HIPAA Privacy Regulations - PowerPoint PPT Presentation

About This Presentation
Title:

HIPAA Privacy Regulations

Description:

This presentation is for educational purposes and should not be considered legal ... Estimated average 150 people have access ... Describes complaint procedure ... – PowerPoint PPT presentation

Slides: 26
Provided by: LUH63

Transcript and Presenter's Notes


1
HIPAA Privacy Regulations
  • Mary H. (Monnie) Lindsay
  • Assistant General Counsel
  • Mlindsa_at_lumc.edu
  • 708/216-3708
  • 2/26/01

2
Why These New Regulations?
  • Congress perceived
  • Increased public concern about privacy
  • Increased use of interconnected electronic
    information systems
  • Advances in genetic sciences
  • Estimated average 150 people have access to
    a patient's medical record

3
Major HIPAA Requirements
  • Protected Health Information
  • Consent
  • Authorization
  • Notice of Privacy
  • Minimum Necessary Disclosure
  • Patients' Rights
  • Business Associates

4
Protected Health Information (PHI)
  • Information created or received by a health care
    provider, health plan, and others which relates
    to
  • A person's physical or mental health and the
    provision of health care to them or
  • Payment for health care and
  • Identifies the person or could reasonably be used
    to identify the person
  • Oral, written or electronic
  • Applies to current as well as past information

5
Consent
  • LUMC and LUPF must obtain patient consent prior
    to carrying out
  • Treatment
  • Payment
  • Healthcare operations
  • Does not replace informed consent for treatment

6
Consent - Exceptions
  • Indirect treatment relationship
  • Emergency
  • Required by law
  • Not possible to obtain consent due to substantial
    communication barriers

7
General Rule for Patient Consent
  • In simple language and revocable
  • Inform patient re use of information
  • Reference Notice of Privacy practices
  • Inform patient of right to request restrictions
  • Be signed and dated

8
Additional Consent Issues
  • Treatment may be conditioned on obtaining consent
  • Privacy protections apply to deceased patients
  • Personal representatives count as the patients
  • LUMC and LUPF may do a joint consent

9
Authorizations
  • Authorization required for any use or disclosure
    of PHI not covered by a consent, unless covered
    by an exception
  • Primarily for release of PHI outside LUMC
  • Cannot condition treatment on the receipt of an
    authorization

10
Requirements for Patient Authorizations
  • Specific description in simple language
  • Who is authorized to release the PHI
  • Who may receive the PHI
  • Patient's right to revoke
  • Inform patient that once released, the
    information may no longer be subject to the
    privacy rules
  • Expiration date, signature, date, and copy

11
Uses and Disclosures Requiring Opportunity for
Individual to Agree or Object
  • Patient must be given advance notice and be given
    an opportunity to agree or object
  • Facility directories
  • Name, location in LUMC, general condition,
    religious affiliation
  • Emergency exception
  • Family members or others involved with the
    patient's care or treatment

12
Disclosures Where Patient Authorization Is Not
Required
  • Required by law
  • Public health activities
  • Victims of abuse, neglect, domestic violence
  • Health oversight activities
  • Judicial and administrative proceedings
  • Law enforcement purposes
  • Funeral directors, coroners, and medical examiners

13
Disclosures Where Patient Authorization Is Not
Required (Cont'd)
  • Organ, eye, tissue donation
  • Research if waiver of authorization approved by
    IRB
  • Serious threat to health or safety
  • Government functions: Armed Forces, national
    security, correctional institutions
  • Workers' compensation

14
Marketing Communications
  • LUMC/LUPF may use PHI for some marketing
  • Authorization is not required if
  • Face to face with the patient
  • Nominal products/services
  • Health-related products/services of LUMC/LUPF
  • Must allow patient to opt-out of receiving
    future communications (unless marketing occurs
    through general newsletter)
  • Special requirements for targeted marketing based
    on patient's specific condition

15
Fundraising Communications
  • Authorization is not required if
  • Fundraising is for LUMC only
  • Only demographic information and dates of care
    are used
  • Plans for fundraising communications must be
    referenced in general Notice of Privacy Practices
  • Allow individual to opt-out of receiving future
    communications and the opt-out is honored

16
Minimum Information Necessary
  • Must reasonably ensure that we do not request,
    use or disclose more than the minimum amount of
    PHI necessary to accomplish the purpose of the
    disclosure
  • Does not apply to providers for treatment
  • Develop criteria to limit disclosures
  • Review requests for disclosures on an individual
    basis
  • For recurring requests, may develop standard
    protocols
  • Identify which employees require which items of
    PHI. Limit access accordingly

17
Notice of Privacy Practices
  • Describes uses and disclosures that LUMC/LUPF may
    make using examples
  • Educates the patient as to his/her privacy rights
  • Educates the patient regarding LUMC's and LUPF's
    duties with respect to PHI
  • Reserves LUMC/LUPF's right to change the notice
  • Describes complaint procedure

18
Notice of Privacy Practices (Cont'd)
  • Additional Requirements
  • LUMC/LUPF are required to follow the current
    notice
  • Posted or on web
  • Available with first appointment
  • LUPF and LUMC joint notice

19
Patients' Rights
  • Request restrictions
  • Inspect and copy their record
  • Amend their record
  • Accounting who has accessed record

20
Business Associates
  • A business associate is a person or entity who
    performs a function or activity involving the use
    or disclosure of PHI on behalf of LUMC or LUPF
  • With limited exceptions, LUMC/LUPF may not
    disclose PHI to a business associate without
    satisfactory assurance that the PHI will be
    appropriately safeguarded

21
Business Associates Contracts
  • LUMC/LUPF must enter a written contract with each
    of our business associates
  • Contract must extend LUMC's/LUPF's privacy
    obligations to the business associate
  • LUMC, if aware of a violation by a business
    associate, must take reasonable steps to remedy
    the violation or terminate the contract
  • All disclosures to business associates must be
    accounted for

22
Enforcement Liability
  • Enforced by the DHHS Office of Civil Rights
  • Patients may complain directly to the Office of
    Civil Rights
  • Civil Liability
  • Criminal Liability

23
What Does This Mean for Loyola?
  • Appoint a privacy officer
  • Need to assess where PHI is created/maintained
  • Baseline assessment of technical, security and
    privacy measures
  • Draft or revise policies and procedures to comply
    with the privacy regulations

24
What Does This Mean for Loyola? (Cont'd)
  • Establish employee classes and categories with
    respect to and determine what information each
    class or category needs to perform their job
  • Prepare Notice of Privacy Practices, Consent
    Forms and Authorization

25
What Does This Mean for Loyola? (Cont'd)
  • Assess who business associates are and enter new
    contracts or amend old contracts
  • Establish a method for tracking of all
    disclosures of PHI for purposes of accounting
  • Implement a training program for employees