Title: THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT HIPAA PRIVACY RULE
THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) PRIVACY RULE
April Nelson, Office of the Solicitor, Department of Labor
THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
- Congressional purpose: efficiency and simplicity in health care system communications
- Required the U.S. Department of Health and Human Services (HHS) to adopt national standard formats for transmitting health information electronically
THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) (continued)
- Recognized that transmitting health information more easily and efficiently among various computer systems could lead to loss of privacy
- Required federal privacy protections for individually identifiable health information
PRIVACY RULE (THE RULE)
- Standards for privacy of individually identifiable health information
- Created by HHS under the authority of HIPAA
- Published in the Code of Federal Regulations (CFR) at 45 CFR Part 160 and Part 164, Subparts A and E
- The Rule's federal privacy standards do not replace other federal, state, or local laws if those laws provide more privacy
- Most entities covered by the Rule must be in compliance by April 14, 2003
WHAT TYPE OF ENTITY IS COVERED UNDER THE RULE?
- 45 CFR 160.103
- Health plans
- Health care clearinghouses
- Health care providers who transmit any health information in electronic form in connection with a covered transaction
WHAT IS A COVERED TRANSACTION?
- Any information transmitted electronically that HHS requires to be formatted in a standardized way
- HIPAA requires HHS to adopt standards for the following types of electronic information transmissions:
- Health care claims or equivalent encounter information
- Health claim attachments
- Enrollment and disenrollment in a health plan
- Eligibility for a health plan
WHAT IS A COVERED TRANSACTION? (continued)
- Health care payment and remittance advice
- Health plan premium payments
- First report of injury
- Health claim status
- Referral certification and authorization
WHAT IS A COVERED TRANSACTION? (continued)
- HHS has published standards for most of these transactions; other standards will follow
- If an entity sends any of these types of information electronically, it is a covered entity
- Covered entities must comply with the Rule as to all their individually identifiable health information, even if most of that information is kept or transmitted on paper
WHAT IS AN ENTITY?
- A single legal organization or person
- A single legal entity whose business activities include both covered and non-covered functions can choose to be a hybrid entity
- A hybrid entity designates in writing the portion of its business that conducts health care functions as the health care component
- When a hybrid entity designates a health care component, only the health care component must follow most aspects of the Rule
WHAT IS AN ENTITY? (continued)
- The non-health care component of a hybrid entity must ensure that the health care component complies with the Privacy Rule and Security Standards (45 CFR 164.105)
- If the non-health care component transmits electronic protected health information (PHI) on behalf of the health care component, it must comply with the Security Standards
- If a center primary contractor has one or more employees employed in the health and wellness center (HWC) at least part-time, the center contractor could choose to designate that portion of the business as the health care component
CAN A HWC BE ANY OTHER TYPE OF COVERED ENTITY?
- A HWC could be any of the following:
- A designated health care component, operated by employees of the prime center contractor. Only the designated component must comply with most parts of the Rule.
- A non-designated component, operated by employees of the primary contractor. The entire contractor must comply with all parts of the Rule.
- A separate legal entity, operated entirely by subcontract. Only the HWC is covered by the Rule; however, if a larger entity staffs the HWC, the entire larger entity is a covered entity.
CAN A HWC BE ANY OTHER TYPE OF COVERED ENTITY? (continued)
- A HWC could be a combination of these covered organizational structures, in which case it is an organized health care arrangement (45 CFR 160.103)
- Everyone working for the HWC must comply with the privacy procedures implemented for that HWC, even if some of those people also perform other functions on or off center (they cannot use PHI in those other functions unless the use complies with the HWC privacy policies)
- However, if a HWC staff person works for an entity that needs to use student PHI in a way not covered in the HWC privacy policies, those uses independently must comply with the Rule
BUSINESS ASSOCIATES
- 45 CFR 106.103
- A person or entity that performs certain functions involving PHI in service to a covered entity
- Examples of functions that may be performed by business associates include data analysis, claims processing, quality assurance, utilization review, practice management, and legal assistance
- A covered entity may share PHI with a business associate with which it has a written agreement that describes and protects the information to be shared (see 45 CFR 164.504(e) for the required contents of a written agreement)
BUSINESS ASSOCIATES (continued)
- Test: is the entity performing a function or activity on behalf of the covered entity?
- Another part of the same legal entity is not a business associate
- Job Corps national and regional offices are not business associates
- Members of an organized health care arrangement are not business associates of each other
BUSINESS ASSOCIATES (continued)
- Another health care provider with whom PHI is shared in order to treat a student is not a business associate (examples: laboratories, pharmacists, specialists, off-center hospitals)
WHAT MUST COVERED ENTITIES DO TO COMPLY WITH THE PRIVACY RULE?
- Not use or disclose PHI except the minimum necessary as permitted or required by the Rule
- Notify patients about their privacy rights and how their information can be used
- Ask patients to authorize any uses/disclosures that are not otherwise permitted under the Rule
- Adopt and implement privacy procedures
- Train employees on those privacy procedures
- Secure patient records so that they are not readily available to persons who do not need them
HOW DO COVERED ENTITIES NOTIFY PATIENTS?
- 45 CFR 164.520
- Written notice of privacy practices (Notice)
- Notice must be titled "This Notice Describes How Medical Information About You May Be Used and Disclosed and How You Can Get Access to This Information. Please Review It Carefully."
HOW DO COVERED ENTITIES NOTIFY PATIENTS? (continued)
- Notice must contain:
- A description, including one example, of the types of uses and disclosures allowed for treatment, payment, and health care operations (TPO)
- A description of all other purposes for which the Rule does not require a written authorization (see 45 CFR 164.510 and 164.512)
- A statement that other uses and disclosures will be made only with the patient's written authorization, which may be revoked at any time
- Separate statements about appointment reminders and certain other uses (45 CFR 164.520(b)(1)(iii))
HOW DO COVERED ENTITIES NOTIFY PATIENTS? (continued)
- A statement of the patient's rights to:
- Request certain restrictions
- Have confidential communications
- Inspect and copy PHI
- Amend PHI
- Receive an accounting of disclosures
- Obtain a paper copy of the Notice
HOW DO COVERED ENTITIES NOTIFY PATIENTS? (continued)
- A statement of the covered entity's duties:
- Maintain PHI
- Maintain privacy and provide notice of its duties and privacy practices
- Abide by the terms of the Notice currently in effect
- Can reserve the right to change the Notice
- A statement that the individual may complain to the entity and to the Secretary of HHS without retaliation
- A description of how to file a complaint
- A contact name or title, with phone number, for more information
- An effective date of the Notice (cannot be retroactive)
HOW DO COVERED ENTITIES NOTIFY PATIENTS? (continued)
- Covered providers with a direct treatment relationship must provide the Notice to the patient at the first service delivery after April 14, 2003, and obtain written acknowledgement of receipt (or document a good-faith effort)
- Covered providers must have the Notice available at the service delivery site for distribution upon request
- Covered providers must post the Notice on-site in a prominent location
HOW DO COVERED ENTITIES NOTIFY PATIENTS? (continued)
- Revisions: providers must make a revised Notice available upon request and post the revised Notice (it is not necessary to ask each patient to sign another Notice)
- Covered entities must document compliance with these notice requirements by retaining, for 6 years, copies of each Notice issued, written acknowledgements of receipt, and documentation of good-faith efforts to obtain acknowledgements
HOW DO COVERED ENTITIES NOTIFY PATIENTS? (continued)
- The National Office of Job Corps created a prototype Notice to help the HWCs comply with the notice requirements. This prototype Notice may be insufficient to meet the legal requirements of any given covered entity, and centers should revise it ASAP if necessary.
HOW DO COVERED ENTITIES OBTAIN AUTHORIZATION FOR OTHER USES OF PHI?
- 45 CFR 164.508
- A covered entity may use PHI in ways not otherwise permitted by the Rule if the patient has signed an authorization
- The authorization must be written in plain language
- The patient gets a copy of the signed authorization
HOW DO COVERED ENTITIES OBTAIN AUTHORIZATION FOR OTHER USES OF PHI? (continued)
- A valid authorization must contain the following elements:
- A description of the information to be used or disclosed
- The name or other specific identification of the person or class of persons authorized to make the disclosure
- The name or other specific identification of the person or class of persons to whom the disclosure may be made
- A description of each purpose of the requested disclosure
- An expiration date or expiration event
- Signature of patient (or personal representative) and date
- Statement of the right to revoke, with exceptions
- Statement of the consequences, if any, of refusing to sign
- Statement of the potential for information to be redisclosed
HOW DO COVERED ENTITIES OBTAIN AUTHORIZATION FOR OTHER USES OF PHI? (continued)
- Covered entities generally may not condition treatment on whether a patient signs an authorization. However, the Job Corps National Office is not a covered entity and may require an Authorization as a condition of enrollment in the Job Corps program.
- Because certain uses of student health information are needed for Job Corps programmatic functioning nationwide, the Job Corps National Office created a standard Authorization that applicants are required to sign as a condition of enrollment.
HOW DO COVERED ENTITIES ADOPT AND IMPLEMENT PRIVACY PROCEDURES?
- 45 CFR 164.530
- Designate the following personnel:
- Privacy official responsible for developing and implementing privacy policies and procedures
- Contact person or office for receiving complaints and providing more information
HOW DO COVERED ENTITIES ADOPT AND IMPLEMENT PRIVACY PROCEDURES? (continued)
- Document and comply with policies, procedures, and designations. The Rule contains requirements for subjects such as the following:
- Hybrid entity, health care component, and/or organized health care arrangement designations
- How the entity will establish administrative, technical, and physical safeguards to protect the privacy of PHI, including the minimum necessary protocols for:
- Internal use
- Routine, recurring, non-routine, and non-recurring disclosures
- Handling requests for disclosure
- Requesting information from other entities
HOW DO COVERED ENTITIES ADOPT AND IMPLEMENT PRIVACY PROCEDURES? (continued)
- How the entity will train all members of its workforce
- How the entity will manage complaints
- How the entity will sanction employees who violate policy
- How the entity will mitigate unlawful uses of PHI
- A statement of the entity's non-retaliation policy
- How the entity will obtain verbal agreement or objection for directory listings and other uses under 45 CFR 164.510
- How the entity will document policies/procedures, personnel selections, training, complaints, sanctions applied, Notices (including revisions), Authorizations, etc., and how the entity will ensure documents are retained for 6 years
HOW DO COVERED ENTITIES ADOPT AND IMPLEMENT PRIVACY PROCEDURES? (continued)
- How the entity will document disclosures and provide accountings (45 CFR 164.528)
- An individual has a right to receive a written accounting of disclosures of PHI made in the 6 years prior to the date of the request
- For each disclosure, the accounting must include:
- The date of the disclosure
- The name (and address if known) of the entity/person receiving the PHI
- A brief description of the PHI
- A brief statement of the purpose for disclosure
- The accounting must be provided within 60 days of the request (a 30-day extension is possible)
HOW DO COVERED ENTITIES ADOPT AND IMPLEMENT PRIVACY PROCEDURES? (continued)
- The entity must retain for 6 years:
- Its disclosure documentation policy
- All written accountings provided
- Documentation of the titles of the persons or offices responsible for receiving and processing requests for an accounting
- The following types of disclosures do not need to be included in an accounting or documented:
- For TPO
- To individuals about themselves
- "Incident to" an allowed disclosure
- Under an Authorization
- For a facility's directory or for certain care or notification purposes (45 CFR 164.510)
- For national security/intelligence purposes
HOW DO COVERED ENTITIES ADOPT AND IMPLEMENT PRIVACY PROCEDURES? (continued)
- To correctional institutions/other custodial situations
- As part of a "limited data set" (excludes identifiers) for research, public health, or health care operations
- That occurred prior to April 14, 2003
- Some examples of disclosures (oral or written) that should be documented and included in an accounting include the following:
- Notifying CDC or a state/local health authority about a condition
- Sharing information with law enforcement personnel
- Disclosing information in response to a subpoena
THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) (known as the PRIVACY RULE)
Barbara Grove, National Nurse Consultant
PRIVACY RULE REQUIREMENTS
- Students or parents/legal guardians sign an Authorization that describes, in writing, the uses and disclosures of their protected health information, except for uses related to treatment, payment, and health care operations, and other uses permitted or required by law
PRIVACY RULE REQUIREMENTS (continued)
- Students must be provided with a written Notice about how their medical information may be used and disclosed without their written consent
- A Supplemental Authorization must be completed for disclosure of protected health information not covered in the Authorization
PRIVACY RULE REQUIREMENTS (continued)
- All disclosures must be maintained for 6 years
- Students and separated students may request, at any time, an accounting of disclosures going back 6 years
THE AUTHORIZATION ALLOWS SHARING
- Information about students' physical and mental health, including any diagnosis and any recommended accommodations or modifications, with the center director
- Information about certain health conditions with the academic, vocational, and career counseling staff: conditions that may be aggravated by the activities being supervised or conducted
THE AUTHORIZATION ALLOWS SHARING (continued)
- Information with career transition staff to meet health needs after Job Corps
- Information with residential living staff (including counselors), TEAP specialist, and mental health staff for the purposes of meeting students' health needs
- Information with food service about dietary needs, including food allergies
THE AUTHORIZATION ALLOWS SHARING (continued)
- Information with residential living staff about medications, allergies, and medical (including mental) conditions that may warrant emergency or other immediate care
- Information with safety and security staff, including federal safety officers, about illegal drug use or alcohol abuse
- Information with recreational staff about allergies, asthma, or other health conditions
THE AUTHORIZATION ALLOWS SHARING (continued)
- Information with student records and data management staff regarding leaves or medical separations
- Information about illegal use of drugs to staff that need to know
- Information at the student's or parent/legal guardian's request
THE AUTHORIZATION ALLOWS SHARING (continued)
- Information with Job Corps center or DOL personnel or contractors for the purposes of resolving grievances
- Information for other routine uses, such as with social services to provide Medicaid coverage
NOTICE
- Describes how medical information may be used and disclosed without consent, and how to obtain access to this information
- Is given to students on their first visit to the health and wellness center
- Is sent to the parent or legal guardian of those students under the age of majority
NOTICE (continued)
- Must be posted in the Health and Wellness areas and in off-center offices of center health providers, such as doctors, mental health consultants, and dentists
OTHER INFORMATION THAT MAY BE SHARED WITHOUT CONSENT
- Required by law for certain public health activities
- To government authorities about individuals that may be victims of abuse, neglect, or domestic violence
- For health oversight activities, including audits
- In certain court proceedings
- For law enforcement purposes
- With coroners, medical examiners
OTHER INFORMATION THAT MAY BE SHARED WITHOUT CONSENT (continued)
- To allow authorized organ or tissue donations
- For certain approved limited research
- To avert serious threats to health and safety
- For workers' compensation purposes
- For certain government functions including national security
AC RESPONSIBILITIES
- Read the prepared script to the student/parent/guardian
- Provide a copy of the Privacy Rule Information pamphlet to the student or parent/legal guardian
- Explain the Authorization (available on OASIS)
- Refer the applicant to the health and wellness manager of the receiving center if the applicant has questions; if a center has not been identified, refer to the national nurse consultant
AC RESPONSIBILITIES (continued)
- Have the applicant or parent/legal guardian sign the Authorization
- Provide the applicant a copy of the signed Authorization
- Forward the Authorization to the receiving center prior to the applicant's arrival (if the center does not have the Authorization, departure must be delayed)
HEALTH AND WELLNESS STAFF RESPONSIBILITIES
- Post the Notice in the health and wellness center
- Have the center physician, center mental health consultant, and center dentist post the Notice, if services are provided off center
- Develop center procedures (COPs) regarding the Privacy Rule
HEALTH AND WELLNESS STAFF RESPONSIBILITIES (continued)
- Ensure that ALL students on center have a signed Authorization and Notice in their medical folders, or an explanation why the Notice was not signed
- Ensure that there is a signed Authorization for each applicant BEFORE the student arrives
- Notify the center director and AC if an Authorization is not available; request delay of departure if the Authorization cannot be forwarded to the center prior to the student's arrival
HEALTH AND WELLNESS STAFF RESPONSIBILITIES (continued)
- Give and explain the Notice to the student during the student's first visit to the health and wellness center; make additional copies of the Notice available for student requests
- Send a copy to the parent/legal guardian for students under the age of majority and request that the Notice be returned signed. However, a signature is not mandatory. If a signed Notice is not received, document in the medical folder that the Notice was sent to the parent/legal guardian.
HEALTH AND WELLNESS STAFF RESPONSIBILITIES (continued)
- If 18 or older, have the student sign the Notice; signing is not mandatory, but document that the Notice was given and the student declined to sign
- File both the signed Authorization and Notice in the student's medical folder
- Conduct training on the Privacy Rule with all new health and wellness staff within 90 days of hiring and annually with all health and wellness staff
STUDENTS MAY
- Revoke the Authorization at any time by submitting a request, in writing, to the center director; however, revocation may be grounds for dismissal
- Review information in their medical folders
- Request that information be changed if it is incorrect or incomplete
- Request restrictions on disclosing protected health information
- Submit complaints to the privacy officer or to the Office of Civil Rights, Department of Health and Human Services
PARENTS/LEGAL GUARDIANS MAY
- Submit a written request to revoke the Authorization; however, a revocation may result in dismissal
- Have access to records unless prohibited by state laws
CENTER DIRECTOR RESPONSIBILITIES
- Ensure that the Privacy Rule policy and procedures are enforced (legal counsel is advised)
- Ensure that ALL students on center have a Notice and signed Authorization in their medical folder
- Designate a privacy officer to develop and implement Privacy Rule policies and procedures
CENTER DIRECTOR RESPONSIBILITIES (continued)
- Designate a contact person (can be the same person as the privacy officer) responsible for receiving complaints and providing further information to students
- Review and grant written requests to revoke the Authorization
CONTRACTOR AND SUBCONTRACTOR RESPONSIBILITIES
- Ensure that the centers are compliant with the Privacy Rule; legal counsel is advised
- Implement employee disciplinary policies for violations
- Keep an accounting of disclosures
CONTRACTOR AND SUBCONTRACTOR RESPONSIBILITIES (continued)
- Determine whether the Authorization and Notice are sufficient coverage for the center's actual information practices
- Modify the Authorization and Notice or change center practices, if needed
SUPPLEMENTAL AUTHORIZATION
- If additional health information is required regarding an applicant, ACs MUST use a Supplemental Authorization that contains the elements of 45 CFR (example available at www.jobcorpshealth.com)
- The Supplemental Authorization must be written in plain language, and a copy of the signed Authorization must be given to the student
SUPPLEMENTAL AUTHORIZATION (continued)
- Elements required in 45 CFR 164.508 include:
- Description of the information to be shared
- Identification of the person(s) authorized to make the requested use or disclosure
- Identification of the person(s) with whom the information may be shared
- Description of each purpose for sharing the information
- Expiration date
SUPPLEMENTAL AUTHORIZATION (continued)
- Must be signed by student or parent/legal guardian
- Must describe how an individual can revoke the Supplemental Authorization
- Must state that the health and wellness center may not condition treatment on whether the student signs the Authorization
- Must identify potential for redisclosure of shared information
DISCLOSURE DOCUMENTATION
- All disclosures other than those outlined in the Authorization must be documented and maintained for 6 years
- Disclosure documentation should include:
- Date of disclosure
- Name and address of the person or entity receiving the disclosure
- Brief statement of purpose
- Brief description of the information disclosed
- Copies (paper or electronic) of the complete disclosure must be kept for 6 years
- Students and former students may request an accounting of disclosures for a period covering 6 years
DISCLOSURE DOCUMENTATION (continued)
- Centers must respond to requests for an accounting within 60 days
- One 30-day extension can be obtained if it is stated, in writing, to the requester, including the reasons for the delay and the date the information will be sent
- The first disclosure accounting in any given 12-month period is free; the center may impose a reasonable cost-based fee for additional disclosure information within the 12-month period
EXCLUDED FROM AN ACCOUNTING
- Treatment, payment, and health care operations
- Made to an individual about themselves
- Incident to another disclosure permitted by the Privacy Rule (as when someone accidentally overhears a permitted conversation)
EXCLUDED FROM AN ACCOUNTING (continued)
- For national security or intelligence purposes
- To correctional institutions or other law enforcement in custodial situations
- Occurred prior to April 14, 2003
- Covered in the Authorization signed at the AC's office or covered by another situation
PENALTIES FOR NON-COMPLIANCE
- HHS can impose:
- Civil money penalties on a covered entity of $100/violation, not to exceed $25K/year for multiple violations of the same Privacy Rule requirement in a calendar year
- Criminal penalties for knowingly obtaining/disclosing protected health information, with a fine of $50K and up to 1 year imprisonment
- $100K and 5 years imprisonment for collecting protected health information under false pretenses
- $250K and 10 years imprisonment for the sale, transfer, or use of protected health information for commercial advantage, personal gain, or malicious use
RESOURCES
- Health and Human Services HIPAA Website: http://www.hhs.gov/ocr/hipaa/
- Health and Human Services HIPAA Administrative Simplification Site: http://www.cms.hhs.gov/hipaa/hipaa2/default.asp
- National Archives and Records Administration Electronic Code of Federal Regulations: http://www.access.gpo.gov/nara/cfr/cfrhtml_00/Title_45/45cfrv1_00.html
RESOURCES (continued)
- Job Corps Health Website: http://www.jobcorpshealth.com/
- Barbara Grove, National Nurse Consultant, (202) 693-3116, bgrove_at_doleta.gov