Overview of HIPAA Administrative Simplification and Privacy Regulations Darrel J. Grinstead, Partner Amy B. Kiesel, Associate Hogan - PowerPoint PPT Presentation

1
Overview of HIPAA Administrative Simplification and Privacy Regulations
Darrel J. Grinstead, Partner
Amy B. Kiesel, Associate
Hogan & Hartson L.L.P.
2
Outline of Presentation
  • HIPAA Overview
  • Transactions and Code Set Rule
  • Security Rule
  • Privacy Rule

3
HIPAA Overview
  • Health Insurance Portability and Accountability
    Act of 1996
  • Regulations
    ◦ Facilitate electronic exchange of health
      information
    ◦ Protect the privacy and security of health
      information

4
HIPAA Regulations
  • Final Form
    ◦ Transactions and Code Set Rule
    ◦ Security Rule
    ◦ Privacy Rule
    ◦ National Standard Employer Identifier Rule
  • Remaining are unpublished or in proposed form.

5
Applicability
  • The regulations apply to covered entities:
    ◦ Health care providers that electronically bill
      for services (e.g., most ambulance suppliers,
      physicians, hospitals),
    ◦ Health plans, and
    ◦ Health care clearinghouses.

6
TRANSACTIONS AND CODE SET RULE
7
Transactions and Code Set Rule
  • Purpose
    ◦ To encourage the use of electronic exchanges
    ◦ To reduce the administrative burden associated
      with using different formats
  • Specifies the content and format standards for
    eight common types of health information
    transactions.

8
Standard Transactions
  • Transactions are composed of
    ◦ Format data - define and control the structure of
      the transaction (e.g., the data element is a
      dollar amount)
    ◦ Data content - all data elements and code sets
      inherent to a transaction and not related to the
      format of the transaction (e.g., the actual
      dollar amount)

9
Transactions
  • The eight standard transactions include
    ◦ Health care claims or equivalent encounter
      information,
    ◦ Health care payment and remittance advice,
    ◦ Coordination of benefits,
    ◦ Health care claim status,
    ◦ Enrollment and disenrollment in a health plan,
    ◦ Referral certification and authorization,
    ◦ Eligibility for a health plan, and
    ◦ Health plan premium payments.
  • No standards promulgated for first report of
    injury and health claims attachments.

10
Compliance
  • Compliance required by Oct. 16, 2002, unless a
    compliance plan was submitted to CMS by Oct. 15,
    2002, whereupon the compliance deadline was
    extended to Oct. 16, 2003.

11
Implementation
  • HIPAA Awareness - understand the rule and educate
    workforce.
  • Operational Assessment - assess and identify
    internal implementation issues and develop a work
    plan to address issues.
  • Development and Testing - finalize development
    of, install, and train staff on, applicable
    software and perform all software and systems
    testing.

12
SECURITY RULE
13
Security Rule
  • Final rule published Feb. 20, 2003.
  • Compliance required by April 21, 2005.
  • Requires covered entities to
    ◦ Assess risks and vulnerabilities,
    ◦ Maintain appropriate security measures, and
    ◦ Document these methods.

14
Security Rule
  • Requires covered ambulance suppliers to
    ◦ Apply administrative, physical, and technical
      safeguards
    ◦ That reasonably and appropriately protect the
      confidentiality, integrity and availability of
      electronic protected health information
    ◦ That they create, receive, maintain or transmit.

15
Examples - Required Safeguards
  • Administrative
    ◦ Sanction policy
    ◦ Business associate contracts
  • Physical
    ◦ Disposal of device and media controls
    ◦ Workstation security
  • Technical
    ◦ Person or entity authentication
    ◦ Unique user identification

16
PRIVACY RULE
17
Privacy Rule
  • Applicability
  • Uses and Disclosures
  • Patient Rights
  • Administrative Requirements
  • Penalties
  • Interaction with State Law

18
Compliance Date
  • Covered ambulance suppliers must be in compliance
    with the Privacy Rule by April 14, 2003.

19
Applicability of the Privacy Rule
  • Applies directly to covered entities.
  • Regulates protected health information maintained
    by covered entities.

20
Protected Health Information
  • Protected health information (PHI) is
    information in any form that
    ◦ Identifies or reasonably could be used to
      identify the patient,
    ◦ Relates to the past, present, or future health or
      condition of a patient, payment for care, or
      provision of care, and
    ◦ Is created or received by a covered entity,
      provider or employer.

21
Protected Health Information
  • It includes
    ◦ Medical information
    ◦ Billing information
    ◦ Patient demographic information
    ◦ Information stored electronically
    ◦ Information you convey on the phone
    ◦ Information maintained on paper

22
Business Associates
  • Requires covered entities to contractually bind
    their business associates to some of the
    requirements of the Privacy Rule.

23
Definition
  • A business associate is an entity that
    ◦ creates or receives PHI
    ◦ to provide a service or function for or on behalf
      of a covered entity.

24
Examples - Business Associates
  • Disclosures of PHI to
    ◦ An accreditation organization to perform
      accreditation services.
    ◦ A billing and collection service to assist with
      reimbursement.
    ◦ A transcription service to transcribe notes.

25
Examples - No Business Associate
  • Disclosure of PHI
    ◦ To a provider for treatment of a patient.
    ◦ Inadvertently to a janitorial agency that
      provides cleaning services.
    ◦ To researchers for research purposes.
  • No business associate relationship with your
    employees.

26
Business Associate Agreements
  • You must enter into written agreements with your
    business associates to
    ◦ Limit use and disclosure of PHI,
    ◦ Safeguard PHI, and
    ◦ Ensure certain patient rights (e.g., providing a
      patient with access to PHI).

27
USES AND DISCLOSURES
28
Overview of Uses and Disclosures
  • Covered ambulance suppliers may use or disclose
    PHI only
    ◦ For purposes expressly required or permitted by
      the rule, or
    ◦ With patient authorization.

29
Examples - When Authorization Required
  • To provide a list of names of patients involved
    in automobile accidents to a company that offers
    automobile insurance.
  • To provide a list of patient names to a national
    association for the association's fundraising
    purposes.

30
Examples When Authorization Not Required
  • To use and disclose PHI for your own treatment,
    payment and health care operations (TPO).
  • To disclose PHI for the treatment or payment
    activities of another covered entity.
  • In limited situations, to disclose PHI for the
    health care operations of another covered entity.

31
Health Care Operations
  • Generally, no authorization required if the
    disclosure is
    ◦ To a covered entity that also has a relationship
      with the patient and
    ◦ For quality assessment and improvement
      activities, case management and coordination,
      fraud and abuse detection or compliance, and
      other similar activities.

32
Disclosures to Family Members
  • May disclose PHI to family members or others
    involved in the patient's care or payment for
    care if
    ◦ The patient agrees (or agreement is inferred), or
    ◦ The patient is not present or is incapacitated
      and you believe that it is in the patient's best
      interest.
  • Also may notify of the patient's location,
    general condition, or death.

33
Other Purposes
  • May use and/or disclose PHI without authorization
    if certain criteria are met
    ◦ To avert a serious threat to health or safety
    ◦ As required by law
    ◦ For limited marketing activities
    ◦ For public health activities
    ◦ For health oversight activities
    ◦ For research

34
Other Uses and Disclosures - Avert Serious Threat
  • May use or disclose PHI based on your good faith
    belief that the use or disclosure is necessary
    ◦ To prevent/lessen a serious and imminent threat
      to the health or safety of a person or the
      public, or
    ◦ Under limited circumstances, for law enforcement
      authorities to identify or apprehend an
      individual.

35
Written Authorization - The Default Category
  • May use and disclose PHI for any reason with the
    written authorization of the patient.
  • Must be in writing and contain certain statements
    and information that ensure the patient knows how
    his or her information will be used and disclosed.

36
MINIMUM NECESSARY STANDARD
37
Minimum Necessary Standard
  • Covered entities may use, disclose and request
    only the minimum amount of PHI necessary to
    accomplish the purpose of the use, disclosure or
    request.

38
Minimum Necessary Exceptions
  • Disclosures to and requests by providers for
    treatment (but it does apply to uses)
  • Disclosures to the patient who is the subject of
    the PHI
  • Uses and disclosures pursuant to authorization

39
INCIDENTAL USES AND DISCLOSURES
40
Incidental Uses and Disclosures
  • An incidental use or disclosure is that which
    occurs as a result of another use or disclosure
    that is permitted (e.g., a conversation between
    EMTs treating a patient overheard by another
    patient).

41
Incidental Uses and Disclosures
  • Incidental uses and disclosures are permitted as
    long as a covered entity has
    ◦ Applied reasonable safeguards, and
    ◦ Implemented the minimum necessary standard, where
      applicable, with respect to the primary use or
      disclosure.

42
PATIENT RIGHTS
43
Patient Rights
  • Receive a notice of privacy practices
  • Receive an accounting of certain disclosures of
    PHI
  • Access their information
  • Amend their information
  • Request a restriction on the use or disclosure of
    information
  • Request confidential communications

44
Content of Notice
  • A header indicating the purpose of the notice
  • A description of the uses and disclosures that you
    may make
  • A statement of patient rights and how to exercise
    them
  • A statement of your duties
  • Instructions for filing complaints
  • Contact information

45
Provision of Notice - First Service Delivery
  • General Rule
    ◦ Provide the patient with your notice no later
      than the first service delivery on or after April
      14, 2003, and
    ◦ Make a good faith effort to obtain a written
      acknowledgment of receipt of notice.
    ◦ If not obtained, document good faith efforts and
      reason why not obtained.

46
Obtaining Acknowledgment
  • Sign a separate sheet, list, log book, or initial
    a cover sheet of the notice to be retained by the
    ambulance supplier
  • Tear off sheet to mail back to the ambulance
    supplier
  • Combine an acknowledgment with consent

47
Good Faith Effort - Reason Not Obtained
  • Patient refused
  • Patient failed to mail back acknowledgment
  • Patient unconscious or agitated

48
Provision of Notice - First Service Delivery
  • EXCEPTION - Emergency Treatment Situations
    ◦ Notice - Provide the notice as soon as reasonably
      practicable after the emergency situation.
    ◦ Acknowledgment - NOT required to make a good
      faith effort to obtain the acknowledgment.

49
Provision of Notice
  • You also must make the notice available by April
    14, 2003
    ◦ Upon request,
    ◦ At the delivery site (notice must be posted and
      available for individuals to take with them), and
    ◦ If you maintain a web site about your services or
      benefits, prominently on your web site, and make
      the notice available electronically through the
      site.

50
Accounting
  • Don't need to track disclosures
    ◦ To carry out treatment, payment, or health care
      operations
    ◦ To patients who are the subject of the PHI
    ◦ Pursuant to an authorization

51
Accounting
  • Must track disclosures
    ◦ For public health purposes
    ◦ For research
    ◦ For health oversight activities
    ◦ For administrative/judicial proceedings
    ◦ For abuse/neglect reporting

52
ADMINISTRATIVE REQUIREMENTS
53
Administrative Requirements
  • Designate a privacy official
  • Designate a contact person or office for
    complaints and questions
  • Establish and implement policies and procedures
  • Provide training to workforce members
  • Apply administrative, technical and physical
    safeguards
  • Establish a process for individuals to make
    complaints

54
Administrative Requirement - Training
  • Must train workforce on privacy policies and
    procedures necessary and appropriate to their
    jobs.
  • Training must occur
    ◦ For current employees, no later than the
      compliance date,
    ◦ For new employees after the compliance date,
      within a reasonable time after the person joins
      the workforce, and
    ◦ For employees whose functions change due to a
      subsequent change in privacy policies or
      procedures, within a reasonable time after the
      change.

55
PENALTIES
56
Civil Penalties
  • Any person who violates a provision is subject
    to
    ◦ A penalty of not more than $100 for each such
      violation, and
    ◦ Total amount imposed on a person for all
      violations of an identical requirement or
      prohibition during a calendar year may not exceed
      $25,000.

57
Criminal Penalties
  • Criminal penalties vary depending on the offense.
  • A person can be fined not more than $250,000,
    imprisoned not more than 10 years, or both if
    ◦ the offense is committed with the intent to sell,
      transfer, or use PHI for commercial advantage,
      personal gain, or malicious harm.

58
INTERACTION WITH STATE LAW
59
Interaction with State Law
  • Must comply with both the Privacy Rule and state
    laws.
  • If impossible (rare), comply with the provision that
    provides the patient with
    ◦ greater privacy rights,
    ◦ access to greater amounts of information, or
    ◦ greater privacy protections.
  • State laws often have heightened protection for
    sensitive information (e.g., HIV/STDs).

60
The End.