-Hill Companies, Inc. All rights reserved


Learning Outcomes
- Discuss federal privacy laws that pertain to health care.
- Discuss four standards of HIPAA.
- Summarize the provisions of the Privacy Rule and how they apply to your profession.
- Recognize and dispel some of the more prevalent myths concerning HIPAA.


Privacy laws are based on amendments to the U.S. Constitution:
- First Amendment: Freedom of speech.
- Third Amendment: No soldier quartered in private citizen’s home without permission.
- Fourth Amendment: Unreasonable search and seizure prohibited.


- Fifth Amendment: Cannot testify against yourself.
- Ninth Amendment: Constitutional rights shall not be used to deny other rights retained by the people.
- Fourteenth Amendment: Equal protection under the law.


Common points in all federal privacy laws are:
- Information collected and stored about individuals shall be limited to what is necessary.
- Access to personal information should be limited to those employees who need to know.
- Personal information may not be released outside the organization without authorization.
- When information is being collected about a person, that person should know and have opportunity to check.

See Table 7-1 for a list of major federal privacy laws.


- Health care billing has become more complex.
- Managed care added layer of administrative duties.
- Rising cost of medical malpractice and the cost of doing business.
- Rising cost of health care and health insurance.


- Covered entities
- Covered transactions
- Designated record set
- Notice of Privacy Practices (NPP)
- Protected Health Information (PHI)
- State preemption
- Treatment, payment, and health care operations (TPO)


People, businesses or agencies that must comply with HIPAA Standards and Privacy Rule:
- Hospitals
- Nursing homes
- Hospices
- Pharmacies
- Physician practices
- Dental practices
- Other providers of care
- Health plans (payers)
- Health care clearinghouses


A transaction is an electronic exchange of information between two covered entities.

Includes claims, patient identifiable information, referrals, authorizations.


Records maintained by or for a covered entity including:
- Medical records.
- Billing records.
- Health plans enrollment, payment, claims adjudication, case management records.
- Any record used by a covered entity to make decisions about an individual.


Every health care provider must provide each patient with a written notice of the provider’s privacy policies.

The patient is asked to sign an acknowledgment form.


Any information that contains one or more patient identifiers that could be used to identify an individual.

PHI must be protected whether written, spoken or electronically transmitted.


If a state’s privacy laws are stricter than HIPAA, state law takes precedence.


TPO allows providers to provide treatment, disclose PHI for payment, and conduct the necessary business operations within and among other covered entities.


Business associates of covered entities must have contracts/agreements with covered entities guaranteeing that PHI will be safeguarded.

Business associates include accountants, legal consultants, transcription services, and other similar type services provided to covered entities.


There are four HIPAA standards. A standard is a general requirement.
- Standard 1—Transactions and Code Sets
- Standard 2—Privacy Rule
- Standard 3—Security Rule
- Standard 4—National Identifier Standards


Transaction Requirements
- Established standards for Electronic Data Interchange (EDI) for transmittal of information.
- Must be used by all covered entities.


Code Sets
- Local code sets eliminated.
- Four categories of codes:
  - Coding systems for diseases (ICD-9)
  - Coding systems for causes of injury, diseases (ICD-9)
  - Actions taken to prevent, diagnose, treat or manage diseases (CPT-4)
  - Substances, equipment, supplies (HCPCS)


Patient Health Information (PHI) may be disclosed with permission.

The permission is a reason for each use and disclosure.

There are eleven HIPAA-defined permissions.


- Disclosure to HHS representative (required)
- Disclosure to patient (required)
- Disclosure for treatment, payment or health care operations (TPO)
- Others’ treatment
- Personal representative
- Disaster Relief Organizations
- Incidental disclosures
- Public purposes
- Authorization from patient
- De-identified information
- Limited data set


- Verification of identification of requestor.
- Only the minimum necessary data should be disclosed.
- Patient lists may not be provided to pharmaceutical & survey companies that are marketing services.


Psychotherapy notes must have specific written approval from patient. Check for specific exceptions to this requirement.

Covered entities must have Policies and Procedures consistent with Notice of Privacy Practices (NPP).

If state law conflicts with HIPAA, you must follow the law that offers most protection.


Patient has right to access and right to copy records.

Patient has right to request amendments to his/her PHI. Unless provider has grounds to deny, amendments must be made.

Patient has right to request an accounting of disclosures of PHI.


Patient has right to be contacted at places other than work or home.

Patient has right to request further restriction on who has access. Covered entity may deny request for valid reasons.

Patient has right to file a complaint.


Covered entities and business associates must have a security plan in place.

Appropriate measures such as a security officer, passwords, firewalls, encryption, and anti-virus software are necessary.


Standard is meant to provide a unique number for each provider of care.

Implementation completed in May 2008.


In some physician offices, the privacy/security officer is a member of the staff and has other duties. This person is sometimes referred to as the “HIPAA Police.” You personally observe the security officer violate basic HIPAA Standards—especially Standard 2. What are you going to do?
