HIPAA Privacy Rule
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Transactions Standards
1. Health claims
2. Health claim attachments
3. Healthcare payment and remittance advice
4. First report of injury
5. Health claim status
6. Referral certification and authorization
Code Sets
ICD-9 – International Classification of Diseases, 9th edition (later superseded by ICD-10)
HCPCS – Healthcare Common Procedure Coding System (originally the HCFA Common Procedure Coding System)
CPT – Current Procedural Terminology
PHI, What is It?
Protected Health Information (PHI)
- Individually identifiable health information
- Transmitted or maintained in any form or medium by a Covered Entity or its Business Associate
Permitted Uses Of PHI
- To the individual
- Treatment, Payment and Health Care Operations (TPO)
- Opportunity to agree or object
- Public policy
- “Incident to” an otherwise permitted use or disclosure
- Limited data set
- Authorized by the individual
Individuals
Besides required disclosures, Covered Entities may also disclose PHI to their patients/health plan enrollees
- Health plans can contact their enrollees
- Providers can talk to their patients
Treatment, Payment and Health Care Operations (TPO)
Covered Entities may use/disclose PHI to carry out essential health care functions:
- Treatment
- Payment
- Health care operations
Treatment
Treatment means the provision, coordination, or management of health care by one or more health care providers, including consultation between health care providers or patient referrals
Payment
Payment means activities of:
- Health care providers to obtain payment or be reimbursed for their services
- Health plans to obtain premiums, fulfill coverage responsibilities, or provide reimbursement for the provision of health care
Health Care Operations
Health Care Operations are administrative, financial, legal, and quality improvement activities
Necessary to run business and to support core functions of treatment and payment
Health Care Operations
Quality assessment and improvement activities
Training, accreditation, certification, credentialing, licensing, reviewing competence, and evaluating performance
Fraud and abuse detection
Individual’s right to Agree or Object
Must give individual opportunity to restrict or prohibit the use or disclosure of name, location, general condition, and religious affiliation (facility directory information)
May disclose PHI relevant to person’s involvement in care or payment to family, friends, or others identified by individual
May notify of individual’s location, condition, or death to family, personal representatives, or another responsible for care
Applies to disaster relief
May disclose if individual is not present or is incapacitated
Public Policy
As required by law
For public health
About victims of abuse or neglect
For health oversight activities
For judicial & administrative proceedings
For law enforcement purposes
Public Policy
For research purposes
To avert a serious threat to health or safety
For worker’s compensation
About decedents (coroners, ME, Funeral directors)
For organ, eye, or tissue donations
“Incident to”
Rule permits uses/disclosures incident to an otherwise permitted use or disclosure, provided minimum necessary & safeguards standards are met
Allows for common practices if reasonably performed
Limited Data Set
For research, public health, or health care operations purposes
Direct identifiers must be removed
Allows for zip codes and dates
Requires a Data Use Agreement: recipient cannot use the data for other purposes or identify or contact individuals
Minimum Necessary
Covered Entities must make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the minimum amount necessary to accomplish the intended purpose
Minimum Necessary
Covered Entities may reasonably rely upon the requester’s determination as to the minimum amount necessary if the request is from a:
- Public Official
- Another Covered Entity
- Business Associate for provision of professional service
- Researcher with IRB/Privacy Board documentation or other appropriate representations
Minimum Necessary
Exceptions
Disclosures to, or requests by, providers for treatment
Disclosures to individual
Uses/disclosures with an authorization
Uses/disclosures required for HIPAA standard transactions
Disclosures to HHS/OCR for enforcement
Uses/disclosures required by law
Business Associates
Who Is A Business Associate?
A person who performs a function or activity on behalf of, or provides services to, a Covered Entity that involves Individually Identifiable Health Information
Is not a workforce member
A Covered Entity can itself be a Business Associate of another Covered Entity
Who Is Not A Business Associate
Two entities – each performing functions on its own behalf
- Provider gives PHI to payer for payment
- Hospital and physician treating patients at hospital
Persons or organizations where access to protected health information is not necessary to do their job
- Janitors, electricians, copy machine repair persons
Are you responsible for a Business Associate?
Obtain “satisfactory assurance” that the Business Associate will appropriately safeguard PHI
- Written contract or other written arrangement or agreement
No obligation to actively monitor the Business Associate
Must cure the violation or terminate the contract if a violation becomes known
Contract Must Include
Permitted uses and disclosures
Requirement to use appropriate safeguards
Requirement to report non-permitted uses and disclosures to the Covered Entity
Requirement to extend same terms to subcontractors
Authorizations
Authorizations are required for uses and disclosures not otherwise permitted or required by the Rule
Authorizations
Generally, cannot condition treatment, payment, eligibility, or enrollment on an authorization
There are special rules for psychotherapy notes and marketing
Authorization must contain core elements & required statements, including:
Expiration date or event
Statement of authorization is revocable
Individual Rights
Notice of Privacy Practices
Access
Request restrictions
Confidential communications
Amendment
Accounting
Complain to Covered Entity
Complain to Secretary (HHS/OCR)
Notice of Privacy Practices
An individual has a right to adequate written notice of:
- Uses and disclosures of PHI that may be made by the Covered Entity
- Individual’s rights and Covered Entity’s legal duties with respect to PHI
Notice content
Header – specific language in Rule
Description of uses and disclosures
Individual rights and how to exercise them
Covered Entity duties and contact name or title and telephone number to receive complaints
Effective date
Access
Individual has a right of access to inspect and obtain a copy of PHI about the individual in a designated record set
Timely action by Covered Entity
- Providing Access: Inspection and copy, or
- Written denial
- Review of certain denials by licensed health care professional
Amendment to PHI
Individual has the right to have Covered Entity amend PHI in a Designated Record Set
Covered Entity may deny request in certain cases
Example: if record is accurate and complete
Timely action by Covered Entity
Accepting amendment or written denial of the amendment
Denial
Individuals may submit written disagreement
Covered Entity may rebut the individual’s statement of disagreement in writing
Covered Entity must include request, denial, disagreement and rebuttal in Designated Record Set
Accounting
An individual has a right to receive an accounting of disclosures of PHI made by the Covered Entity in the 6 years prior to the date requested
Confidential Communication
A covered health care provider must permit and accommodate reasonable requests to receive communications of PHI by alternative means or at alternative locations
The requirement applies to a health plan if individual clearly states disclosure could endanger individual
Disclosure Restrictions
A Covered Entity must permit an individual to request restrictions on uses and disclosures of PHI to carry out TPO and to persons involved in the individual’s care
The Covered Entity is not required to agree to such a request
If it does agree, it may not violate the restriction except in an emergency
Complaints
Any person who believes a Covered Entity is not complying with applicable requirements of the Privacy Rule may file a written complaint with the Secretary/OCR
Office for Civil Rights (OCR)
Enforces Civil Rights laws and the Privacy Rule
Investigation and Resolution of complaints
Exception determinations
OCR may investigate complaints
OCR may conduct compliance reviews
Complaints to OCR
Any person or organization may file a complaint with OCR by mail or electronically
- Only for possible violations occurring after compliance date
- Complaints should be filed within 180 days of the time the incident occurred
Individuals may also file complaints with Covered Entity
Complaints
Provide a process for individuals to make complaints to the Covered Entity
Do not require individuals to waive their rights to file a complaint with the Secretary or their other rights under the Privacy Rule
Refrain from intimidating or retaliatory acts
Complaint Process
Informal review may resolve the issue fully without formal investigation
- many complaints will resolve in this manner
If not, begin investigation
Civil Monetary Penalties
None will occur if:
Person did not know – and by exercising reasonable diligence would not have known – of the violation
Failure to comply is due to reasonable cause and not willful neglect, and the entity corrects it within the 30-day cure period
The act is punishable by criminal sanction (no civil penalty is imposed for an act that constitutes a criminal offense under HIPAA)
Exceptions
Potential extension of the 30-day cure period
Technical assistance if Covered Entity is “unable to comply”
CMP reduction possible if:
- Amount excessive relative to the violation
- Due to reasonable cause and not willful neglect
HIPAA Penalties
General Penalty for Failure to Comply (civil):
Each violation: $100
– Maximum penalty for all violations of an identical requirement in a calendar year: may not exceed $25,000
Wrongful Disclosure of Individually Identifiable Health Information (criminal):
Wrongful disclosure: up to $50,000, one year imprisonment, or both
False pretenses: up to $100,000, five years imprisonment, or both
Intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm: up to $250,000, ten years imprisonment, or both
(These are the original 1996 statutory amounts; the HITECH Act of 2009 raised the civil penalty tiers substantially.)
What Do I do First?
First get the appropriate forms together
Train your personnel
Work on physical security issues
Don’t panic
Forms
1. HIPAA Notice of Privacy Practices
2. Authorization of Use and Disclosure of Protected Health Information
3. Revocation of Authorization For Use And Disclosure of Protected Health Information
4. Request For Confidential Communication of Protected Health Information
FORMS
5. Business Associate Agreement
6. Request to Inspect or Copy Protected Health Information
7. Approval of Request to Inspect or Copy Protected Health Information
8. Denial of Request to Inspect or Copy Protected Health Information
FORMS
9. Request to Amend Protected Health Information
10. Request for Accounting of Protected Health Information Disclosures
11. Log for Disclosure of Protected Health Information
12. HIPAA (Privacy Rule) Complaint and Resolution Form
FORMS
13. Audit Form
14. Employee HIPAA Compliance Signature Form
15. Employee Compliance Training Log
16. Marketing Authorization Form
17. Appointment Reminder Authorization
Authorizations
You must have an authorization if:
1. You need help from your state association to obtain reimbursement for the patient’s care
2. You use the patient’s name in any type of advertising of any kind
Authorizations
4. You use the patient’s name in any type of testimonial
5. You use the patient’s name on internal “thank you” or “welcome” boards
6. You use a picture of a child for a “kids wall”
Authorizations
You may not threaten to withhold treatment because a patient will not sign an authorization
Notice of Privacy Practices
You must have a Notice of Privacy Practices
It must be given to every patient after April 14, 2003 the first time you see the patient, and again the first time you see the patient after any material amendment to the Notice
You must provide the patient with a full copy upon request
It must be posted in a prominent location at your site
Training of Personnel
The Security Regulations require you to provide your workforce, agents, and contractors with training regarding security issues, policies, and procedures necessary for them to carry out their function
Training of Personnel
Awareness training for all personnel
Periodic security reminders
Education regarding virus protection
Education on the importance of monitoring logs (log-in monitoring)
Education in password management
Administrative Requirements
Designate a privacy official
- Responsible for privacy policies and procedures
Designate a contact person or office responsible for receiving complaints
This can be the same person
Develop a system of sanctions for employees who violate the entity’s policies or the requirements of the Privacy Rule
Compliance Official Issues
1. Determine if you are a Covered Entity
2. Decide on organizational structure
3. Identify Business Associates and enter into agreements
4. Develop and provide a Notice and, if necessary, an Acknowledgement form
5. Develop a valid authorization form for future use
Compliance Official Issues
6. Compare current PHI use and disclosure practices with Privacy Rule requirements, and identify where practices need to change.
Identify “TPO” uses and disclosures of PHI and all other uses and disclosures, and develop Minimum Necessary policies and protocols
Compliance Official Issues
7. Develop a system to track and account for disclosures
8. Designate a Privacy Official and contact person or office
9. Design and implement Policies and Procedures
10. Develop and implement systems to safeguard PHI
11. Train workforce
12. Check the Rule for particular requirements
Security
Employees may only have access to the portion of the patient’s records required by their job responsibilities
You must make reasonable effort to limit access
Security
Security measures may include:
- Computer firewalls
- Locked file drawers
- Limited access work area
- Procedures to protect confidentiality when discussing payment matters
- Private areas for discussion of patient health information
Security
- Secure carriers if files left on door or wall
- Proper backup and storage of data files
- Secure storage for backups
- Secure “off-site” records storage
- Policies/procedures to ensure patient records are properly stored during lunch hours, breaks, or time away from station
- Place stickers on the front of the files that say “Confidential”
Security
What if I have open-shelved filing?
- Make sure that the area is secure at all times
- Do not allow anyone other than authorized personnel in the area
- Place stickers on the shelves that say “Confidential”
- As you work with the files on a daily basis, check for either a confidential stamp or sticker. If absent, mark it confidential as you go
HIPAA
QUICK TIPS
1. Never walk away from an open file drawer. Lock after each use.
2. Keep all files away from easy view. Do not keep files lying around with visible PHI.
3. Mark all filing cabinets, files, etc. “confidential”.
Phone messages on patients’ answering machines: HIPAA is concerned with protecting your patients’ privacy, and one of the easiest ways to violate a patient’s privacy is by exposing PHI on an answering machine.
HIPAA
QUICK TIPS
WHAT ARE THE RISKS?
1. The risk is that a family member, friend, or other could overhear or receive the message.
2. The risk that the message could be left at the wrong number is also significant.
3. The receiver might hear information that the patient does not want to be exposed.
HIPAA
QUICK TIPS
INFORMATION TO AVOID
1. Laboratory and test results
2. Any information that links the patient’s name to the medical condition.
3. The type of clinic or specialist the patient is seeing.
4. Personal information (ex: HIV, psychotherapy, substance abuse, pregnancy, etc.)
HIPAA
QUICK TIPS
1. Reminders of appointments are OK.
2. Train your employees on a set policy.
3. Ask the patient if they would prefer a separate phone line (cell phone, etc.) for follow-up calls. Get it in writing.
4. Always use good judgment on the type of messages that you leave.
HOW AND WHEN TO EXECUTE HIPAA AUDITS AND TRAINING
SIMPLE GUIDELINES
AUDITS AND TRAINING
1. Complete an audit at least twice a year. Pull at least five files for your audits.
2. Follow the easy questions on your audit sheet, under the “audit” label in your manual, and compare to the file you are working with.
3. Assign a responsible employee to complete this task. It does not have to be a member of your compliance committee.
4. When finished, document your audit by filing it in your HIPAA Compliance Plan and Manual
AUDITS AND TRAINING
5. Even though there are no set training guidelines, I would recommend that training sessions be held at least twice a year. Please have every employee sign an employee compliance training log for these training sessions and place it in the signed training section of your HIPAA Compliance Plan and Manual.
REMEMBER, YOUR HIPAA MANUAL IS INSUFFICIENT IF YOU DO NOT CONTINUOUSLY UPDATE, TRAIN, AND AUDIT.
IT IS UP TO YOU TO STAY IN COMPLIANCE WITH HIPAA.
Simple Rules
1. Except for the patient’s name, confidential patient information is not called out into the waiting room
2. Release of confidential patient information is done ONLY by staff specifically authorized to do so.
3. Confidential patient information is not left on an unattended printer, photocopier, or fax machine unless these devices are in a secure area. Physical access to fax machines and printers is limited to authorized staff.
4. Staff does not discuss confidential patient information among themselves in public areas.
Simple Rules
5. Conversations with the patient/family regarding confidential patient information are not held in public areas.
6. Overhead and intercom announcements do not include confidential patient information.
7. Phone conversations and dictation are in areas where confidential patient information cannot be overheard.
8. Computer monitors are positioned away from public view, to avoid observation by visitors.
9. Confidential patient information is discarded in the appropriate secure container or shredded.
Simple Rules
10. Screens of unattended computers are returned to the logon screen or have a password enabled screen saver. Staff understands their ID and password are confidential and never shares them, or the use of their workstation while logged in.
11. On desks in public areas, chart holders or nurses’ stations, documents with confidential patient information are face down or concealed, avoiding observation by patients or visitors.
12. Paper records and medical charts are stored or filed in such a way as to avoid observation by patients or visitors, or casual access by unauthorized staff.
Simple Rules
13. Answering machine volume is turned down so information being left cannot be overheard by other staff or visitors. Voice mail passwords are not the default settings or the last four digits of your phone number.
14. Patient lists, including scheduled procedures, with information beyond room assignments are not readily visible to patients or visitors.
15. Staff feel comfortable, and obligated, to report misuse of confidential patient information to their supervisor, knowing there will be no retaliation.
16. All supervisors regularly review institutional policies that are applicable to their work assignments with their staff, to ensure that current practices and procedures protect patient privacy.
Simple Rules
17. Only authorized staff have access to confidential patient information, and they access and use only the minimum amount necessary to accomplish their duties. All staff wear the appropriate nametag at all times.
18. For units that are not staffed 24 hours, patient records are filed in locking storage cabinets or rooms that are locked.
19. Visitors and patients are appropriately escorted to ensure they do not access staff areas, dictating rooms, chart storage, etc. Persons not recognized in restricted areas are challenged for identification.