Health Insurance Portability and Accountability Act of 1996 (HIPAA)

(1)

HIPAA Privacy Rule

Transactions Standards

 1. Health claims

 2. Health claim attachments

 3. Healthcare payment and remittance advice

 4. First report of injury

 5. Health claim status

 6. Referral certification and authorization

Code Sets

ICD-9-10 – International classification of diseases 9^thedition

HCPCS – Healthcare Financing

Administrative Common Procedure Coding System

 CPT- Current Procedure Terminology

(2)

PHI, What is It?

Protected Health Information (PHI)

 - Individually identifiable health information

 - Transmitted or maintained in any form or medium by a Covered Entity or its Business Associate

Permitted Uses Of PHI

Individual

Treatment, Payment and Health Care

Public Policy

“Incident to”

Limited data set Operations (TPO)

Opportunity to Agree or Object

Authorized

Individuals

Besides required disclosures, Covered Entities may also disclose PHI to their patients/health plan enrollees

p p

 - Health plans can contact their enrollees

 - Providers can talk to their patients

(3)

Treatment, Payment and

Health Care Operations(TPO)

Covered Entities may use/disclose PHI to carry out essential health care functions carry out essential health care functions

 - Treatment

 - Payment

 - Health care operations

Treatment

Treatment means the provision,

coordination, or management of health care by one or more health care providers; y p ; including consultation between health care providers or patient referrals

Payment

Payment means activities of:

Health care providers to obtain payment or be reimbursed for their services

be reimbursed for their services

Health plans to obtain premium, fulfill coverage responsibilities, or provide reimbursement for the provision of health care

(4)

Health Care Operations

Health Care Operations are administrative, financial, legal, and quality improvement activities

Necessary to run business and to support core functions of treatment and payment

Health Care Operations

Quality assessment and improvement activities

Training accreditation certification

Training, accreditation, certification, credentialing, licensing, reviewing competence, and evaluating performance

Fraud and abuse detection

Individual’s right to Agree or

Object

Must give individual opportunity to restrict or prohibit the use or disclosure of name, location, general condition, and religious , g , g affiliation

 May disclose PHI relevant to person’s involvement in care or payment to family, friends, or others identified by individual

 May notify of individual’s location, condition, or death to family, personal representatives, or another responsible for care

 Applies to disaster relief

 May disclose is individual is not present or incapacitated

(5)

Public Policy

As required by law

For public health

About victims of abuse or neglect

For health oversight activities

For judicial & administrative proceedings

For law enforcement purposes

Public Policy

For research purposes

To avert a serious threat to health or safety

For worker’s compensation

For worker s compensation

About decedents (coroners, ME, Funeral directors)

For organ, eye, or tissue donations

“Incident to”

Rule permits uses/disclosures incident to an otherwise permitted use or disclosure, provided minimum necessary & safeguards

p y g

standards are met

Allows for common practices if reasonably performed

(6)

Limited Data Set

For research,public health, health care operations purposes

Direct identifiers must be removed

Allows for zip codes, dates

Requires Data Use Agreement: recipient cannot use for other purposes or identify or contact individuals

Minimum Necessary

Covered Entities must make reasonable efforts to limit the use or disclosure of and efforts to limit the use or disclosure of, and requests for, PHI to minimum amount necessary to accomplish intended purpose

Minimum Necessary

Covered Entities may reasonably rely upon requester’s determination as to minimum amount necessary if:y

 - Public Official

 - Another Covered Entity

 - Business Associate for provision of professional service

 - Researcher with IRB/Privacy Board documentation or other appropriate representations

(7)

Minimum Necessary

Exceptions

Disclosures to or request by Providers for treatment

Disclosures to individual

Uses/disclosures with an authorization

Uses/disclosures required for HIPAA standard transactions

Disclosures to HHS/OCR for enforcement

Uses/disclosures required by law

Business Associates

Who Is A Business Associate?

A person who performs a function or activity on behalf of, or provides services to, a Covered Entity that involves , y

Individually Identifiable Health Information

Is not a workforce member

Covered entity can be a Business Associate

(8)

Who IS Not A Business

Associate

Two entities – each performing functions on its own behalf

 -Provider gives PHI to payer for payment

 -Hospital and physician treating patients at hospital

 Persons or organizations where access to protected health information is not necessary to do their job

 Janitors, electricians, copy machine repair persons

Are you responsible for

Business Associate

 Obtain “satisfactory assurance” that Business Associate will appropriately pp p y safeguard PHI

- Written contract or other written arrangement or agreement

 No monitoring

 Cure or terminate contract if known violation

Contract Must Include

Permitted uses and disclosures

Requirement to use appropriate safeguards

Requirement to report of non-permitted uses and disclosures to Covered Entity

Requirement to extend same terms to subcontractors

(9)

Authorizations

Authorizations are required for uses and

Authorizations are required for uses and disclosures not otherwise permitted or required by the Rule

Authorizations

Generally, cannot condition treatment, payment, eligibility, or enrollment on an authorization

There are special rules for psychotherapy notes and marketing

Authorization must contain core elements &

required statements, including:

 Expiration date or event

 Statement of authorization is revocable

Individual Rights

Notice of Privacy Practices

Access

Request restrictions

Confidential communications

Amendment

Accounting

Complain to Covered Entity

Complain to Secretary (HHS/OCR)

(10)

Notice of Privacy Practices

An individual has a right to adequate written notice of:

- Uses and disclosures of PHI that may be madeUses and disclosures of PHI that may be made by the Covered Entity

- Individual’s rights and Covered Entity’s legal duties with respect to PHI

Notice content

Header – specific language in Rule

Description of uses and disclosures

Individual rights and how to exercise them

Covered Entity duties and contact name or title and telephone number to receive complaints

Effective date

Access

Individual has a right of access to inspect and obtain a copy of PHI about the individual in a designated record setg

Timely action by Covered Entity

- Providing Access: Inspection and copy, or

- Written denial

- Review of certain denials by licensed health care professional

(11)

Amendment to PHI

Individual has the right to have Covered Entity amend PHI in a Designated Record Set

Covered Entity may deny request in certain cases

 Example: if record is accurate and complete

Timely action by Covered Entity

 Accepting amendment or written denial of the amendment

Denial

Individuals may submit written disagreement

Covered Entity may rebut the statement of

Covered Entity may rebut the statement of denial in writing

Covered Entity must include request, denial, disagreement and rebuttal in Designated Record Set

Accounting

An individual has a right to receive an accounting of disclosures of PHI made by accounting of disclosures of PHI made by Covered Entity in the 6 years prior to date requested

(12)

Confidential Communication

A covered health care provider must permit and accommodate reasonable requests to receive communications of PHI by y

alternative means and at alternative location

The requirement applies to a health plan if individual clearly states disclosure could endanger individual

Disclosure Restrictions

A Covered Entity must permit an individual to request restrictions on uses and

disclosures of PHI to carry out TPO and to i l d i i di id l’

persons involved in individual’s care

The Covered Entity is not required to agree to such request

If they do agree they may not violate the restriction except in emergency

Complaints

Any person who believes a Covered Entity is not complying with applicable

is not complying with applicable

requirements of the Privacy Rule may file a written complaint with the Secretary/OCR

(13)

Office for Civil Rights (OCR)

Enforces Civil Rights laws and the Privacy Rule

Investigation and Resolution of complaints

Exception determinations

OCR may investigate complaints

OCR may conduct compliance reviews

Complaints to OCR

Any person or organization may file complaint with OCR by mail or electronicallyy

 - Only for possible violations occurring after compliance date

 - Complaints should be filed within 180 days of the time the incident occurred

Individuals may also file complaints with Covered Entity

Complaints

Provide a process for individuals to make complaints to Covered Entity

Do not require individuals to waive their

Do not require individuals to waive their rights to file a complaint with the Secretary or their other rights under Privacy Rule

Refrain from intimidating or retaliatory acts

(14)

Complaint Process

Informal review may resolve issue fully without formal investigation

without formal investigation

 - many complaints will resolve in this manner

If not, begin investigation

Civil Monetary Penalties

None will occur if:

Person did not know – and by exercising reasonable diligence would not have known g of the violation

If failure to comply is due to reasonable cause and not willful neglect and entity corrects within 30 day cure period

Offense is punishable by criminal sanction

Exceptions

Potential extension of the 30 day cure period

Technical Assistance if Covered Entity is

“unable to comply”

CMP reduction possible if:

 - Amount excessive relative to the violation

 - Due to reasonable cause and not willful neglect

(15)

HIPAA Penalties

General Penalty for Failure to Comply:

 Each Violation: $100.

– Maximum penalty for all violations of an identical requirement: May not exceed $25,000

Wrongful Disclosure of Individually Identifiable Health Information:

 Wrongful disclosure: $50,000; one year imprisonment, or both

 False Pretenses: $100,000; five years imprisonment, or both

 Intent to sell: $250,000; ten years imprisonment, or both

What Do I do First?

First get the appropriate forms together

Train your personnel

Work on physical security issues

Don’t panic

Forms

1.HIPAA Notice of Privacy Practices

2.Authorization of Use and Disclosure of Protected Health Information

Protected Health Information

3.Revocation of Authorization For Use And Disclosure of Protected Health Information

4.Request For Confidential Communication of Protected Health Information

(16)

FORMS

5.Business Associate Agreement

6.Request to Inspect or Copy Protected Health Information

Health Information

7.Approval of Request to Inspect or Copy Protected Health Information

8.Denial of Request to Inspect or Copy Protected Health Information

FORMS

9.Request to Amend Protected Health Information

10.Request for Accounting of Protected Health q g Information Disclosures

11. Log for Disclosure of Protected Health Information

12.HIPAA(Privacy Rule) Complaint and Resolution Form

FORMS

13.Audit Form

14. Employee HIPAA Compliance Signature Form

Signature Form

15. Employee Compliance Training Log

16. Marketing Authorization Form

17. Appointment Reminder Authorization

(17)

Authorizations

You must have an authorization if:

1.You need help from your state association to obtain reimbursement for the patient’s to obtain reimbursement for the patient s care

2.You use the patient’s name in any type of advertising of any kind

Authorizations

4. You use the patient’s name in any type of testimonial

5 You use the patient’s name on internal

5. You use the patient s name on internal

“thank you” “welcome” boards

6.If you use a picture of a child for a “kids wall”

Authorizations

You may not threaten to withhold treatment because a patient will

i not sign an authorization

(18)

Notice of Privacy Practices

You must have a Notice of Privacy Practices

It must be given to every patient after April 14, 2003 the first time you see the patient, and the first time you see the patient after any material time you see the patient after any material amendment to the Notice

You must provide the patient with a full copy upon request

It must be posted in a prominent location at your site

Training of Personnel

The Security Regulations require you to provide your workforce, agents, and contractors with training regarding security issues, policies, and procedures necessary for them to carry out their function

Training of Personnel

Awareness training for all personnel

Periodic security reminders reminders

Education regarding virus protection

Education in importance of monitoring log

Education in password management

(19)

Administrative Requirements

Designate a privacy official

 - Responsible for privacy policies and procedures

Designate a contact person or office responsible

Designate a contact person or office responsible for receiving complaints

This can be the same person

Develop a system of sanctions for employees who violate the Entities policies or the requirements of the Privacy Rule

Compliance Official Issues

1.Determine if you are a Covered Entity

2.Decide on organizational structure

3.Identify Business Associates and enter3.Identify Business Associates and enter into agreements

4.Develop and provide a Notice and, if necessary, an Acknowledgement form

5. Develop a valid authorization form for future use

Compliance Official Issues

6.Compare current PHI use and disclosures practices with Privacy Rule requirements practices with Privacy Rule requirements, and identify where practices need to change.

Identify “TPO” uses and disclosures of PHI, all other uses and disclosures and develop Minimum Necessary policies and protocols

(20)

Compliance Official Issues

7.Develop a system to track and account for disclosures

8.Designate a Privacy Official and contact person or office

or office

9.Design and implement Policies and Procedures

10.Develop and implement systems to safeguard PHI

11.Train workforce

12.Check the Rule for particular requirements

Security

Employees may only have access to the portion of the patient’s

d i d b

records required by their job

responsibilities

You must make reasonable effort to limit access

Security

Security measures may include:

 - Computer firewallsp

 - Locked file drawers

 - Limited access work area

 - Procedures to protect confidentiality when discussing payment matters

 - Private areas for discussion of patient health information

(21)

Security

- Secure carriers if files left on door or wall

- Proper backup and storage of data files

- Secure storage for backups

- Secure “off-site” records storage

- Policies/procedures to insure patient records are properly stored during lunch hours, breaks, or time away from station

Place stickers on the front of the files that say

“Confidential”

Security

What if I have open-shelved filing?

 - Make sure that the area is secure at all times

 - Do not allow anyone other authorized personnel in the area

 - Place stickers on the shelves that say “Confidential”

 - As you work with the files on a daily basis, check for either a confidential stamp or sticker. If absent, mark it confidential as you go

HIPAA

QUICK TIPS

 1. Never walk away from an open file drawer. Lock after each use.

 2 Keep all files away from easy view Do not keep files laying around

 2. Keep all files away from easy view. Do not keep files laying around with visible PHI.

 3. Mark all filing cabinets, files, etc. “confidential”.

 Phone messages on patient’s answering machines. HIPAA is concerned with protecting your patient’s privacy. One of the easiest ways to violate a patient’s privacy is by exposing PHI on answering machines.

(22)

HIPAA

QUICK TIPS

 WHAT ARE THE RISKS?

 1. The risk is that a family member, friend, or other could overhear or receive the message.

 2. The risk that the message could be left at the wrong number is also very crucial.

 3. The receiver might hear information that the patient does not want to be exposed.

HIPAA

QUICK TIPS

 INFORMATION TO AVOID

 1 Laboratory and test results

 1. Laboratory and test results

 2. Any information that links the patient’s name to the medical condition.

 3. The type of clinic or specialist the patient is seeing.

 4. Personal information (ex: HIV, psychotherapy, substance abuse, pregnancy, etc.)

HIPAA

QUICK TIPS

 1. Reminders of appointments are OK.

 2 Train your employees on a set policy

 2. Train your employees on a set policy

 3. Ask the patient if they would prefer a separate phone line(cell phone, etc.) for follow-up calls. Get it in writing

 4. Always use good judgment on the type of messages that you leave.

(23)

HOW AND WHEN TO EXECUTE HIPAA HOW AND WHEN TO EXECUTE HIPAA

AUDITS AND TRAINING AUDITS AND TRAINING

SIMPLE GUIDELINES

AUDITS AND TRAINING

1. Complete an audit at least twice a year. Pull at least five files for your audits.

2. Follow the easy questions on your audit sheet, under the

“audit” label in your manual and compare to the file youaudit label in your manual, and compare to the file you are working with.

3. Assign a responsible employee to complete this task. It does not have to be a member of your compliance committee.

4. When finished, document your audit by filing it in your HIPAA Compliance Plan and Manual

AUDITS AND TRAINING

 5. Even though there is no set training guidelines I would recommend that your training sessions should be held at least twice a year. Please have every employee sign an employee compliance training log for these training sessions and place it in the signed training section of your HIPAA Compliance Plan and Manual

your HIPAA Compliance Plan and Manual.

 REMEMBER, YOUR HIPAA MANUAL IS INSUFFICIENT IF YOU DO NOT CONTINOUSLY UPDATE, TRAIN, AND AUDIT.

 IT IS UP TO YOU TO STAY IN COMPLIANCE WITH HIPAA.

(24)

Simple Rules

 1. Except for the patient’s name, confidential patient information is not called out into the waiting room

 2. Release of confidential patient information is done ONLY by staff specifically authorized to do so.

 3. Confidential patient information is not left on an unattended printer, photocopier, or fax machine unless these devices are in a secure area. Physical access to fax machines and printers is limited to authorized staff.

 4. Staff does not discuss confidential patient information among themselves in public areas.

Simple Rules

 5. Conversations with the patient/family regarding confidential patient information are not held in public areas.

 6. Overhead and intercom announcements do not include confidential patient information.

 7. Phone conversations and dictation are in areas where confidential patient information cannot be overheard.

 8. Computer monitors are positioned away from public view, to avoid observation by visitors.

 9. Confidential patient information is discarded in the appropriate secure container or shredded.

Simple Rules

 10. Screens of unattended computers are returned to the logon screen or have a password enabled screen saver. Staff understands their ID and password are confidential and never shares them, or the use of their workstation while logged in.

 11 O d k i bli h t h ld ’ t ti

 11. On desks in public areas, chart holders or nurse’s stations, documents with confidential patient information are face down or concealed, avoiding observation by patient’s or visitors.

 12. Paper records and medical charts are stored or filed in such a way as to avoid observation by patient’s or visitors, or casual access by unauthorized staff.

(25)

Simple Rules

 13. Answering machines volume is turned down so information being left cannot be overheard by other staff or visitors. Voice mail passwords are not the default settings, or the last four digits of your phone number.

 14 P ti t li t i l di h d l d d ith i f ti

 14. Patient lists, including scheduled procedures, with information beyond room assignments are not readily visible by patients or visitors.

 15. Staff feel comfortable, and obligated, to report misuse of confidential patient information to their supervisor, knowing there will be no retaliation.

 16. All supervisors regularly review institutional policies that are applicable for their work assignments with their staff, to insure that current practices and procedures protect patient privacy.

Simple Rules

 17. Only authorized staff has access to confidential patient information, and they access and use only the minimum amount necessary to accomplish their duties. All staff wear the appropriate nametag at all times.

 18 F it th t t t ff d 24 h ti t d fil d i

 18. For units that are not staffed 24 hours, patient records are filed in locking storage cabinets or rooms that are locked.

 19. Visitors and patients are appropriately escorted to ensure they do not access staff areas, dictating rooms, chart storage, etc. Those persons not recognized in restricted areas, are challenged for identification.