7-1
Chapter 7: Privacy Laws and HIPAA
McGraw-Hill © 2010 by The McGraw-Hill Companies, Inc. All rights reserved
7-2
Learning Outcomes
Discuss federal privacy laws that pertain to health care.
Discuss the four standards of HIPAA.
Summarize the provisions of the Privacy Rule and how they apply to your profession.
Recognize and dispel some of the more prevalent myths concerning HIPAA.
7-3
Privacy laws are based on amendments to the U.S. Constitution:
First Amendment: Freedom of speech.
Third Amendment: No soldier may be quartered in a private citizen’s home without permission.
Fourth Amendment: Unreasonable search and seizure prohibited.
7-4
Fifth Amendment: Cannot be compelled to testify against yourself.
Ninth Amendment: Enumerated constitutional rights shall not be used to deny other rights retained by the people.
Fourteenth Amendment: Equal protection under the law.
7-5
Common points in all federal privacy laws:
Information collected and stored about individuals shall be limited to what is necessary.
Access to personal information should be limited to those employees who need to know.
Personal information may not be released outside the organization without authorization.
When information is being collected about a person, that person should know and have the opportunity to check it.
See Table 7-1 for a list of major federal privacy laws.
7-6
Health care billing has become more complex.
Managed care added a layer of administrative duties.
Rising cost of medical malpractice and the cost of doing business.
Rising cost of health care and health insurance.
7-7
Covered entities
Covered transactions
Designated record set
Notice of Privacy Practices (NPP)
Protected Health Information (PHI)
State preemption
Treatment, payment, and health care operations (TPO)
7-8
People, businesses, or agencies that must comply with the HIPAA Standards and Privacy Rule:
Hospitals
Nursing homes
Hospices
Pharmacies
Physician practices
Dental practices
Other providers of care
Health plans (payers)
Health care clearinghouses
7-9
A transaction is an electronic exchange of information between two covered entities.
Includes claims, patient identifiable information, referrals, authorizations.
7-10
Records maintained by or for a covered entity, including:
Medical records.
Billing records.
Health plan enrollment, payment, claims adjudication, and case management records.
Any record used by a covered entity to make decisions about an individual.
7-11
Every health care provider must provide each patient with a written notice of the provider’s privacy policies.
The patient is asked to sign an acknowledgment form.
7-12
Any information that contains one or more patient identifiers that could be used to identify an individual.
PHI must be protected whether it is written, spoken, or electronically transmitted.
7-13
If a state’s privacy laws are stricter than HIPAA, state law takes precedence.
7-14
TPO allows providers to provide treatment, disclose PHI for payment, and conduct the necessary business operations within and among other covered entities.
7-15
Business associates of covered entities must have contracts or agreements with the covered entities guaranteeing that PHI will be safeguarded.
Business associates include accountants, legal consultants, transcription services, and providers of other similar services to covered entities.
7-16
There are four HIPAA standards. A standard is a general requirement.
Standard 1—Transactions and Code Sets
Standard 2—Privacy Rule
Standard 3—Security Rule
Standard 4—National Identifier Standards
7-17
Transaction Requirements
Established standards for Electronic Data Interchange (EDI) for the transmittal of information.
Must be used by all covered entities.
7-18
Code Sets
Local code sets eliminated. Four categories of codes:
Coding systems for diseases (ICD-9)
Coding systems for causes of injury and diseases (ICD-9)
Actions taken to prevent, diagnose, treat, or manage diseases (CPT-4)
Substances, equipment, and supplies (HCPCS)
7-19
Protected Health Information (PHI) may be disclosed with permission.
A permission is the reason for each use and disclosure.
There are eleven HIPAA-defined permissions.
7-20
Disclosure to HHS representative (required)
Disclosure to patient (required)
Disclosure for treatment, payment, or health care operations (TPO)
Others’ treatment
Personal representative
Disaster relief organizations
Incidental disclosures
Public purposes
Authorization from patient
De-identified information
Limited data set
7-21
Verify the identity of the requestor.
Only the minimum necessary data should be disclosed.
Patient lists may not be provided to pharmaceutical and survey companies that are marketing services.
7-22
Disclosure of psychotherapy notes requires specific written approval from the patient. Check for the specific exceptions to this requirement.
Covered entities must have policies and procedures consistent with their Notice of Privacy Practices (NPP).
If state law conflicts with HIPAA, you must follow the law that offers the most protection.
7-23
Patient has the right to access and the right to copy records.
Patient has the right to request amendments to his/her PHI. Unless the provider has grounds to deny the request, the amendments must be made.
Patient has the right to request an accounting of disclosures of PHI.
7-24
Patient has the right to be contacted at places other than work or home.
Patient has the right to request further restrictions on who has access. The covered entity may deny the request for valid reasons.
Patient has the right to file a complaint.
7-25
Covered entities and business associates must have a security plan in place.
Appropriate measures such as a designated security officer, passwords, firewalls, encryption, and anti-virus software are necessary.
7-26
The standard is meant to provide a unique identifier number for each provider of care.
Implementation was completed in May 2008.
7-27
In some physician offices, the privacy/security officer is a member of the staff and has other duties. This person is sometimes referred to as the “HIPAA Police.” You personally observe the security officer violate basic HIPAA Standards—especially Standard 2. What are you going to do?