HIPAA

1
HIPAA

• ...and Patient Confidentiality

Health Information Portability and
Accountability Act
2
Is There a Problem With Unauthorized / Unlawful
Release of Personal Health Information?

• Here are just a few of the incidents leading up
  to the establishment of HIPAA
• After news of actress Nicole Kidmans surgery was
  leaked to the press, photos of her leaving the
  UCLA Medical Center appeared in papers with
  commentary about her health status. (Parade
  Magazine, May 10, 1998)
• In a 1996 survey, 206 respondents reported
  discrimination as a result of access to genetic
  information, culminating in loss of employment
  and insurance coverage, or ineligibility for
  benefits. (Science and Engineering Ethics, 1996)
  
• In Tampa, Florida, a public health worker walked
  away with a computer disk containing the names of
  4,000 people who tested positive for HIV. The
  disks were sent to two newspapers. (USA Today,
  October 10, 1996)

3
Problem?....

• A survey found that 35 of Fortune 500 Companies
  look at peoples medical records before making
  hiring and promotion decisions. (Unpublished
  study, University of Illinois at
  Urbana-Champaign, 1996)
• The Harvard Community Health Plan, a Boston-based
  HMO, admitted to maintaining detailed notes of
  psychotherapy sessions in computer records that
  were accessible by all clinical employees.
  Following a series of press reports describing
  the system, the HMO revamped its computer
  security practices.
• A banker who also served on his countys health
  board cross referenced customer accounts with
  patient information. He called due the mortgages
  of anyone suffering from cancer. (The National
  Law Journal, May 30, 1994)

4
Problem?...

• New York Congresswoman Nydia Velasquez
  confidential medical records including details
  of a bout with depression and a suicide attempt
  were faxed from a New York hospital to a local
  newspaper and television station on the eve of
  her 1992 primary. After overcoming the fallout
  from this disclosure and winning the election,
  Rep. Velasquez testified about her experiences
  before the Senate Judiciary Committee as it was
  considering a health privacy proposal.
• In Maryland, eight Medicaid clerks were
  prosecuted for selling computerized record
  printouts of recipients and dependents
  financial resources to sales representatives of
  managed care companies.

5
Problem?...

• The 13-year-old daughter of a hospital employee
  took a list of patients names and phone numbers
  from the hospital when visiting her mother at
  work. As a joke, she contacted patients and told
  them that they were diagnosed with HIV. (The
  Washington Post, March 1, 1995)
• The director of a work site health clinic
  operated by a large manufacturing company
  testified that he was frequently pressured to
  provide personal information about his patients
  to his supervisors.
• The late tennis star Arthur Ashes positive HIV
  status was disclosed by a health care worker and
  published by a newspaper without his permission.

6
Background

• HIPAA is an acronym for Health Insurance
  Portability and Accountability Act of 1996
• Also known as Public Law 104-91
• Title II of this Act provided for
• Improved efficiency in healthcare delivery by
  standardizing electronic data interchange
• Protection of confidentiality and security of
  health data through setting and enforcing
  standards
• (Phoenix Health Systems, 2006)

7

• HIPAA Called upon the Department of Health
  Human Services (HHS) to publish rules to insure
• Standardization of electronic patient health,
  administrative, and financial data
• Unique health identifiers for individuals,
  employers, health plans, and health care
  providers
• Security standards protecting the confidentiality
  and integrity of individually identifiable
  health informationpast, present, and future

8

• HIPAA calls for severe civil and criminal
  penalties for noncompliance
• Fines up to 25,000 for multiple violations
  within the same calendar year
• Fines up to 250,000 and / or imprisonment of up
  to 10 years for knowingly misusing individually
  identifiable health information

9

• Compliance requirements include
• Building initial organizational awareness of
  HIPAA
• Comprehensive assessment of the organizations
  privacy practices, information security systems
  and procedures, and use of electronic
  transactions
• Developing an action plan for compliance with
  each rule
• Developing a technical and management
  infrastructure to implement the plans
• Implementing a comprehensive implementation plan.

10

• Implementation of the comprehensive action plan
  includes
• Developing new policies, processes, and
  procedures to insure privacy, security, and
  patients rights
• Building business associate agreements with
  business partners to support HIPAA objectives
• Developing a secure technical and physical
  information infrastructure
• Updating information systems to safeguard
  protected health information (PHI) and enable use
  of standard claims and related transactions
• Training of all workforce members
• Developing and maintaining an internal privacy
  and security management and enforcement
  infrastructure, including providing a Privacy
  Officer and Security Officer

11
HIPAAThe Privacy Rule

• Imposes restrictions on the use or disclosure of
  personal health information
• Provides the individual with greater assurance
  that their security information is guarded from
  intrusion
• Provides greater protection for the individual's
  health information and health record

12
Protected Health Information(PHI)

• What is PHI?
• Any time the individual gives personal health
  information to a provider, it becomes Protected
  Health Information, including
• Verbal information
• Written Information
• Recorded Information
• Electronic Information, e.g., faxes, e-mail
• Patients name, address, SSN, Doctors or Nurses
  Notes, Billing Information

13
Authorization Guidelines

• Patient authorization for release of PHI must be
  obtained
• Use or disclosure of psychotherapy notes
• For use or disclosure to third parties
• For research purposes

14
Authorization Guidelines

• PHI can be released without patient authorization
  for the following reasons
• Public health activities related to disease
  control or prevention
• To inform appropriate agencies, as directed by
  law or regulation
• To report victims of abuse, neglect, or domestic
  violence
• To funeral homes
• To tissue / organ banks or programs
• To avert any serious threat to public safety or
  health

15
Informed Consent

• Patients have the right to adequate and timely
  notice when PHI has been disclosed

16
Protective Mechanisms for Health Information

• Physical Safeguards e.g., Computer terminals and
  screens not within or visible to public areas
• Technical Safeguards e.g., every employee must
  safeguard their computer access code
• Administrative Safeguards e.g., Set policy
  procedure for releasing patient information

17
Enforcement

• Each organization is required by regulation to
  have a Safety and / or Privacy Officerpatient
  may forward complaint to that individual
• Or
• The Director, U.S. Department of Health and Human
  Services

18
Bibliography

• Phoenix Health Systems (2006). HIPAA primer.
  Retrieved November2, 2006 from http//www.hipaadvi
  sory.com/REGS?HIPAAprimer.htm
• Privacy Rights Clearinghouse (2006). How private
  is my medical information? Retrieved November 4,
  2006 from http//www.privacyrights.org/fs/fs8-med.
  htm