HIPAA: A Case Study - PowerPoint PPT Presentation

About This Presentation

HIPAA: A Case Study



Slides: 29
Provided by: omn3


Transcript and Presenter's Notes

Title: HIPAA: A Case Study

HIPAA: A Case Study
HIPAA Implementation and Remediation at the
University of Texas Medical Branch
  • July 25, 2002

What Is HIPAA?
What is Electronic Data Interchange (EDI)?
  • Harnessing technology
  • Standardization of code sets and transactions
  • Efficiencies within the healthcare industry

What Is Security?
  • Structure
  • The HIPAA security standards are organized into
    four categories. Some examples of each are:
  • Administrative: policies and procedures, business
    contingency, personnel security management
  • Physical: physical safeguards, media controls,
    awareness training
  • Technical: application level controls, access
    control, audit controls
  • Network: internet, intranet/LAN, remote access
  • Standards are also proposed for electronic

What does privacy mean under HIPAA?
  • HIPAA Regulates Uses and Disclosures of Patient
    Health Information (PHI)
  • Defines who may access and use health information
  • Defines how and when PHI is disclosed, requires
    patient authorization
  • Provides patient rights
  • Establishes penalties for individuals who violate
    the HIPAA standards

Protected Health Information (PHI)
  • PHI is individually identifiable health
    information maintained or transmitted
    electronically, in writing, or orally.
  • Electronic transmission may include:
      • The internet (wide-open)
      • Extranet (using internet technology to link a
        business with information only accessible to
        collaborating parties)
      • Leased lines
      • Dial-up lines
      • Private networks, and
      • Those transmissions that are physically moved
        from one location to another using magnetic tape,
        disk, or compact disk media.

  • Use: the sharing, employment, application,
    utilization, examination, or analysis of such
    information within an entity that maintains such
  • Disclosure: the release, transfer, provision of
    access to, or divulging in any other manner of
    information outside the entity holding the
    information.
HIPAA allows uses and disclosures of PHI for:
  • Treatment
      • The provision, coordination, or management of
        health care and related services by one or more
        health care providers, including:
      • The coordination or management of health care by
        a health care provider with a third party
      • Consultation between health care providers
        relating to a patient, or
      • The referral of a patient for health care from
        one health care provider to another.
  • Payment
      • The activities undertaken by:
      • A health plan to obtain premiums or to determine
        or fulfill its responsibility for coverage and
        provision of benefits under the health plan, or
      • A covered health care provider or health plan to
        provide reimbursement for the provision of health
  • Health Care Operations
      • Activities as they relate to covered functions,
        and any of the activities of an organized health
        care arrangement in which the covered entity
        participates (e.g. quality assurance activities,
        risk management or audits).

Authorizations to Disclose PHI are required if
  • The disclosure is for any purpose other than TPO.
  • The disclosure is for research, fundraising or
    marketing and
  • A previous authorization has been revoked or is
    otherwise no longer valid.

Opportunity for an Individual to Agree or Object
  • In some instances HIPAA allows UTMB to disclose
    certain information without authorization if:
      • The patient provides a verbal agreement, and
      • The disclosure is for:
      • A facility directory
      • Notification of the clergy
      • Individuals involved with the patient's care

Use/Disclosure for Research
  • PHI may be used for research with:
      • The human subject's consent/authorization, or
      • An IRB waiver of authorization
  • Reviews preparatory to research are allowed
    without a patient authorization
  • De-identified PHI or a limited data set may be
    used in research without the patient's

De-identification requires the following to be
  • Email Addresses/URLs/IP Addresses
  • Medical Record Numbers
  • Health Plan Beneficiary Numbers
  • Account Numbers
  • Certificate/License Numbers
  • Vehicle Identifiers and Serial Numbers (e.g.
    VINs, License Plate Numbers)
  • Device Identifiers and Serial Numbers
  • Biometric Identifiers (e.g. finger or voice
    prints) or Photographs
  • Any other unique identifying number,
    characteristic, or code
  • Names (individual, employer, relatives, etc.)
  • Address (street, city, county, zip code more
    than 3 digits, or any other geographical codes)
  • Telephone/fax numbers
  • Social security numbers
  • Dates (except for years)
  • Birth date
  • Admission date
  • Discharge date
  • Date of death
  • All ages > 89 and all elements of dates
    indicative of such age
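As an added example (not part of the presentation or UTMB's own tooling), a small Python de-identifier that applies the identifier list above to a constructed patient record; the field names, the sample record and the "90+" bucket are assumptions. Zip codes and ages are reduced rather than dropped, since the slide says only the digits beyond three and ages over 89 are identifying, and a release check reports which identifiers a record still carries.

```python
from datetime import date

# Constructed field names for the identifier classes the slide lists as
# requiring removal (names, addresses, phone/fax, SSN, email/URL/IP, MRN,
# health plan and account numbers, licenses, vehicle/device IDs, biometrics, photos).
REMOVE_FIELDS = {
    "name", "employer", "relative_names", "street", "city", "county",
    "phone", "fax", "ssn", "email", "url", "ip_address", "mrn",
    "health_plan_id", "account_number", "license_number", "vin",
    "license_plate", "device_serial", "biometric", "photo",
}
# Date fields: every element except the year must go.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
AGE_CAP = 89  # slide: all ages > 89 are identifying

def deidentify(record: dict) -> dict:
    """Return a copy of record with the slide's identifiers removed or reduced."""
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue                              # drop outright
        if key in DATE_FIELDS:                    # keep the year only
            out[key.replace("_date", "_year")] = value.year if isinstance(value, date) else None
        elif key == "zip":                        # zip beyond 3 digits is identifying
            out["zip3"] = str(value)[:3]
        elif key == "age":
            out["age"] = "90+" if value > AGE_CAP else value
        else:
            out[key] = value                      # clinical content is kept
    # "all elements of dates indicative of such age": a birth year alone would
    # reveal an age over 89, so it is dropped for the aggregated group.
    if out.get("age") == "90+":
        out["birth_year"] = None
    return out

def remaining_identifiers(record: dict) -> set:
    """Release check: which of the slide's identifiers are still present?"""
    flagged = {k for k in record if k in REMOVE_FIELDS or k in DATE_FIELDS}
    if len(str(record.get("zip", ""))) > 3:
        flagged.add("zip")
    if isinstance(record.get("age"), int) and record["age"] > AGE_CAP:
        flagged.add("age")
    return flagged

# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Doe", "ssn": "000-00-0000", "mrn": "MRN-0001",
    "zip": "77555", "age": 92, "birth_date": date(1910, 3, 4),
    "admission_date": date(2002, 7, 25), "diagnosis": "hypertension",
}
```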

Individual Rights
  • The following rights are provided to all UTMB
      • Right to inspect and copy PHI
      • Right to an accounting of disclosures
      • Right to have reasonable requests for
        confidential communications accommodated
      • Right to file a complaint with UTMB's Privacy
        Office or the Office of Civil Rights
      • Right to written notice of information practices
        from providers and health plans

Why is HIPAA Compliance Important?
  • It is federal law.
  • Compliance is required by:
      • April 14, 2003 for the Privacy Standards
      • October 12, 2003 for the EDI Standards
      • Security regulations are not yet final
  • Civil fines and criminal penalties exist.
  • Individual employees can be fined for their

Impact of HIPAA Violations
  • HIPAA calls for several civil and criminal
    penalties for noncompliance. These fines
  • General penalty for failure to comply:
      • Each violation: $100
      • Maximum penalty for all violations of an
        identical requirement, not to exceed $25,000.00
  • Wrongful Disclosure of Identifiable Health
      • Fines up to $250,000.00 and/or imprisonment up to
        10 years for knowingly misusing individually
        identifiable health information.

Implementation and Remediation
Implementation Initiatives: Privacy
  • Initial Organization and Assessment
      • HIPAA Taskforce, Chief Privacy Officer,
        Consultant for Gap Assessment.
  • Project Development
      • Implementation planning, EDI, security, privacy
        charters and work plans.
  • Institution Wide Solutions
      • Policy development and institutional level
  • Departmental Remediation
      • Departmental remediation of known gaps and
        physical walk through
  • Institution Wide Training
      • Training, on-line and stand up training courses

Phase One - Assessment. Objective: Determine where
PHI is located within the organization
  • Developed an Institutional HIPAA taskforce
      • Include legal, audit, security, clinicians, admin
        staff, IT/IS
  • Determined project scope and costs
      • Consultant costs v. in-house costs (employee
  • Determined institutional needs
      • Developed a list of all departments with PHI (must
        be creative: morgue, childcare, field house, Ronald
        McDonald House, etc.)
      • Prioritized compliance solutions based on
        departmental need
      • Relied on employees with institutional knowledge of
        how the entity really works

General Out-patient PHI Flow Chart
Phase Two - Develop Projects. Objective: Roll gaps
and compliance solutions into projects
  • Wrote 3 independent Charters (Privacy, EDI,
    Security) and developed workplans
  • Prioritized and defined projects
  • Developed an issue log for institutional
  • Decided to focus on policy development, created 7
      • Consents/Notices
      • Authorizations
      • Patient Rights
      • Business Associates
      • Research
      • Employment
      • Students

Phase Three - Global Solutions. Objective:
Organize policy work teams and write draft
policies for review and comment
  • Wrote over 40 new privacy policies with forms.
  • All policies were reviewed by a work group and
    the HIPAA Taskforce.
  • Most policies have been sent to the Institutional
    Handbook of Operating Procedures committee for
    formal approval.
  • 5 policies remain active and require
    institutional decisions.

Policy Workgroups
Draft Policies
Policies Requiring Institutional Decisions
  • Email of PHI
      • A written document and required in medical
      • HIPAA and general malpractice concerns.
  • Disposal of PHI
  • Medical Record Maintenance Policy
  • Shadow Record
  • Student Conduct and Discipline Policy
  • (Faculty Conduct and Disciplinary Policy)

Phase Four - Departmental Focus. Objective: Review
all departmental operations and remediate gaps,
including physical inspections
  • Developed remediation tracking tool for every
      • Designed to track compliance with recognized gaps
        and gaps discovered during physical inspection.
  • Scheduled to meet with each department 4 times to
    track compliance before the compliance deadline.

Phase Five - Training. Objective: To provide both
general and specific HIPAA training to the entire
13,000-employee workforce
  • Develop on-line training courses required for all
    employees, including students and volunteers.
  • Provide specific training for staff who:
      • Release medical records, and
      • Are front line patient registration personnel.

Additional HIPAA Compliance Projects
  • Cross referencing medical records
  • Tracking/accounting for disclosures
  • Business associates data mart and contract
    amendment process
  • Consent/acknowledgement tracking
  • E-commerce solution for physician-patient
  • Shadow record management database

Conclusion: Questions