THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT HIPAA PRIVACY RULE

1
THE HEALTH INSURANCE PORTABILITY AND
ACCOUNTABILITY ACT (HIPAA) PRIVACY RULE
April Nelson Office of the Solicitor Department
of Labor
2
THE HEALTH INSURANCE PORTABILITY AND
ACCOUNTABILITY ACT OF 1996 (HIPAA)

• Congressional purposeEfficiency and simplicity
  in health care system communications
• Required the U.S. Department of Health and Human
  Services (HHS) to adopt national standard formats
  for transmitting health information
  electronically

3
THE HEALTH INSURANCE PORTABILITY AND
ACCOUNTABILITY ACT OF 1996 (HIPAA) (continued)

• Recognized that transmitting health information
  more easily and efficiently among various
  computer systems could lead to loss of privacy
• Required federal privacy protections for
  individually identifiable health information

4
PRIVACY RULE (THE RULE)

• Standards for privacy of individually
  identifiable health information
• Created by HHS under the authority of HIPAA
• Published in the Code of Federal Regulations
  (CFR) at 45 CFR Part 160 and Part 164 A and E
• The Rule's federal privacy standards do not
  replace other federal, state, or local laws if
  those laws provide more privacy
• Most entities covered by the Rule must be in
  compliance by April 14, 2003

5
WHAT TYPE OF ENTITY IS COVERED UNDER THE RULE?

• 45 CFR 160.103
• Health plans
• Health care clearinghouses
• Health care providers who transmit any health
  information in electronic form in connection with
  a covered transaction

6
WHAT IS A COVERED TRANSACTION?

• Any information transmitted electronically that
  HHS requires to be formatted in a standardized
  way
• HIPAA requires HHS to adopt standards for the
  following types of electronic information
  transmissions
• Health care claims or equivalent encounter
  information
• Health claim attachments
• Enrollment and disenrollment in a health plan
• Eligibility for a health plan

7
WHAT IS A COVERED TRANSACTION? (continued)

• Health care payment and remittance advice
• Health plan premium payments
• First report of injury
• Health claim status
• Referral certification and authorization

8
WHAT IS A COVERED TRANSACTION?(continued)

• HHS has published standards for most of these
  transactions other standards will follow
• If an entity sends any of these types of
  information electronically, it is a covered
  entity
• Covered entities must comply with the Rule as to
  all their individually identifiable health
  information even if most of that information is
  kept or transmitted on paper

9
WHAT IS AN ENTITY?

• A single legal organization or person
• A single legal entity whose business activities
  include both covered and non-covered functions
  can choose to be a hybrid entity
• A hybrid entity designates in writing the portion
  of its business that conducts health care
  functions as the health care component
• When a hybrid entity designates a health care
  component, only the health care component must
  follow most aspects of the Rule

10
WHAT IS AN ENTITY? (continued)

• The non-health care component of a hybrid entity
  must ensure that the health care component
  complies with the Privacy Rule and Security
  Standards (45 CFR 164.105)
•  
• If the non-health care component transmits
  electronic protected health information (PHI) on
  behalf of the health care component, it must
  comply with the Security Standards
• If a center primary contractor has one or more
  employees employed in the health and wellness
  center (HWC) at least part-time, the center
  contractor could choose to designate that portion
  of the business as the health care component

11
CAN A HWC BE ANY OTHER TYPE OF COVERED ENTITY?

• A HWC could be any of the following
• A designated health care componentoperated by
  employees of the prime center contractor. Only
  the designated component must comply with most
  parts of the Rule.
• A non-designated componentoperated by employees
  of the primary contractor. The entire contractor
  must comply with all parts of the Rule.
• A separate legal entityoperated entirely by
  subcontract. Only the HWC is covered by the
  Rule however, if a larger entity staffs the HWC,
  the entire larger entity is a covered entity.

12
CAN A HWC BE ANY OTHER TYPE OF COVERED ENTITY?
(continued)

• A HWC could be a combination of these covered
  organizational structures, in which case it is an
  organized health care arrangement (45 CFR
  160.103)
• Everyone working for the HWC must comply with the
  privacy procedures implemented for that HWC, even
  if some of those people also perform other
  functions on or off center (cannot use PHI in
  those other functions unless it complies with the
  HWC privacy policies)
• However, if a HWC staff person works for an
  entity that needs to use student PHI in a way not
  covered in the HWC privacy policies, those uses
  independently must comply with the Rule

13
BUSINESS ASSOCIATES

• 45 CFR 106.103
• A person or entity that performs certain
  functions involving PHI in service to a covered
  entity
• Examples of functions that may be performed by
  business associates include data analysis, claims
  processing, quality assurance, utilization
  review, practice management, and legal assistance
• A covered entity may share PHI with a business
  associate with which it has a written agreement
  that describes and protects the information to be
  shared (see 45 CFR 164.504(e) for the required
  contents of a written agreement)

14
BUSINESS ASSOCIATES (continued)

• TestIs the entity performing a function or
  activity on behalf of the covered entity?
• Another part of the same legal entity is not a
  business associate
• Job Corps national and regional offices are not
  business associates
• Members of an organized health care arrangement
  are not business associates of each other

15
BUSINESS ASSOCIATES (continued)

• Another health care provider with whom PHI is
  shared in order to treat a student is not a
  business associate (Examples laboratories,
  pharmacists, specialists, off-center hospitals)

16
WHAT MUST COVERED ENTITIES DO TO COMPLY WITH THE
PRIVACY RULE?

• Not use or disclose PHI except the minimum
  necessary as permitted or required by the Rule
• Notify patients about their privacy rights and
  how their information can be used
• Ask patients to authorize any uses/disclosures
  that are not otherwise permitted under the Rule
• Adopt and implement privacy procedures
• Train employees on those privacy procedures
• Secure patient records so that they are not
  readily available to persons who do not need them

17
HOW DO COVERED ENTITIES NOTIFY PATIENTS?

• 45 CFR 164.520
• Written notice of privacy practices (Notice)
• Notice must be titled "This Notice Describes How
  Medical Information About You May Be Used and
  Disclosed and How You Can Get Access to This
  Information. Please Review It Carefully."

18
HOW DO COVERED ENTITIES NOTIFY PATIENTS?
(continued)

• Notice must contain
• A description, including one example, of the
  types of uses and disclosures allowed for
  treatment, payment, and health care operations
  (TPO)
• A description of all other purposes for which the
  Rule does not require a written authorization
  (see 45 CFR 164.510 and 164.512)
• A statement that other uses and disclosures will
  be made only with the patient's written
  authorization, which may be revoked at any time
• Separate statements about appointment reminders
  and certain other uses (45 CFR
  164.520(b)(1)(iii))

19
HOW DO COVERED ENTITIES NOTIFY PATIENTS?
(continued)

• A statement of the patient's rights to
• Request certain restrictions
• Have communications confidential
• Inspect and copy PHI
• Amend PHI
• Receive an accounting of disclosures
• Obtain a paper copy of the Notice

20
HOW DO COVERED ENTITIES NOTIFY PATIENTS?
(continued)

• A statement of the covered entitys duties
• Maintain PHI
• Maintain privacy and provide notice of its duties
  and privacy practices
• Abide by the terms of the Notice currently in
  effect
• Can reserve the right to change the Notice
• A statement that the individual may complain to
  the entity and to the Secretary of HHS without
  retaliation
• A description of how to file a complaint
• A contact name or title, with phone number, for
  more information
• An effective date of the Notice (cannot be
  retroactive)

21
HOW DO COVERED ENTITIES NOTIFY PATIENTS?
(continued)

• Covered providers with a direct treatment
  relationship must provide the Notice to the
  patient at the first service delivery after April
  14, 2003, and obtain written acknowledgement of
  receipt (or document good-faith effort)
• Covered providers must have the Notice available
  at the service delivery site for distribution
  upon request
• Covered providers must post the Notice on-site in
  a prominent location

22
HOW DO COVERED ENTITIES NOTIFY PATIENTS?
(continued)

• Revisionsproviders must make a revised Notice
  available upon request and post the revised
  Notice (not necessary to ask each patient to sign
  another Notice)
• Covered entities must document compliance with
  these notice requirements by retaining, for 6
  years, copies of each Notice issued, written
  acknowledgements of receipt, and documentation of
  good-faith efforts to obtain acknowledgements

23
HOW DO COVERED ENTITIES NOTIFY PATIENTS?
(continued)

• The National Office of Job Corps created a
  prototype Notice to help the HWCs comply with the
  notice requirements. This prototype Notice may
  be insufficient to meet the legal requirements of
  any given covered entity, and centers should
  revise it ASAP if necessary.

24
HOW DO COVERED ENTITIES OBTAIN AUTHORIZATION FOR
OTHER USES OF PHI?

• 45 CFR 164.508
• A covered entity may use PHI in ways not
  otherwise permitted by the Rule if the patient
  has signed an authorization
• The authorization must be written in plain
  language
• The patient gets a copy of the signed
  authorization

25
HOW DO COVERED ENTITIES OBTAIN AUTHORIZATION FOR
OTHER USES OF PHI? (continued)

• A valid authorization must contain the following
  elements
• A description of the information to be used or
  disclosed
• The name or other specific identification of the
  person or class of persons authorized to make the
  disclosure
• The name or other specific identification of the
  person or class of persons to whom the disclosure
  may be made
• A description of each purpose of the requested
  disclosure
• An expiration date or expiration event
• Signature of patient (or personal representative)
  and date
• Statement of the right to revoke, with exceptions
• Statement of the consequences, if any, of
  refusing to sign
• Statement of the potential for information to be
  redisclosed

26
HOW DO COVERED ENTITIES OBTAIN AUTHORIZATION FOR
OTHER USES OF PHI? (continued)

• Covered entities generally may not condition
  treatment on whether a patient signs an
  authorization. However, the Job Corps National
  Office is not a covered entity and may require an
  Authorization as a condition of enrollment in the
  Job Corps program.
• Because certain uses of student health
  information are needed for Job Corps programmatic
  functioning nationwide, the Job Corps National
  Office created a standard Authorization that
  applicants are required to sign as a condition of
  enrollment.

27
HOW DO COVERED ENTITIES ADOPT AND IMPLEMENT
PRIVACY PROCEDURES?

• 45 CFR 164.530
• Designate the following personnel
• Privacy official responsible for developing and
  implementing privacy policies and procedures
• Contact person or office for receiving complaints
  and providing more information

28
HOW DO COVERED ENTITIES ADOPT AND IMPLEMENT
PRIVACY PROCEDURES? (continued)

• Document and comply with policies, procedures,
  and designations. The rule contains requirements
  for subjects such as the following
• Hybrid entity, health care component, and/or
  organized health care arrangement designations
• How the entity will establish administrative,
  technical, and physical safeguards to protect the
  privacy of PHI including the minimum necessary
  protocols for
• Internal use
• Routine, recurring, non-routine, and
  non-recurring disclosures
• Handling request for disclosure
• Requesting information from other entities

29
HOW DO COVERED ENTITIES ADOPT AND IMPLEMENT
PRIVACY PROCEDURES? (continued)

• How the entity will train all members of its
  workforce
• How the entity will manage complaints
• How the entity will sanction employees who
  violate policy
• How the entity will mitigate unlawful uses of PHI
• A statement of the entity's non-retaliation
  policy
• How the entity will obtain verbal agreement or
  objection for directory listings and other uses
  under 45 CFR 164.510
• How the entity will document policies/procedures,
  personnel selections, training, complaints,
  sanctions applied, Notices (including revisions),
  Authorizations, etc., and how the entity will
  ensure documents are retained for 6 years

30
HOW DO COVERED ENTITIES ADOPT AND IMPLEMENT
PRIVACY PROCEDURES? (continued)

• How the entity will document disclosures and
  provide accountings (45 CFR 164.528)
• An individual has a right to receive a written
  accounting of disclosures of PHI made in the 6
  years prior to the date of the request
• For each disclosure, the accounting must include
• The date of the disclosure
• The name (and address if known) of the
  entity/person receiving the PHI
• A brief description of the PHI
• A brief statement of the purpose for disclosure
• The accounting must be provided within 60 days of
  the request (a 30-day extension is possible)

31
HOW DO COVERED ENTITIES ADOPT AND IMPLEMENT
PRIVACY PROCEDURES? (continued)

• The entity must retain for 6 years
• Its disclosure documentation policy
• All written accountings provided
• Documentation of the titles of the persons or
  offices responsible for receiving and processing
  requests for an accounting
• The following types of disclosures do not need to
  be included in an accounting or documented
• For TPO
• To individuals about themselves
• Incident to" an allowed disclosure
• Under an Authorization
• For a facility's directory or for certain care or
  notification purposes (45 CFR 164.510)
• For national security/intelligence purposes

32
HOW DO COVERED ENTITIES ADOPT AND IMPLEMENT
PRIVACY PROCEDURES? (continued)

• To correctional institutions/other custodial
  situations
• As part of a "limited data set" (excludes
  identifiers) for research, public health, or
  health care operations
• That occurred prior to April 14, 2003
• Some examples of disclosures (oral or written)
  that should be documented and included in an
  accounting include the following
• Notifying CDC or a state/local health authority
  about a condition
• Sharing information with law enforcement
  personnel
• Disclosing information in response to a subpoena

33
THE HEALTH INSURANCE PORTABILITY AND
ACCOUNTABILITY ACT (HIPAA)(known as the PRIVACY
RULE)
Barbara Grove, National Nurse Consultant
34
PRIVACY RULE REQUIREMENTS

• Students or parents/legal guardians sign an
  Authorization that describes, in writing, the
  uses and disclosures of their protected health
  information except for uses related to treatment,
  payment, and health care operations, and other
  uses permitted or required by law

35
PRIVACY RULE REQUIREMENTS (continued)

• Students must be provided with a written Notice
  about how their medical information may be used
  and disclosed without their written consent
• A Supplemental Authorization must be completed
  for disclosure of protected health information
  not covered in the Authorization

36
PRIVACY RULE REQUIREMENTS (continued)

• All disclosures must be maintained for 6 years
• Students and separated students may request, at
  any time, an accounting of disclosures going back
  6 years

37
THE AUTHORIZATION ALLOWS SHARING

• Information about students physical and mental
  health, including any diagnosis and any
  recommended accommodations or modifications with
  the center director
• Information about certain health conditions with
  the academic, vocational, and career counseling
  staffconditions that may be aggravated by the
  activities being supervised or conducted

38
THE AUTHORIZATION ALLOWS SHARING(continued)

• Information with career transition staff to meet
  health needs after Job Corps
• Information with residential living staff
  (including counselors), TEAP specialist, and
  mental health staff for the purposes of meeting
  students health needs
• Information with food service about dietary
  needs, including food allergies

39
THE AUTHORIZATION ALLOWS SHARING(continued)

• Information with residential living staff about
  medications, allergies, and medical (including
  mental) conditions that may warrant emergency or
  other immediate care
• Information with safety and security staff,
  including federal safety officers, about illegal
  drug use or alcohol abuse
• Information with recreational staff about
  allergies, asthma, or other health conditions

40
THE AUTHORIZATION ALLOWS SHARING (continued)

• Information with student records and data
  management staff regarding leaves or medical
  separations
• Information about illegal use of drugs to staff
  that need to know
• Information at the students or parent/legal
  guardians request

41
THE AUTHORIZATION ALLOWS SHARING(continued)

• Information with Job Corps center or DOL
  personnel or contractors for the purposes of
  resolving grievances
• Information for other routine uses, such as with
  social services to provide Medicaid coverage

42
NOTICE

• Describes how medical information may be used and
  disclosed without consent, and how to obtain
  access to this information
• Is given to students on their first visit to the
  health and wellness center
• Is sent to the parent or legal guardian of those
  students under the age of majority

43
NOTICE (continued)

• Must be posted in the Health and Wellness areas
  and in off-center offices of center health
  providers, such as doctors, mental health
  consultants, and dentists

44
OTHER INFORMATION THAT MAY BE SHARED WITHOUT
CONSENT

• Required by law for certain public health
  activities
• To government authorities about individuals that
  may be victims of abuse, neglect, or domestic
  violence
• For health oversight activities, including audits
• In certain court proceedings
• For law enforcement purposes
• With coroners, medical examiners

45
OTHER INFORMATION THAT MAY BE SHARED WITHOUT
CONSENT (continued)

• To allow authorized organ or tissue donations
• For certain approved limited research
• To avert serious threats to health and safety
• For workers compensation purposes
• For certain government functions including
  national security

46
AC RESPONSIBILITIES

• Read the prepared script to the student/
  parent/guardian
• Provide a copy of the Privacy Rule Information
  pamphlet to the student or parent/legal guardian
• Explain the Authorization (available on OASIS)
• Refer the applicant to the health and wellness
  manager of the receiving center if the applicant
  has questions if a center has not been
  identified, refer to the national nurse consultant

47
AC RESPONSIBILITIES (continued)

• Have the applicant or parent/legal guardian sign
  the Authorization
• Provide the applicant a copy of the signed
  Authorization
• Forward the Authorization to the receiving center
  prior to the applicants arrival (if the center
  does not have the Authorization, departure must
  be delayed)

48
HEALTH AND WELLNESS STAFF RESPONSIBILITIES

• Post the Notice in the health and wellness center
• Have the center physician, center mental health
  consultant, and center dentist post the Notice,
  if services are provided off center
• Develop center procedures (COPs) regarding the
  Privacy Rule

49
HEALTH AND WELLNESS STAFF RESPONSIBILITIES
(continued)

• Ensure that ALL students on center have a signed
  Authorization and Notice in their medical folders
  or an explanation why the Notice was not signed
• Ensure that there is a signed Authorization for
  each applicant BEFORE the student arrives
• Notify the center director and AC if an
  Authorization is not available request delay of
  departure if the Authorization cannot be
  forwarded to the center prior to the students
  arrival

50
HEALTH AND WELLNESS STAFF RESPONSIBILITIES
(continued)

• Give and explain the Notice to the student during
  the students first visit to the health and
  wellness center make additional copies of the
  Notice available for student requests
• Send a copy to the parent/legal guardian for
  students under the age of majority and request
  that the Notice be returned signed. However, a
  signature is not mandatory. If a signed Notice is
  not received, document in the medical folder that
  the Notice was sent to the parent/legal guardian.

51
HEALTH AND WELLNESS STAFF RESPONSIBILITIES
(continued)

• If 18 or older, have the student sign the Notice
  signing is not mandatory, but document that the
  Notice was given and the student declined to sign
• File both the signed Authorization and Notice in
  the students medical folder
• Conduct training on the Privacy Rule with all new
  health and wellness staff within 90 days of
  hiring and annually to all health and wellness
  staff

52
STUDENTS MAY

• Revoke the Authorization at anytime by submitting
  a request, in writing, to the center director
  however, revocation may be grounds for dismissal
• Review information in their medical folders
• Request that information be changed if it is
  incorrect or incomplete
• Request restrictions on disclosing protected
  health information
• Submit complaints to the privacy officer or to
  the Office of Civil Rights, Department of Health
  and Human Services

53
PARENTS/LEGAL GUARDIANS MAY

• Submit a written request to revoke the
  Authorization however, a revocation may result
  in dismissal
• Have access to records unless prohibited by state
  laws

54
CENTER DIRECTOR RESPONSIBILITIES

• Ensure that the Privacy Rule policy and
  procedures are enforced (legal counsel is
  advised)
• Ensure that ALL students on center have a Notice
  and signed Authorization in their medical folder
• Designate a privacy officer to develop and
  implement Privacy Rule policies and procedures

55
CENTER DIRECTOR RESPONSIBILITIES (continued)

• Designate a contact person (can be the same
  person as the privacy officer) responsible for
  receiving complaints and providing further
  information to students
• Review and grant written requests to revoke the
  Authorization

56
CONTRACTOR AND SUBCONTRACTOR RESPONSIBILITIES

• Ensure that the centers are compliant with the
  Privacy Rule legal counsel is advised
• Implement employee disciplinary policies for
  violations
• Keep an accounting of disclosures

57
CONTRACTOR AND SUBCONTRACTOR RESPONSIBILITIES
(continued)

• Determine whether the Authorization and Notice
  are sufficient coverage for the centers actual
  information practices
• Modify the Authorization and Notice or change
  center practices, if needed

58
SUPPLEMENTAL AUTHORIZATION

• If additional health information is required
  regarding an applicant, ACs MUST use a
  Supplemental Authorization that contains the
  elements of 45 CFR (example available at
  www.jobcorpshealth.com)
• The Supplemental Authorization must be written in
  plain language and a copy of the signed
  Authorization must be given to the student

59
SUPPLEMENTAL AUTHORIZATION (continued)

• Elements required in 45 CFR 164.508 include
• Description of the information to be shared
• Identification of the person(s) authorized to
  make the requested use or disclosure
• Identification of the person(s) with whom the
  information may be shared
• Description of each purpose for sharing the
  information
• Expiration date

60
SUPPLEMENTAL AUTHORIZATION (continued)

• Must be signed by student or parent/legal
  guardian
• Must describe how an individual can revoke the
  Supplemental Authorization
• Must state that the health and wellness center
  may not condition treatment on whether the
  student signs the Authorization
• Must identify potential for redisclosure of
  shared information

61
DISCLOSURE DOCUMENTATION

• All disclosures other than outlined in the
  Authorization must be documented and maintained
  for 6 years
• Disclosure documentation should include
• Date of disclosure
• Name and address of the person or entity
  receiving the disclosure
• Brief statement of purpose
• Brief description of the information disclosed
• Copies (paper or electronic) of the complete
  disclosure must be kept for 6 years
• Students and former students may request an
  accounting of disclosures for a period covering 6
  years

62
DISCLOSURE DOCUMENTATION (continued)

• Centers must respond to requests for an
  accounting within 60 days
• One 30-day extension can be obtained if it is
  stated, in writing, to the requester, including
  the reasons for the delay and the date the
  information will be sent
• The first disclosure accounting in any given
  12-month period is free the center may impose a
  reasonable cost-based fee for additional
  disclosure information with the 12-month period

63
EXCLUDED FROM AN ACCOUNTING

• Treatment, payment, and health care operations
• Made to an individual about themselves
• Incident to another disclosure permitted by the
  Privacy Rule (as when someone accidentally
  overhears a permitted conversation)

64
EXCLUDED FROM AN ACCOUNTING (continued)

• For national security or intelligence purposes
• To correctional institutions or other law
  enforcement in custodial situations
• Occurred prior to April 14, 2003
• Covered in the Authorization signed at the ACs
  office or covered by another situation

65
Penalties for Non-Compliance

• HHS can impose
• Civil money penalties on a covered entity of
  100/violation not to exceed 25K/year for
  multiple violations of the same Privacy Rule
  requirement in a calendar year
• Criminal penalties for knowingly
  obtaining/disclosing protected health information
  with a fine of 50K and up to 1 year imprisonment
• 100K and 5 years imprisonment for collecting
  protected health information under false
  pretenses
• 250K and 10 years imprisonment for the sale,
  transfer, or use of protected health information
  for commercial advantage, personal gain, or
  malicious use

66
RESOURCES

• Health and Human Services HIPAA Website
• http//www.hhs.gov/ocr/hipaa/
• Health and Human Services HIPAA Administrative
  Simplification Site
• http//www.cms.hhs.gov/hipaa/hipaa2/defa
• ult.asp
• National Archives and Records Administration
  Electronic Code of Federal Regulations
  http//www.access.gpo.gov/nara/cfr/cfrhtml_00/Titl
  e_45/45cfrv1_00.html

67
RESOURCES (continued)

• Job Corps Health Website
• http//www.jobcorpshealth.com/
• Barbara Grove, National Nurse Consultant,
• (202) 693-3116, bgrove_at_doleta.gov