Title: Overview of HIPAA Administrative Simplification and Privacy Regulations

Overview of HIPAA Administrative Simplification and Privacy Regulations
Darrel J. Grinstead, Partner
Amy B. Kiesel, Associate
Hogan & Hartson L.L.P.
Outline of Presentation
- HIPAA Overview
- Transactions and Code Set Rule
- Security Rule
- Privacy Rule
HIPAA Overview
- Health Insurance Portability and Accountability Act of 1996
- Regulations
  - Facilitate electronic exchange of health information
  - Protect the privacy and security of health information
HIPAA Regulations
- Final Form
  - Transactions and Code Set Rule
  - Security Rule
  - Privacy Rule
  - National Standard Employer Identifier Rule
- The remaining rules are unpublished or in proposed form.
Applicability
- The regulations apply to covered entities:
  - Health care providers that electronically bill for services (e.g., most ambulance suppliers, physicians, hospitals),
  - Health plans, and
  - Health care clearinghouses.
TRANSACTIONS AND CODE SET RULE
Transactions and Code Set Rule
- Purpose
  - To encourage the use of electronic exchanges
  - To reduce the administrative burden associated with using different formats
- Specifies the content and format standards for eight common types of health information transactions.
Standard Transactions
- Transactions are composed of
  - Format data - define and control the structure of the transaction (e.g., the data element is a dollar amount)
  - Data content - all data elements and code sets inherent to a transaction and not related to the format of the transaction (e.g., the actual dollar amount)
Transactions
- The eight standard transactions include
  - Health care claims or equivalent encounter information,
  - Health care payment and remittance advice,
  - Coordination of benefits,
  - Health care claim status,
  - Enrollment and disenrollment in a health plan,
  - Referral certification and authorization,
  - Eligibility for a health plan, and
  - Health plan premium payments.
- No standards promulgated for first report of injury and health claims attachments.
Compliance
- Compliance required by Oct. 16, 2002, unless a compliance plan was submitted to CMS by Oct. 15, 2002, whereupon the compliance deadline was extended to Oct. 16, 2003.
Implementation
- HIPAA Awareness - understand the rule and educate workforce.
- Operational Assessment - assess and identify internal implementation issues and develop a work plan to address issues.
- Development and Testing - finalize development of, install, and train staff on, applicable software and perform all software and systems testing.
SECURITY RULE
Security Rule
- Final rule published Feb. 20, 2003.
- Compliance required by April 21, 2005.
- Requires covered entities to
  - Assess risks and vulnerabilities,
  - Maintain appropriate security measures, and
  - Document these methods.
Security Rule
- Requires covered ambulance suppliers to
  - Apply administrative, physical, and technical safeguards
  - That reasonably and appropriately protect the confidentiality, integrity and availability of electronic protected health information
  - That they create, receive, maintain or transmit.
Examples - Required Safeguards
- Administrative
  - Sanction policy
  - Business associate contracts
- Physical
  - Disposal of device and media controls
  - Workstation security
- Technical
  - Person or entity authentication
  - Unique user identification
PRIVACY RULE
Privacy Rule
- Applicability
- Uses and Disclosures
- Patient Rights
- Administrative Requirements
- Penalties
- Interaction with State Law
Compliance Date
- Covered ambulance suppliers must be in compliance with the Privacy Rule by April 14, 2003.
Applicability of the Privacy Rule
- Applies directly to covered entities.
- Regulates protected health information maintained by covered entities.
Protected Health Information
- Protected health information (PHI) is information in any form that
  - Identifies or reasonably could be used to identify the patient,
  - Relates to the past, present, or future health or condition of a patient, payment for care, or provision of care, and
  - Is created or received by a covered entity, provider or employer.
Protected Health Information
- It includes
  - Medical information
  - Billing information
  - Patient demographic information
  - Information stored electronically
  - Information you convey on the phone
  - Information maintained on paper
Business Associates
- Requires covered entities to contractually bind their business associates to some of the requirements of the Privacy Rule.
Definition
- A business associate is an entity that
  - creates or receives PHI
  - to provide a service or function for or on behalf of a covered entity.
Examples - Business Associates
- Disclosures of PHI to
  - An accreditation organization to perform accreditation services.
  - A billing and collection service to assist with reimbursement.
  - A transcription service to transcribe notes.
Examples - No Business Associate
- Disclosure of PHI
  - To a provider for treatment of a patient.
  - Inadvertently to a janitorial agency that provides cleaning services.
  - To researchers for research purposes.
- No business associate relationship with your employees.
Business Associate Agreements
- You must enter into written agreements with your business associates to
  - Limit use and disclosure of PHI,
  - Safeguard PHI, and
  - Ensure certain patient rights (e.g., providing a patient with access to PHI).
USES AND DISCLOSURES
Overview of Uses and Disclosures
- Covered ambulance suppliers may use or disclose PHI only
  - For purposes expressly required or permitted by the rule, or
  - With patient authorization.
Examples - When Authorization Required
- To provide a list of names of patients involved in automobile accidents to a company that offers automobile insurance.
- To provide a list of patient names to a national association for the association's fundraising purposes.
Examples - When Authorization Not Required
- To use and disclose PHI for your own treatment, payment and health care operations (TPO).
- To disclose PHI for the treatment or payment activities of another covered entity.
- In limited situations, to disclose PHI for the health care operations of another covered entity.
Health Care Operations
- Generally, no authorization required if the disclosure is
  - To a covered entity that also has a relationship with the patient and
  - For quality assessment and improvement activities, case management and coordination, fraud and abuse detection or compliance, and other similar activities.
Disclosures to Family Members
- May disclose PHI to family members or others involved in the patient's care or payment for care if
  - The patient agrees (or agreement is inferred), or
  - The patient is not present or is incapacitated and you believe that it is in the patient's best interest.
- Also may notify of the patient's location, general condition, or death.
Other Purposes
- May use and/or disclose PHI without authorization if certain criteria are met
  - To avert a serious threat to health or safety
  - As required by law
  - For limited marketing activities
  - For public health activities
  - For health oversight activities
  - For research
Other Uses and Disclosures - Avert Serious Threat
- May use or disclose PHI based on your good faith belief that the use or disclosure is necessary
  - To prevent/lessen a serious and imminent threat to the health or safety of a person or the public, or
  - Under limited circumstances, for law enforcement authorities to identify or apprehend an individual.
Written Authorization - The Default Category
- May use and disclose PHI for any reason with the written authorization of the patient.
- Must be in writing and contain certain statements and information that ensure the patient knows how his or her information will be used and disclosed.
MINIMUM NECESSARY STANDARD
Minimum Necessary Standard
- Covered entities may use, disclose and request only the minimum amount of PHI necessary to accomplish the purpose of the use, disclosure or request.
Minimum Necessary Exceptions
- Disclosures to and requests by providers for treatment (but it does apply to uses)
- Disclosures to the patient who is the subject of the PHI
- Uses and disclosures pursuant to authorization
INCIDENTAL USES AND DISCLOSURES
Incidental Uses and Disclosures
- An incidental use or disclosure is one that occurs as a result of another use or disclosure that is permitted (e.g., a conversation between EMTs treating a patient overheard by another patient).
Incidental Uses and Disclosures
- Incidental uses and disclosures are permitted as long as a covered entity has
  - Applied reasonable safeguards, and
  - Implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure.
PATIENT RIGHTS
Patient Rights
- Receive a notice of privacy practices
- Receive an accounting of certain disclosures of PHI
- Access their information
- Amend their information
- Request a restriction on the use or disclosure of information
- Request confidential communications
Content of Notice
- A header indicating the purpose of the notice
- A description of the uses and disclosures that you may make
- A statement of patient rights and how to exercise them
- A statement of your duties
- Instructions for filing complaints
- Contact information
Provision of Notice - First Service Delivery
- General Rule
  - Provide the patient with your notice no later than the first service delivery on or after April 14, 2003 and
  - Make a good faith effort to obtain a written acknowledgment of receipt of notice.
  - If not obtained, document good faith efforts and reason why not obtained.
Obtaining Acknowledgment
- Sign a separate sheet, list, log book, or initial a cover sheet of the notice to be retained by the ambulance supplier
- Tear-off sheet to mail back to the ambulance supplier
- Combine an acknowledgment with consent
Good Faith Effort - Reason Not Obtained
- Patient refused
- Patient failed to mail back acknowledgment
- Patient unconscious or agitated
Provision of Notice - First Service Delivery
- EXCEPTION - Emergency Treatment Situations
  - Notice - Provide the notice as soon as reasonably practicable after the emergency situation.
  - Acknowledgment - NOT required to make a good faith effort to obtain the acknowledgment.
Provision of Notice
- You also must make the notice available by April 14, 2003
  - Upon request
  - At the delivery site (notice must be posted and available for individuals to take with them) and
  - If you maintain a web site about your services or benefits, prominently on your web site, and make the notice available electronically through the site.
Accounting
- Don't need to track disclosures
  - To carry out treatment, payment, or health care operations
  - To patients who are the subject of the PHI
  - Pursuant to an authorization
Accounting
- Must track disclosures
  - For public health purposes
  - For research
  - For health oversight activities
  - For administrative/judicial proceedings
  - For abuse/neglect reporting
ADMINISTRATIVE REQUIREMENTS
Administrative Requirements
- Designate a privacy official
- Designate a contact person or office for complaints and questions
- Establish and implement policies and procedures
- Provide training to workforce members
- Apply administrative, technical and physical safeguards
- Establish a process for individuals to make complaints
Administrative Requirement - Training
- Must train workforce on privacy policies and procedures necessary and appropriate to their jobs.
- Training must occur
  - For current employees, no later than the compliance date,
  - For new employees after the compliance date, within a reasonable time after the person joins the workforce, and
  - For employees whose functions change due to a subsequent change in privacy policies or procedures, within a reasonable time after the change.
PENALTIES
Civil Penalties
- Any person who violates a provision is subject to
  - A penalty of not more than $100 for each such violation, and
  - A total amount imposed on a person for all violations of an identical requirement or prohibition during a calendar year that may not exceed $25,000.
Criminal Penalties
- Criminal penalties vary depending on the offense.
- A person can be fined not more than $250,000, imprisoned not more than 10 years, or both if
  - the offense is committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
INTERACTION WITH STATE LAW
Interaction with State Law
- Must comply with both the Privacy Rule and state laws.
- If impossible (rare), comply with the provision that provides the patient with
  - greater privacy rights,
  - access to greater amounts of information, or
  - greater privacy protections.
- State laws often have heightened protection for sensitive information (e.g., HIV/STDs).
The End.