LeslieSchwab_HIPAA.pptx

(1)

Healthcare Privacy

Beyond the Breach

Access for Treatment, Payment and

Healthcare Operations

(2)

Regulations

• _{Health Information Portability and Accountability}

Act of 1996(HIPAA) regulations at 45 CFR Parts

160-164

–

_{The Omnibus Rule of 2013 – pulled in the}

Health Information Technology for Economic

and Clinical Health Act (HITECH) regulations

• _{WA State: Uniform Health Care Information}

(3)

Definitions

• _{Protected Health Information (PHI) – HIPAA}

–

Health care Information – UHCIA

• _{Treatment – HIPAA}

• _{Payment – HIPAA}

• _{Healthcare Operations – HIPAA}

• _{Covered Entity (CE) – HIPAA}

• _{Business Associate (BA) – HIPAA}

• _{Minimum Necessary – HIPAA}

• _{Need to Know – UHCIA}

(4)

Defining PHI

• _{HIPAA 160.103}

• _{Protected Health Information(PHI)}

– _{“means individually identifiable health information” that is transmitted}

or maintained in any form or medium

• _{Individually Identifiable Health Information}

– _{health information, including demographic information collected from}

an individual, created or received by a health care provider, health plan, or health care clearinghouse that relates to the past, present, or future physical or mental health of an individual; the provision of

health care to an individual; or the past, present, or future payment for the provision of health care to an individual that identifies the

individual or there is a reasonable basis to believe the information can be used to identify the individual.

(5)

Defining PHI – De-Identified rule

• _{HIPAA 164.514}

• “Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health

information.”

• _{A covered entity may determine that health information is not}

individually identifiable health information only if:

– _{“A person with appropriate knowledge of and experience with generally}

accepted statistical and scientific principles and methods for rendering information not individually identifiable”

or

– “The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:”

(6)

Defining PHI - 18 identifiers

• Names

• Addresses (except State)

• Dates (except year) directly related to an individual, … and all ages over 89 and all elements of dates (including year) indicative of such age

• _{Phone numbers} • Fax numbers

• _{Email addresses}

• Social Security Numbers

• Medical Record Numbers

• Health plan beneficiary numbers

• _{Account numbers}

• Certificate/license numbers

• _{Vehicle identifiers and serial numbers, including license plates} • Device identifiers and serial numbers

• _{Website addresses}

• Internet Protocol (IP) address numbers

• _{Biometric identifiers, including finger and voice prints} • Full face photographic images and any comparable images

(7)

Defining PHI - Conclusion

• _{Consider any information that includes any of}

the 18 identifiers to be PHI under HIPAA

• _{Does not apply to:}

–

_{Education records}

–

_{Employment records}

–

_{Person deceased over 50 years}

• _{UHCIA – uses the term “Health care}

(8)

Treatment

• _{HIPAA 164.501 / UHCIA 70.02.010}

• _Treatment

_{means the provision, coordination, or}

management of health care and related services by

one or more health care providers, including the

coordination or management of health care by a

health care provider with a third party; consultation

between health care providers relating to a patient;

or the referral of a patient for health care from one

health care provider to another.

(9)

Payment

• _{HIPAA 164.501 / UHCIA 70.02.010}

• _{The activities undertaken by a health care}

provider or health plan to obtain or provide

reimbursement for the provision of health care

• _Includes:

–

_{Determining eligibility}

–

_{Utilization review}

–

_{Risk adjustment}

(10)

Healthcare Operations

• _{HIPAA 164.103 / UHCIA 70.02.010}

• _{Covered functions vary between regulations}

–

_{Ex. De-identified information}

• _Includes:

–

_{Quality Review}

–

_{Medical Staff Functions}

–

_{Compliance Auditing}

–

_{Business Development}

(11)

Additional Definitions

• _{Covered Entity(CE)}

–

_{Health care providers}

–

_{Health plans}

–

_{Health care clearinghouses}

• _{Business Associate(BA)}

–

_{Third party that assists CE with Healthcare}

Operations and “creates, receives, maintains, or

transmits” PHI

(12)

Minimum Necessary

• _{HIPAA – 164.502(b)}

• _{a CE or BA “must make reasonable efforts to}

limit PHI to the minimum necessary to

accomplish the intended purpose of the use,

disclosure, or request.”

• _{Applies when}

–

_{using or disclosing PHI}

–

_{requesting PHI from another covered entity or}

(13)

Minimum Necessary – does not apply

• _{Disclosures or requests by a}

_healthcare

provider

for treatment

–

_{Would apply to a third party for treatment}

• _{Disclosures requiring authorization by the}

patient

• _{Disclosures to the patient, or their}

representative

(14)

Need to Know

• _{WA State RCW 70.02.050}

• _{“A health care provider or health care facility may}

disclose health care information … about a patient

without the patient's authorization to the extent a

recipient

needs to know

the information”

• _{Applies to when}

_disclosing

_{PHI for}

_Treatment

_,

Payment and Healthcare Operations (TPO)

–

_{Facility required to “reasonably believe” the recipient}

will only use the information for the purpose it was

received and otherwise protect it

(15)

Need to Know - Does not apply

• _{Disclosures required by law}

(16)

State Law more Stringent

• _{Need to Know applies to Treatment, Minimum}

Necessary does not

• _{Need to Know more protective of patient}

privacy

• _{All disclosures for treatment should be limited}

–

_{Apply minimum necessary principles}

(17)

Minimum Necessary – Additional

Requirements

• _{A covered entity must identify:}

–

_{Those persons or classes of persons, as appropriate, in}

its workforce who need access to PHI to carry out their

duties; and

–

_{For each such person or class of persons, the category}

or categories of PHI to which access is needed and any

conditions appropriate to such access.

• _{“A covered entity must make reasonable efforts to}

limit the access of such persons or classes

identified”

(18)

Access for Treatment

• _{Facility Staff}

–

_role-based

• _{Other Healthcare Providers}

–

_{Limit access when technically possible}

• _{Third Party}

(19)

Treatment - Due Diligence Documents

• _{Not ‘Required’}

• _{Confidentiality & Security Agreement}

• _{Clinical Information Access Agreement}

• _{User Request Form}

(20)

Access for Payment

• _Insurance

–

_{Must be limited to encounters they are}

responsible for paying on

• _{Collection agencies}

(21)

Access for Healthcare Operations

• _{When Access involves PHI, a Business}

Associate Agreement (BAA) is required by

HIPAA.

• _{The BAA outlines significant privacy and}

security requirements to protect the PHI.

• _{Legal usually involved.}

(22)